Limit maximum number of concurrent keystore operations. am: ddab0bb513 am: 7335397765
am: d7870f1fea
* commit 'd7870f1fea0f7d27dd46153558766088414ec640':
Limit maximum number of concurrent keystore operations.
diff --git a/keystore/Android.mk b/keystore/Android.mk
index d1f45ca..e26aebe 100644
--- a/keystore/Android.mk
+++ b/keystore/Android.mk
@@ -44,6 +44,9 @@
LOCAL_MODULE := keystore
LOCAL_MODULE_TAGS := optional
LOCAL_INIT_RC := keystore.rc
+LOCAL_C_INCLUES := system/keymaster/
+LOCAL_CLANG := true
+LOCAL_SANITIZE := integer
LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
include $(BUILD_EXECUTABLE)
@@ -99,6 +102,8 @@
LOCAL_MODULE_TAGS := optional
LOCAL_C_INCLUDES := $(LOCAL_PATH)/include $(call keystore_proto_include)
LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+LOCAL_CLANG := true
+LOCAL_SANITIZE := integer
LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
include $(BUILD_SHARED_LIBRARY)
diff --git a/keystore/IKeystoreService.cpp b/keystore/IKeystoreService.cpp
index 8ed09c4..6e20f9d 100644
--- a/keystore/IKeystoreService.cpp
+++ b/keystore/IKeystoreService.cpp
@@ -418,11 +418,12 @@
return ret;
}
- virtual int32_t get(const String16& name, uint8_t** item, size_t* itemLength)
+ virtual int32_t get(const String16& name, int32_t uid, uint8_t** item, size_t* itemLength)
{
Parcel data, reply;
data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
data.writeString16(name);
+ data.writeInt32(uid);
status_t status = remote()->transact(BnKeystoreService::GET, data, &reply);
if (status != NO_ERROR) {
ALOGD("get() could not contact remote: %d\n", status);
@@ -833,11 +834,12 @@
return ret;
}
- int64_t getmtime(const String16& name)
+ int64_t getmtime(const String16& name, int32_t uid)
{
Parcel data, reply;
data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
data.writeString16(name);
+ data.writeInt32(uid);
status_t status = remote()->transact(BnKeystoreService::GETMTIME, data, &reply);
if (status != NO_ERROR) {
ALOGD("getmtime() could not contact remote: %d\n", status);
@@ -963,7 +965,7 @@
virtual int32_t getKeyCharacteristics(const String16& name,
const keymaster_blob_t* clientId,
const keymaster_blob_t* appData,
- KeyCharacteristics* outCharacteristics)
+ int32_t uid, KeyCharacteristics* outCharacteristics)
{
Parcel data, reply;
data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
@@ -978,6 +980,7 @@
} else {
data.writeInt32(-1);
}
+ data.writeInt32(uid);
status_t status = remote()->transact(BnKeystoreService::GET_KEY_CHARACTERISTICS,
data, &reply);
if (status != NO_ERROR) {
@@ -1028,7 +1031,7 @@
virtual void exportKey(const String16& name, keymaster_key_format_t format,
const keymaster_blob_t* clientId,
- const keymaster_blob_t* appData, ExportResult* result)
+ const keymaster_blob_t* appData, int32_t uid, ExportResult* result)
{
if (!result) {
return;
@@ -1048,6 +1051,7 @@
} else {
data.writeInt32(-1);
}
+ data.writeInt32(uid);
status_t status = remote()->transact(BnKeystoreService::EXPORT_KEY, data, &reply);
if (status != NO_ERROR) {
ALOGD("exportKey() could not contact remote: %d\n", status);
@@ -1068,7 +1072,7 @@
virtual void begin(const sp<IBinder>& appToken, const String16& name,
keymaster_purpose_t purpose, bool pruneable,
const KeymasterArguments& params, const uint8_t* entropy,
