Align KeyMint AIDL with usage
- Make HardwareAuthToken nullable on begin()
- Drop unused vestigial performOperation() entrypoint
- Drop unused Tag::BLOB_USAGE_REQUIREMENTS
Test: TreeHugger, VtsKeyMintAidlTargetTest (CF)
Change-Id: Ief6a9c97456cdf7e7626ff26a875792584c40199
diff --git a/keystore2/src/boot_level_keys.rs b/keystore2/src/boot_level_keys.rs
index dd69ed7..686f5c4 100644
--- a/keystore2/src/boot_level_keys.rs
+++ b/keystore2/src/boot_level_keys.rs
@@ -196,7 +196,7 @@
let begin_result: BeginResult = self
.upgrade_keyblob_if_required_with(db, &km_dev, key_id_guard, &key_blob, |blob| {
- map_km_error(km_dev.begin(purpose, blob, operation_parameters, &Default::default()))
+ map_km_error(km_dev.begin(purpose, blob, operation_parameters, None))
})
.context("In use_key_in_one_step: Failed to begin operation.")?;
let operation: Strong<dyn IKeyMintOperation> = begin_result
diff --git a/keystore2/src/km_compat/km_compat.cpp b/keystore2/src/km_compat/km_compat.cpp
index b824aa8..4141b1c 100644
--- a/keystore2/src/km_compat/km_compat.cpp
+++ b/keystore2/src/km_compat/km_compat.cpp
@@ -108,7 +108,6 @@
case Tag::EC_CURVE:
case Tag::RSA_PUBLIC_EXPONENT:
case Tag::RSA_OAEP_MGF_DIGEST:
- case Tag::BLOB_USAGE_REQUIREMENTS:
case Tag::BOOTLOADER_ONLY:
case Tag::ROLLBACK_RESISTANCE:
case Tag::EARLY_BOOT_ONLY:
@@ -589,7 +588,7 @@
ScopedAStatus KeyMintDevice::begin(KeyPurpose in_inPurpose,
const std::vector<uint8_t>& prefixedKeyBlob,
const std::vector<KeyParameter>& in_inParams,
- const HardwareAuthToken& in_inAuthToken,
+ const std::optional<HardwareAuthToken>& in_inAuthToken,
BeginResult* _aidl_return) {
if (!mOperationSlots.claimSlot()) {
return convertErrorCode(V4_0_ErrorCode::TOO_MANY_OPERATIONS);
@@ -688,11 +687,6 @@
return convertErrorCode(km_error);
}
-ScopedAStatus KeyMintDevice::performOperation(const std::vector<uint8_t>& /* request */,
- std::vector<uint8_t>* /* response */) {
- return convertErrorCode(KMV1::ErrorCode::UNIMPLEMENTED);
-}
-
ScopedAStatus KeyMintOperation::updateAad(const std::vector<uint8_t>& input,
const std::optional<HardwareAuthToken>& optAuthToken,
const std::optional<TimeStampToken>& optTimeStampToken) {
diff --git a/keystore2/src/km_compat/km_compat.h b/keystore2/src/km_compat/km_compat.h
index 69c24b4..cd2b804 100644
--- a/keystore2/src/km_compat/km_compat.h
+++ b/keystore2/src/km_compat/km_compat.h
@@ -109,7 +109,7 @@
ScopedAStatus destroyAttestationIds() override;
ScopedAStatus begin(KeyPurpose in_inPurpose, const std::vector<uint8_t>& in_inKeyBlob,
const std::vector<KeyParameter>& in_inParams,
- const HardwareAuthToken& in_inAuthToken,
+ const std::optional<HardwareAuthToken>& in_inAuthToken,
BeginResult* _aidl_return) override;
ScopedAStatus deviceLocked(bool passwordOnly,
const std::optional<TimeStampToken>& timestampToken) override;
@@ -118,9 +118,6 @@
ScopedAStatus convertStorageKeyToEphemeral(const std::vector<uint8_t>& storageKeyBlob,
std::vector<uint8_t>* ephemeralKeyBlob) override;
- ScopedAStatus performOperation(const std::vector<uint8_t>& request,
- std::vector<uint8_t>* response) override;
-
// These are public to allow testing code to use them directly.
// This class should not be used publicly anyway.
std::variant<std::vector<Certificate>, KMV1_ErrorCode>
diff --git a/keystore2/src/km_compat/km_compat_type_conversion.h b/keystore2/src/km_compat/km_compat_type_conversion.h
index e3240e9..de09477 100644
--- a/keystore2/src/km_compat/km_compat_type_conversion.h
+++ b/keystore2/src/km_compat/km_compat_type_conversion.h
@@ -503,9 +503,6 @@
return V4_0::makeKeyParameter(V4_0::TAG_INCLUDE_UNIQUE_ID, v->get());
}
break;
- case KMV1::Tag::BLOB_USAGE_REQUIREMENTS:
- // This tag has been removed. Mapped on invalid.
- break;
case KMV1::Tag::BOOTLOADER_ONLY:
if (auto v = KMV1::authorizationValue(KMV1::TAG_BOOTLOADER_ONLY, kp)) {
return V4_0::makeKeyParameter(V4_0::TAG_BOOTLOADER_ONLY, v->get());
diff --git a/keystore2/src/km_compat/lib.rs b/keystore2/src/km_compat/lib.rs
index 5ece8a7..eddd684 100644
--- a/keystore2/src/km_compat/lib.rs
+++ b/keystore2/src/km_compat/lib.rs
@@ -30,10 +30,9 @@
use super::*;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, BeginResult::BeginResult, BlockMode::BlockMode, Digest::Digest,
- ErrorCode::ErrorCode, HardwareAuthToken::HardwareAuthToken, IKeyMintDevice::IKeyMintDevice,
- KeyCreationResult::KeyCreationResult, KeyFormat::KeyFormat, KeyParameter::KeyParameter,
- KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
- SecurityLevel::SecurityLevel, Tag::Tag,
+ ErrorCode::ErrorCode, IKeyMintDevice::IKeyMintDevice, KeyCreationResult::KeyCreationResult,
+ KeyFormat::KeyFormat, KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
+ KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, SecurityLevel::SecurityLevel, Tag::Tag,
};
use android_hardware_security_keymint::binder::{self, Strong};
use android_security_compat::aidl::android::security::compat::IKeystoreCompatService::IKeystoreCompatService;
@@ -260,7 +259,7 @@
if let Some(mut extras) = extra_params {
kps.append(&mut extras);
}
- let result = legacy.begin(purpose, &blob, &kps, &HardwareAuthToken::default());
+ let result = legacy.begin(purpose, &blob, &kps, None);
assert!(result.is_ok(), "{:?}", result);
result.unwrap()
}
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index c654c02..e4af009 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -293,8 +293,6 @@
)
.context("In create_operation.")?;
- let immediate_hat = immediate_hat.unwrap_or_default();
-
let km_blob = SUPER_KEY
.unwrap_key_if_required(&blob_metadata, km_blob)
.context("In create_operation. Failed to handle super encryption.")?;
@@ -316,7 +314,7 @@
purpose,
blob,
&operation_parameters,
- &immediate_hat,
+ immediate_hat.as_ref(),
)) {
Err(Error::Km(ErrorCode::TOO_MANY_OPERATIONS)) => {
self.operation_db.prune(caller_uid, forced)?;