| /* |
| * Copyright (C) 2011 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package com.android.cts.verifier.security; |
| |
| import com.android.cts.verifier.PassFailButtons; |
| import com.android.cts.verifier.R; |
| |
| import android.app.AlertDialog; |
| import android.app.KeyguardManager; |
| import android.content.Context; |
| import android.content.Intent; |
| import android.os.Bundle; |
| import android.security.keystore.KeyGenParameterSpec; |
| import android.security.keystore.KeyPermanentlyInvalidatedException; |
| import android.security.keystore.KeyProperties; |
| import android.security.keystore.UserNotAuthenticatedException; |
| import android.view.View; |
| import android.view.View.OnClickListener; |
| import android.widget.Button; |
| import android.widget.Toast; |
| |
| import java.io.IOException; |
| import java.security.InvalidAlgorithmParameterException; |
| import java.security.InvalidKeyException; |
| import java.security.KeyStore; |
| import java.security.KeyStoreException; |
| import java.security.NoSuchAlgorithmException; |
| import java.security.NoSuchProviderException; |
| import java.security.UnrecoverableKeyException; |
| import java.security.cert.CertificateException; |
| |
| import javax.crypto.BadPaddingException; |
| import javax.crypto.Cipher; |
| import javax.crypto.IllegalBlockSizeException; |
| import javax.crypto.KeyGenerator; |
| import javax.crypto.NoSuchPaddingException; |
| import javax.crypto.SecretKey; |
| |
| public class ScreenLockBoundKeysTest extends PassFailButtons.Activity { |
| |
| /** Alias for our key in the Android Key Store. */ |
| private static final String KEY_NAME = "my_lock_key"; |
| private static final byte[] SECRET_BYTE_ARRAY = new byte[] {1, 2, 3, 4, 5, 6}; |
| private static final int AUTHENTICATION_DURATION_SECONDS = 5; |
| private static final int CONFIRM_CREDENTIALS_REQUEST_CODE = 1; |
| |
| private KeyguardManager mKeyguardManager; |
| |
| @Override |
| protected void onCreate(Bundle savedInstanceState) { |
| super.onCreate(savedInstanceState); |
| setContentView(R.layout.sec_screen_lock_keys_main); |
| setPassFailButtonClickListeners(); |
| setInfoResources(R.string.sec_lock_bound_key_test, R.string.sec_lock_bound_key_test_info, -1); |
| |
| mKeyguardManager = (KeyguardManager) getSystemService(KEYGUARD_SERVICE); |
| |
| getPassButton().setEnabled(false); |
| |
| Button startTestButton = (Button) findViewById(R.id.sec_start_test_button); |
| startTestButton.setOnClickListener(new OnClickListener() { |
| @Override |
| public void onClick(View v) { |
| showToast("Test running..."); |
| v.postDelayed(new Runnable() { |
| @Override |
| public void run() { |
| if (tryEncrypt()) { |
| showToast("Test failed. Key accessible without auth."); |
| } else { |
| showAuthenticationScreen(); |
| } |
| } |
| }, |
| AUTHENTICATION_DURATION_SECONDS * 1000); |
| } |
| |
| }); |
| |
| if (!mKeyguardManager.isKeyguardSecure()) { |
| // Show a message that the user hasn't set up a lock screen. |
| Toast.makeText(this, |
| "Secure lock screen hasn't set up.\n" |
| + "Go to 'Settings -> Security -> Screenlock' to set up a lock screen", |
| Toast.LENGTH_LONG).show(); |
| startTestButton.setEnabled(false); |
| return; |
| } |
| |
| createKey(); |
| } |
| |
| /** |
| * Creates a symmetric key in the Android Key Store which can only be used after the user has |
| * authenticated with device credentials within the last X seconds. |
| */ |
| private void createKey() { |
| // Generate a key to decrypt payment credentials, tokens, etc. |
| // This will most likely be a registration step for the user when they are setting up your app. |
| try { |
| KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore"); |
| keyStore.load(null); |
| KeyGenerator keyGenerator = KeyGenerator.getInstance( |
| KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"); |
| |
| // Set the alias of the entry in Android KeyStore where the key will appear |
| // and the constrains (purposes) in the constructor of the Builder |
| keyGenerator.init(new KeyGenParameterSpec.Builder(KEY_NAME, |
| KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) |
| .setBlockModes(KeyProperties.BLOCK_MODE_CBC) |
| .setUserAuthenticationRequired(true) |
| // Require that the user has unlocked in the last 30 seconds |
| .setUserAuthenticationValidityDurationSeconds(AUTHENTICATION_DURATION_SECONDS) |
| .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7) |
| .build()); |
| keyGenerator.generateKey(); |
| } catch (NoSuchAlgorithmException | NoSuchProviderException |
| | InvalidAlgorithmParameterException | KeyStoreException |
| | CertificateException | IOException e) { |
| throw new RuntimeException("Failed to create a symmetric key", e); |
| } |
| } |
| |
| /** |
| * Tries to encrypt some data with the generated key in {@link #createKey} which is |
| * only works if the user has just authenticated via device credentials. |
| */ |
| private boolean tryEncrypt() { |
| try { |
| KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore"); |
| keyStore.load(null); |
| SecretKey secretKey = (SecretKey) keyStore.getKey(KEY_NAME, null); |
| Cipher cipher = Cipher.getInstance( |
| KeyProperties.KEY_ALGORITHM_AES + "/" + KeyProperties.BLOCK_MODE_CBC + "/" |
| + KeyProperties.ENCRYPTION_PADDING_PKCS7); |
| |
| // Try encrypting something, it will only work if the user authenticated within |
| // the last AUTHENTICATION_DURATION_SECONDS seconds. |
| cipher.init(Cipher.ENCRYPT_MODE, secretKey); |
| cipher.doFinal(SECRET_BYTE_ARRAY); |
| return true; |
| } catch (UserNotAuthenticatedException e) { |
| // User is not authenticated, let's authenticate with device credentials. |
| return false; |
| } catch (KeyPermanentlyInvalidatedException e) { |
| // This happens if the lock screen has been disabled or reset after the key was |
| // generated after the key was generated. |
| createKey(); |
| Toast.makeText(this, "Set up lockscreen after test ran. Retry the test.\n" |
| + e.getMessage(), |
| Toast.LENGTH_LONG).show(); |
| return false; |
| } catch (BadPaddingException | IllegalBlockSizeException | KeyStoreException | |
| CertificateException | UnrecoverableKeyException | IOException |
| | NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException e) { |
| throw new RuntimeException(e); |
| } |
| } |
| |
| private void showAuthenticationScreen() { |
| // Create the Confirm Credentials screen. You can customize the title and description. Or |
| // we will provide a generic one for you if you leave it null |
| Intent intent = mKeyguardManager.createConfirmDeviceCredentialIntent(null, null); |
| if (intent != null) { |
| startActivityForResult(intent, CONFIRM_CREDENTIALS_REQUEST_CODE); |
| } |
| } |
| |
| private void showToast(String message) { |
| Toast.makeText(this, message, Toast.LENGTH_LONG) |
| .show(); |
| } |
| |
| @Override |
| protected void onActivityResult(int requestCode, int resultCode, Intent data) { |
| super.onActivityResult(requestCode, resultCode, data); |
| switch (requestCode) { |
| case CONFIRM_CREDENTIALS_REQUEST_CODE: |
| if (resultCode == RESULT_OK) { |
| if (tryEncrypt()) { |
| showToast("Test passed."); |
| getPassButton().setEnabled(true); |
| } else { |
| showToast("Test failed. Key not accessible after auth"); |
| } |
| } |
| } |
| } |
| } |
| |
