Merge "Deprecate get in ILegacyKeystore" into main
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index ed9cd88..28bdfea 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -162,6 +162,11 @@
     srcs: ["aconfig/flags.aconfig"],
 }
 
+java_aconfig_library {
+    name: "keystore2_flags_java",
+    aconfig_declarations: "keystore2_flags",
+}
+
 rust_aconfig_library {
     name: "libkeystore2_flags_rust",
     crate_name: "keystore2_flags",
diff --git a/keystore2/aconfig/flags.aconfig b/keystore2/aconfig/flags.aconfig
index 856b42e..65f0857 100644
--- a/keystore2/aconfig/flags.aconfig
+++ b/keystore2/aconfig/flags.aconfig
@@ -18,6 +18,14 @@
 }
 
 flag {
+  name: "disable_legacy_keystore_get"
+  namespace: "hardware_backed_security"
+  description: "This flag disables legacy keystore get and makes it so that get returns an error"
+  bug: "307460850"
+  is_fixed_read_only: true
+}
+
+flag {
   name: "import_previously_emulated_keys"
   namespace: "hardware_backed_security"
   description: "Include support for importing keys that were previously software-emulated into KeyMint"
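Review bot: The new flag's description does not say that the gate is build-time fixed; with `is_fixed_read_only: true` the value is, as far as I understand aconfig fixed read-only flags, compiled into the build and cannot be flipped on a shipped device, so backing out the deprecation needs a new build rather than a config push. That is the thing whoever enables it needs to know, so the description should carry it: `description: "Build-time (fixed read-only) flag that makes legacy keystore get return a deprecated error instead of reading the legacy database; cannot be toggled on a shipped device"`. Only the description wording changes; the name, namespace and bug stay as they are.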
diff --git a/keystore2/legacykeystore/lib.rs b/keystore2/legacykeystore/lib.rs
index 8e6040b..b173da8 100644
--- a/keystore2/legacykeystore/lib.rs
+++ b/keystore2/legacykeystore/lib.rs
@@ -134,6 +134,7 @@
     }
 
     fn get(&mut self, caller_uid: u32, alias: &str) -> Result<Option<Vec<u8>>> {
+        ensure_keystore_get_is_enabled()?;
         self.with_transaction(TransactionBehavior::Deferred, |tx| {
             tx.query_row(
                 "SELECT profile FROM profiles WHERE owner = ? AND alias = ?;",
@@ -239,6 +240,17 @@
     }
 }
 
+fn ensure_keystore_get_is_enabled() -> Result<()> {
+    if keystore2_flags::disable_legacy_keystore_get() {
+        Err(Error::deprecated()).context(concat!(
+            "Retrieving from Keystore's legacy database is ",
+            "no longer supported, store in an app-specific database instead"
+        ))
+    } else {
+        Ok(())
+    }
+}
+
 struct LegacyKeystoreDeleteListener {
     legacy_keystore: Arc<LegacyKeystore>,
 }
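Review bot: `ensure_keystore_get_is_enabled` has no doc comment, and since it is the single place where the deprecation decision is made it should state what a caller gets back and why it is called first: `/// Returns Err(Error::deprecated()) when the disable_legacy_keystore_get flag is set, so legacy get() calls fail before the profiles table is opened or queried; Ok(()) otherwise.` The flag is read on every call rather than once, which is fine for a fixed read-only flag but worth a one-line note if callers are hot: `// Cheap: the flag is fixed at build time, so this is a constant check per call.` The error text already points callers at an app-specific database, so no change to the message itself is needed.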
@@ -313,6 +325,7 @@
     }
 
     fn get(&self, alias: &str, uid: i32) -> Result<Vec<u8>> {
+        ensure_keystore_get_is_enabled()?;
         let mut db = self.open_db().context("In get.")?;
         let uid = Self::get_effective_uid(uid).context("In get.")?;