Keystore 2.0: Key garbage collection.
This patch introduces a key life cycle state in the keyentry table. We
use this to implement key garbage collection.
This patch:
* Introduces the key lifecycle.
* Database functionality for marking a key unreferenced, getting an
unreferenced key, and purging keys from the database.
* Implements the deleteKey API call of IKeyStoreService.
* Implements async_task, a single on-demand worker thread.
* Implements a garbage collector that collects unreferenced
keys and disposes of sensitive key material.
* Remove security level from the blobentry table.
Bug: 159340471
Test: keystore2_test
Change-Id: I84ffd64eaae1b86c645b50f100b1b399b9e16e40
diff --git a/keystore2/src/service.rs b/keystore2/src/service.rs
index d185025..9c5a697 100644
--- a/keystore2/src/service.rs
+++ b/keystore2/src/service.rs
@@ -165,18 +165,13 @@
.context("Failed to load key_entry.")?;
if let Some(cert) = public_cert {
- db.insert_blob(&key_id_guard, SubComponentType::CERT, cert, key_entry.sec_level())
+ db.insert_blob(&key_id_guard, SubComponentType::CERT, cert)
.context("Failed to update cert subcomponent.")?;
}
if let Some(cert_chain) = certificate_chain {
- db.insert_blob(
- &key_id_guard,
- SubComponentType::CERT_CHAIN,
- cert_chain,
- key_entry.sec_level(),
- )
- .context("Failed to update cert chain subcomponent.")?;
+ db.insert_blob(&key_id_guard, SubComponentType::CERT_CHAIN, cert_chain)
+ .context("Failed to update cert chain subcomponent.")?;
}
Ok(())
})
@@ -225,7 +220,13 @@
}
fn delete_key(&self, key: &KeyDescriptor) -> Result<()> {
- // TODO implement.
+ let caller_uid = ThreadState::get_calling_uid();
+ DB.with(|db| {
+ db.borrow_mut().unbind_key(key.clone(), KeyType::Client, caller_uid, |k, av| {
+ check_key_permission(KeyPerm::delete(), k, &av).context("During delete_key.")
+ })
+ })
+ .context("In delete_key: Trying to unbind the key.")?;
Ok(())
}
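Review bot: The new body of delete_key gives no indication that a successful return does not mean the key material is gone: per the commit description, unbind_key only marks the entry unreferenced and disposal of the sensitive material is deferred to the garbage collector, which a reader of this method alone would not guess. A short comment above the DB.with call would make that explicit, e.g. `// unbind_key only marks the entry unreferenced; the key material itself is purged later by the key garbage collector.` The closure passed to unbind_key appears to be the permission gate (KeyPerm::delete()) applied before the entry is touched, which is worth stating in that same comment if that is how unbind_key is specified. `key.clone()` on the KeyDescriptor looks like it could be a borrow if unbind_key accepts `&KeyDescriptor`, but its signature is outside this hunk, so that is only a guess.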