- size_t entropyLength, OperationResult* result)
+ size_t entropyLength, int32_t uid, OperationResult* result)
{
if (!result) {
return;
@@ -1082,6 +1086,7 @@
data.writeInt32(1);
params.writeToParcel(&data);
data.writeByteArray(entropyLength, entropy);
+ data.writeInt32(uid);
status_t status = remote()->transact(BnKeystoreService::BEGIN, data, &reply);
if (status != NO_ERROR) {
ALOGD("begin() could not contact remote: %d\n", status);
@@ -1278,9 +1283,10 @@
case GET: {
CHECK_INTERFACE(IKeystoreService, data, reply);
String16 name = data.readString16();
+ int32_t uid = data.readInt32();
void* out = NULL;
size_t outSize = 0;
- int32_t ret = get(name, (uint8_t**) &out, &outSize);
+ int32_t ret = get(name, uid, (uint8_t**) &out, &outSize);
reply->writeNoException();
if (ret == 1) {
reply->writeInt32(outSize);
@@ -1524,7 +1530,8 @@
case GETMTIME: {
CHECK_INTERFACE(IKeystoreService, data, reply);
String16 name = data.readString16();
- int64_t ret = getmtime(name);
+ int32_t uid = data.readInt32();
+ int64_t ret = getmtime(name, uid);
reply->writeNoException();
reply->writeInt64(ret);
return NO_ERROR;
@@ -1592,8 +1599,9 @@
String16 name = data.readString16();
std::unique_ptr<keymaster_blob_t> clientId = readKeymasterBlob(data);
std::unique_ptr<keymaster_blob_t> appData = readKeymasterBlob(data);
+ int32_t uid = data.readInt32();
KeyCharacteristics outCharacteristics;
- int ret = getKeyCharacteristics(name, clientId.get(), appData.get(),
+ int ret = getKeyCharacteristics(name, clientId.get(), appData.get(), uid,
&outCharacteristics);
reply->writeNoException();
reply->writeInt32(ret);
@@ -1630,8 +1638,9 @@
keymaster_key_format_t format = static_cast<keymaster_key_format_t>(data.readInt32());
std::unique_ptr<keymaster_blob_t> clientId = readKeymasterBlob(data);
std::unique_ptr<keymaster_blob_t> appData = readKeymasterBlob(data);
+ int32_t uid = data.readInt32();
ExportResult result;
- exportKey(name, format, clientId.get(), appData.get(), &result);
+ exportKey(name, format, clientId.get(), appData.get(), uid, &result);
reply->writeNoException();
reply->writeInt32(1);
result.writeToParcel(reply);
@@ -1651,8 +1660,9 @@
const uint8_t* entropy = NULL;
size_t entropyLength = 0;
readByteArray(data, &entropy, &entropyLength);
+ int32_t uid = data.readInt32();
OperationResult result;
- begin(token, name, purpose, pruneable, args, entropy, entropyLength, &result);
+ begin(token, name, purpose, pruneable, args, entropy, entropyLength, uid, &result);
reply->writeNoException();
reply->writeInt32(1);
result.writeToParcel(reply);
diff --git a/keystore/include/keystore/IKeystoreService.h b/keystore/include/keystore/IKeystoreService.h
index c136dfd..7160b5a 100644
--- a/keystore/include/keystore/IKeystoreService.h
+++ b/keystore/include/keystore/IKeystoreService.h
@@ -140,7 +140,7 @@
virtual int32_t getState(int32_t userId) = 0;
- virtual int32_t get(const String16& name, uint8_t** item, size_t* itemLength) = 0;
+ virtual int32_t get(const String16& name, int32_t uid, uint8_t** item, size_t* itemLength) = 0;
virtual int32_t insert(const String16& name, const uint8_t* item, size_t itemLength, int uid,
int32_t flags) = 0;
@@ -179,7 +179,7 @@
virtual int32_t ungrant(const String16& name, int32_t granteeUid) = 0;
