Added support for NIAPSEC updates #3

Open
wants to merge 6 commits into
base: master
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
import android.os.Build;
import android.util.Log;

import com.android.certifications.niap.niapsec.SecureConfig;
import com.android.certifications.niap.niapsec.biometric.BiometricSupport;
import com.android.certifications.niap.niapsec.biometric.BiometricSupportImpl;
import com.android.certifications.niap.niapsec.crypto.SecureCipher;
Expand Down Expand Up @@ -73,7 +74,7 @@ public void onCreate() {
super.onCreate();
this.viewModel = MainActivity.viewModel;
biometricSupport = new BiometricSupportImpl(MainActivity.thisActivity,
getApplicationContext()) {
getApplicationContext(), false) {
@Override
public void onAuthenticationSucceeded() {
showMessage(BIOMETRIC_AUTH + " Succeeded!");
Expand All @@ -84,17 +85,15 @@ public void onAuthenticationFailed() {
onMessage(BIOMETRIC_AUTH + " Failed");
}

@Override
public void onAuthenticationCancelled() {
showMessage(BIOMETRIC_AUTH + " Cancelled!");
}

@Override
public void onMessage(String message) {
showMessage(message);
}
};
dataManager = new EncryptionManager(getApplicationContext(), biometricSupport);
dataManager = new EncryptionManager(getApplicationContext(),

Move first arg to separate line to match other args.

SecureConfig.getStrongConfig(),
biometricSupport);

deviceLocked = dataManager.deviceLocked();
}

Expand Down Expand Up @@ -147,7 +146,8 @@ private void createKeys(String fileName) {
asymmetricKeyPairAlias,
testDataString.getBytes(),
(byte[] encryptedData) -> {
SecureCipher secureCipher = SecureCipher.getDefault(biometricSupport);
SecureCipher secureCipher = SecureCipher.getDefault(

Can this be one line? If not, leave as is.

SecureConfig.getStrongConfig(biometricSupport));
secureCipher.decryptEncodedData(encryptedData, (byte[] decryptedData) -> {
Log.i(TAG, "Decrypted... " + new String(decryptedData));
boolean encrypted = encryptData(fileName, (byte[] cipherText) -> {
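Review bot: The worker now builds two different configurations: `onCreate` passes `SecureConfig.getStrongConfig()` (no biometric support argument) into `EncryptionManager`, while the decryption callback in `createKeys` uses `SecureConfig.getStrongConfig(biometricSupport)`. Because `EncryptionManager` now hands its `secureConfig` to every `SecureCipher.getDefault(...)` call where it previously passed `biometricSupport`, the manager's ciphers presumably run without the biometric callbacks this worker defines; what the no-argument overload defaults to is not visible here. If that is not intended, build the config once, e.g. `SecureConfig config = SecureConfig.getStrongConfig(biometricSupport);`, and pass that same instance in both places. The new `false` argument to `BiometricSupportImpl` would also benefit from a short comment naming the parameter it sets. `createKeys` continues outside the visible hunk.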
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import android.util.Log;
import android.util.Pair;

import com.android.certifications.niap.niapsec.SecureConfig;
import com.android.certifications.niap.niapsec.biometric.BiometricSupport;
import com.android.certifications.niap.niapsec.context.SecureContextCompat;
import com.android.certifications.niap.niapsec.crypto.EphemeralSecretKey;
Expand All @@ -43,17 +44,21 @@ public class EncryptionManager {

private Context context;
private BiometricSupport biometricSupport;
private SecureConfig secureConfig;

public EncryptionManager(Context context, BiometricSupport biometricSupport) {
public EncryptionManager(Context context,

Can you move this argument to a new line? The arguments below don't look like they follow the right spacing.

SecureConfig secureConfig,
BiometricSupport biometricSupport) {
this.context = context;
this.secureConfig = secureConfig;
this.biometricSupport = biometricSupport;
}

public void createSensitiveDataSymmetricKey(final String keyAlias) {
Log.i(TAG, "Generating Key...");
SecureKeyGenerator keyGenerator = SecureKeyGenerator.getDefault();
SecureKeyGenerator keyGenerator = SecureKeyGenerator.getInstance(secureConfig);
boolean created = keyGenerator.generateKey(keyAlias);
SecureKeyStore secureKeyStore = SecureKeyStore.getDefault();
SecureKeyStore secureKeyStore = SecureKeyStore.getDefault(secureConfig);
final boolean keyInHardware = secureKeyStore.checkKeyInsideSecureHardware(keyAlias);
if (UpdateViewModel.updateStatus != null) {
UpdateViewModel.updateStatus.postValue("Generated Key Stored in Hardware: " +
Expand All @@ -63,10 +68,10 @@ public void createSensitiveDataSymmetricKey(final String keyAlias) {

public void createSensitiveDataAsymmetricKeyPair(final String keyPairAlias) {
Log.i(TAG, "Generating KeyPair (RSA)...");
SecureKeyGenerator keyGenerator = SecureKeyGenerator.getDefault();
SecureKeyGenerator keyGenerator = SecureKeyGenerator.getInstance(secureConfig);
boolean createdAsym = keyGenerator.generateAsymmetricKeyPair(keyPairAlias);
Log.i(TAG, "KeyPair Generated: " + createdAsym);
SecureKeyStore secureKeyStore = SecureKeyStore.getDefault();
SecureKeyStore secureKeyStore = SecureKeyStore.getDefault(secureConfig);
final boolean keyInHardwareAsym =
secureKeyStore.checkKeyInsideSecureHardwareAsymmetric(keyPairAlias);
if (UpdateViewModel.updateStatus != null) {
Expand All @@ -76,7 +81,7 @@ public void createSensitiveDataAsymmetricKeyPair(final String keyPairAlias) {
}

public EphemeralSecretKey createEphemeralKey() {
SecureKeyGenerator secureKeyGenerator = SecureKeyGenerator.getDefault();
SecureKeyGenerator secureKeyGenerator = SecureKeyGenerator.getInstance(secureConfig);
EphemeralSecretKey secretKey = secureKeyGenerator.generateEphemeralDataKey();
Log.i("SDPTestWorker", "Ephemeral AES Key Base64:\n" +
Base64.encodeToString(secretKey.getEncoded(), Base64.DEFAULT));
Expand All @@ -87,7 +92,7 @@ public void encryptEphemeralKeyAsymmetric(
EphemeralSecretKey secretKey,
String keyPairAlias,
SecureCipher.SecureAsymmetricEncryptionCallback callback) {
SecureCipher secureCipher = SecureCipher.getDefault(biometricSupport);
SecureCipher secureCipher = SecureCipher.getDefault(secureConfig);
secureCipher.encryptSensitiveDataAsymmetric(keyPairAlias, secretKey.getEncoded(), callback);
}

Expand Down Expand Up @@ -117,7 +122,7 @@ public void encryptData(String symKeyAlias,
// Asymmetric Sensitive Data Protection
Log.i(TAG, "Device Locked: Encrypted Data using Asymmetric Key");
EphemeralSecretKey secretKey = createEphemeralKey();
SecureCipher secureCipher = SecureCipher.getDefault(biometricSupport);
SecureCipher secureCipher = SecureCipher.getDefault(secureConfig);
Pair<byte[], byte[]> encryptedData = secureCipher.encryptEphemeralData(secretKey, data);
encryptEphemeralKeyAsymmetric(secretKey, asymKeyPairAlias,
(byte[] encryptedEphemeralKey) -> {
Expand All @@ -130,7 +135,7 @@ public void encryptData(String symKeyAlias,
asymmetricEncryptionCallback.encryptionComplete(encodedData);
});
} else {
SecureCipher secureCipher = SecureCipher.getDefault(biometricSupport);
SecureCipher secureCipher = SecureCipher.getDefault(secureConfig);
secureCipher.encryptSensitiveData(
symKeyAlias,
data,
Expand All @@ -152,7 +157,7 @@ public boolean encryptData(String fileName, String symKeyAlias,
final AtomicBoolean saved = new AtomicBoolean(false);
encryptData(symKeyAlias, asymKeyPairAlias, data, (byte[] encryptedData) -> {
try {
SecureContextCompat secureContext = new SecureContextCompat(context);
SecureContextCompat secureContext = new SecureContextCompat(context, secureConfig);
Log.i(TAG, "Keyname " + fileName.substring(0, fileName.indexOf(".")));
FileOutputStream outputStream = secureContext.openEncryptedFileOutput(
fileName,
Expand All @@ -177,7 +182,7 @@ public void convertEphemeralEncodedData(
byte[] encodedCipherText,
SecureCipher.SecureAsymmetricEncryptionCallback callback) {
if (!deviceLocked()) {
SecureCipher secureCipher = SecureCipher.getDefault(biometricSupport);
SecureCipher secureCipher = SecureCipher.getDefault(secureConfig);
secureCipher.decryptEncodedData(
encodedCipherText,
(byte[] decryptedData) -> {
Expand All @@ -198,7 +203,7 @@ public void convertEphemeralEncodedData(
public boolean convertEphemeralEncodedData(String fileName, String keyPairAlias) {
AtomicBoolean converted = new AtomicBoolean(false);
try {
SecureContextCompat secureContext = new SecureContextCompat(context);
SecureContextCompat secureContext = new SecureContextCompat(context, secureConfig);
secureContext.openEncryptedFileInput(
fileName,
Executors.newSingleThreadExecutor(),
Expand Down Expand Up @@ -240,7 +245,7 @@ public boolean convertEphemeralEncodedData(String fileName, String keyPairAlias)

public void decryptData(String fileName, SecureCipher.SecureDecryptionCallback callback) {
try {
SecureContextCompat secureContext = new SecureContextCompat(context);
SecureContextCompat secureContext = new SecureContextCompat(context, secureConfig);
secureContext.openEncryptedFileInput(
fileName,
Executors.newSingleThreadExecutor(),
Expand All @@ -250,7 +255,7 @@ public void decryptData(String fileName, SecureCipher.SecureDecryptionCallback c
byte[] encodedData = new byte[inputStream.available()];
inputStream.read(encodedData);
inputStream.close();
SecureCipher secureCipher = SecureCipher.getDefault(biometricSupport);
SecureCipher secureCipher = SecureCipher.getDefault(secureConfig);
secureCipher.decryptEncodedData(encodedData, callback);
} catch (IOException ex) {
Log.e(TAG, "There was a problem writing to file... " + ex.getMessage());
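Review bot: `createEphemeralKey()` still writes the raw ephemeral AES key to logcat (`Log.i("SDPTestWorker", "Ephemeral AES Key Base64:\n" + ...)`) directly after the generator line this change touches, so the key protecting the data ends up in the device log. Consider dropping the key bytes from the message, e.g. `Log.i(TAG, "Ephemeral AES key generated");`, or guarding the line behind a debug-only flag if the output is needed during evaluation. Separately, none of the visible calls read the `biometricSupport` field any more, and the constructor stores `secureConfig` unchecked; `this.secureConfig = Objects.requireNonNull(secureConfig, "secureConfig");` (needs `java.util.Objects`) would fail at construction instead of inside the key generator. Several of the touched methods start or end outside the visible hunks.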
Original file line number Diff line number Diff line change
Expand Up @@ -34,13 +34,15 @@
import androidx.lifecycle.Observer;
import androidx.lifecycle.ViewModelProviders;
import androidx.work.OneTimeWorkRequest;
import androidx.work.WorkContinuation;
import androidx.work.WorkManager;

import com.android.certifications.niap.niapsec.SecureConfig;
import com.android.certifications.niap.niapsec.biometric.BiometricSupport;
import com.android.certifications.niap.niapsec.crypto.SecureCipher;
import com.android.certifications.niap.niapsec.net.SecureURL;
import com.android.certifications.niap.niapsecexample.R;
import com.android.certifications.niap.tests.SDPDeviceCredentialTestWorker;
import com.google.android.material.floatingactionbutton.FloatingActionButton;
import com.google.android.material.snackbar.Snackbar;
import com.android.certifications.niap.tests.SDPAuthFailureTestWorker;
Expand Down Expand Up @@ -69,6 +71,9 @@ public class MainActivity extends FragmentActivity {
public static FragmentActivity thisActivity;
private TextView textView;
private CheckBox runInBackgroundCheckBox;
private CheckBox useDeviceCredentialCheckBox;
private CheckBox testNoAuthCheckBox;

private boolean serviceRunning = false;
public static UpdateViewModel viewModel;
private BiometricSupport biometricSupport;
Expand All @@ -81,6 +86,8 @@ protected void onCreate(Bundle savedInstanceState) {
thisActivity = this;
textView = (TextView) findViewById(R.id.output_textview);
runInBackgroundCheckBox = findViewById(R.id.run_in_background);
useDeviceCredentialCheckBox = findViewById(R.id.use_device_credential);
testNoAuthCheckBox = findViewById(R.id.test_failure_sdp);
viewModel = ViewModelProviders.of(this).get(UpdateViewModel.class);
FloatingActionButton fab = (FloatingActionButton) findViewById(R.id.fab);
fab.setOnClickListener(new View.OnClickListener() {
Expand Down Expand Up @@ -131,16 +138,27 @@ private void runTest() {
Log.i(TAG, "!!!!!!!!!!LOCK DEVICE NOW...!!!!");
initialDelay = 6;
}
OneTimeWorkRequest sdpTestWorker = new OneTimeWorkRequest.Builder(SDPTestWorker.class)
.setInitialDelay(initialDelay, TimeUnit.SECONDS)
.build();
OneTimeWorkRequest sdpFailureTestWorker =
new OneTimeWorkRequest.Builder(SDPAuthFailureTestWorker.class)
.build();
WorkManager.getInstance()
.beginWith(sdpTestWorker)
.then(sdpFailureTestWorker)
.enqueue();
OneTimeWorkRequest sdpTestWorker;
if(useDeviceCredentialCheckBox.isChecked()) {

space after if to follow guidelines

sdpTestWorker = new OneTimeWorkRequest.Builder(SDPDeviceCredentialTestWorker.class)
.setInitialDelay(initialDelay, TimeUnit.SECONDS)
.build();
} else {
sdpTestWorker = new OneTimeWorkRequest.Builder(SDPTestWorker.class)
.setInitialDelay(initialDelay, TimeUnit.SECONDS)
.build();
}

WorkContinuation workContinuation =
WorkManager.getInstance(getApplicationContext()).beginWith(sdpTestWorker);
if(testNoAuthCheckBox.isChecked()) {

space after if to follow guidelines

OneTimeWorkRequest sdpFailureTestWorker =
new OneTimeWorkRequest.Builder(SDPAuthFailureTestWorker.class)
.build();
workContinuation.then(sdpFailureTestWorker);
}
workContinuation.enqueue();


try {
new AsyncTask<Void, Void, Void>() {
Expand Down Expand Up @@ -172,15 +190,23 @@ private void showMessage(String message) {
}

private void testOAEP() {
EncryptionManager encryptionManager = new EncryptionManager(this, biometricSupport);
SecureConfig config;
if(useDeviceCredentialCheckBox.isChecked()) {

space after if to follow guidelines

config = SecureConfig.getStrongDeviceCredentialConfig(biometricSupport);
} else {
config = SecureConfig.getStrongConfig(biometricSupport);
}
EncryptionManager encryptionManager = new EncryptionManager(this,

1st argument should be on new line if all others are (for readability).

config,
biometricSupport);
Log.i(TAG, "Creating Keypair OAEP_TESTING_RSA");
encryptionManager.createSensitiveDataAsymmetricKeyPair("OAEP_TESTING_RSA");
Log.i(TAG, "Created Keypair OAEP_TESTING_RSA");
byte[] clearText = new String("SO MUCH TESTING!").getBytes();

Log.i(TAG, "Encrypting " + new String(clearText));

SecureCipher secureCipher = SecureCipher.getDefault(biometricSupport);
SecureCipher secureCipher = SecureCipher.getDefault(config);
secureCipher.encryptSensitiveDataAsymmetric(
"OAEP_TESTING_RSA",
clearText,
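Review bot: In `runTest()`, the return value of `workContinuation.then(sdpFailureTestWorker)` is discarded. `WorkContinuation.then()` returns a new continuation rather than modifying the receiver, so `workContinuation.enqueue()` enqueues only the first worker and the auth-failure test is never scheduled, even when the checkbox is ticked. Reassign the result: `workContinuation = workContinuation.then(sdpFailureTestWorker);`. A negative test that silently does not run is indistinguishable from one that passed, so a log line or status message naming the enqueued workers would help. `runTest()` begins and continues outside the hunk.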