Merge changes from topic "keystore-niap"
* changes:
Increase the master key size to 256 bits
Use vector to pass around keys
Use SHA256 for 32 byte keys
Replace Entropy with RAND_bytes
diff --git a/keystore/Android.bp b/keystore/Android.bp
index fd24979..a12183f 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -13,7 +13,6 @@
},
clang: true,
- cpp_std: "c++17",
}
cc_binary {
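Review bot: Dropping `cpp_std: "c++17"` makes the modules using this block depend on the build system's default standard, and key_store_service.cpp in this same change uses structured bindings (`auto [success, hwEnforced, swEnforced] = ...`), which need C++17. If the default is already C++17 or newer this is harmless, but that is not visible from the hunk. The commit message should say which default is being relied on, so a later toolchain change does not break the build silently.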
diff --git a/keystore/binder/android/security/keystore/IKeystoreService.aidl b/keystore/binder/android/security/keystore/IKeystoreService.aidl
index ea1e0f4..348964f 100644
--- a/keystore/binder/android/security/keystore/IKeystoreService.aidl
+++ b/keystore/binder/android/security/keystore/IKeystoreService.aidl
@@ -75,5 +75,5 @@
int cancelConfirmationPrompt(IBinder listener);
boolean isConfirmationPromptSupported();
int onKeyguardVisibilityChanged(in boolean isShowing, in int userId);
- int listUidsOfAuthBoundKeys(out int[] uids);
+ int listUidsOfAuthBoundKeys(out @utf8InCpp List<String> uids);
}
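Review bot: The new `out @utf8InCpp List<String> uids` parameter has no comment saying what the strings contain, so callers have to guess that each entry is a decimal uid and parse it themselves. I would add a comment above the method such as `// uids are returned as decimal strings because aidl-cpp does not support integer list out-parameters; callers must parse and validate each entry.` Changing the parameter type on an existing method presumably also changes its wire format, so any client built against the old `int[]` signature needs to be rebuilt with this change.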
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 2f17848..a7fcd38 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -281,7 +281,7 @@
* if the password/pin is removed. Only allowed to be called by system.
* The output is bound by the initial size of uidsOut to be compatible with Java.
*/
-Status KeyStoreService::listUidsOfAuthBoundKeys(::std::vector<int32_t>* uidsOut,
+Status KeyStoreService::listUidsOfAuthBoundKeys(std::vector<std::string>* uidsOut,
int32_t* aidl_return) {
const int32_t callingUid = IPCThreadState::self()->getCallingUid();
const int32_t userId = get_user_id(callingUid);
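Review bot: The doc comment above `listUidsOfAuthBoundKeys` still says `The output is bound by the initial size of uidsOut to be compatible with Java`, but the later hunks in this file drop the pre-sized iterator and append with `push_back`, so that sentence no longer describes the function. I would replace it with something like `uidsOut receives each uid as a decimal string, one entry per uid, with no fixed upper bound.` The comment block and the function body both extend beyond this hunk, so the "Only allowed to be called by system" check cannot be confirmed from here.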
@@ -312,14 +312,11 @@
return Status::fromServiceSpecificError(static_cast<int32_t>(rc));
}
- auto it = uidsOut->begin();
for (LockedKeyBlobEntry& entry : internal_matches) {
- if (it == uidsOut->end()) {
- ALOGW("Maximum number (%d) of auth bound uids found, truncating remainder",
- static_cast<int32_t>(uidsOut->capacity()));
- break;
- }
- if (std::find(uidsOut->begin(), it, entry->uid()) != it) {
+ // Need to store uids as a list of strings because integer list output
+ // parameters is not supported in aidl-cpp.
+ std::string entryUid = std::to_string(entry->uid());
+ if (std::find(uidsOut->begin(), uidsOut->end(), entryUid) != uidsOut->end()) {
// uid already in list, skip
continue;
}
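Review bot: The duplicate check in the loop now searches whatever `uidsOut` already holds, so the result is only correct if the vector is empty on entry, and nothing in the visible lines guarantees that. The generated binder stub presumably passes a fresh vector, but an in-process caller might not, so adding `uidsOut->clear();` before the `for` would make the contract explicit. The truncation guard is also gone, so the list length now depends on how many distinct uids own auth-bound keys, which deserves a line in the function comment. A small wording fix in the new comment: `parameters is not supported` should read `parameters are not supported`. The loop body continues in the next two hunks.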
@@ -331,7 +328,7 @@
}
if (blob && blob.isEncrypted()) {
- *it++ = entry->uid();
+ uidsOut->push_back(entryUid);
} else if (charBlob) {
auto [success, hwEnforced, swEnforced] = charBlob.getKeyCharacteristics();
if (!success) {
@@ -340,7 +337,7 @@
}
if (hwEnforced.Contains(TAG_USER_SECURE_ID) ||
swEnforced.Contains(TAG_USER_SECURE_ID)) {
- *it++ = entry->uid();
+ uidsOut->push_back(entryUid);
}
}
}
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 5a3586f..2171213 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -61,7 +61,7 @@
int32_t* _aidl_return) override;
::android::binder::Status list(const ::android::String16& namePrefix, int32_t uid,
::std::vector<::android::String16>* _aidl_return) override;
- ::android::binder::Status listUidsOfAuthBoundKeys(::std::vector<int32_t>* uids,
+ ::android::binder::Status listUidsOfAuthBoundKeys(std::vector<::std::string>* uids,
int32_t* _aidl_return) override;
::android::binder::Status reset(int32_t* _aidl_return) override;
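Review bot: The new declaration mixes qualification styles: `std::vector<::std::string>* uids` sits between declarations that all use the fully qualified `::std::vector<...>` form. For consistency with the neighbouring overrides I would write `::android::binder::Status listUidsOfAuthBoundKeys(::std::vector<::std::string>* uids,`. The definition in key_store_service.cpp uses the unqualified `std::vector<std::string>`, so it is worth picking one spelling for both. The class body extends beyond this hunk.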
diff --git a/keystore/keymaster_worker.cpp b/keystore/keymaster_worker.cpp
index c7d2671..fd07e86 100644
--- a/keystore/keymaster_worker.cpp
+++ b/keystore/keymaster_worker.cpp
@@ -346,7 +346,7 @@
{
hidl_vec<uint8_t> clientId;
hidl_vec<uint8_t> appData;
- for (auto param : opParams) {
+ for (const auto& param : opParams) {
if (param.tag == Tag::APPLICATION_ID) {
clientId = authorizationValue(TAG_APPLICATION_ID, param).value();
} else if (param.tag == Tag::APPLICATION_DATA) {
diff --git a/keystore/keystore_cli_v2.cpp b/keystore/keystore_cli_v2.cpp
index 0500da2..b46b221 100644
--- a/keystore/keystore_cli_v2.cpp
+++ b/keystore/keystore_cli_v2.cpp
@@ -384,7 +384,7 @@
return 1;
}
int32_t aidl_return;
- ::std::vector<int32_t> uids(100);
+ ::std::vector<::std::string> uids;
android::binder::Status status = service->listUidsOfAuthBoundKeys(&uids, &aidl_return);
if (!status.isOk()) {
fprintf(stderr, "Requesting uids of auth bound keys failed with error %s.\n",
@@ -397,8 +397,7 @@
}
printf("Apps with auth bound keys:\n");
for (auto i = uids.begin(); i != uids.end(); ++i) {
- if (*i == 0) break;
- printf("%d\n", *i);
+ printf("%s\n", i->c_str());
}
return 0;
}
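Review bot: With the zero-sentinel check removed, the explicit iterator loop in this hunk no longer needs the iterator, and a range-for reads more directly: `for (const auto& uid : uids) {` followed by `printf("%s\n", uid.c_str());`. Since the entries are now free-form strings, not integers, the tool prints whatever the service returned. A short comment that each entry is expected to be a decimal uid would help the next reader. The enclosing function starts outside the hunk.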