- virtual int64_t getmtime(const String16& name) = 0;
+ virtual int64_t getmtime(const String16& name, int32_t uid) = 0;
virtual int32_t duplicate(const String16& srcKey, int32_t srcUid, const String16& destKey,
int32_t destUid) = 0;
@@ -197,6 +197,7 @@
virtual int32_t getKeyCharacteristics(const String16& name,
const keymaster_blob_t* clientId,
const keymaster_blob_t* appData,
+ int32_t uid,
KeyCharacteristics* outCharacteristics) = 0;
virtual int32_t importKey(const String16& name, const KeymasterArguments& params,
@@ -206,12 +207,12 @@
virtual void exportKey(const String16& name, keymaster_key_format_t format,
const keymaster_blob_t* clientId,
- const keymaster_blob_t* appData, ExportResult* result) = 0;
+ const keymaster_blob_t* appData, int32_t uid, ExportResult* result) = 0;
virtual void begin(const sp<IBinder>& apptoken, const String16& name,
keymaster_purpose_t purpose, bool pruneable,
const KeymasterArguments& params, const uint8_t* entropy,
- size_t entropyLength, OperationResult* result) = 0;
+ size_t entropyLength, int32_t uid, OperationResult* result) = 0;
virtual void update(const sp<IBinder>& token, const KeymasterArguments& params,
const uint8_t* data, size_t dataLength, OperationResult* result) = 0;
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index 77b3039..9eb6c7b 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -257,8 +257,6 @@
params->push_back(keymaster_param_date(KM_TAG_ORIGINATION_EXPIRE_DATETIME, LLONG_MAX));
params->push_back(keymaster_param_date(KM_TAG_USAGE_EXPIRE_DATETIME, LLONG_MAX));
params->push_back(keymaster_param_date(KM_TAG_ACTIVE_DATETIME, 0));
- uint64_t now = keymaster::java_time(time(NULL));
- params->push_back(keymaster_param_date(KM_TAG_CREATION_DATETIME, now));
}
/***************
@@ -1896,16 +1894,16 @@
return mKeyStore->getState(userId);
}
- int32_t get(const String16& name, uint8_t** item, size_t* itemLength) {
- if (!checkBinderPermission(P_GET)) {
+ int32_t get(const String16& name, int32_t uid, uint8_t** item, size_t* itemLength) {
+ uid_t targetUid = getEffectiveUid(uid);
+ if (!checkBinderPermission(P_GET, targetUid)) {
return ::PERMISSION_DENIED;
}
- uid_t callingUid = IPCThreadState::self()->getCallingUid();
String8 name8(name);
Blob keyBlob;
- ResponseCode responseCode = mKeyStore->getKeyForName(&keyBlob, name8, callingUid,
+ ResponseCode responseCode = mKeyStore->getKeyForName(&keyBlob, name8, targetUid,
TYPE_GENERIC);
if (responseCode != ::NO_ERROR) {
*item = NULL;
@@ -2244,7 +2242,7 @@
*/
int32_t get_pubkey(const String16& name, uint8_t** pubkey, size_t* pubkeyLength) {
ExportResult result;
- exportKey(name, KM_KEY_FORMAT_X509, NULL, NULL, &result);
+ exportKey(name, KM_KEY_FORMAT_X509, NULL, NULL, UID_SELF, &result);
if (result.resultCode != ::NO_ERROR) {
ALOGW("export failed: %d", result.resultCode);
return translateResultToLegacyResult(result.resultCode);
@@ -2290,15 +2288,15 @@
return mKeyStore->removeGrant(filename.string(), granteeUid) ? ::NO_ERROR : ::KEY_NOT_FOUND;
}
- int64_t getmtime(const String16& name) {
- uid_t callingUid = IPCThreadState::self()->getCallingUid();
- if (!checkBinderPermission(P_GET)) {
- ALOGW("permission denied for %d: getmtime", callingUid);
+ int64_t getmtime(const String16& name, int32_t uid) {
