Deprecate get in ILegacyKeystore
This pull request initiates the deprecation of the
get method in the ILegacyKeystore interface. This
is the first step towards phasing out the legacy
keystore, which was intended to be disabled but
remains in use due to dependencies in the VPN and
WIFI code.
- The get method in ILegacyKeystore is marked as deprecated.
- Clear warnings are added to indicate that this method
is no longer recommended for use and will be removed in the future.
The existing behavior of get is maintained for
now to avoid immediate disruptions to the VPN
and WIFI code.
Test: atest CtsKeystoreTestCases
Bug: 307460850
Change-Id: I912eed99d8e7cd35ed3a7a06096d911984a2eb41
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index ed9cd88..28bdfea 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -162,6 +162,11 @@
srcs: ["aconfig/flags.aconfig"],
}
+java_aconfig_library {
+ name: "keystore2_flags_java",
+ aconfig_declarations: "keystore2_flags",
+}
+
rust_aconfig_library {
name: "libkeystore2_flags_rust",
crate_name: "keystore2_flags",
diff --git a/keystore2/aconfig/flags.aconfig b/keystore2/aconfig/flags.aconfig
index 856b42e..65f0857 100644
--- a/keystore2/aconfig/flags.aconfig
+++ b/keystore2/aconfig/flags.aconfig
@@ -18,6 +18,14 @@
}
flag {
+ name: "disable_legacy_keystore_get"
+ namespace: "hardware_backed_security"
+ description: "This flag disables legacy keystore get and makes it so that get returns an error"
+ bug: "307460850"
+ is_fixed_read_only: true
+}
+
+flag {
name: "import_previously_emulated_keys"
namespace: "hardware_backed_security"
description: "Include support for importing keys that were previously software-emulated into KeyMint"
diff --git a/keystore2/legacykeystore/lib.rs b/keystore2/legacykeystore/lib.rs
index 8e6040b..b173da8 100644
--- a/keystore2/legacykeystore/lib.rs
+++ b/keystore2/legacykeystore/lib.rs
@@ -134,6 +134,7 @@
}
fn get(&mut self, caller_uid: u32, alias: &str) -> Result<Option<Vec<u8>>> {
+ ensure_keystore_get_is_enabled()?;
self.with_transaction(TransactionBehavior::Deferred, |tx| {
tx.query_row(
"SELECT profile FROM profiles WHERE owner = ? AND alias = ?;",
@@ -239,6 +240,17 @@
}
}
+fn ensure_keystore_get_is_enabled() -> Result<()> {
+ if keystore2_flags::disable_legacy_keystore_get() {
+ Err(Error::deprecated()).context(concat!(
+ "Retrieving from Keystore's legacy database is ",
+ "no longer supported, store in an app-specific database instead"
+ ))
+ } else {
+ Ok(())
+ }
+}
+
struct LegacyKeystoreDeleteListener {
legacy_keystore: Arc<LegacyKeystore>,
}
@@ -313,6 +325,7 @@
}
fn get(&self, alias: &str, uid: i32) -> Result<Vec<u8>> {
+ ensure_keystore_get_is_enabled()?;
let mut db = self.open_db().context("In get.")?;
let uid = Self::get_effective_uid(uid).context("In get.")?;