Implement onLockScreenEvent method of IKeystoreAuthorization AIDL interface.
In addition, this CL creates a global instance of LegacyBlobLoader.
Bug: 159475191,166672367
Test: TBD
Change-Id: I04005238f973b5eae98a07400688ea17edba80f8
diff --git a/keystore2/src/enforcements.rs b/keystore2/src/enforcements.rs
index 93e077c..4ff3950 100644
--- a/keystore2/src/enforcements.rs
+++ b/keystore2/src/enforcements.rs
@@ -211,6 +211,7 @@
let mut user_secure_ids = Vec::<i64>::new();
let mut key_time_out: Option<i64> = None;
let mut allow_while_on_body = false;
+ let mut unlocked_device_required = false;
// iterate through key parameters, recording information we need for authorization
// enforcements later, or enforcing authorizations in place, where applicable
@@ -267,12 +268,7 @@
user_id = *u;
}
KeyParameterValue::UnlockedDeviceRequired => {
- // check the device locked status. If locked, operations on the key are not
- // allowed.
- if self.is_device_locked(user_id) {
- return Err(KeystoreError::Km(Ec::DEVICE_LOCKED))
- .context("In authorize_create: device is locked.");
- }
+ unlocked_device_required = true;
}
KeyParameterValue::AllowWhileOnBody => {
allow_while_on_body = true;
@@ -320,6 +316,16 @@
);
}
+ if unlocked_device_required {
+ // check the device locked status. If locked, operations on the key are not
+ // allowed.
+ log::info!("Checking for lockd device of user {}.", user_id);
+ if self.is_device_locked(user_id) {
+ return Err(KeystoreError::Km(Ec::DEVICE_LOCKED))
+ .context("In authorize_create: device is locked.");
+ }
+ }
+
if !user_secure_ids.is_empty() {
// key requiring authentication per operation
if !is_time_out_key {