+ uid_t targetUid = getEffectiveUid(uid);
+ if (!checkBinderPermission(P_GET, targetUid)) {
+ ALOGW("permission denied for %d: getmtime", targetUid);
return -1L;
}
String8 name8(name);
- String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, callingUid));
+ String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, targetUid));
if (access(filename.string(), R_OK) == -1) {
ALOGW("could not access %s for getmtime", filename.string());
@@ -2508,18 +2506,25 @@
int32_t getKeyCharacteristics(const String16& name,
const keymaster_blob_t* clientId,
const keymaster_blob_t* appData,
+ int32_t uid,
KeyCharacteristics* outCharacteristics) {
if (!outCharacteristics) {
return KM_ERROR_UNEXPECTED_NULL_POINTER;
}
+ uid_t targetUid = getEffectiveUid(uid);
uid_t callingUid = IPCThreadState::self()->getCallingUid();
+ if (!is_granted_to(callingUid, targetUid)) {
+ ALOGW("uid %d not permitted to act for uid %d in getKeyCharacteristics", callingUid,
+ targetUid);
+ return ::PERMISSION_DENIED;
+ }
Blob keyBlob;
String8 name8(name);
int rc;
- ResponseCode responseCode = mKeyStore->getKeyForName(&keyBlob, name8, callingUid,
+ ResponseCode responseCode = mKeyStore->getKeyForName(&keyBlob, name8, targetUid,
TYPE_KEYMASTER_10);
if (responseCode != ::NO_ERROR) {
return responseCode;
@@ -2600,15 +2605,22 @@
void exportKey(const String16& name, keymaster_key_format_t format,
const keymaster_blob_t* clientId,
- const keymaster_blob_t* appData, ExportResult* result) {
+ const keymaster_blob_t* appData, int32_t uid, ExportResult* result) {
+ uid_t targetUid = getEffectiveUid(uid);
uid_t callingUid = IPCThreadState::self()->getCallingUid();
+ if (!is_granted_to(callingUid, targetUid)) {
+ ALOGW("uid %d not permitted to act for uid %d in exportKey", callingUid,
+ targetUid);
+ result->resultCode = ::PERMISSION_DENIED;
+ return;
+ }
Blob keyBlob;
String8 name8(name);
int rc;
- ResponseCode responseCode = mKeyStore->getKeyForName(&keyBlob, name8, callingUid,
+ ResponseCode responseCode = mKeyStore->getKeyForName(&keyBlob, name8, targetUid,
TYPE_KEYMASTER_10);
if (responseCode != ::NO_ERROR) {
result->resultCode = responseCode;
@@ -2632,8 +2644,15 @@
void begin(const sp<IBinder>& appToken, const String16& name, keymaster_purpose_t purpose,
bool pruneable, const KeymasterArguments& params, const uint8_t* entropy,
- size_t entropyLength, OperationResult* result) {
+ size_t entropyLength, int32_t uid, OperationResult* result) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
+ uid_t targetUid = getEffectiveUid(uid);
+ if (!is_granted_to(callingUid, targetUid)) {
+ ALOGW("uid %d not permitted to act for uid %d in begin", callingUid,
+ targetUid);
+ result->resultCode = ::PERMISSION_DENIED;
+ return;
+ }
if (!pruneable && get_app_id(callingUid) != AID_SYSTEM) {
ALOGE("Non-system uid %d trying to start non-pruneable operation", callingUid);
result->resultCode = ::PERMISSION_DENIED;
@@ -2645,7 +2664,7 @@
}
Blob keyBlob;
String8 name8(name);
- ResponseCode responseCode = mKeyStore->getKeyForName(&keyBlob, name8, callingUid,
+ ResponseCode responseCode = mKeyStore->getKeyForName(&keyBlob, name8, targetUid,
TYPE_KEYMASTER_10);
if (responseCode != ::NO_ERROR) {
result->resultCode = responseCode;
@@ -3236,7 +3255,7 @@
// Look up the algorithm of the key.
