Implement onLockScreenEvent method of IKeystoreAuthorization AIDL interface.
In addition, this CL creates a global instance of LegacyBlobLoader.
Bug: 159475191,166672367
Test: TBD
Change-Id: I04005238f973b5eae98a07400688ea17edba80f8
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 7a87e8d..943f69f 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -33,6 +33,7 @@
use crate::auth_token_handler::AuthTokenHandler;
use crate::globals::ENFORCEMENTS;
use crate::key_parameter::KeyParameter as KsKeyParam;
+use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
use crate::utils::{check_key_permission, Asp};
use crate::{database::KeyIdGuard, globals::DB};
use crate::{
@@ -47,6 +48,7 @@
use crate::{
error::{self, map_km_error, map_or_log_err, Error, ErrorCode},
utils::key_characteristics_to_internal,
+ utils::uid_to_android_user,
};
use anyhow::{Context, Result};
use binder::{IBinder, Interface, ThreadState};
@@ -83,6 +85,7 @@
&self,
key: KeyDescriptor,
creation_result: KeyCreationResult,
+ user_id: u32,
) -> Result<KeyMetadata> {
let KeyCreationResult {
keyBlob: key_blob,
@@ -108,7 +111,12 @@
},
);
- let key_parameters = key_characteristics_to_internal(key_characteristics);
+ let mut key_parameters = key_characteristics_to_internal(key_characteristics);
+
+ key_parameters.push(KsKeyParam::new(
+ KsKeyParamValue::UserID(user_id as i32),
+ SecurityLevel::SOFTWARE,
+ ));
let creation_date = DateTime::now().context("Trying to make creation time.")?;
@@ -335,11 +343,12 @@
return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
.context("In generate_key: Alias must be specified");
}
+ let caller_uid = ThreadState::get_calling_uid();
let key = match key.domain {
Domain::APP => KeyDescriptor {
domain: key.domain,
- nspace: ThreadState::get_calling_uid() as i64,
+ nspace: caller_uid as i64,
alias: key.alias.clone(),
blob: None,
},
@@ -353,7 +362,8 @@
map_km_error(km_dev.addRngEntropy(entropy))?;
let creation_result = map_km_error(km_dev.generateKey(¶ms))?;
- self.store_new_key(key, creation_result).context("In generate_key.")
+ let user_id = uid_to_android_user(caller_uid);
+ self.store_new_key(key, creation_result, user_id).context("In generate_key.")
}
fn import_key(
@@ -368,11 +378,12 @@
return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
.context("In import_key: Alias must be specified");
}
+ let caller_uid = ThreadState::get_calling_uid();
let key = match key.domain {
Domain::APP => KeyDescriptor {
domain: key.domain,
- nspace: ThreadState::get_calling_uid() as i64,
+ nspace: caller_uid as i64,
alias: key.alias.clone(),
blob: None,
},
@@ -401,7 +412,8 @@
let km_dev: Box<dyn IKeyMintDevice> = self.keymint.get_interface()?;
let creation_result = map_km_error(km_dev.importKey(¶ms, format, key_data))?;
- self.store_new_key(key, creation_result).context("In import_key.")
+ let user_id = uid_to_android_user(caller_uid);
+ self.store_new_key(key, creation_result, user_id).context("In import_key.")
}
fn import_wrapped_key(
@@ -432,10 +444,11 @@
}
};
+ let caller_uid = ThreadState::get_calling_uid();
let key = match key.domain {
Domain::APP => KeyDescriptor {
domain: key.domain,
- nspace: ThreadState::get_calling_uid() as i64,
+ nspace: caller_uid as i64,
alias: key.alias.clone(),
blob: None,
},
@@ -451,7 +464,7 @@
wrapping_key.clone(),
KeyType::Client,
KeyEntryLoadBits::KM,
- ThreadState::get_calling_uid(),
+ caller_uid,
|k, av| check_key_permission(KeyPerm::use_(), k, &av),
)
})
@@ -509,7 +522,8 @@
},
)?;
- self.store_new_key(key, creation_result).context("In import_wrapped_key.")
+ let user_id = uid_to_android_user(caller_uid);
+ self.store_new_key(key, creation_result, user_id).context("In import_wrapped_key.")
}
fn upgrade_keyblob_if_required_with<T, F>(