
Use better names for associated classes of RecoveryManager
authorRobert Berry <robertberry@google.com>
Wed, 17 Jan 2018 15:18:05 +0000 (15:18 +0000)
committerRobert Berry <robertberry@google.com>
Wed, 17 Jan 2018 15:22:56 +0000 (15:22 +0000)
I will also rename RecoveryManager to RecoveryController -- in a separate CL,
as this one is already becoming too large.

Test: adb shell am instrument -w -e package
com.android.server.locksettings.recoverablekeystore
com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner

Change-Id: I2fb4e1f55fb50d95f15c230783c3d289dd71f7f3

16 files changed:
core/java/android/security/keystore/KeychainProtectionParameter.aidl [moved from core/java/android/security/keystore/RecoveryData.aidl with 94% similarity]
core/java/android/security/keystore/KeychainProtectionParameter.java [moved from core/java/android/security/keystore/RecoveryMetadata.java with 78% similarity]
core/java/android/security/keystore/KeychainSnapshot.aidl [moved from core/java/android/security/keystore/RecoveryMetadata.aidl with 95% similarity]
core/java/android/security/keystore/KeychainSnapshot.java [moved from core/java/android/security/keystore/RecoveryData.java with 59% similarity]
core/java/android/security/keystore/RecoveryManager.java
core/java/android/security/keystore/WrappedApplicationKey.aidl [moved from core/java/android/security/keystore/EntryRecoveryData.aidl with 95% similarity]
core/java/android/security/keystore/WrappedApplicationKey.java [moved from core/java/android/security/keystore/EntryRecoveryData.java with 78% similarity]
core/java/com/android/internal/widget/ILockSettings.aidl
services/core/java/com/android/server/locksettings/LockSettingsService.java
services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java
services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java
services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorage.java
services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java
services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java

@@ -28,12 +28,26 @@ import java.lang.annotation.RetentionPolicy;
 import java.util.Arrays;
 
 /**
- * Helper class with data necessary to recover Keystore on a new device.
- * It defines UI shown to the user and a way to derive a cryptographic key from user output.
+ * A {@link KeychainSnapshot} is protected with a key derived from the user's lock screen. This
+ * class wraps all the data necessary to derive the same key on a recovering device:
+ *
+ * <ul>
+ *     <li>UI parameters for the user's lock screen - so that if e.g., the user was using a pattern,
+ *         the recovering device can display the pattern UI to the user when asking them to enter
+ *         the lock screen from their previous device.
+ *     <li>The algorithm used to derive a key from the user's lock screen, e.g. SHA-256 with a salt.
+ * </ul>
+ *
+ * <p>As such, this data is sent along with the {@link KeychainSnapshot} when syncing the current
+ * version of the keychain.
+ *
+ * <p>For now, the recoverable keychain only supports a single layer of protection, which is the
+ * user's lock screen. In the future, the keychain will support multiple layers of protection
+ * (e.g. an additional keychain password, along with the lock screen).
  *
  * @hide
  */
-public final class RecoveryMetadata implements Parcelable {
+public final class KeychainProtectionParameter implements Parcelable {
     /** @hide */
     @Retention(RetentionPolicy.SOURCE)
     @IntDef({TYPE_LOCKSCREEN, TYPE_CUSTOM_PASSWORD})
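Review bot: The new class Javadoc gives "SHA-256 with a salt" as the example key derivation (second list item) without saying what limits guessing of the lock screen secret. A PIN or pattern has little entropy, so a single salted hash over it is cheap to enumerate for anyone who holds the protected data and the salt. The KeychainSnapshot Javadoc later in this commit mentions encryption to the remote trusted hardware's public key, which is presumably the layer relied on. I would add a sentence such as `<p>The derived key alone is not expected to resist offline guessing; see {@link KeychainSnapshot} for the additional encryption applied to the snapshot.`, with the wording confirmed by the authors. The class body continues outside this hunk.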
@@ -88,7 +102,7 @@ public final class RecoveryMetadata implements Parcelable {
      * @link {#clearSecret} to overwrite its value in memory.
      * @hide
      */
-    public RecoveryMetadata(@UserSecretType int userSecretType,
+    public KeychainProtectionParameter(@UserSecretType int userSecretType,
             @LockScreenUiFormat int lockScreenUiFormat,
             @NonNull KeyDerivationParams keyDerivationParams,
             @NonNull byte[] secret) {
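Review bot: The Javadoc line above this constructor writes `@link {#clearSecret}`, which is not a valid inline tag, so the pointer to the method that wipes the secret from memory will not render as a link; it should read `{@link #clearSecret}`. The same kind of slip appears in the Builder.build() hunk further down, where `{@link setSecret}` and `{@link setUserSecretType}` lack the `#`. Since the rename already touches these comments, they can be fixed in the same pass. Both the Javadoc block and the constructor body extend outside the hunk.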
@@ -98,7 +112,7 @@ public final class RecoveryMetadata implements Parcelable {
         mSecret = Preconditions.checkNotNull(secret);
     }
 
-    private RecoveryMetadata() {
+    private KeychainProtectionParameter() {
 
     }
 
@@ -141,10 +155,10 @@ public final class RecoveryMetadata implements Parcelable {
     }
 
     /**
-     * Builder for creating {@link RecoveryMetadata}.
+     * Builder for creating {@link KeychainProtectionParameter}.
      */
     public static class Builder {
-        private RecoveryMetadata mInstance = new RecoveryMetadata();
+        private KeychainProtectionParameter mInstance = new KeychainProtectionParameter();
 
         /**
          * Sets user secret type.
@@ -198,14 +212,14 @@ public final class RecoveryMetadata implements Parcelable {
 
 
         /**
-         * Creates a new {@link RecoveryMetadata} instance.
+         * Creates a new {@link KeychainProtectionParameter} instance.
          * The instance will include default values, if {@link setSecret}
          * or {@link setUserSecretType} were not called.
          *
          * @return new instance
          * @throws NullPointerException if some required fields were not set.
          */
-        public @NonNull RecoveryMetadata build() {
+        @NonNull public KeychainProtectionParameter build() {
             if (mInstance.mUserSecretType == null) {
                 mInstance.mUserSecretType = TYPE_LOCKSCREEN;
             }
@@ -235,14 +249,14 @@ public final class RecoveryMetadata implements Parcelable {
         Arrays.fill(mSecret, (byte) 0);
     }
 
-    public static final Parcelable.Creator<RecoveryMetadata> CREATOR =
-            new Parcelable.Creator<RecoveryMetadata>() {
-        public RecoveryMetadata createFromParcel(Parcel in) {
-            return new RecoveryMetadata(in);
+    public static final Parcelable.Creator<KeychainProtectionParameter> CREATOR =
+            new Parcelable.Creator<KeychainProtectionParameter>() {
+        public KeychainProtectionParameter createFromParcel(Parcel in) {
+            return new KeychainProtectionParameter(in);
         }
 
-        public RecoveryMetadata[] newArray(int length) {
-            return new RecoveryMetadata[length];
+        public KeychainProtectionParameter[] newArray(int length) {
+            return new KeychainProtectionParameter[length];
         }
     };
 
@@ -260,7 +274,7 @@ public final class RecoveryMetadata implements Parcelable {
     /**
      * @hide
      */
-    protected RecoveryMetadata(Parcel in) {
+    protected KeychainProtectionParameter(Parcel in) {
         mUserSecretType = in.readInt();
         mLockScreenUiFormat = in.readInt();
         mKeyDerivationParams = in.readTypedObject(KeyDerivationParams.CREATOR);
@@ -25,42 +25,48 @@ import com.android.internal.util.Preconditions;
 import java.util.List;
 
 /**
- * Helper class which returns data necessary to recover keys.
- * Contains
+ * A snapshot of a version of the keystore. Two events can trigger the generation of a new snapshot:
  *
  * <ul>
- * <li>Snapshot version.
- * <li>Recovery metadata with UI and key derivation parameters.
- * <li>List of application keys encrypted by recovery key.
- * <li>Encrypted recovery key.
+ *     <li>The user's lock screen changes. (A key derived from the user's lock screen is used to
+ *         protected the keychain, which is why this forces a new snapshot.)
+ *     <li>A key is added to or removed from the recoverable keychain.
  * </ul>
  *
+ * <p>The snapshot data is also encrypted with the remote trusted hardware's public key, so even
+ * the recovery agent itself should not be able to decipher the data. The recovery agent sends an
+ * instance of this to the remote trusted hardware whenever a new snapshot is generated. During a
+ * recovery flow, the recovery agent retrieves a snapshot from the remote trusted hardware. It then
+ * sends it to the framework, where it is decrypted using the user's lock screen from their previous
+ * device.
+ *
  * @hide
  */
-public final class RecoveryData implements Parcelable {
+public final class KeychainSnapshot implements Parcelable {
     private int mSnapshotVersion;
-    private List<RecoveryMetadata> mRecoveryMetadata;
-    private List<EntryRecoveryData> mEntryRecoveryData;
+    private List<KeychainProtectionParameter> mKeychainProtectionParams;
+    private List<WrappedApplicationKey> mEntryRecoveryData;
     private byte[] mEncryptedRecoveryKeyBlob;
 
     /**
      * @hide
      * Deprecated, consider using builder.
      */
-    public RecoveryData(
+    public KeychainSnapshot(
             int snapshotVersion,
-            @NonNull List<RecoveryMetadata> recoveryMetadata,
-            @NonNull List<EntryRecoveryData> entryRecoveryData,
+            @NonNull List<KeychainProtectionParameter> keychainProtectionParams,
+            @NonNull List<WrappedApplicationKey> wrappedApplicationKeys,
             @NonNull byte[] encryptedRecoveryKeyBlob) {
         mSnapshotVersion = snapshotVersion;
-        mRecoveryMetadata =
-                Preconditions.checkCollectionElementsNotNull(recoveryMetadata, "recoveryMetadata");
-        mEntryRecoveryData = Preconditions.checkCollectionElementsNotNull(entryRecoveryData,
-                "entryRecoveryData");
+        mKeychainProtectionParams =
+                Preconditions.checkCollectionElementsNotNull(keychainProtectionParams,
+                        "keychainProtectionParams");
+        mEntryRecoveryData = Preconditions.checkCollectionElementsNotNull(wrappedApplicationKeys,
+                "wrappedApplicationKeys");
         mEncryptedRecoveryKeyBlob = Preconditions.checkNotNull(encryptedRecoveryKeyBlob);
     }
 
-    private RecoveryData() {
+    private KeychainSnapshot() {
 
     }
 
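Review bot: The rename is only partly applied in this class: the field is still `mEntryRecoveryData` although its type is now `List<WrappedApplicationKey>` and the constructor parameter is `wrappedApplicationKeys`. The Builder hunks below carry the same leftovers: `setKeychainProtectionParams` and `setWrappedApplicationKeys` keep the parameter names `recoveryMetadata` and `entryRecoveryData`, and `build()` still passes the labels `"recoveryMetadata"` and `"entryRecoveryData"` to `Preconditions.checkCollectionElementsNotNull`, so a failure there names something different from what the constructor reports. I would rename the field to `mWrappedApplicationKeys` and use `"keychainProtectionParams"` and `"wrappedApplicationKeys"` in `build()`. Separately, the new class comment says "is used to protected the keychain", which should read "protect".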
@@ -75,15 +81,15 @@ public final class RecoveryData implements Parcelable {
     /**
      * UI and key derivation parameters. Note that combination of secrets may be used.
      */
-    public @NonNull List<RecoveryMetadata> getRecoveryMetadata() {
-        return mRecoveryMetadata;
+    public @NonNull List<KeychainProtectionParameter> getKeychainProtectionParams() {
+        return mKeychainProtectionParams;
     }
 
     /**
      * List of application keys, with key material encrypted by
      * the recovery key ({@link #getEncryptedRecoveryKeyBlob}).
      */
-    public @NonNull List<EntryRecoveryData> getEntryRecoveryData() {
+    public @NonNull List<WrappedApplicationKey> getWrappedApplicationKeys() {
         return mEntryRecoveryData;
     }
 
@@ -94,22 +100,22 @@ public final class RecoveryData implements Parcelable {
         return mEncryptedRecoveryKeyBlob;
     }
 
-    public static final Parcelable.Creator<RecoveryData> CREATOR =
-            new Parcelable.Creator<RecoveryData>() {
-        public RecoveryData createFromParcel(Parcel in) {
-            return new RecoveryData(in);
+    public static final Parcelable.Creator<KeychainSnapshot> CREATOR =
+            new Parcelable.Creator<KeychainSnapshot>() {
+        public KeychainSnapshot createFromParcel(Parcel in) {
+            return new KeychainSnapshot(in);
         }
 
-        public RecoveryData[] newArray(int length) {
-            return new RecoveryData[length];
+        public KeychainSnapshot[] newArray(int length) {
+            return new KeychainSnapshot[length];
         }
     };
 
     /**
-     * Builder for creating {@link RecoveryData}.
+     * Builder for creating {@link KeychainSnapshot}.
      */
     public static class Builder {
-        private RecoveryData mInstance = new RecoveryData();
+        private KeychainSnapshot mInstance = new KeychainSnapshot();
 
         /**
          * Snapshot version for given account.
@@ -128,8 +134,9 @@ public final class RecoveryData implements Parcelable {
          * @param recoveryMetadata The UI and key derivation parameters
          * @return This builder.
          */
-        public Builder setRecoveryMetadata(@NonNull List<RecoveryMetadata> recoveryMetadata) {
-            mInstance.mRecoveryMetadata = recoveryMetadata;
+        public Builder setKeychainProtectionParams(
+                @NonNull List<KeychainProtectionParameter> recoveryMetadata) {
+            mInstance.mKeychainProtectionParams = recoveryMetadata;
             return this;
         }
 
@@ -139,7 +146,7 @@ public final class RecoveryData implements Parcelable {
          * @param entryRecoveryData List of application keys
          * @return This builder.
          */
-        public Builder setEntryRecoveryData(List<EntryRecoveryData> entryRecoveryData) {
+        public Builder setWrappedApplicationKeys(List<WrappedApplicationKey> entryRecoveryData) {
             mInstance.mEntryRecoveryData = entryRecoveryData;
             return this;
         }
@@ -157,13 +164,13 @@ public final class RecoveryData implements Parcelable {
 
 
         /**
-         * Creates a new {@link RecoveryData} instance.
+         * Creates a new {@link KeychainSnapshot} instance.
          *
          * @return new instance
          * @throws NullPointerException if some required fields were not set.
          */
-        public @NonNull RecoveryData build() {
-            Preconditions.checkCollectionElementsNotNull(mInstance.mRecoveryMetadata,
+        @NonNull public KeychainSnapshot build() {
+            Preconditions.checkCollectionElementsNotNull(mInstance.mKeychainProtectionParams,
                     "recoveryMetadata");
             Preconditions.checkCollectionElementsNotNull(mInstance.mEntryRecoveryData,
                     "entryRecoveryData");
@@ -178,7 +185,7 @@ public final class RecoveryData implements Parcelable {
     @Override
     public void writeToParcel(Parcel out, int flags) {
         out.writeInt(mSnapshotVersion);
-        out.writeTypedList(mRecoveryMetadata);
+        out.writeTypedList(mKeychainProtectionParams);
         out.writeByteArray(mEncryptedRecoveryKeyBlob);
         out.writeTypedList(mEntryRecoveryData);
     }
@@ -186,11 +193,11 @@ public final class RecoveryData implements Parcelable {
     /**
      * @hide
      */
-    protected RecoveryData(Parcel in) {
+    protected KeychainSnapshot(Parcel in) {
         mSnapshotVersion = in.readInt();
-        mRecoveryMetadata = in.createTypedArrayList(RecoveryMetadata.CREATOR);
+        mKeychainProtectionParams = in.createTypedArrayList(KeychainProtectionParameter.CREATOR);
         mEncryptedRecoveryKeyBlob = in.createByteArray();
-        mEntryRecoveryData = in.createTypedArrayList(EntryRecoveryData.CREATOR);
+        mEntryRecoveryData = in.createTypedArrayList(WrappedApplicationKey.CREATOR);
     }
 
     @Override
index 99bd284..bddf3e8 100644 (file)
@@ -99,11 +99,11 @@ public class RecoveryManager {
      * @return Data necessary to recover keystore.
      * @hide
      */
-    public @NonNull RecoveryData getRecoveryData(@NonNull byte[] account)
+    @NonNull public KeychainSnapshot getRecoveryData(@NonNull byte[] account)
             throws RecoveryManagerException {
         try {
-            RecoveryData recoveryData = mBinder.getRecoveryData(account);
-            return recoveryData;
+            KeychainSnapshot keychainSnapshot = mBinder.getRecoveryData(account);
+            return keychainSnapshot;
         } catch (RemoteException e) {
             throw e.rethrowFromSystemServer();
         } catch (ServiceSpecificException e) {
@@ -136,7 +136,7 @@ public class RecoveryManager {
      * version. Version zero is used, if no snapshots were created for the account.
      *
      * @return Map from recovery agent accounts to snapshot versions.
-     * @see RecoveryData#getSnapshotVersion
+     * @see KeychainSnapshot#getSnapshotVersion
      * @hide
      */
     public @NonNull Map<byte[], Integer> getRecoverySnapshotVersions()
@@ -156,7 +156,7 @@ public class RecoveryManager {
 
     /**
      * Server parameters used to generate new recovery key blobs. This value will be included in
-     * {@code RecoveryData.getEncryptedRecoveryKeyBlob()}. The same value must be included
+     * {@code KeychainSnapshot.getEncryptedRecoveryKeyBlob()}. The same value must be included
      * in vaultParams {@link #startRecoverySession}
      *
      * @param serverParams included in recovery key blob.
@@ -230,11 +230,11 @@ public class RecoveryManager {
      * Specifies a set of secret types used for end-to-end keystore encryption. Knowing all of them
      * is necessary to recover data.
      *
-     * @param secretTypes {@link RecoveryMetadata#TYPE_LOCKSCREEN} or {@link
-     *     RecoveryMetadata#TYPE_CUSTOM_PASSWORD}
+     * @param secretTypes {@link KeychainProtectionParameter#TYPE_LOCKSCREEN} or {@link
+     *     KeychainProtectionParameter#TYPE_CUSTOM_PASSWORD}
      */
     public void setRecoverySecretTypes(
-            @NonNull @RecoveryMetadata.UserSecretType int[] secretTypes)
+            @NonNull @KeychainProtectionParameter.UserSecretType int[] secretTypes)
             throws RecoveryManagerException {
         try {
             mBinder.setRecoverySecretTypes(secretTypes);
@@ -247,12 +247,12 @@ public class RecoveryManager {
 
     /**
      * Defines a set of secret types used for end-to-end keystore encryption. Knowing all of them is
-     * necessary to generate RecoveryData.
+     * necessary to generate KeychainSnapshot.
      *
      * @return list of recovery secret types
-     * @see RecoveryData
+     * @see KeychainSnapshot
      */
-    public @NonNull @RecoveryMetadata.UserSecretType int[] getRecoverySecretTypes()
+    @NonNull public @KeychainProtectionParameter.UserSecretType int[] getRecoverySecretTypes()
             throws RecoveryManagerException {
         try {
             return mBinder.getRecoverySecretTypes();
@@ -271,7 +271,8 @@ public class RecoveryManager {
      * @return list of recovery secret types
      * @hide
      */
-    public @NonNull @RecoveryMetadata.UserSecretType int[] getPendingRecoverySecretTypes()
+    @NonNull
+    public @KeychainProtectionParameter.UserSecretType int[] getPendingRecoverySecretTypes()
             throws RecoveryManagerException {
         try {
             return mBinder.getPendingRecoverySecretTypes();
@@ -285,14 +286,14 @@ public class RecoveryManager {
     /**
      * Method notifies KeyStore that a user-generated secret is available. This method generates a
      * symmetric session key which a trusted remote device can use to return a recovery key. Caller
-     * should use {@link RecoveryMetadata#clearSecret} to override the secret value in
+     * should use {@link KeychainProtectionParameter#clearSecret} to override the secret value in
      * memory.
      *
      * @param recoverySecret user generated secret together with parameters necessary to regenerate
      *     it on a new device.
      * @hide
      */
-    public void recoverySecretAvailable(@NonNull RecoveryMetadata recoverySecret)
+    public void recoverySecretAvailable(@NonNull KeychainProtectionParameter recoverySecret)
             throws RecoveryManagerException {
         try {
             mBinder.recoverySecretAvailable(recoverySecret);
@@ -326,7 +327,7 @@ public class RecoveryManager {
             @NonNull byte[] verifierPublicKey,
             @NonNull byte[] vaultParams,
             @NonNull byte[] vaultChallenge,
-            @NonNull List<RecoveryMetadata> secrets)
+            @NonNull List<KeychainProtectionParameter> secrets)
             throws RecoveryManagerException {
         try {
             byte[] recoveryClaim =
@@ -352,13 +353,13 @@ public class RecoveryManager {
      * @param recoveryKeyBlob Recovery blob encrypted by symmetric key generated for this session.
      * @param applicationKeys Application keys. Key material can be decrypted using recoveryKeyBlob
      *     and session. KeyStore only uses package names from the application info in {@link
-     *     EntryRecoveryData}. Caller is responsibility to perform certificates check.
+     *     WrappedApplicationKey}. Caller is responsibility to perform certificates check.
      * @return Map from alias to raw key material.
      */
     public Map<String, byte[]> recoverKeys(
             @NonNull String sessionId,
             @NonNull byte[] recoveryKeyBlob,
-            @NonNull List<EntryRecoveryData> applicationKeys)
+            @NonNull List<WrappedApplicationKey> applicationKeys)
             throws RecoveryManagerException {
         try {
             return (Map<String, byte[]>) mBinder.recoverKeys(
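Review bot: The `applicationKeys` parameter doc states a security obligation in a sentence that is hard to parse: "Caller is responsibility to perform certificates check." Because, per this comment, KeyStore only uses the package names from `WrappedApplicationKey`, the caller's check is the only verification mentioned here and deserves precise wording, e.g. `The caller is responsible for performing the certificate check.` It would also help to say which certificates are meant, which the hunk does not show. The method body continues outside the hunk.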
@@ -35,16 +35,16 @@ import com.android.internal.util.Preconditions;
  *
  * @hide
  */
-public final class EntryRecoveryData implements Parcelable {
+public final class WrappedApplicationKey implements Parcelable {
     private String mAlias;
     // The only supported format is AES-256 symmetric key.
     private byte[] mEncryptedKeyMaterial;
 
     /**
-     * Builder for creating {@link EntryRecoveryData}.
+     * Builder for creating {@link WrappedApplicationKey}.
      */
     public static class Builder {
-        private EntryRecoveryData mInstance = new EntryRecoveryData();
+        private WrappedApplicationKey mInstance = new WrappedApplicationKey();
 
         /**
          * Sets Application-specific alias of the key.
@@ -70,19 +70,19 @@ public final class EntryRecoveryData implements Parcelable {
         }
 
         /**
-         * Creates a new {@link EntryRecoveryData} instance.
+         * Creates a new {@link WrappedApplicationKey} instance.
          *
          * @return new instance
          * @throws NullPointerException if some required fields were not set.
          */
-        public @NonNull EntryRecoveryData build() {
+        @NonNull public WrappedApplicationKey build() {
             Preconditions.checkNotNull(mInstance.mAlias);
             Preconditions.checkNotNull(mInstance.mEncryptedKeyMaterial);
             return mInstance;
         }
     }
 
-    private EntryRecoveryData() {
+    private WrappedApplicationKey() {
 
     }
 
@@ -90,7 +90,7 @@ public final class EntryRecoveryData implements Parcelable {
      * Deprecated - consider using Builder.
      * @hide
      */
-    public EntryRecoveryData(@NonNull String alias, @NonNull byte[] encryptedKeyMaterial) {
+    public WrappedApplicationKey(@NonNull String alias, @NonNull byte[] encryptedKeyMaterial) {
         mAlias = Preconditions.checkNotNull(alias);
         mEncryptedKeyMaterial = Preconditions.checkNotNull(encryptedKeyMaterial);
     }
@@ -109,14 +109,14 @@ public final class EntryRecoveryData implements Parcelable {
         return mEncryptedKeyMaterial;
     }
 
-    public static final Parcelable.Creator<EntryRecoveryData> CREATOR =
-            new Parcelable.Creator<EntryRecoveryData>() {
-                public EntryRecoveryData createFromParcel(Parcel in) {
-                    return new EntryRecoveryData(in);
+    public static final Parcelable.Creator<WrappedApplicationKey> CREATOR =
+            new Parcelable.Creator<WrappedApplicationKey>() {
+                public WrappedApplicationKey createFromParcel(Parcel in) {
+                    return new WrappedApplicationKey(in);
                 }
 
-                public EntryRecoveryData[] newArray(int length) {
-                    return new EntryRecoveryData[length];
+                public WrappedApplicationKey[] newArray(int length) {
+                    return new WrappedApplicationKey[length];
                 }
             };
 
@@ -132,7 +132,7 @@ public final class EntryRecoveryData implements Parcelable {
     /**
      * @hide
      */
-    protected EntryRecoveryData(Parcel in) {
+    protected WrappedApplicationKey(Parcel in) {
         mAlias = in.readString();
         mEncryptedKeyMaterial = in.createByteArray();
     }
index 31d22e0..b2bab6f 100644 (file)
@@ -19,9 +19,9 @@ package com.android.internal.widget;
 import android.app.PendingIntent;
 import android.app.trust.IStrongAuthTracker;
 import android.os.Bundle;
-import android.security.keystore.EntryRecoveryData;
-import android.security.keystore.RecoveryData;
-import android.security.keystore.RecoveryMetadata;
+import android.security.keystore.WrappedApplicationKey;
+import android.security.keystore.KeychainSnapshot;
+import android.security.keystore.KeychainProtectionParameter;
 import com.android.internal.widget.ICheckCredentialProgressCallback;
 import com.android.internal.widget.VerifyCredentialResponse;
 
@@ -64,7 +64,7 @@ interface ILockSettings {
     // {@code ServiceSpecificException} may be thrown to signal an error, which caller can
     // convert to  {@code RecoveryManagerException}.
     void initRecoveryService(in String rootCertificateAlias, in byte[] signedPublicKeyList);
-    RecoveryData getRecoveryData(in byte[] account);
+    KeychainSnapshot getRecoveryData(in byte[] account);
     byte[] generateAndStoreKey(String alias);
     void removeKey(String alias);
     void setSnapshotCreatedPendingIntent(in PendingIntent intent);
@@ -75,10 +75,10 @@ interface ILockSettings {
     void setRecoverySecretTypes(in int[] secretTypes);
     int[] getRecoverySecretTypes();
     int[] getPendingRecoverySecretTypes();
-    void recoverySecretAvailable(in RecoveryMetadata recoverySecret);
+    void recoverySecretAvailable(in KeychainProtectionParameter recoverySecret);
     byte[] startRecoverySession(in String sessionId,
             in byte[] verifierPublicKey, in byte[] vaultParams, in byte[] vaultChallenge,
-            in List<RecoveryMetadata> secrets);
+            in List<KeychainProtectionParameter> secrets);
     Map/*<String, byte[]>*/ recoverKeys(in String sessionId, in byte[] recoveryKeyBlob,
-            in List<EntryRecoveryData> applicationKeys);
+            in List<WrappedApplicationKey> applicationKeys);
 }
index ee08c38..d116c5d 100644 (file)
@@ -63,7 +63,6 @@ import android.os.Process;
 import android.os.RemoteException;
 import android.os.ResultReceiver;
 import android.os.ServiceManager;
-import android.os.ServiceSpecificException;
 import android.os.ShellCallback;
 import android.os.StrictMode;
 import android.os.SystemProperties;
@@ -78,11 +77,10 @@ import android.security.KeyStore;
 import android.security.keystore.AndroidKeyStoreProvider;
 import android.security.keystore.KeyProperties;
 import android.security.keystore.KeyProtection;
+import android.security.keystore.KeychainProtectionParameter;
 import android.security.keystore.UserNotAuthenticatedException;
-import android.security.keystore.EntryRecoveryData;
-import android.security.keystore.RecoveryData;
-import android.security.keystore.RecoveryMetadata;
-import android.security.keystore.RecoveryManagerException;
+import android.security.keystore.WrappedApplicationKey;
+import android.security.keystore.KeychainSnapshot;
 import android.service.gatekeeper.GateKeeperResponse;
 import android.service.gatekeeper.IGateKeeperService;
 import android.text.TextUtils;
@@ -1968,7 +1966,7 @@ public class LockSettingsService extends ILockSettings.Stub {
     }
 
     @Override
-    public RecoveryData getRecoveryData(@NonNull byte[] account) throws RemoteException {
+    public KeychainSnapshot getRecoveryData(@NonNull byte[] account) throws RemoteException {
         return mRecoverableKeyStoreManager.getRecoveryData(account);
     }
 
@@ -1997,7 +1995,7 @@ public class LockSettingsService extends ILockSettings.Stub {
     }
 
     @Override
-    public void setRecoverySecretTypes(@NonNull @RecoveryMetadata.UserSecretType
+    public void setRecoverySecretTypes(@NonNull @KeychainProtectionParameter.UserSecretType
             int[] secretTypes) throws RemoteException {
         mRecoverableKeyStoreManager.setRecoverySecretTypes(secretTypes);
     }
@@ -2014,7 +2012,7 @@ public class LockSettingsService extends ILockSettings.Stub {
     }
 
     @Override
-    public void recoverySecretAvailable(@NonNull RecoveryMetadata recoverySecret)
+    public void recoverySecretAvailable(@NonNull KeychainProtectionParameter recoverySecret)
             throws RemoteException {
         mRecoverableKeyStoreManager.recoverySecretAvailable(recoverySecret);
     }
@@ -2022,7 +2020,7 @@ public class LockSettingsService extends ILockSettings.Stub {
     @Override
     public byte[] startRecoverySession(@NonNull String sessionId,
             @NonNull byte[] verifierPublicKey, @NonNull byte[] vaultParams,
-            @NonNull byte[] vaultChallenge, @NonNull List<RecoveryMetadata> secrets)
+            @NonNull byte[] vaultChallenge, @NonNull List<KeychainProtectionParameter> secrets)
             throws RemoteException {
         return mRecoverableKeyStoreManager.startRecoverySession(sessionId, verifierPublicKey,
                 vaultParams, vaultChallenge, secrets);
@@ -2030,7 +2028,7 @@ public class LockSettingsService extends ILockSettings.Stub {
 
     @Override
     public Map<String, byte[]> recoverKeys(@NonNull String sessionId,
-            @NonNull byte[] recoveryKeyBlob, @NonNull List<EntryRecoveryData> applicationKeys)
+            @NonNull byte[] recoveryKeyBlob, @NonNull List<WrappedApplicationKey> applicationKeys)
             throws RemoteException {
         return mRecoverableKeyStoreManager.recoverKeys(
                 sessionId, recoveryKeyBlob, applicationKeys);
index 5fe11b1..38745f6 100644 (file)
 
 package com.android.server.locksettings.recoverablekeystore;
 
-import static android.security.keystore.RecoveryMetadata.TYPE_LOCKSCREEN;
+import static android.security.keystore.KeychainProtectionParameter.TYPE_LOCKSCREEN;
 
-import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.content.Context;
 import android.security.keystore.KeyDerivationParams;
-import android.security.keystore.EntryRecoveryData;
-import android.security.keystore.RecoveryData;
-import android.security.keystore.RecoveryMetadata;
+import android.security.keystore.KeychainProtectionParameter;
+import android.security.keystore.KeychainSnapshot;
+import android.security.keystore.WrappedApplicationKey;
 import android.util.Log;
 
 import com.android.internal.annotations.VisibleForTesting;
@@ -251,12 +250,12 @@ public class KeySyncTask implements Runnable {
         }
         // TODO: store raw data in RecoveryServiceMetadataEntry and generate Parcelables later
         // TODO: use Builder.
-        RecoveryMetadata metadata = new RecoveryMetadata(
+        KeychainProtectionParameter metadata = new KeychainProtectionParameter(
                 /*userSecretType=*/ TYPE_LOCKSCREEN,
                 /*lockScreenUiFormat=*/ getUiFormat(mCredentialType, mCredential),
                 /*keyDerivationParams=*/ KeyDerivationParams.createSha256Params(salt),
                 /*secret=*/ new byte[0]);
-        ArrayList<RecoveryMetadata> metadataList = new ArrayList<>();
+        ArrayList<KeychainProtectionParameter> metadataList = new ArrayList<>();
         metadataList.add(metadata);
 
         int snapshotVersion = incrementSnapshotVersion(recoveryAgentUid);
@@ -265,7 +264,7 @@ public class KeySyncTask implements Runnable {
         mRecoverableKeyStoreDb.setShouldCreateSnapshot(mUserId, recoveryAgentUid, false);
 
         // TODO: use Builder.
-        mRecoverySnapshotStorage.put(recoveryAgentUid, new RecoveryData(
+        mRecoverySnapshotStorage.put(recoveryAgentUid, new KeychainSnapshot(
                 snapshotVersion,
                 /*recoveryMetadata=*/ metadataList,
                 /*applicationKeyBlobs=*/ createApplicationKeyEntries(encryptedApplicationKeys),
@@ -308,7 +307,7 @@ public class KeySyncTask implements Runnable {
      */
     private boolean shoudCreateSnapshot(int recoveryAgentUid) {
         int[] types = mRecoverableKeyStoreDb.getRecoverySecretTypes(mUserId, recoveryAgentUid);
-        if (!ArrayUtils.contains(types, RecoveryMetadata.TYPE_LOCKSCREEN)) {
+        if (!ArrayUtils.contains(types, KeychainProtectionParameter.TYPE_LOCKSCREEN)) {
             // Only lockscreen type is supported.
             // We will need to pass extra argument to KeySyncTask to support custom pass phrase.
             return false;
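Review bot: This check uses the qualified `KeychainProtectionParameter.TYPE_LOCKSCREEN`, although the commit adds a static import of `TYPE_LOCKSCREEN` to this file and the constructor call above uses the bare name. Writing `if (!ArrayUtils.contains(types, TYPE_LOCKSCREEN)) {` would keep the file consistent. The method name `shoudCreateSnapshot` is also missing an `l`; it is private, so renaming it to `shouldCreateSnapshot` in the same rename change is low risk. The method body continues outside the hunk.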
@@ -331,14 +330,14 @@ public class KeySyncTask implements Runnable {
      * @return The format - either pattern, pin, or password.
      */
     @VisibleForTesting
-    @RecoveryMetadata.LockScreenUiFormat static int getUiFormat(
+    @KeychainProtectionParameter.LockScreenUiFormat static int getUiFormat(
             int credentialType, String credential) {
         if (credentialType == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {
-            return RecoveryMetadata.TYPE_PATTERN;
+            return KeychainProtectionParameter.TYPE_PATTERN;
         } else if (isPin(credential)) {
-            return RecoveryMetadata.TYPE_PIN;
+            return KeychainProtectionParameter.TYPE_PIN;
         } else {
-            return RecoveryMetadata.TYPE_PASSWORD;
+            return KeychainProtectionParameter.TYPE_PASSWORD;
         }
     }
 
@@ -401,12 +400,12 @@ public class KeySyncTask implements Runnable {
         return keyGenerator.generateKey();
     }
 
-    private static List<EntryRecoveryData> createApplicationKeyEntries(
+    private static List<WrappedApplicationKey> createApplicationKeyEntries(
             Map<String, byte[]> encryptedApplicationKeys) {
-        ArrayList<EntryRecoveryData> keyEntries = new ArrayList<>();
+        ArrayList<WrappedApplicationKey> keyEntries = new ArrayList<>();
         for (String alias : encryptedApplicationKeys.keySet()) {
             keyEntries.add(
-                    new EntryRecoveryData(
+                    new WrappedApplicationKey(
                             alias,
                             encryptedApplicationKeys.get(alias)));
         }
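Review bot: The loop in `createApplicationKeyEntries` walks `keySet()` and then calls `get(alias)` for every alias, which is a second lookup per entry and reads less directly than iterating the entries. Consider `for (Map.Entry<String, byte[]> entry : encryptedApplicationKeys.entrySet()) {` with `keyEntries.add(new WrappedApplicationKey(entry.getKey(), entry.getValue()));`. The local could also be declared as `List<WrappedApplicationKey>` to match the return type. The method's return statement lies outside the hunk.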
index 7658178..f14af4b 100644 (file)
@@ -34,9 +34,9 @@ import android.os.RemoteException;
 import android.os.ServiceSpecificException;
 import android.os.UserHandle;
 
-import android.security.keystore.EntryRecoveryData;
-import android.security.keystore.RecoveryData;
-import android.security.keystore.RecoveryMetadata;
+import android.security.keystore.KeychainProtectionParameter;
+import android.security.keystore.KeychainSnapshot;
+import android.security.keystore.WrappedApplicationKey;
 import android.security.keystore.RecoveryManager;
 import android.util.Log;
 
@@ -45,7 +45,6 @@ import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKe
 import com.android.server.locksettings.recoverablekeystore.storage.RecoverySessionStorage;
 import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage;
 
-import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.KeyStoreException;
 import java.security.KeyFactory;
@@ -171,11 +170,12 @@ public class RecoverableKeyStoreManager {
      * @return recovery data
      * @hide
      */
-    public @NonNull RecoveryData getRecoveryData(@NonNull byte[] account)
+    public @NonNull
+    KeychainSnapshot getRecoveryData(@NonNull byte[] account)
             throws RemoteException {
         checkRecoverKeyStorePermission();
         int uid = Binder.getCallingUid();
-        RecoveryData snapshot = mSnapshotStorage.get(uid);
+        KeychainSnapshot snapshot = mSnapshotStorage.get(uid);
         if (snapshot == null) {
             throw new ServiceSpecificException(ERROR_NO_SNAPSHOT_PENDING);
         }
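Review bot: The signature of `getRecoveryData` is now split as `public @NonNull` on one line and `KeychainSnapshot getRecoveryData(...)` on the next, which looks like a refactoring-tool artefact and separates the annotation from the type it applies to. Keeping it on one line, `public @NonNull KeychainSnapshot getRecoveryData(@NonNull byte[] account)`, matches the other signatures in this file. The method name and the `@return recovery data` Javadoc still use the old term; if the name has to stay for the AIDL interface, a one-line Javadoc note that it returns the latest `KeychainSnapshot` for the calling uid would help. The method body continues outside the hunk.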
@@ -257,7 +257,7 @@ public class RecoverableKeyStoreManager {
      * @hide
      */
     public void setRecoverySecretTypes(
-            @NonNull @RecoveryMetadata.UserSecretType int[] secretTypes)
+            @NonNull @KeychainProtectionParameter.UserSecretType int[] secretTypes)
             throws RemoteException {
         checkRecoverKeyStorePermission();
         int userId = UserHandle.getCallingUserId();
@@ -292,9 +292,9 @@ public class RecoverableKeyStoreManager {
     }
 
     public void recoverySecretAvailable(
-            @NonNull RecoveryMetadata recoverySecret) throws RemoteException {
+            @NonNull KeychainProtectionParameter recoverySecret) throws RemoteException {
         int uid = Binder.getCallingUid();
-        if (recoverySecret.getLockScreenUiFormat() == RecoveryMetadata.TYPE_LOCKSCREEN) {
+        if (recoverySecret.getLockScreenUiFormat() == KeychainProtectionParameter.TYPE_LOCKSCREEN) {
             throw new SecurityException(
                     "Caller " + uid + " is not allowed to set lock screen secret");
         }
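Review bot: The guard in `recoverySecretAvailable` compares `getLockScreenUiFormat()` with `KeychainProtectionParameter.TYPE_LOCKSCREEN`, but the constructor call in the KeySyncTask hunk passes `TYPE_LOCKSCREEN` as `userSecretType` and a pattern/PIN/password value as `lockScreenUiFormat`, so this looks like the wrong field. As written, the check meant to stop a caller from supplying a lock screen secret does not appear to test the secret type at all. It should probably read `if (recoverySecret.getUserSecretType() == KeychainProtectionParameter.TYPE_LOCKSCREEN) {`, assuming the class exposes that getter. Unlike the other entry points shown in this file's hunks, no `checkRecoverKeyStorePermission()` call is visible before `Binder.getCallingUid()`; the body continues outside the hunk, so confirm whether the permission is enforced further down. A test that passes a `TYPE_LOCKSCREEN` parameter and expects `SecurityException` would pin the intended behaviour.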
@@ -320,13 +320,13 @@ public class RecoverableKeyStoreManager {
             @NonNull byte[] verifierPublicKey,
             @NonNull byte[] vaultParams,
             @NonNull byte[] vaultChallenge,
-            @NonNull List<RecoveryMetadata> secrets)
+            @NonNull List<KeychainProtectionParameter> secrets)
             throws RemoteException {
         checkRecoverKeyStorePermission();
         int uid = Binder.getCallingUid();
 
         if (secrets.size() != 1) {
-            throw new UnsupportedOperationException("Only a single RecoveryMetadata is supported");
+            throw new UnsupportedOperationException("Only a single KeychainProtectionParameter is supported");
         }
 
         PublicKey publicKey;
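Review bot: The size check here throws `UnsupportedOperationException`, while the RecoverableKeyStoreManagerTest hunk that asserts the same message text catches `ServiceSpecificException`. If that test drives this branch, the exception would escape the `catch` rather than reach the assertion, so one of the two types should be aligned; the test's call site is outside the visible hunk, so confirm. The renamed `throw` line is also now about 110 columns wide. Wrapping it as `throw new UnsupportedOperationException(` followed by `"Only a single KeychainProtectionParameter is supported");` on a continuation line keeps it within the usual 100-column limit.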
@@ -384,7 +384,7 @@ public class RecoverableKeyStoreManager {
     public Map<String, byte[]> recoverKeys(
             @NonNull String sessionId,
             @NonNull byte[] encryptedRecoveryKey,
-            @NonNull List<EntryRecoveryData> applicationKeys)
+            @NonNull List<WrappedApplicationKey> applicationKeys)
             throws RemoteException {
         checkRecoverKeyStorePermission();
         int uid = Binder.getCallingUid();
@@ -474,9 +474,9 @@ public class RecoverableKeyStoreManager {
      */
     private Map<String, byte[]> recoverApplicationKeys(
             @NonNull byte[] recoveryKey,
-            @NonNull List<EntryRecoveryData> applicationKeys) throws RemoteException {
+            @NonNull List<WrappedApplicationKey> applicationKeys) throws RemoteException {
         HashMap<String, byte[]> keyMaterialByAlias = new HashMap<>();
-        for (EntryRecoveryData applicationKey : applicationKeys) {
+        for (WrappedApplicationKey applicationKey : applicationKeys) {
             String alias = applicationKey.getAlias();
             byte[] encryptedKeyMaterial = applicationKey.getEncryptedKeyMaterial();
 
index eb2da80..8bba212 100644 (file)
@@ -404,7 +404,7 @@ public class RecoverableKeyStoreDb {
     /**
      * Updates the list of user secret types used for end-to-end encryption.
      * If no secret types are set, recovery snapshot will not be created.
-     * See {@code RecoveryMetadata}
+     * See {@code KeychainProtectionParameter}
      *
      * @param userId The userId of the profile the application is running under.
      * @param uid The uid of the application.
index 158b1e3..62bb41e 100644 (file)
@@ -17,7 +17,7 @@
 package com.android.server.locksettings.recoverablekeystore.storage;
 
 import android.annotation.Nullable;
-import android.security.keystore.RecoveryData;
+import android.security.keystore.KeychainSnapshot;
 import android.util.SparseArray;
 
 import com.android.internal.annotations.GuardedBy;
@@ -34,12 +34,12 @@ import com.android.internal.annotations.GuardedBy;
  */
 public class RecoverySnapshotStorage {
     @GuardedBy("this")
-    private final SparseArray<RecoveryData> mSnapshotByUid = new SparseArray<>();
+    private final SparseArray<KeychainSnapshot> mSnapshotByUid = new SparseArray<>();
 
     /**
      * Sets the latest {@code snapshot} for the recovery agent {@code uid}.
      */
-    public synchronized void put(int uid, RecoveryData snapshot) {
+    public synchronized void put(int uid, KeychainSnapshot snapshot) {
         mSnapshotByUid.put(uid, snapshot);
     }
 
@@ -47,7 +47,7 @@ public class RecoverySnapshotStorage {
      * Returns the latest snapshot for the recovery agent {@code uid}, or null if none exists.
      */
     @Nullable
-    public synchronized RecoveryData get(int uid) {
+    public synchronized KeychainSnapshot get(int uid) {
         return mSnapshotByUid.get(uid);
     }
 
index 9eb42e9..c1789ba 100644 (file)
 
 package com.android.server.locksettings.recoverablekeystore;
 
-import static android.security.keystore.RecoveryMetadata.TYPE_LOCKSCREEN;
+import static android.security.keystore.KeychainProtectionParameter.TYPE_LOCKSCREEN;
 
-import static android.security.keystore.RecoveryMetadata.TYPE_PASSWORD;
-import static android.security.keystore.RecoveryMetadata.TYPE_PATTERN;
-import static android.security.keystore.RecoveryMetadata.TYPE_PIN;
+import static android.security.keystore.KeychainProtectionParameter.TYPE_PASSWORD;
+import static android.security.keystore.KeychainProtectionParameter.TYPE_PATTERN;
+import static android.security.keystore.KeychainProtectionParameter.TYPE_PIN;
 
 import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD;
 import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN;
@@ -41,8 +41,8 @@ import android.security.keystore.AndroidKeyStoreSecretKey;
 import android.security.keystore.KeyGenParameterSpec;
 import android.security.keystore.KeyProperties;
 import android.security.keystore.KeyDerivationParams;
-import android.security.keystore.EntryRecoveryData;
-import android.security.keystore.RecoveryData;
+import android.security.keystore.KeychainSnapshot;
+import android.security.keystore.WrappedApplicationKey;
 import android.support.test.InstrumentationRegistry;
 import android.support.test.filters.SmallTest;
 import android.support.test.runner.AndroidJUnit4;
@@ -283,9 +283,9 @@ public class KeySyncTaskTest {
                 addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS);
         mKeySyncTask.run();
 
-        RecoveryData recoveryData = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
+        KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
         KeyDerivationParams KeyDerivationParams =
-                recoveryData.getRecoveryMetadata().get(0).getKeyDerivationParams();
+                keychainSnapshot.getKeychainProtectionParams().get(0).getKeyDerivationParams();
         assertThat(KeyDerivationParams.getAlgorithm()).isEqualTo(
                 KeyDerivationParams.ALGORITHM_SHA256);
         verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID);
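Review bot: The local variable on the line after the renamed snapshot lookup is declared as `KeyDerivationParams KeyDerivationParams`, which shadows the class name. The following `KeyDerivationParams.getAlgorithm()` and `KeyDerivationParams.ALGORITHM_SHA256` therefore both resolve through the variable, which is hard to read and accesses a static field via an instance. Since the commit already touches the initializer, rename the local, e.g. `KeyDerivationParams keyDerivationParams =` and `assertThat(keyDerivationParams.getAlgorithm())`. The test method starts outside the hunk.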
@@ -296,15 +296,15 @@ public class KeySyncTaskTest {
         assertThat(counterId).isNotNull();
         byte[] recoveryKey = decryptThmEncryptedKey(
                 lockScreenHash,
-                recoveryData.getEncryptedRecoveryKeyBlob(),
+                keychainSnapshot.getEncryptedRecoveryKeyBlob(),
                 /*vaultParams=*/ KeySyncUtils.packVaultParams(
                         mKeyPair.getPublic(),
                         counterId,
                         TEST_DEVICE_ID,
                         /*maxAttempts=*/ 10));
-        List<EntryRecoveryData> applicationKeys = recoveryData.getEntryRecoveryData();
+        List<WrappedApplicationKey> applicationKeys = keychainSnapshot.getWrappedApplicationKeys();
         assertThat(applicationKeys).hasSize(1);
-        EntryRecoveryData keyData = applicationKeys.get(0);
+        WrappedApplicationKey keyData = applicationKeys.get(0);
         assertEquals(TEST_APP_KEY_ALIAS, keyData.getAlias());
         assertThat(keyData.getAlias()).isEqualTo(keyData.getAlias());
         byte[] appKey = KeySyncUtils.decryptApplicationKey(
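Review bot: The assertion `assertThat(keyData.getAlias()).isEqualTo(keyData.getAlias());` compares a value with itself, so it can never fail and verifies nothing about the renamed `WrappedApplicationKey`. The preceding `assertEquals(TEST_APP_KEY_ALIAS, keyData.getAlias());` already covers the alias, so the line can be dropped. If a second check was intended, assert on the key material instead. The test method starts and ends outside the hunk.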
@@ -322,14 +322,14 @@ public class KeySyncTaskTest {
 
         mKeySyncTask.run();
 
-        RecoveryData recoveryData = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
-        assertThat(recoveryData.getSnapshotVersion()).isEqualTo(1); // default value;
+        KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
+        assertThat(keychainSnapshot.getSnapshotVersion()).isEqualTo(1); // default value;
         mRecoverableKeyStoreDb.setShouldCreateSnapshot(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, true);
 
         mKeySyncTask.run();
 
-        recoveryData = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
-        assertThat(recoveryData.getSnapshotVersion()).isEqualTo(2); // Updated
+        keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
+        assertThat(keychainSnapshot.getSnapshotVersion()).isEqualTo(2); // Updated
     }
 
     @Test
@@ -352,9 +352,9 @@ public class KeySyncTaskTest {
 
         mKeySyncTask.run();
 
-        RecoveryData recoveryData = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
-        assertThat(recoveryData.getRecoveryMetadata()).hasSize(1);
-        assertThat(recoveryData.getRecoveryMetadata().get(0).getLockScreenUiFormat()).
+        KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
+        assertThat(keychainSnapshot.getKeychainProtectionParams()).hasSize(1);
+        assertThat(keychainSnapshot.getKeychainProtectionParams().get(0).getLockScreenUiFormat()).
                 isEqualTo(TYPE_PASSWORD);
     }
 
@@ -378,10 +378,10 @@ public class KeySyncTaskTest {
 
         mKeySyncTask.run();
 
-        RecoveryData recoveryData = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
-        assertThat(recoveryData.getRecoveryMetadata()).hasSize(1);
+        KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
+        assertThat(keychainSnapshot.getKeychainProtectionParams()).hasSize(1);
         // Password with only digits is changed to pin.
-        assertThat(recoveryData.getRecoveryMetadata().get(0).getLockScreenUiFormat()).
+        assertThat(keychainSnapshot.getKeychainProtectionParams().get(0).getLockScreenUiFormat()).
                 isEqualTo(TYPE_PIN);
     }
 
@@ -405,9 +405,9 @@ public class KeySyncTaskTest {
 
         mKeySyncTask.run();
 
-        RecoveryData recoveryData = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
-        assertThat(recoveryData.getRecoveryMetadata()).hasSize(1);
-        assertThat(recoveryData.getRecoveryMetadata().get(0).getLockScreenUiFormat()).
+        KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID);
+        assertThat(keychainSnapshot.getKeychainProtectionParams()).hasSize(1);
+        assertThat(keychainSnapshot.getKeychainProtectionParams().get(0).getLockScreenUiFormat()).
                 isEqualTo(TYPE_PATTERN);
     }
 
index 1bdcf47..3715742 100644 (file)
@@ -16,8 +16,8 @@
 
 package com.android.server.locksettings.recoverablekeystore;
 
-import static android.security.keystore.RecoveryMetadata.TYPE_LOCKSCREEN;
-import static android.security.keystore.RecoveryMetadata.TYPE_PASSWORD;
+import static android.security.keystore.KeychainProtectionParameter.TYPE_LOCKSCREEN;
+import static android.security.keystore.KeychainProtectionParameter.TYPE_PASSWORD;
 
 import static com.google.common.truth.Truth.assertThat;
 import static org.junit.Assert.assertArrayEquals;
@@ -43,9 +43,8 @@ import android.security.keystore.AndroidKeyStoreSecretKey;
 import android.security.keystore.KeyGenParameterSpec;
 import android.security.keystore.KeyProperties;
 import android.security.keystore.KeyDerivationParams;
-import android.security.keystore.EntryRecoveryData;
-import android.security.keystore.RecoveryMetadata;
-import android.security.keystore.RecoveryManager;
+import android.security.keystore.KeychainProtectionParameter;
+import android.security.keystore.WrappedApplicationKey;
 import android.support.test.filters.SmallTest;
 import android.support.test.InstrumentationRegistry;
 import android.support.test.runner.AndroidJUnit4;
@@ -251,7 +250,7 @@ public class RecoverableKeyStoreManagerTest {
                 TEST_VAULT_PARAMS,
                 TEST_VAULT_CHALLENGE,
                 ImmutableList.of(
-                        new RecoveryMetadata(
+                        new KeychainProtectionParameter(
                                 TYPE_LOCKSCREEN,
                                 TYPE_PASSWORD,
                                 KeyDerivationParams.createSha256Params(TEST_SALT),
@@ -270,7 +269,7 @@ public class RecoverableKeyStoreManagerTest {
                 TEST_VAULT_PARAMS,
                 TEST_VAULT_CHALLENGE,
                 ImmutableList.of(
-                        new RecoveryMetadata(
+                        new KeychainProtectionParameter(
                                 TYPE_LOCKSCREEN,
                                 TYPE_PASSWORD,
                                 KeyDerivationParams.createSha256Params(TEST_SALT),
@@ -295,7 +294,7 @@ public class RecoverableKeyStoreManagerTest {
             fail("should have thrown");
         } catch (ServiceSpecificException e) {
             assertThat(e.getMessage()).startsWith(
-                    "Only a single RecoveryMetadata is supported");
+                    "Only a single KeychainProtectionParameter is supported");
         }
     }
 
@@ -308,7 +307,7 @@ public class RecoverableKeyStoreManagerTest {
                     TEST_VAULT_PARAMS,
                     TEST_VAULT_CHALLENGE,
                     ImmutableList.of(
-                            new RecoveryMetadata(
+                            new KeychainProtectionParameter(
                                     TYPE_LOCKSCREEN,
                                     TYPE_PASSWORD,
                                     KeyDerivationParams.createSha256Params(TEST_SALT),
@@ -330,7 +329,7 @@ public class RecoverableKeyStoreManagerTest {
                     vaultParams,
                     TEST_VAULT_CHALLENGE,
                     ImmutableList.of(
-                            new RecoveryMetadata(
+                            new KeychainProtectionParameter(
                                     TYPE_LOCKSCREEN,
                                     TYPE_PASSWORD,
                                     KeyDerivationParams.createSha256Params(TEST_SALT),
@@ -348,7 +347,7 @@ public class RecoverableKeyStoreManagerTest {
                     TEST_SESSION_ID,
                     /*recoveryKeyBlob=*/ randomBytes(32),
                     /*applicationKeys=*/ ImmutableList.of(
-                            new EntryRecoveryData("alias", randomBytes(32))
+                            new WrappedApplicationKey("alias", randomBytes(32))
                     ));
             fail("should have thrown");
         } catch (ServiceSpecificException e) {
@@ -363,7 +362,7 @@ public class RecoverableKeyStoreManagerTest {
                 TEST_PUBLIC_KEY,
                 TEST_VAULT_PARAMS,
                 TEST_VAULT_CHALLENGE,
-                ImmutableList.of(new RecoveryMetadata(
+                ImmutableList.of(new KeychainProtectionParameter(
                         TYPE_LOCKSCREEN,
                         TYPE_PASSWORD,
                         KeyDerivationParams.createSha256Params(TEST_SALT),
@@ -387,7 +386,7 @@ public class RecoverableKeyStoreManagerTest {
                 TEST_PUBLIC_KEY,
                 TEST_VAULT_PARAMS,
                 TEST_VAULT_CHALLENGE,
-                ImmutableList.of(new RecoveryMetadata(
+                ImmutableList.of(new KeychainProtectionParameter(
                         TYPE_LOCKSCREEN,
                         TYPE_PASSWORD,
                         KeyDerivationParams.createSha256Params(TEST_SALT),
@@ -397,7 +396,7 @@ public class RecoverableKeyStoreManagerTest {
         SecretKey recoveryKey = randomRecoveryKey();
         byte[] encryptedClaimResponse = encryptClaimResponse(
                 keyClaimant, TEST_SECRET, TEST_VAULT_PARAMS, recoveryKey);
-        EntryRecoveryData badApplicationKey = new EntryRecoveryData(
+        WrappedApplicationKey badApplicationKey = new WrappedApplicationKey(
                 TEST_ALIAS,
                 randomBytes(32));
 
@@ -419,7 +418,7 @@ public class RecoverableKeyStoreManagerTest {
                 TEST_PUBLIC_KEY,
                 TEST_VAULT_PARAMS,
                 TEST_VAULT_CHALLENGE,
-                ImmutableList.of(new RecoveryMetadata(
+                ImmutableList.of(new KeychainProtectionParameter(
                         TYPE_LOCKSCREEN,
                         TYPE_PASSWORD,
                         KeyDerivationParams.createSha256Params(TEST_SALT),
@@ -430,7 +429,7 @@ public class RecoverableKeyStoreManagerTest {
         byte[] encryptedClaimResponse = encryptClaimResponse(
                 keyClaimant, TEST_SECRET, TEST_VAULT_PARAMS, recoveryKey);
         byte[] applicationKeyBytes = randomBytes(32);
-        EntryRecoveryData applicationKey = new EntryRecoveryData(
+        WrappedApplicationKey applicationKey = new WrappedApplicationKey(
                 TEST_ALIAS,
                 encryptedApplicationKey(recoveryKey, applicationKeyBytes));
 
index 6308f74..56b44e2 100644 (file)
@@ -3,7 +3,7 @@ package com.android.server.locksettings.recoverablekeystore.storage;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
 
-import android.security.keystore.RecoveryData;
+import android.security.keystore.KeychainSnapshot;
 import android.support.test.filters.SmallTest;
 import android.support.test.runner.AndroidJUnit4;
 
@@ -26,25 +26,25 @@ public class RecoverySnapshotStorageTest {
     @Test
     public void get_returnsSetSnapshot() {
         int userId = 1000;
-        RecoveryData recoveryData = new RecoveryData(
+        KeychainSnapshot keychainSnapshot = new KeychainSnapshot(
                 /*snapshotVersion=*/ 1,
                 new ArrayList<>(),
                 new ArrayList<>(),
                 new byte[0]);
-        mRecoverySnapshotStorage.put(userId, recoveryData);
+        mRecoverySnapshotStorage.put(userId, keychainSnapshot);
 
-        assertEquals(recoveryData, mRecoverySnapshotStorage.get(userId));
+        assertEquals(keychainSnapshot, mRecoverySnapshotStorage.get(userId));
     }
 
     @Test
     public void remove_removesSnapshots() {
         int userId = 1000;
-        RecoveryData recoveryData = new RecoveryData(
+        KeychainSnapshot keychainSnapshot = new KeychainSnapshot(
                 /*snapshotVersion=*/ 1,
                 new ArrayList<>(),
                 new ArrayList<>(),
                 new byte[0]);
-        mRecoverySnapshotStorage.put(userId, recoveryData);
+        mRecoverySnapshotStorage.put(userId, keychainSnapshot);
 
         mRecoverySnapshotStorage.remove(userId);