KeyCharacteristics characteristics;
- int32_t rc = getKeyCharacteristics(name, NULL, NULL, &characteristics);
+ int32_t rc = getKeyCharacteristics(name, NULL, NULL, UID_SELF, &characteristics);
if (rc != ::NO_ERROR) {
ALOGE("Failed to get key characteristics");
return;
@@ -3260,7 +3279,7 @@
sp<IBinder> appToken(new BBinder);
sp<IBinder> token;
- begin(appToken, name, purpose, true, inArgs, NULL, 0, &result);
+ begin(appToken, name, purpose, true, inArgs, NULL, 0, UID_SELF, &result);
if (result.resultCode != ResponseCode::NO_ERROR) {
if (result.resultCode == ::KEY_NOT_FOUND) {
ALOGW("Key not found");
diff --git a/keystore/keystore_cli.cpp b/keystore/keystore_cli.cpp
index 34f1d9c..7f6996b 100644
--- a/keystore/keystore_cli.cpp
+++ b/keystore/keystore_cli.cpp
@@ -104,7 +104,7 @@
int uid = -1; \
if (argc > 3) { \
uid = atoi(argv[3]); \
- fprintf(stderr, "Working with uid %d\n", uid); \
+ fprintf(stderr, "Running as uid %d\n", uid); \
} \
int32_t ret = service->cmd(String16(argv[2]), uid); \
if (ret < 0) { \
@@ -117,28 +117,47 @@
} \
} while (0)
-#define STING_ARG_DATA_STDIN_PLUS_UID_PLUS_FLAGS_INT_RETURN(cmd) \
+#define SINGLE_ARG_PLUS_UID_DATA_RETURN(cmd) \
do { \
if (strcmp(argv[1], #cmd) == 0) { \
if (argc < 3) { \
- fprintf(stderr, "Usage: %s " #cmd " <name> [<uid>, <flags>]\n", argv[0]); \
+ fprintf(stderr, "Usage: %s " #cmd " <name> <uid>\n", argv[0]); \
+ return 1; \
+ } \
+ uint8_t* data; \
+ size_t dataSize; \
+ int uid = -1; \
+ if (argc > 3) { \
+ uid = atoi(argv[3]); \
+ fprintf(stderr, "Running as uid %d\n", uid); \
+ } \
+ int32_t ret = service->cmd(String16(argv[2]), uid, &data, &dataSize); \
+ if (ret < 0) { \
+ fprintf(stderr, "%s: could not connect: %d\n", argv[0], ret); \
+ return 1; \
+ } else if (ret != ::NO_ERROR) { \
+ fprintf(stderr, "%s: " #cmd ": %s (%d)\n", argv[0], responses[ret], ret); \
+ return 1; \
+ } else { \
+ fwrite(data, dataSize, 1, stdout); \
+ fflush(stdout); \
+ free(data); \
+ return 0; \
+ } \
+ } \
+ } while (0)
+
+#define STING_ARG_DATA_STDIN_INT_RETURN(cmd) \
+ do { \
+ if (strcmp(argv[1], #cmd) == 0) { \
+ if (argc < 3) { \
+ fprintf(stderr, "Usage: %s " #cmd " <name>\n", argv[0]); \
return 1; \
} \
uint8_t* data; \
size_t dataSize; \
read_input(&data, &dataSize); \
- int uid = -1; \
- if (argc > 3) { \
- uid = atoi(argv[3]); \
- fprintf(stderr, "Working with uid %d\n", uid); \
- } \
- int32_t flags = 0; \
- if (argc > 4) { \
- flags = int32_t(atoi(argv[4])); \
- fprintf(stderr, "Using flags %04x\n", flags); \
- } \
- int32_t ret = service->cmd(String16(argv[2]), data, dataSize, uid, flags); \
- free(data); \
+ int32_t ret = service->cmd(String16(argv[2]), data, dataSize); \
if (ret < 0) { \
fprintf(stderr, "%s: could not connect: %d\n", argv[0], ret); \
return 1; \
@@ -162,16 +181,14 @@
if (ret < 0) { \
fprintf(stderr, "%s: could not connect: %d\n", argv[0], ret); \
return 1; \
- } else if (ret) { \
+ } else if (ret != ::NO_ERROR) { \
fprintf(stderr, "%s: " #cmd ": %s (%d)\n", argv[0], responses[ret], ret); \
return 1; \
- } else if (dataSize) { \
+ } else { \
fwrite(data, dataSize, 1, stdout); \
fflush(stdout); \
free(data); \
return 0; \
- } else { \
- return 1; \
} \
} \
} while (0)
@@ -194,39 +211,6 @@
}
}
-#define BUF_SIZE 1024
-static void read_input(uint8_t** data, size_t* dataSize) {
