Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 68cca7a7 authored by Seth Moore's avatar Seth Moore
Browse files

Inform the remote provisioner when a key may have been consumed 

Every time we create a credential, contact the Provisioner app and tell
it that a key was generated. This may not strictly be true, but the
provisioner has heuristics to ensure that it only contacts the backend
if necessary. So, at most, we're spinning a few extra cycles whenever
a new credential is created (which is a rare occurence) to ensure that
we have RKP keys available for future requests.

Test: CtsIdentityTestCases
Fixes: 224771551
Change-Id: I6dd20635e6933842a95242e6d0cbfb9bf8c8f734
parent dd1a3bae

identity/java/android/security/identity/CredstoreIdentityCredentialStore.java

+13 −0
Original line number Diff line number Diff line
@@ -19,7 +19,10 @@ package android.security.identity; 
import android.annotation.NonNull;

import android.annotation.Nullable;

import android.content.Context;

import android.os.RemoteException;

import android.os.ServiceManager;

import android.security.GenerateRkpKey;

import android.security.keymaster.KeymasterDefs;



class CredstoreIdentityCredentialStore extends IdentityCredentialStore {
@@ -104,6 +107,16 @@ class CredstoreIdentityCredentialStore extends IdentityCredentialStore { 
        try {

            IWritableCredential wc;

            wc = mStore.createCredential(credentialName, docType);

            try {

                GenerateRkpKey keyGen = new GenerateRkpKey(mContext);

                // We don't know what the security level is for the backing keymint, so go ahead and

                // poke the provisioner for both TEE and SB.

                keyGen.notifyKeyGenerated(KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);

                keyGen.notifyKeyGenerated(KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX);

            } catch (RemoteException e) {

                // Not really an error state. Does not apply at all if RKP is unsupported or

                // disabled on a given device.

            }

            return new CredstoreWritableIdentityCredential(mContext, credentialName, docType, wc);

        } catch (android.os.RemoteException e) {

            throw new RuntimeException("Unexpected RemoteException ", e);