Fix retreiving characteristics file for grant key
getKeyForName was broken in case the name was a grant name and the
type was TYPE_KEY_CHARACTERISTICS. In this case the key blob instead of
the key characteristics blob was retreived.
Bug: 65200397
Bug: 37264540
Bug: 62237038
Test: run cts-dev --module CtsDevicePolicyManagerTestCases --test
com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement
because it grants a key
Change-Id: I0746d60555b51d47ea19ab05b9da29164c8b71db
(cherry picked from commit 6905c336b29561abf7841cfa1bde5eeab62915e7)
diff --git a/keystore/grant_store.cpp b/keystore/grant_store.cpp
index 9c2e591..2fb09c1 100644
--- a/keystore/grant_store.cpp
+++ b/keystore/grant_store.cpp
@@ -25,8 +25,10 @@
static const char* kKeystoreGrantInfix = "_KEYSTOREGRANT_";
static constexpr size_t kKeystoreGrantInfixLength = 15;
-Grant::Grant(const std::string& alias, const std::string& key_file, const uint64_t grant_no)
- : alias_(alias), key_file_(key_file), grant_no_(grant_no) {}
+Grant::Grant(const std::string& alias, const std::string& owner_dir_name, const uid_t owner_uid,
+ const uint64_t grant_no)
+ : alias_(alias), owner_dir_name_(owner_dir_name), owner_uid_(owner_uid),
+ grant_no_(grant_no) {}
static std::pair<uint64_t, std::string> parseGrantAlias(const std::string& grantAlias) {
auto pos = grantAlias.rfind(kKeystoreGrantInfix);
@@ -39,7 +41,8 @@
return {grant_no, wrapped_alias};
}
-std::string GrantStore::put(const uid_t uid, const std::string& alias, const std::string& key_file) {
+std::string GrantStore::put(const uid_t uid, const std::string& alias,
+ const std::string& owner_dir_name, const uid_t owner_uid) {
std::stringstream s;
s << alias << kKeystoreGrantInfix;
auto& uid_grant_list = grants_[uid];
@@ -47,10 +50,12 @@
bool success = false;
auto iterator = std::find_if(uid_grant_list.begin(), uid_grant_list.end(),
[&](auto& entry) {
- return success = entry.alias_ == alias && entry.key_file_ == key_file;
+ return success = entry.alias_ == alias && entry.owner_dir_name_ == owner_dir_name
+ && entry.owner_uid_ == owner_uid;
});
while (!success) {
- std::tie(iterator, success) = uid_grant_list.emplace(alias, key_file, std::rand());
+ std::tie(iterator, success) = uid_grant_list.emplace(alias, owner_dir_name, owner_uid,
+ std::rand());
}
s << iterator->grant_no_;
return s.str();
@@ -70,10 +75,10 @@
return &(*grant);
}
-bool GrantStore::removeByFileName(const uid_t uid, const std::string& fileName) {
- auto& uid_grant_list = grants_.operator[](uid);
+bool GrantStore::removeByFileAlias(const uid_t uid, const std::string& alias) {
+ auto& uid_grant_list = grants_[uid];
for (auto i = uid_grant_list.begin(); i != uid_grant_list.end(); ++i) {
- if (i->key_file_ == fileName) {
+ if (i->alias_ == alias) {
uid_grant_list.erase(i);
return true;
}
diff --git a/keystore/grant_store.h b/keystore/grant_store.h
index 43e814e..ab03630 100644
--- a/keystore/grant_store.h
+++ b/keystore/grant_store.h
@@ -32,9 +32,11 @@
*/
class Grant {
public:
- Grant(const std::string& alias, const std::string& key_file, const uint64_t grant_no);
+ Grant(const std::string& alias, const std::string& owner_dir_name, const uid_t owner_uid,
+ const uint64_t grant_no);
std::string alias_;
- std::string key_file_;
+ std::string owner_dir_name_;
+ uid_t owner_uid_;
uint64_t grant_no_;
operator const uint64_t&() const { return grant_no_; }
@@ -52,9 +54,10 @@
class GrantStore {
public:
GrantStore() : grants_() {}
- std::string put(const uid_t uid, const std::string& alias, const std::string& key_file);
+ std::string put(const uid_t uid, const std::string& alias, const std::string& owner_dir_name,
+ const uid_t owner_uid);
const Grant* get(const uid_t uid, const std::string& alias) const;
- bool removeByFileName(const uid_t uid, const std::string& filename);
+ bool removeByFileAlias(const uid_t uid, const std::string& alias);
// GrantStore is neither copyable nor movable.
