Keystore 2.0: Implement delete_key in IKeystoreSecurityLevel
Implement delete_key that allows callers to delete Domain::BLOB keys
from the underlying IKeymintDevice. The implementation checks that the
caller has "DELETE" permissions for the key, and has the permissions to
manage key blobs.
Bug: 181820340
Bug: 181910578
Change-Id: I8eb898cd793332e7fcb80558869d3aa5e3aaa2b4
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 63b0c74..e50155b 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -754,6 +754,28 @@
map_km_error(km_dev.convertStorageKeyToEphemeral(key_blob))
.context("In keymint device convertStorageKeyToEphemeral")
}
+
+ fn delete_key(&self, key: &KeyDescriptor) -> Result<()> {
+ if key.domain != Domain::BLOB {
+ return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
+ .context("In IKeystoreSecurityLevel delete_key: Key must be of Domain::BLOB");
+ }
+
+ let key_blob = key
+ .blob
+ .as_ref()
+ .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
+ .context("In IKeystoreSecurityLevel delete_key: No key blob specified")?;
+
+ check_key_permission(KeyPerm::delete(), key, &None)
+ .context("In IKeystoreSecurityLevel delete_key: Checking delete permissions")?;
+
+ let km_dev: Strong<dyn IKeyMintDevice> = self
+ .keymint
+ .get_interface()
+ .context("In IKeystoreSecurityLevel delete_key: Getting keymint device interface")?;
+ map_km_error(km_dev.deleteKey(&key_blob)).context("In keymint device deleteKey")
+ }
}
impl binder::Interface for KeystoreSecurityLevel {}
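Review bot: The new `delete_key` (lines 18–38) carries no doc comment, and the commit description's claim that the caller's blob-management permission is also verified is not visible in the hunk — the only check shown is `check_key_permission(KeyPerm::delete(), key, &None)`. If `check_key_permission` applies the manage-blob rule itself for `Domain::BLOB` keys, state that at the call site so a later reader neither duplicates the check nor assumes it is missing; a doc comment such as `/// Deletes a Domain::BLOB key from the KeyMint device. Rejects non-BLOB descriptors and missing blobs with INVALID_ARGUMENT; requires the caller's delete permission on the key (the Domain::BLOB manage-blob rule is expected to be enforced inside check_key_permission — confirm).` would cover it. Separately, `key_blob` is already a `&Vec<u8>`, so `km_dev.deleteKey(&key_blob)` borrows a borrow; `km_dev.deleteKey(key_blob)` reads cleaner and relies on the same deref coercion. The enclosing `impl KeystoreSecurityLevel` block starts before the hunk.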
@@ -806,4 +828,7 @@
) -> binder::public_api::Result<Vec<u8>> {
map_or_log_err(self.convert_storage_key_to_ephemeral(storage_key), Ok)
}
+ fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
+ map_or_log_err(self.delete_key(key), Ok)
+ }
}