Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 26cbb6b0 authored by Robert Berry's avatar Robert Berry
Browse files

Fail KeySyncTask if the PlatformKey can't be used to decrypt 

Currently just uploads an empty set of keys, and thinks the key sync
was successful. (i.e., does not sync again afterwards.)

Bug: 72299798
Test: adb shell am instrument -w -e package
com.android.server.locksettings.recoverablekeystore
com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner

Change-Id: I7342f93bd205777688a737d6e1ec8c1ab5b5f7a5
parent 6e97afc1

services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java

+3 −1
Original line number Diff line number Diff line
@@ -36,6 +36,7 @@ import java.nio.ByteBuffer; 
import java.nio.ByteOrder;

import java.nio.charset.StandardCharsets;

import java.security.GeneralSecurityException;

import java.security.InvalidAlgorithmParameterException;

import java.security.InvalidKeyException;

import java.security.KeyStoreException;

import java.security.MessageDigest;
@@ -301,7 +302,8 @@ public class KeySyncTask implements Runnable { 
     */

    private Map<String, SecretKey> getKeysToSync(int recoveryAgentUid)

            throws InsecureUserException, KeyStoreException, UnrecoverableKeyException,

            NoSuchAlgorithmException, NoSuchPaddingException, BadPlatformKeyException {

            NoSuchAlgorithmException, NoSuchPaddingException, BadPlatformKeyException,

            InvalidKeyException, InvalidAlgorithmParameterException {

        PlatformKeyManager platformKeyManager = mPlatformKeyManagerFactory.newInstance();

        PlatformDecryptionKey decryptKey = platformKeyManager.getDecryptKey(mUserId);

        Map<String, WrappedKey> wrappedKeys = mRecoverableKeyStoreDb.getAllKeys(

services/core/java/com/android/server/locksettings/recoverablekeystore/WrappedKey.java

+6 −15
Original line number Diff line number Diff line
@@ -184,7 +184,8 @@ public class WrappedKey { 
    public static Map<String, SecretKey> unwrapKeys(

            PlatformDecryptionKey platformKey,

            Map<String, WrappedKey> wrappedKeys)

            throws NoSuchAlgorithmException, NoSuchPaddingException, BadPlatformKeyException {

            throws NoSuchAlgorithmException, NoSuchPaddingException, BadPlatformKeyException,

            InvalidKeyException, InvalidAlgorithmParameterException {

        HashMap<String, SecretKey> unwrappedKeys = new HashMap<>();

        Cipher cipher = Cipher.getInstance(KEY_WRAP_CIPHER_ALGORITHM);

        int platformKeyGenerationId = platformKey.getGenerationId();
@@ -201,20 +202,10 @@ public class WrappedKey { 
                        platformKey.getGenerationId()));

            }



            try {

            cipher.init(

                    Cipher.UNWRAP_MODE,

                    platformKey.getKey(),

                    new GCMParameterSpec(GCM_TAG_LENGTH_BITS, wrappedKey.getNonce()));

            } catch (InvalidKeyException | InvalidAlgorithmParameterException e) {

                Log.e(TAG,

                        String.format(

                                Locale.US,

                                "Could not init Cipher to unwrap recoverable key with alias '%s'",

                                alias),

                        e);

                continue;

            }

            SecretKey key;

            try {

                key = (SecretKey) cipher.unwrap(