
Commit c98c8436 authored by Bo Zhu's avatar Bo Zhu

Don't allow using raw public keys to init recovery service any more

Bug: 75952916
Test: runtest frameworks-services -p
    com.android.server.locksettings.recoverablekeystore

Change-Id: I06ceddbc116396936d53d804d8d5466efee6aaa7
parent 38dccc3f
+1 −7
@@ -194,15 +194,9 @@ public class RecoverableKeyStoreManager {
        try {
            certXml = CertXml.parse(recoveryServiceCertFile);
        } catch (CertParsingException e) {
            // TODO: Do not use raw key bytes anymore once the other components are updated
            Log.d(TAG, "Failed to parse the input as a cert file: " + HexDump.toHexString(
                    recoveryServiceCertFile));
            PublicKey publicKey = parseEcPublicKey(recoveryServiceCertFile);
            if (mDatabase.setRecoveryServicePublicKey(userId, uid, publicKey) > 0) {
                mDatabase.setShouldCreateSnapshot(userId, uid, true);
            }
            Log.d(TAG, "Successfully set the input as the raw public key");
            return;
            throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());
        }

        // Check serial number
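Review bot: The catch block that now ends in `throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());` still appears to keep the `Log.d` call that hex-dumps the whole of `recoveryServiceCertFile` (the +1 −7 count implies those two lines stay, though the rendered page no longer marks them). That input comes from the caller and has no visible size bound, so every rejected call would write an arbitrarily large, caller-chosen blob to the log; the length is enough for diagnosis, e.g. `Log.d(TAG, "Failed to parse the input as a cert file, length=" + recoveryServiceCertFile.length);` (assuming the argument is a `byte[]`). With the fallback removed, `parseEcPublicKey` may have no remaining caller in this class and could be deleted if so, which this hunk cannot confirm. The enclosing method starts and ends outside the hunk.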
+10 −4
@@ -440,19 +440,25 @@ public class RecoverableKeyStoreManagerTest {
    }

    @Test
    public void initRecoveryService_succeedsWithRawPublicKey() throws Exception {
    public void initRecoveryService_throwsIfRawPublicKey() throws Exception {
        int uid = Binder.getCallingUid();
        int userId = UserHandle.getCallingUserId();
        mRecoverableKeyStoreDb.setShouldCreateSnapshot(userId, uid, false);

        mRecoverableKeyStoreManager.initRecoveryService(ROOT_CERTIFICATE_ALIAS, TEST_PUBLIC_KEY);
        try {
            mRecoverableKeyStoreManager
                    .initRecoveryService(ROOT_CERTIFICATE_ALIAS, TEST_PUBLIC_KEY);
            fail("should have thrown");
        } catch (ServiceSpecificException e) {
            assertThat(e.errorCode).isEqualTo(ERROR_BAD_CERTIFICATE_FORMAT);
        }

        assertThat(mRecoverableKeyStoreDb.getShouldCreateSnapshot(userId, uid)).isTrue();
        assertThat(mRecoverableKeyStoreDb.getShouldCreateSnapshot(userId, uid)).isFalse();
        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertPath(userId, uid,
                DEFAULT_ROOT_CERT_ALIAS)).isNull();
        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertSerial(userId, uid,
                DEFAULT_ROOT_CERT_ALIAS)).isNull();
        assertThat(mRecoverableKeyStoreDb.getRecoveryServicePublicKey(userId, uid)).isNotNull();
        assertThat(mRecoverableKeyStoreDb.getRecoveryServicePublicKey(userId, uid)).isNull();
    }

    @Test
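Review bot: In `initRecoveryService_throwsIfRawPublicKey` the cert path and serial are asserted to be null only under `DEFAULT_ROOT_CERT_ALIAS`, while the call under test passes `ROOT_CERTIFICATE_ALIAS`. Unless the two constants name the same alias (their definitions are not visible here), state written under the alias actually supplied would go unnoticed by this test. Adding `assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertPath(userId, uid, ROOT_CERTIFICATE_ALIAS)).isNull();` and the matching `getRecoveryServiceCertSerial` check would pin the rejection path to the alias that was used.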