Password is only used in PBKDF2
Ensure that the secret that LockSettingsService passes us, which we
somewhat inaccurately call a "password", is used only as input to PBKDF2
by wrapping it in a Password type.
Bug: 163866361
Test: keystore2_test
Change-Id: I5eb964cb9ffe97902dfeec17c328766f79aa5646
diff --git a/keystore2/src/legacy_blob.rs b/keystore2/src/legacy_blob.rs
index 3fc77b7..5f40ece 100644
--- a/keystore2/src/legacy_blob.rs
+++ b/keystore2/src/legacy_blob.rs
@@ -26,7 +26,7 @@
SecurityLevel::SecurityLevel, Tag::Tag, TagType::TagType,
};
use anyhow::{Context, Result};
-use keystore2_crypto::{aes_gcm_decrypt, derive_key_from_password, ZVec};
+use keystore2_crypto::{aes_gcm_decrypt, Password, ZVec};
use std::collections::{HashMap, HashSet};
use std::{convert::TryInto, fs::File, path::Path, path::PathBuf};
use std::{
@@ -1036,7 +1036,7 @@
}
/// Load and decrypt legacy super key blob.
- pub fn load_super_key(&self, user_id: u32, pw: &[u8]) -> Result<Option<ZVec>> {
+ pub fn load_super_key(&self, user_id: u32, pw: &Password) -> Result<Option<ZVec>> {
let path = self.make_super_key_filename(user_id);
let blob = Self::read_generic_blob(&path)
.context("In load_super_key: While loading super key.")?;
@@ -1046,7 +1046,8 @@
Blob {
value: BlobValue::PwEncrypted { iv, tag, data, salt, key_size }, ..
} => {
- let key = derive_key_from_password(pw, Some(&salt), key_size)
+ let key = pw
+ .derive_key(Some(&salt), key_size)
.context("In load_super_key: Failed to derive key from password.")?;
let blob = aes_gcm_decrypt(&data, &iv, &tag, &key).context(
"In load_super_key: while trying to decrypt legacy super key blob.",
@@ -1294,7 +1295,7 @@
Some(&error::Error::Rc(ResponseCode::LOCKED))
);
- key_manager.unlock_user_key(&mut db, 0, PASSWORD, &legacy_blob_loader)?;
+ key_manager.unlock_user_key(&mut db, 0, &(PASSWORD.into()), &legacy_blob_loader)?;
if let (Some((Blob { flags, value: _ }, _params)), Some(cert), Some(chain)) =
legacy_blob_loader.load_by_uid_alias(10223, "authbound", Some(&key_manager))?