Keystore 2.0: Add super encryption infrastructure.
Add super_key.rs, a runtime key database for credential-based keys, and
the relevant metadata fields to the database.
Also in this patch:
* Add DateTime type to represent database wall clock time.
* Move creation time to key metadata.
* Add KeyType field to the keyentry table to accommodate super keys
and attestation keys.
Test: keystore2_test
Bug: 173545997
Change-Id: I670898174fb0223bf1c910051dfd7ead80b2c1a9
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 3657a43..a89f309 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -30,10 +30,13 @@
KeyMetadata::KeyMetadata, KeyParameters::KeyParameters,
};
-use crate::permission::KeyPerm;
use crate::utils::{check_key_permission, Asp};
use crate::{database::KeyIdGuard, globals::DB};
use crate::{
+ database::{DateTime, KeyMetaData, KeyMetaEntry, KeyType},
+ permission::KeyPerm,
+};
+use crate::{
database::{KeyEntry, KeyEntryLoadBits, SubComponentType},
operation::KeystoreOperation,
operation::OperationDb,
@@ -114,6 +117,8 @@
let key_parameters =
key_characteristics_to_internal(key_characteristics, self.security_level);
+ let creation_date = DateTime::now().context("Trying to make creation time.")?;
+
let key = match key.domain {
Domain::BLOB => {
KeyDescriptor { domain: Domain::BLOB, blob: Some(blob.data), ..Default::default() }
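Review bot: `creation_date` is read from the wall clock here and, judging by the later hunks, reused for both the stored `CreationDate` metadata and the returned `modificationTimeMs`, but nothing at the binding says so. A short comment such as `// Taken once so the database entry and the returned KeyMetadata carry the same timestamp.` would keep a later edit from calling `DateTime::now()` a second time. Because this is wall-clock time it can move backwards when the clock is adjusted, so it should not be relied on for ordering keys; that is worth stating in the `DateTime` documentation if it is not already there. The enclosing function starts and ends outside this hunk.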
@@ -126,7 +131,7 @@
.context("Trying to create a key entry.")?;
db.insert_blob(
&key_id,
- SubComponentType::KM_BLOB,
+ SubComponentType::KEY_BLOB,
&blob.data,
self.security_level,
)
@@ -146,6 +151,10 @@
}
db.insert_keyparameter(&key_id, &key_parameters)
.context("Trying to insert key parameters.")?;
+ let mut metadata = KeyMetaData::new();
+ metadata.add(KeyMetaEntry::CreationDate(creation_date));
+ db.insert_key_metadata(&key_id, &metadata)
+ .context("Trying to insert key metadata.")?;
match &key.alias {
Some(alias) => db
.rebind_alias(&key_id, alias, key.domain, key.nspace)
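Review bot: `insert_key_metadata` is one more separate write after `insert_blob` and `insert_keyparameter`, and if it fails the `?` returns with the blob and parameters already written and the alias not yet rebound. Whether these calls share one transaction is not visible in this hunk; if they do not, a failed store leaves behind a key entry with no creation date and no alias. Either confirm that the enclosing closure runs in a single transaction, or add a comment stating how such partial entries are cleaned up. The enclosing block starts and ends outside the hunk.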
@@ -171,7 +180,7 @@
certificate: cert,
certificateChain: cert_chain,
authorizations: crate::utils::key_parameters_to_authorizations(key_parameters),
- ..Default::default()
+ modificationTimeMs: creation_date.to_millis_epoch(),
})
}
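Review bot: `modificationTimeMs` is filled from `creation_date`, which reads as a mismatch without explanation; a comment such as `// A newly stored key has not been modified yet, so report its creation time.` would make the intent clear. Dropping `..Default::default()` also means every `KeyMetadata` field must now be listed at this site. A field added to the type later will then fail to compile here rather than silently default, which is presumably intended but worth a word in the commit description.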
@@ -208,6 +217,7 @@
.with::<_, Result<(KeyIdGuard, KeyEntry)>>(|db| {
db.borrow_mut().load_key_entry(
key.clone(),
+ KeyType::Client,
KeyEntryLoadBits::KM,
caller_uid,
|k, av| check_key_permission(KeyPerm::use_(), k, &av),
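Review bot: The new `KeyType::Client` argument appears to be what keeps this caller-facing lookup from resolving other key types (the commit message mentions super keys and attestation keys), but the call site does not say so. I would add `// Only client keys may be used through this interface.` above the call, and the same above the `wrapping_key` lookup in the hunk at line 449. `load_key_entry` itself is not shown in this file's diff, so that it actually filters on the type is an assumption. A test asserting that a non-client entry with a matching descriptor is rejected would pin that down.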
@@ -439,6 +449,7 @@
.with(|db| {
db.borrow_mut().load_key_entry(
wrapping_key.clone(),
+ KeyType::Client,
KeyEntryLoadBits::KM,
ThreadState::get_calling_uid(),
|k, av| check_key_permission(KeyPerm::use_(), k, &av),
@@ -524,7 +535,7 @@
DB.with(|db| {
db.borrow_mut().insert_blob(
&key_id_guard,
- SubComponentType::KM_BLOB,
+ SubComponentType::KEY_BLOB,
&upgraded_blob,
self.security_level,
)