Merge "Mitigate LSKF leaks in RecoverableKeyStoreManager" into main

commit: 4857d7011dead69039771c5b05807615e859fa1c [log] [tgz]
author: Ellen Arteca <emarteca@google.com> Thu Apr 25 17:10:56 2024 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Apr 25 17:10:56 2024 +0000
tree: 71315bdd0029a04f3018f9302244c6f5801a332d
parent: 548ee3851e394f9eeac1f105904cba9f2a6f2d10 [diff]
parent: 562ea6037ef28ecf7ceae78d22b132aff4f94dfc [diff]
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
index e5807e8..54303c0 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java

@@ -1082,7 +1082,8 @@
             int keyguardCredentialsType = lockPatternUtilsToKeyguardType(savedCredentialType);
             try (LockscreenCredential credential =
                     createLockscreenCredential(keyguardCredentialsType, decryptedCredentials)) {
-                // TODO(b/254335492): remove decryptedCredentials
+                Arrays.fill(decryptedCredentials, (byte) 0);
+                decryptedCredentials = null;
                 VerifyCredentialResponse verifyResponse =
                         lockSettingsService.verifyCredential(credential, userId, 0);
                 return handleVerifyCredentialResponse(verifyResponse, userId);
commit	4857d7011dead69039771c5b05807615e859fa1c	[log] [tgz]
author	Ellen Arteca <emarteca@google.com>	Thu Apr 25 17:10:56 2024 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Apr 25 17:10:56 2024 +0000
tree	71315bdd0029a04f3018f9302244c6f5801a332d
parent	548ee3851e394f9eeac1f105904cba9f2a6f2d10 [diff]
parent	562ea6037ef28ecf7ceae78d22b132aff4f94dfc [diff]