
Commit eed080bd authored by Eric Biggers's avatar Eric Biggers

Remove the obsolete field android.security.KeyStore.NO_ERROR

There's no such thing as a NO_ERROR Keystore error code anymore, let
alone one whose numeric value is 1.  The field
android.security.KeyStore.NO_ERROR is a remnant from Keystore1.
NO_ERROR existed in Keystore1 because Keystore1's binder methods used a
binder exception code of 0 ("success") even on failure, so they had to
use the return value to convey a Keystore error code or NO_ERROR.
Keystore2 instead uses binder's support for service-specific errors, and
there is no NO_ERROR error code because the success case is conveyed via
the binder exception code being 0 instead of EX_SERVICE_SPECIFIC.

Therefore, this CL removes the obsolete field
android.security.KeyStore.NO_ERROR and its two users.  These users were:

- AndroidKeyStoreCipherSpiBase checked for NO_ERROR "errors" from
  createOperation().  But this case is unreachable, and the operation
  cannot continue without the CreateOperationResponse anyway.  So this
  obsolete code can just be removed.

- AuthenticationClient checked the return value of
  KeyStore#addAuthToken() against NO_ERROR.  But this method actually
  just wraps Authorization#addAuthToken() which returns 0 on success, as
  per its javadoc.  So this was a bug, though it didn't matter much
  since it just caused a misleading log message.  Check for 0 instead.

Finally, NO_ERROR did have @UnsupportedAppUsage.  But since there's no
use case for it, removing it is allowed by the non-SDK interface policy.

Bug: 326508120
Test: atest CtsKeystoreTestCases
Change-Id: I735e005d7ca39e231667dd95da533519085ba4ef
parent ed2534a1
+2 −7
@@ -17,7 +17,6 @@
package android.security;

import android.compat.annotation.UnsupportedAppUsage;
import android.os.Build;
import android.os.StrictMode;

/**
@@ -30,10 +29,6 @@ import android.os.StrictMode;
 */
public class KeyStore {

    // ResponseCodes - see system/security/keystore/include/keystore/keystore.h
    @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
    public static final int NO_ERROR = 1;

    // Used for UID field to indicate the calling UID.
    public static final int UID_SELF = -1;

@@ -48,8 +43,8 @@ public class KeyStore {
     * Add an authentication record to the keystore authorization table.
     *
     * @param authToken The packed bytes of a hw_auth_token_t to be provided to keymaster.
     * @return {@code KeyStore.NO_ERROR} on success, otherwise an error value corresponding to
     * a {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode.
     * @return 0 on success, otherwise an error value corresponding to a
     * {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode.
     */
    public int addAuthToken(byte[] authToken) {
        StrictMode.noteDiskWrite();
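Review bot: The rewritten `@return` text on `addAuthToken()` still refers to a `{@code KeyStore} ResponseCode`, although this same section deletes the `// ResponseCodes` comment and the `NO_ERROR` constant it introduced. The commit description says the method wraps `Authorization#addAuthToken()`, so the doc would be less likely to go stale as `@return 0 on success, otherwise the error code returned by {@code Authorization#addAuthToken()}`. The method body continues outside the hunk, so the wording should be confirmed against what it actually returns.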
+6 −8
@@ -359,7 +359,6 @@ abstract class AndroidKeyStoreCipherSpiBase extends CipherSpi implements KeyStor
        } catch (KeyStoreException keyStoreException) {
            GeneralSecurityException e = KeyStoreCryptoOperationUtils.getExceptionForCipherInit(
                    mKey, keyStoreException);
            if (e != null) {
            if (e instanceof InvalidKeyException) {
                throw (InvalidKeyException) e;
            } else if (e instanceof InvalidAlgorithmParameterException) {
@@ -368,7 +367,6 @@ abstract class AndroidKeyStoreCipherSpiBase extends CipherSpi implements KeyStor
                throw new ProviderException("Unexpected exception type", e);
            }
        }
        }

        // Now we check if we got an operation challenge. This indicates that user authorization
        // is required. And if we got a challenge we check if the authorization can possibly
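Review bot: With the `if (e != null)` guard removed, a `null` from `getExceptionForCipherInit()` would fall into the final `else`, and `new ProviderException("Unexpected exception type", e)` would be thrown with no cause, dropping the details in `keyStoreException`. The path still fails closed, which is the right outcome when `createOperation()` fails, but the non-null contract is now implicit. If the helper is confirmed never to return null, a short comment above the chain would record that, e.g. `// getExceptionForCipherInit() never returns null here; every KeyStoreException aborts init.`. The enclosing method starts and ends outside the hunks shown.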
+1 −7
@@ -20,7 +20,6 @@ import android.app.ActivityThread;
import android.hardware.biometrics.BiometricManager;
import android.hardware.security.keymint.ErrorCode;
import android.security.GateKeeper;
import android.security.KeyStore;
import android.security.KeyStoreException;
import android.security.KeyStoreOperation;
import android.security.keymaster.KeymasterDefs;
@@ -131,15 +130,10 @@ abstract class KeyStoreCryptoOperationUtils {

    /**
     * Returns the exception to be thrown by the {@code Cipher.init} method of the crypto operation
     * in response to {@code KeyStore.begin} operation or {@code null} if the {@code init} method
     * should succeed.
     * in response to a failed {code IKeystoreSecurityLevel#createOperation()}.
     */
    public static GeneralSecurityException getExceptionForCipherInit(
            AndroidKeyStoreKey key, KeyStoreException e) {
        if (e.getErrorCode() == KeyStore.NO_ERROR) {
            return null;
        }

        // Cipher-specific cases
        switch (e.getErrorCode()) {
            case KeymasterDefs.KM_ERROR_INVALID_NONCE:
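Review bot: The new Javadoc line reads `{code IKeystoreSecurityLevel#createOperation()}`, which is missing the `@` and will render as literal text; it should be `{@code IKeystoreSecurityLevel#createOperation()}`. Now that the `NO_ERROR` early return is gone, the comment could also say whether the method can still return `null`, because the caller in `AndroidKeyStoreCipherSpiBase` no longer checks for it. The `switch` continues outside the hunk, so the remaining return paths are not visible here.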
+2 −2
@@ -256,10 +256,10 @@ public abstract class AuthenticationClient<T, O extends AuthenticateOptions>
            // For BP, BiometricService will add the authToken to Keystore.
            if (!isBiometricPrompt() && mIsStrongBiometric) {
                final int result = KeyStore.getInstance().addAuthToken(byteToken);
                if (result != KeyStore.NO_ERROR) {
                if (result != 0) {
                    Slog.d(TAG, "Error adding auth token : " + result);
                } else {
                    Slog.d(TAG, "addAuthToken: " + result);
                    Slog.d(TAG, "addAuthToken succeeded");
                }
            } else {
                Slog.d(TAG, "Skipping addAuthToken");
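Review bot: A failed `addAuthToken()` after a strong-biometric authentication is still reported only at debug level (`Slog.d(TAG, "Error adding auth token : " + result)`), and as far as this hunk shows the flow then continues unchanged. Without the token in Keystore, authentication-bound keys presumably stay unusable (that effect is outside the hunk), and a debug line makes this hard to diagnose; `Slog.e(TAG, "Error adding auth token : " + result);` would surface it in normal logs. The bare `0` could also carry a short comment such as `// 0 == success, see Authorization#addAuthToken()`. The enclosing method starts and ends outside the hunk.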