Invalidate existing keys when platform_key_generation_id is set
setPlatformKeyGenerationId() is called when a new key is generated.
Invalidate previous keys for the user by setting their recovery status
to RECOVERY_STATUS_PERMANENT_FAILURE.
Bug: 131214837
Test: atest RecoverableKeyStoreDbTest
Change-Id: I0333f1f715d9e3a41c9cc9a957faff1e0b2d6537
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java
index c739650..1dffcf9 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java
@@ -333,6 +333,7 @@
String[] selectionArguments = new String[] {String.valueOf(userId)};
ensureUserMetadataEntryExists(userId);
+ invalidateKeysForUser(userId);
return db.update(UserMetadataEntry.TABLE_NAME, values, selection, selectionArguments);
}
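Review bot: The added `invalidateKeysForUser(userId)` call and the `UserMetadataEntry` update that follows it are two separate writes with no transaction around them. A failure between them would leave every key for the user marked permanently failed while the stored generation id is still the old one. Wrapping both in one transaction on `db` keeps them atomic; this assumes `invalidateKeysForUser` gets the same `SQLiteDatabase` instance from `mKeyStoreDbHelper`, which should be confirmed. The call is also unconditional, so writing the id that is already stored would invalidate keys too; it is worth confirming that callers only pass a genuinely new id. The method starts outside the hunk.

```java
ensureUserMetadataEntryExists(userId);
db.beginTransaction();
try {
    invalidateKeysForUser(userId);
    int updated = db.update(UserMetadataEntry.TABLE_NAME, values, selection, selectionArguments);
    db.setTransactionSuccessful();
    return updated;
} finally {
    db.endTransaction();
}
```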
@@ -394,16 +395,13 @@
/**
* Updates status of old keys to {@code RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE}.
*/
- public void invalidateKeysWithOldGenerationId(int userId, int newGenerationId) {
+ public void invalidateKeysForUser(int userId) {
SQLiteDatabase db = mKeyStoreDbHelper.getWritableDatabase();
ContentValues values = new ContentValues();
values.put(KeysEntry.COLUMN_NAME_RECOVERY_STATUS,
RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE);
- String selection =
- KeysEntry.COLUMN_NAME_USER_ID + " = ? AND "
- + KeysEntry.COLUMN_NAME_GENERATION_ID + " < ?";
- db.update(KeysEntry.TABLE_NAME, values, selection,
- new String[] {String.valueOf(userId), String.valueOf(newGenerationId)});
+ String selection = KeysEntry.COLUMN_NAME_USER_ID + " = ?";
+ db.update(KeysEntry.TABLE_NAME, values, selection, new String[] {String.valueOf(userId)});
}
/**
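Review bot: The Javadoc on `invalidateKeysForUser` still says it updates "old keys", but the new selection `KeysEntry.COLUMN_NAME_USER_ID + " = ?"` matches every key row for the user, whatever its generation id. Because the method stays public, a caller that invokes it after keys of the current generation have been inserted would mark those as permanently failed as well. I would reword the comment to `Updates status of all keys for the user to {@code RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE}.` and add a sentence saying it must run before keys for the new generation are stored.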
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java
index bac8414..7a20af4 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java
@@ -329,6 +329,31 @@
assertEquals(serialNumber, mRecoverableKeyStoreDb.getUserSerialNumbers().get(userId));
}
+ @Test
+ public void setPlatformKeyGenerationId_invalidatesExistingKeysForUser() {
+ int userId = 42;
+ int generationId = 110;
+ int uid = 1009;
+ int status = 120;
+ String alias = "test";
+ byte[] nonce = getUtf8Bytes("nonce");
+ byte[] keyMaterial = getUtf8Bytes("keymaterial");
+ byte[] keyMetadata = null;
+
+ WrappedKey wrappedKey =
+ new WrappedKey(nonce, keyMaterial, keyMetadata, generationId, status);
+ mRecoverableKeyStoreDb.insertKey(userId, uid, alias, wrappedKey);
+
+ WrappedKey retrievedKey = mRecoverableKeyStoreDb.getKey(uid, alias);
+ assertThat(retrievedKey.getRecoveryStatus()).isEqualTo(status);
+
+ mRecoverableKeyStoreDb.setPlatformKeyGenerationId(userId, generationId + 1);
+
+ retrievedKey = mRecoverableKeyStoreDb.getKey(uid, alias);
+ assertThat(retrievedKey.getRecoveryStatus())
+ .isEqualTo(RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE);
+ }
+
@Test
public void removeUserFromAllTables_removesData() throws Exception {
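Review bot: The new test `setPlatformKeyGenerationId_invalidatesExistingKeysForUser` only proves that the target user's key is invalidated. Nothing asserts that a key belonging to a different user keeps its status, which is the property the user-id selection has to guarantee. I would insert a second key under another user id before the call, with its own uid and alias since `getKey` looks up by uid and alias. The test would then assert that this key's recovery status is still `status` afterwards. The ids and alias in the sketch below are constructed sample values.

```java
int otherUserId = 43;
int otherUid = 1010;
String otherAlias = "other";
mRecoverableKeyStoreDb.insertKey(otherUserId, otherUid, otherAlias, wrappedKey);

mRecoverableKeyStoreDb.setPlatformKeyGenerationId(userId, generationId + 1);

// … unchanged: assertions on the invalidated key …
assertThat(mRecoverableKeyStoreDb.getKey(otherUid, otherAlias).getRecoveryStatus())
        .isEqualTo(status);
```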
@@ -439,7 +464,7 @@
}
@Test
- public void testInvalidateKeysWithOldGenerationId_withSingleKey() {
+ public void testInvalidateKeysForUser_withSingleKey() {
int userId = 12;
int uid = 1009;
int generationId = 6;
@@ -458,7 +483,7 @@
assertThat(retrievedKey.getRecoveryStatus()).isEqualTo(status);
mRecoverableKeyStoreDb.setRecoveryStatus(uid, alias, status2);
- mRecoverableKeyStoreDb.invalidateKeysWithOldGenerationId(userId, generationId + 1);
+ mRecoverableKeyStoreDb.invalidateKeysForUser(userId);
retrievedKey = mRecoverableKeyStoreDb.getKey(uid, alias);
assertThat(retrievedKey.getRecoveryStatus())