- char buffer[BUF_SIZE];
- size_t contentSize = 0;
- char *content = (char *) malloc(sizeof(char) * BUF_SIZE);
-
- if (content == NULL) {
- fprintf(stderr, "read_input: failed to allocate content");
- exit(1);
- }
- content[0] = '\0';
- while (fgets(buffer, BUF_SIZE, stdin)) {
- char *old = content;
- contentSize += strlen(buffer);
- content = (char *) realloc(content, contentSize);
- if (content == NULL) {
- fprintf(stderr, "read_input: failed to reallocate content.");
- free(old);
- exit(1);
- }
- strcat(content, buffer);
- }
-
- if (ferror(stdin)) {
- free(content);
- fprintf(stderr, "read_input: error reading from stdin.");
- exit(1);
- }
-
- *data = (uint8_t*) content;
- *dataSize = contentSize;
-}
-
int main(int argc, char* argv[])
{
if (argc < 2) {
@@ -249,9 +233,9 @@
SINGLE_INT_ARG_INT_RETURN(getState);
- SINGLE_ARG_DATA_RETURN(get);
+ SINGLE_ARG_PLUS_UID_DATA_RETURN(get);
- STING_ARG_DATA_STDIN_PLUS_UID_PLUS_FLAGS_INT_RETURN(insert);
+ // TODO: insert
SINGLE_ARG_PLUS_UID_INT_RETURN(del);
@@ -276,7 +260,7 @@
SINGLE_ARG_DATA_RETURN(get_pubkey);
- SINGLE_ARG_PLUS_UID_INT_RETURN(grant);
+ // TODO: grant
// TODO: ungrant
diff --git a/keystore/keystore_get.cpp b/keystore/keystore_get.cpp
index 45ad415..2783816 100644
--- a/keystore/keystore_get.cpp
+++ b/keystore/keystore_get.cpp
@@ -31,7 +31,7 @@
}
size_t valueLength;
- int32_t ret = service->get(String16(key, keyLength), value, &valueLength);
+ int32_t ret = service->get(String16(key, keyLength), -1, value, &valueLength);
if (ret < 0) {
return -1;
} else if (ret != ::NO_ERROR) {
diff --git a/keystore/test-keystore b/keystore/test-keystore
index 071cfcd..3be51b3 100755
--- a/keystore/test-keystore
+++ b/keystore/test-keystore
@@ -44,7 +44,7 @@
function run() {
# strip out carriage returns from adb
# strip out date/time from ls -l
- "$@" | tr -d '\r' | sed -E 's/[0-9]{4}-[0-9]{2}-[0-9]{2} +[0-9]{1,2}:[0-9]{2} //' >> $log_file
+ "$@" | tr --delete '\r' | sed -E 's/[0-9]{4}-[0-9]{2}-[0-9]{2} +[0-9]{1,2}:[0-9]{2} //' >> $log_file
}
function keystore() {
@@ -53,15 +53,8 @@
run adb shell su $user keystore_cli "$@"
}
-function keystore_in() {
- declare -r user=$1
- declare -r input=$2
- shift; shift
- run adb shell "echo '$input' | su $user keystore_cli $@"
-}
-
function list_keystore_directory() {
- run adb shell ls -al /data/misc/keystore$@
+ run adb shell ls -al /data/misc/keystore
}
function compare() {
@@ -75,211 +68,195 @@
# reset
#
log "reset keystore as system user"
- keystore system reset
- expect "reset: No error (1)"
+ keystore system r
+ expect "1 No error"
list_keystore_directory
- expect "-rw------- keystore keystore 4 .metadata"
- expect "drwx------ keystore keystore user_0"
#
# basic tests as system/root
#
log "root does not have permission to run test"
- keystore root test
- expect "test: Permission denied (6)"
-
+ keystore root t
+ expect "6 Permission denied"
+
log "but system user does"
- keystore system test
- expect "test: Uninitialized (3)"
+ keystore system t
+ expect "3 Uninitialized"
list_keystore_directory
- expect "-rw------- keystore keystore 4 .metadata"
- expect "drwx------ keystore keystore user_0"
log "password is now bar"
- keystore system password bar
- expect "password: No error (1)"
- list_keystore_directory /user_0
+ keystore system p bar
