commit 32adc7d500a5469c54152ec0b33ff844dfee3dd0
author Janis Danisevskis <jdanis@google.com> Sun Feb 07 14:04:01 2021 -0800
committer Janis Danisevskis <jdanis@google.com> Mon Feb 08 09:11:51 2021 -0800
tree 339b9dbace9ec38064dbfd3b3b51619b3b2c87bf
parent e766edca9154aab12d6d709d99f0c62bd8e3c9b9

Keystore 2.0: Fix import wrapped key.

Test: CTS test for wrapped key import.
Change-Id: If75c941b0ec5e5c1f12bc683f3568fba613c53fa

keystore2/src/security_level.rs

diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index fe9a27d..a6acacc 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -459,10 +459,21 @@
         params: &[KeyParameter],
         authenticators: &[AuthenticatorSpec],
     ) -> Result<KeyMetadata> {
-        if !(key.domain == Domain::BLOB && key.alias.is_some()) {
-            return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
-                .context("In import_wrapped_key: Alias must be specified.");
-        }
+        let wrapped_data: &[u8] = match key {
+            KeyDescriptor { domain: Domain::APP, blob: Some(ref blob), alias: Some(_), .. }
+            | KeyDescriptor {
+                domain: Domain::SELINUX, blob: Some(ref blob), alias: Some(_), ..
+            } => blob,
+            _ => {
+                return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(format!(
+                    concat!(
+                        "In import_wrapped_key: Alias and blob must be specified ",
+                        "and domain must be APP or SELINUX. {:?}"
+                    ),
+                    key
+                ))
+            }
+        };
 
         if wrapping_key.domain == Domain::BLOB {
             return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(
@@ -470,15 +481,6 @@
             );
         }
 
-        let wrapped_data = match &key.blob {
-            Some(d) => d,
-            None => {
-                return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(
-                    "In import_wrapped_key: Blob must be specified and hold wrapped key data.",
-                )
-            }
-        };
-
         let caller_uid = ThreadState::get_calling_uid();
         let key = match key.domain {
             Domain::APP => KeyDescriptor {
@@ -487,7 +489,13 @@
                 alias: key.alias.clone(),
                 blob: None,
             },
-            _ => key.clone(),
+            Domain::SELINUX => KeyDescriptor {
+                domain: Domain::SELINUX,
+                nspace: key.nspace,
+                alias: key.alias.clone(),
+                blob: None,
+            },
+            _ => panic!("Unreachable."),
         };
 
         // import_wrapped_key requires the rebind permission for the new key.
@@ -524,8 +532,7 @@
                 HardwareAuthenticatorType::PASSWORD => Some(a.authenticatorId),
                 _ => None,
             })
-            .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
-            .context("A password authenticator SID must be specified.")?;
+            .unwrap_or(-1);
 
         let fp_sid = authenticators
             .iter()
@@ -533,8 +540,7 @@
                 HardwareAuthenticatorType::FINGERPRINT => Some(a.authenticatorId),
                 _ => None,
             })
-            .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
-            .context("A fingerprint authenticator SID must be specified.")?;
+            .unwrap_or(-1);
 
         let masking_key = masking_key.unwrap_or(ZERO_BLOB_32);