author | Janis Danisevskis <jdanis@google.com> | 2021-04-14 19:20:57 -0700 |
---|---|---|
committer | Rubin Xu <rubinxu@google.com> | 2021-04-16 14:21:40 +0100 |
commit | cbe7e963ab96d4fdaf91124f420f73dccc97ee51 (patch) | |
tree | 18d643c3c070cd38cc4bc864a7f2028f4d907535 /keystore | |
parent | 3ccd60f47e0649d23a4b98b1403123e8ee19c5d9 (diff) |
Keystore 2.0: Add key migration API.
The key migration API is required by locksettingsservice to move the
synthetic password key out of AID_SYSTEM to protect it from deletion
when the user removes credentials from AID_SYSTEM.
Bug: 184664830
Test: N/A
Change-Id: I8d0ffb79870affc8ac055574b6f808a984aa5e52
Diffstat (limited to 'keystore')
-rw-r--r-- | keystore/java/android/security/AndroidKeyStoreMaintenance.java | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/keystore/java/android/security/AndroidKeyStoreMaintenance.java b/keystore/java/android/security/AndroidKeyStoreMaintenance.java
index 82639def02de..919a93b8f107 100644
--- a/keystore/java/android/security/AndroidKeyStoreMaintenance.java
+++ b/keystore/java/android/security/AndroidKeyStoreMaintenance.java
@@ -22,6 +22,7 @@ import android.os.ServiceManager;
 import android.os.ServiceSpecificException;
 import android.security.maintenance.IKeystoreMaintenance;
 import android.system.keystore2.Domain;
+import android.system.keystore2.KeyDescriptor;
 import android.system.keystore2.ResponseCode;
 import android.util.Log;
@@ -33,6 +34,9 @@ public class AndroidKeyStoreMaintenance {
 private static final String TAG = "AndroidKeyStoreMaintenance";
 public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR;
+ public static final int INVALID_ARGUMENT = ResponseCode.INVALID_ARGUMENT;
+ public static final int PERMISSION_DENIED = ResponseCode.PERMISSION_DENIED;
+ public static final int KEY_NOT_FOUND = ResponseCode.KEY_NOT_FOUND;
 private static IKeystoreMaintenance getService() {
 return IKeystoreMaintenance.Stub.asInterface(
@@ -148,4 +152,35 @@ public class AndroidKeyStoreMaintenance {
 Log.e(TAG, "Error while reporting device off body event.", e);
 }
 }
+
+ /**
+ * Migrates a key given by the source descriptor to the location designated by the destination
+ * descriptor.
+ *
+ * @param source - The key to migrate may be specified by Domain.APP, Domain.SELINUX, or
+ * Domain.KEY_ID. The caller needs the permissions use, delete, and grant for the
+ * source namespace.
+ * @param destination - The new designation for the key may be specified by Domain.APP or
+ * Domain.SELINUX. The caller need the permission rebind for the destination
+ * namespace.
+ *
+ * @return * 0 on success
+ * * KEY_NOT_FOUND if the source did not exists.
+ * * PERMISSION_DENIED if any of the required permissions was missing.
+ * * INVALID_ARGUMENT if the destination was occupied or any domain value other than
+ * the allowed once were specified.
+ * * SYSTEM_ERROR if an unexpected error occurred.
+ */
+ public static int migrateKeyNamespace(KeyDescriptor source, KeyDescriptor destination) {
+ try {
+ getService().migrateKeyNamespace(source, destination);
+ return 0;
+ } catch (ServiceSpecificException e) {
+ Log.e(TAG, "migrateKeyNamespace failed", e);
+ return e.errorCode;
+ } catch (Exception e) {
+ Log.e(TAG, "Can not connect to keystore", e);
+ return SYSTEM_ERROR;
+ }
+ }
 } |
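Review bot: The final `catch (Exception e)` in `migrateKeyNamespace` logs "Can not connect to keystore" for every failure that is not a `ServiceSpecificException`, which presumably also covers cases such as a null descriptor or a runtime error in the proxy, so the log can point triage at connectivity when the cause lies elsewhere; a neutral message such as `Log.e(TAG, "migrateKeyNamespace failed unexpectedly", e);` avoids that. The `ServiceSpecificException` branch returns `e.errorCode` verbatim, so callers may receive codes beyond the four listed under `@return`. Since the commit message says the migration protects the synthetic password key from deletion, the Javadoc should state that any non-zero result means the key was not moved and must be handled by the caller. The same Javadoc has three wording slips worth fixing: `The caller need` should read `needs`, `did not exists` should read `did not exist`, and `the allowed once` should read `the allowed ones`.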