Rename OUT_OF_KEYS -> OUT_OF_KEYS_TRANSIENT
More OUT_OF_KEYS errors are coming, and the old "OUT_OF_KEYS" is a
bucket for all transient errors. Rename the enum to better indicate
this.
Also rename OUT_OF_KEYS_REQUIRES_UPGRADE to
OUT_OF_KEYS_REQUIRES_SECURITY_PATCH. This better indicates that the
system is potentially vulnerable (rather than simply running old code).
Test: keystore2_test
Change-Id: I1f2d803529c3e43592536016a9261e2294b42bb5
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index 62fd579..f4333cd 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -1859,7 +1859,8 @@
let (_, hw_info) = get_keymint_dev_by_uuid(km_uuid)
.context("Error in retrieving keymint device by UUID.")?;
log_rkp_error_stats(MetricsRkpError::OUT_OF_KEYS, &hw_info.securityLevel);
- return Err(KsError::Rc(ResponseCode::OUT_OF_KEYS)).context("Out of keys.");
+ return Err(KsError::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR))
+ .context("Out of keys.");
} else if result > 1 {
return Err(KsError::sys())
.context(format!("Expected to update 1 entry, instead updated {}", result));
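Review bot: The `log_rkp_error_stats` call just above the changed `return` still records `MetricsRkpError::OUT_OF_KEYS`, while the caller now receives `ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR`, so the telemetry label and the returned code no longer share a name. If the metrics enum is meant to mirror the response code, it will presumably need a matching split once the additional out-of-keys codes mentioned in the commit message land. Otherwise operators cannot tell a transient shortage from the security-patch case in the stats. If the single bucket is intentional, say so above the call, e.g. `// Metrics keep one OUT_OF_KEYS bucket; the response code carries the transient/security-patch distinction.` The enclosing function starts and ends outside this hunk.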
diff --git a/keystore2/src/error.rs b/keystore2/src/error.rs
index b60b64f..d1d58a4 100644
--- a/keystore2/src/error.rs
+++ b/keystore2/src/error.rs
@@ -72,9 +72,9 @@
Error::Rc(ResponseCode::PERMISSION_DENIED)
}
- /// Short hand for `Error::Rc(ResponseCode::OUT_OF_KEYS)`
+ /// Short hand for `Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR)`
pub fn out_of_keys() -> Self {
- Error::Rc(ResponseCode::OUT_OF_KEYS)
+ Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR)
}
}
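Review bot: The helper keeps the generic name `out_of_keys()` but now returns only the transient variant, which becomes ambiguous once the other out-of-keys codes named in the commit message exist. A caller reaching for this shorthand in a path that should report `OUT_OF_KEYS_REQUIRES_SECURITY_PATCH` would silently tell the client the condition is transient. Either rename the helper to match the variant, keeping the old name as a deprecated alias if callers depend on it, or extend the doc comment with a second line such as `/// Use only for transient key exhaustion; build the security-patch code explicitly.` The `impl` block begins outside this hunk.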
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index cb2962a..1a83339 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -138,8 +138,8 @@
/// (2) if remote provisioning is present and enabled on the system. If these conditions are
/// met, it makes an attempt to fetch the attestation key assigned to the `caller_uid`.
///
- /// It returns the ResponseCode `OUT_OF_KEYS` if there is not one key currently assigned to the
- /// `caller_uid` and there are none available to assign.
+ /// It returns the ResponseCode `OUT_OF_KEYS_TRANSIENT_ERROR` if there is not one key currently
+ /// assigned to the `caller_uid` and there are none available to assign.
pub fn get_remotely_provisioned_attestation_key_and_certs(
&self,
key: &KeyDescriptor,
@@ -490,7 +490,7 @@
/// Fetches a remote provisioning attestation key and certificate chain inside of the
/// returned `CertificateChain` struct if one exists for the given caller_uid. If one has not
/// been assigned, this function will assign it. If there are no signed attestation keys
-/// available to be assigned, it will return the ResponseCode `OUT_OF_KEYS`
+/// available to be assigned, it will return the ResponseCode `OUT_OF_KEYS_TRANSIENT_ERROR`
fn get_rem_prov_attest_key(
domain: Domain,
caller_uid: u32,
@@ -645,7 +645,7 @@
/// Fetches a remotely provisioned certificate chain and key for the given client uid that
/// was provisioned using the IRemotelyProvisionedComponent with the given id. The same key
/// will be returned for a given caller_uid on every request. If there are no attestation keys
- /// available, `OUT_OF_KEYS` is returned.
+ /// available, `OUT_OF_KEYS_TRANSIENT_ERROR` is returned.
fn get_attestation_key(
&self,
db: &mut KeystoreDB,
@@ -671,7 +671,7 @@
}),
// It should be impossible to get `None`, but handle it just in case as a
// precaution against future behavioral changes in `get_rem_prov_attest_key`.
- None => Err(error::Error::Rc(ResponseCode::OUT_OF_KEYS))
+ None => Err(error::Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR))
.context(ks_err!("No available attestation keys")),
}
}
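Review bot: The `None` arm is described by its own comment as a state that should be impossible, yet after the rename it is explicitly reported as `OUT_OF_KEYS_TRANSIENT_ERROR`. If clients treat the transient code as retryable (inferred from the commit message, not visible in this hunk), a broken invariant in `get_rem_prov_attest_key` would be retried rather than surfaced. Consider either returning a system error here, as database.rs does with `KsError::sys()`, or recording the choice in the comment, e.g. `// Reported as transient on purpose: a retry is the safest client reaction if this ever happens.` The enclosing function starts outside this hunk.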
@@ -958,7 +958,7 @@
.unwrap_err()
.downcast::<error::Error>()
.unwrap(),
- error::Error::Rc(ResponseCode::OUT_OF_KEYS)
+ error::Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR)
);
}
@@ -1023,7 +1023,7 @@
.unwrap_err()
.downcast::<error::Error>()
.unwrap(),
- error::Error::Rc(ResponseCode::OUT_OF_KEYS)
+ error::Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR)
);
}