+ expect "1 No error"
+ list_keystore_directory
expect "-rw------- keystore keystore 84 .masterkey"
-
+
log "no error implies initialized and unlocked"
- keystore system test
- expect "test: No error (1)"
-
+ keystore system t
+ expect "1 No error"
+
log "saw with no argument"
- keystore system saw
+ keystore system s
+ expect "5 Protocol error"
log "saw nothing"
- keystore system saw ""
+ keystore system s ""
+ expect "1 No error"
log "add key baz"
- keystore_in system quux insert baz
- expect "insert: No error (1)"
+ keystore system i baz quux
+ expect "1 No error"
log "1000 is uid of system"
- list_keystore_directory /user_0
+ list_keystore_directory
expect "-rw------- keystore keystore 84 .masterkey"
expect "-rw------- keystore keystore 52 1000_baz"
log "saw baz"
- keystore system saw
+ keystore system s ""
+ expect "1 No error"
expect "baz"
log "get baz"
- keystore system get baz
+ keystore system g baz
+ expect "1 No error"
expect "quux"
log "root can read system user keys (as can wifi or vpn users)"
- keystore root get baz
+ keystore root g baz
+ expect "1 No error"
expect "quux"
#
# app user tests
#
- # u0_a0 has uid 10000, as seen below
+ # app_0 has uid 10000, as seen below
log "other uses cannot see the system keys"
- keystore u0_a0 get baz
-
+ keystore app_0 g baz
+ expect "7 Key not found"
+
log "app user cannot use reset, password, lock, unlock"
- keystore u0_a0 reset
- expect "reset: Permission denied (6)"
- keystore u0_a0 password some_pass
- expect "password: Permission denied (6)"
- keystore u0_a0 lock
- expect "lock: Permission denied (6)"
- keystore u0_a0 unlock some_pass
- expect "unlock: Permission denied (6)"
+ keystore app_0 r
+ expect "6 Permission denied"
+ keystore app_0 p
+ expect "6 Permission denied"
+ keystore app_0 l
+ expect "6 Permission denied"
+ keystore app_0 u
+ expect "6 Permission denied"
- log "install u0_a0 key"
- keystore_in u0_a0 deadbeef insert 0x
- expect "insert: No error (1)"
- list_keystore_directory /user_0
+ log "install app_0 key"
+ keystore app_0 i 0x deadbeef
+ expect 1 No error
+ list_keystore_directory
expect "-rw------- keystore keystore 84 .masterkey"
expect "-rw------- keystore keystore 52 10000_0x"
expect "-rw------- keystore keystore 52 1000_baz"
log "get with no argument"
- keystore u0_a0 get
- expect "Usage: keystore_cli get <name>"
-
- log "few get tests for an app"
- keystore u0_a0 get 0x
+ keystore app_0 g
+ expect "5 Protocol error"
+
+ keystore app_0 g 0x
+ expect "1 No error"
expect "deadbeef"
-
- keystore_in u0_a0 barney insert fred
- expect "insert: No error (1)"
-
- keystore u0_a0 saw
+
+ keystore app_0 i fred barney
+ expect "1 No error"
+
+ keystore app_0 s ""
+ expect "1 No error"
expect "0x"
expect "fred"
log "note that saw returns the suffix of prefix matches"
- keystore u0_a0 saw fr # fred
+ keystore app_0 s fr # fred
+ expect "1 No error"
expect "ed" # fred
#
# lock tests
#
log "lock the store as system"
- keystore system lock
- expect "lock: No error (1)"
- keystore system test
- expect "test: Locked (2)"
-
+ keystore system l
+ expect "1 No error"
+ keystore system t
+ expect "2 Locked"
+
log "saw works while locked"
- keystore u0_a0 saw
+ keystore app_0 s ""
+ expect "1 No error"
expect "0x"
expect "fred"
- log "...and app can read keys..."
