Keystore 2.0: Implement convertStorageKeyToEphemeral() in security_level.rs
Introduce and implement convertStorageKeyToEphemeral() in
IKeystoreSecurityLevel. The function checks for the associated
permission before routing the call to
IKeyMintDevice::convertStorageKeyToEphemeral().
Bug: 181806377
Bug: 181910578
Change-Id: I19212b1870f0e19a7125d6144fe43e23fc35d1c5
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 5a776fb..63b0c74 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -727,6 +727,33 @@
Ok(v) => Ok((v, None)),
}
}
+
+ fn convert_storage_key_to_ephemeral(&self, storage_key: &KeyDescriptor) -> Result<Vec<u8>> {
+ if storage_key.domain != Domain::BLOB {
+ return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(concat!(
+ "In IKeystoreSecurityLevel convert_storage_key_to_ephemeral: ",
+ "Key must be of Domain::BLOB"
+ ));
+ }
+ let key_blob = storage_key
+ .blob
+ .as_ref()
+ .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
+ .context(
+ "In IKeystoreSecurityLevel convert_storage_key_to_ephemeral: No key blob specified",
+ )?;
+
+ // convert_storage_key_to_ephemeral requires the associated permission
+ check_key_permission(KeyPerm::convert_storage_key_to_ephemeral(), storage_key, &None)
+ .context("In convert_storage_key_to_ephemeral: Check permission")?;
+
+ let km_dev: Strong<dyn IKeyMintDevice> = self.keymint.get_interface().context(concat!(
+ "In IKeystoreSecurityLevel convert_storage_key_to_ephemeral: ",
+ "Getting keymint device interface"
+ ))?;
+ map_km_error(km_dev.convertStorageKeyToEphemeral(key_blob))
+ .context("In keymint device convertStorageKeyToEphemeral")
+ }
}
impl binder::Interface for KeystoreSecurityLevel {}
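Review bot: `convert_storage_key_to_ephemeral` is added without a doc comment, although it is a permission-gated path that returns the output of `IKeyMintDevice::convertStorageKeyToEphemeral` to the caller. A `///` block above the signature should state that the descriptor must be `Domain::BLOB` with `blob` set (otherwise `ErrorCode::INVALID_ARGUMENT`), and that `KeyPerm::convert_storage_key_to_ephemeral()` is checked against the caller-supplied descriptor before KeyMint is reached. `check_key_permission` is defined outside this hunk, so it is worth confirming there that, for a BLOB descriptor, the decision does not rest only on fields the caller can set freely. The context strings also use three different prefixes (`In IKeystoreSecurityLevel convert_storage_key_to_ephemeral: …`, `In convert_storage_key_to_ephemeral: …`, `In keymint device …`); a single prefix would make a denied or failed call easier to trace in logs.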
@@ -773,4 +800,10 @@
Ok,
)
}
+ fn convertStorageKeyToEphemeral(
+ &self,
+ storage_key: &KeyDescriptor,
+ ) -> binder::public_api::Result<Vec<u8>> {
+ map_or_log_err(self.convert_storage_key_to_ephemeral(storage_key), Ok)
+ }
}