drgreen/android_frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Inform the remote provisioner when a key may have been consumed

Browse Source 
Every time we create a credential, contact the Provisioner app and tell
it that a key was generated. This may not strictly be true, but the
provisioner has heuristics to ensure that it only contacts the backend
if necessary. So, at most, we're spinning a few extra cycles whenever
a new credential is created (which is a rare occurence) to ensure that
we have RKP keys available for future requests.

Test: CtsIdentityTestCases
Fixes: 224771551
Change-Id: I6dd20635e6933842a95242e6d0cbfb9bf8c8f734
This commit is contained in:
Seth Moore 2022-03-28 16:21:12 -07:00
parent dd1a3bae15
commit 68cca7a7c6
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
identity/java/android/security/identity/CredstoreIdentityCredentialStore.java
View File

@ -19,7 +19,10 @@ package android.security.identity;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.content.Context;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.security.GenerateRkpKey;
import android.security.keymaster.KeymasterDefs;
class CredstoreIdentityCredentialStore extends IdentityCredentialStore {
@ -104,6 +107,16 @@ class CredstoreIdentityCredentialStore extends IdentityCredentialStore {
try {
IWritableCredential wc;
wc = mStore.createCredential(credentialName, docType);
try {
GenerateRkpKey keyGen = new GenerateRkpKey(mContext);
// We don't know what the security level is for the backing keymint, so go ahead and
// poke the provisioner for both TEE and SB.
keyGen.notifyKeyGenerated(KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);
keyGen.notifyKeyGenerated(KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX);
} catch (RemoteException e) {
// Not really an error state. Does not apply at all if RKP is unsupported or
// disabled on a given device.
}
return new CredstoreWritableIdentityCredential(mContext, credentialName, docType, wc);
} catch (android.os.RemoteException e) {
throw new RuntimeException("Unexpected RemoteException ", e);