- keystore u0_a0 get 0x
- expect "deadbeef"
-
- log "...but they cannot be deleted."
- keystore u0_a0 exist 0x
- expect "exist: No error (1)"
- keystore u0_a0 del_key 0x
- expect "del_key: Key not found (7)"
+ log "...but cannot read keys..."
+ keystore app_0 g 0x
+ expect "2 Locked"
+
+ log "...but they can be deleted."
+ keystore app_0 e 0x
+ expect "1 No error"
+ keystore app_0 d 0x
+ expect "1 No error"
+ keystore app_0 e 0x
+ expect "7 Key not found"
#
# password
#
log "wrong password"
- keystore system unlock foo
- expect "unlock: Wrong password (4 tries left) (13)"
+ keystore system u foo
+ expect "13 Wrong password (4 tries left)"
log "right password"
- keystore system unlock bar
- expect "unlock: No error (1)"
-
+ keystore system u bar
+ expect "1 No error"
+
log "make the password foo"
- keystore system password foo
- expect "password: No error (1)"
-
+ keystore system p foo
+ expect "1 No error"
+
#
# final reset
#
log "reset wipes everything for all users"
- keystore system reset
- expect "reset: No error (1)"
+ keystore system r
+ expect "1 No error"
list_keystore_directory
- expect "-rw------- keystore keystore 4 .metadata"
- expect "drwx------ keystore keystore user_0"
- list_keystore_directory /user_0
-
- keystore system test
- expect "test: Uninitialized (3)"
-}
-
-function test_grant() {
- log "test granting"
- keystore system reset
- expect "reset: No error (1)"
- keystore system password test_pass
- expect "password: No error (1)"
-
- keystore_in system granted_key_value insert granted_key
- expect "insert: No error (1)"
-
- # Cannot read before grant.
- keystore u10_a0 get granted_key
- # Grant and read.
- log "System grants to u0_a1"
- keystore system grant granted_key 10001
- expect "Working with uid 10001"
- expect "grant: No error (1)"
- keystore u0_a1 get 1000_granted_key
- expect "granted_key_value"
+ keystore system t
+ expect "3 Uninitialized"
+
}
function test_4599735() {
# http://b/4599735
log "start regression test for b/4599735"
- keystore system reset
- expect "reset: No error (1)"
- list_keystore_directory /user_0
+ keystore system r
+ expect "1 No error"
- keystore system password foo
- expect "password: No error (1)"
+ keystore system p foo
+ expect "1 No error"
- keystore_in system quux insert baz
- expect "insert: No error (1)"
-
- keystore root get baz
+ keystore system i baz quux
+ expect "1 No error"
+
+ keystore root g baz
+ expect "1 No error"
expect "quux"
- keystore system lock
- expect "lock: No error (1)"
+ keystore system l
+ expect "1 No error"
- keystore system password foo
- expect "password: No error (1)"
+ keystore system p foo
+ expect "1 No error"
log "after unlock, regression led to result of '8 Value corrupted'"
- keystore root get baz
+ keystore root g baz
+ expect "1 No error"
expect "quux"
- keystore system reset
- expect "reset: No error (1)"
+ keystore system r
+ expect "1 No error"
log "end regression test for b/4599735"
}
@@ -288,7 +265,6 @@
log $tag START
test_basic
test_4599735
- test_grant
compare
log $tag PASSED
cleanup_output