Fix use of auth-bound keys after screen lock removal
When auth-bound keys are used after the screen lock has been removed it
is expected that getKeyCharacteristics still succeeds. However, when the
super encrypt feature was introduced the key blob is no longer
accessible, and thus, retrieving the key characteristics fails.
This patch retrieves the key characteristics from the characteristics
cache file, which is not super encrypted. Using such a key still fails
but in ways expected by the framework.
Bug: 65200397
Test: CtsVerifier ScreenLockBoundKeysTest:
1. Run test
2. with CtsVerifier in the background remove the screen lock
through the settings dialog
3. Select VtsVerifier in 'recents'
4. Run test again
Change-Id: Ifa88c58a41c376e4f800a76114d4cf9149506ac0
(cherry picked from commit 36316d673ef836a0a34a62ab4ccce67d22c8a0d2)
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index c33a1d0..f04ffc1 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -800,7 +800,26 @@
KeyStoreServiceReturnCode rc =
mKeyStore->getKeyForName(&keyBlob, name8, targetUid, TYPE_KEYMASTER_10);
- if (!rc.isOk()) {
+ if (rc == ResponseCode::UNINITIALIZED) {
+ /*
+ * If we fail reading the blob because the master key is missing we try to retrieve the
+ * key characteristics from the characteristics file. This happens when auth-bound
+ * keys are used after a screen lock has been removed by the user.
+ */
+ rc = mKeyStore->getKeyForName(&keyBlob, name8, targetUid, TYPE_KEY_CHARACTERISTICS);
+ if (!rc.isOk()) {
+ return rc;
+ }
+ AuthorizationSet keyCharacteristics;
+ // TODO write one shot stream buffer to avoid copying (twice here)
+ std::string charBuffer(reinterpret_cast<const char*>(keyBlob.getValue()),
+ keyBlob.getLength());
+ std::stringstream charStream(charBuffer);
+ keyCharacteristics.Deserialize(&charStream);
+
+ outCharacteristics->softwareEnforced = keyCharacteristics.hidl_data();
+ return rc;
+ } else if (!rc.isOk()) {
return rc;
}
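Review bot: The result of keyCharacteristics.Deserialize(&charStream) in the new UNINITIALIZED branch is never checked, so a truncated or corrupt characteristics file still reaches "return rc;" with rc OK from the second getKeyForName call, and the caller receives an empty or partial softwareEnforced set. Consider testing the stream state (for example charStream.fail()) or an empty set after the call and returning an error code in that case. Separately, only outCharacteristics->softwareEnforced is assigned on this path and teeEnforced is left as the caller passed it in; since the comment block explains why the fallback exists but not this, a line stating that every cached characteristic is reported as software enforced here (and clearing teeEnforced explicitly if that is the intent) would help whoever reads the result later.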