GrantStore(const GrantStore&) = delete;
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index c33a1d0..28cff58 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -526,7 +526,7 @@
return String16();
}
- return String16(mKeyStore->addGrant(filename.string(), String8(name).string(), granteeUid).c_str());
+ return String16(mKeyStore->addGrant(String8(name).string(), granteeUid, callingUid).c_str());
}
KeyStoreServiceReturnCode KeyStoreService::ungrant(const String16& name, int32_t granteeUid) {
@@ -543,8 +543,8 @@
return (errno != ENOENT) ? ResponseCode::SYSTEM_ERROR : ResponseCode::KEY_NOT_FOUND;
}
- return mKeyStore->removeGrant(filename.string(), granteeUid) ? ResponseCode::NO_ERROR
- : ResponseCode::KEY_NOT_FOUND;
+ return mKeyStore->removeGrant(name8, granteeUid) ? ResponseCode::NO_ERROR
+ : ResponseCode::KEY_NOT_FOUND;
}
int64_t KeyStoreService::getmtime(const String16& name, int32_t uid) {
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index ab386ad..a5d482e 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -24,6 +24,7 @@
#include <openssl/bio.h>
#include <utils/String16.h>
+#include <utils/String8.h>
#include <keystore/IKeystoreService.h>
@@ -39,6 +40,7 @@
const android::String16 KeyStore::sRSAKeyType("RSA");
using namespace keystore;
+using android::String8;
KeyStore::KeyStore(Entropy* entropy, const km_device_t& device, const km_device_t& fallback,
bool allowNewFallback)
@@ -414,12 +416,13 @@
return ResponseCode::NO_ERROR;
}
-std::string KeyStore::addGrant(const char* filename, const char* alias, uid_t granteeUid) {
- return mGrants.put(granteeUid, alias, filename);
+std::string KeyStore::addGrant(const char* alias, uid_t granterUid, uid_t granteeUid) {
+ return mGrants.put(granteeUid, alias, getUserStateByUid(granterUid)->getUserDirName(),
+ granterUid);
}
-bool KeyStore::removeGrant(const char* filename, uid_t granteeUid) {
- return mGrants.removeByFileName(granteeUid, filename);
+bool KeyStore::removeGrant(const char* alias, uid_t granteeUid) {
+ return mGrants.removeByFileAlias(granteeUid, alias);
}
ResponseCode KeyStore::importKey(const uint8_t* key, size_t keyLen, const char* filename,
@@ -519,7 +522,8 @@
// They might be using a granted key.
auto grant = mGrants.get(uid, keyName.string());
if (!grant) return ResponseCode::KEY_NOT_FOUND;
- filepath8 = grant->key_file_.c_str();
+ filepath8.format("%s/%s", grant->owner_dir_name_.c_str(),
+ getKeyNameForUid(String8(grant->alias_.c_str()), grant->owner_uid_, type).c_str());
// It is a granted key. Try to load it.
return get(filepath8.string(), keyBlob, type, userId);
diff --git a/keystore/keystore.h b/keystore/keystore.h
index a08508f..39761bb 100644
--- a/keystore/keystore.h
+++ b/keystore/keystore.h
@@ -87,8 +87,8 @@
ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches,
uid_t userId);
- std::string addGrant(const char* filename, const char* alias, uid_t granteeUid);
- bool removeGrant(const char* filename, uid_t granteeUid);
+ std::string addGrant(const char* alias, uid_t granterUid, uid_t granteeUid);
+ bool removeGrant(const char* alias, uid_t granteeUid);
ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId,
int32_t flags);