Adding the ability to delete all attestation keys
This feature primarily supports better testing, by making sure the
system is completely cleaned up after running tests. There are potential
other use cases for this, such as deleting attestation keys that haven't
yet been included in a certificate signing request, if there are
compatibility issues in CBOR formats during an upgrade of the KM HAL. It
would be simpler and more robust to simply delete and regenerate keys on
the upgraded instance than attempt to upgrade the CBOR formats.
Test: keystore2_test
Change-Id: I8a636a47f54dc9265f5f503ac59546aa717ea61b
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index d6cc680..cc97573 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -367,6 +367,15 @@
pub fn get_security_levels(&self) -> Result<Vec<SecurityLevel>> {
Ok(self.device_by_sec_level.keys().cloned().collect())
}
+
+ /// Deletes all attestation keys generated by the IRemotelyProvisionedComponent from the device,
+ /// regardless of what state of the attestation key lifecycle they were in.
+ pub fn delete_all_keys(&self) -> Result<i64> {
+ DB.with::<_, Result<i64>>(|db| {
+ let mut db = db.borrow_mut();
+ Ok(db.delete_all_attestation_keys()?)
+ })
+ }
}
impl binder::Interface for RemoteProvisioningService {}
@@ -422,4 +431,8 @@
fn getSecurityLevels(&self) -> binder::public_api::Result<Vec<SecurityLevel>> {
map_or_log_err(self.get_security_levels(), Ok)
}
+
+ fn deleteAllKeys(&self) -> binder::public_api::Result<i64> {
+ map_or_log_err(self.delete_all_keys(), Ok)
+ }
}