Merge "Adding KEY_PERMANENTLY_INVALIDATED to ResponseCode"
am: 3e9cd87e48
Change-Id: Ic25254b5586b42bd282b8ef75dfe6b3973eca630
diff --git a/keystore/blob.cpp b/keystore/blob.cpp
index f9485a4..9dd85d6 100644
--- a/keystore/blob.cpp
+++ b/keystore/blob.cpp
@@ -420,7 +420,16 @@
if (rawBlobIsEncrypted(*rawBlob)) {
rc = AES_gcm_decrypt(rawBlob->value /* in */, rawBlob->value /* out */, encryptedLength,
aes_key, rawBlob->initialization_vector, rawBlob->aead_tag);
- if (rc != ResponseCode::NO_ERROR) return rc;
+ if (rc != ResponseCode::NO_ERROR) {
+ // If the blob was superencrypted and decryption failed, it is
+ // almost certain that decryption is failing due to a user's
+ // changed master key.
+ if ((rawBlob->flags & KEYSTORE_FLAG_SUPER_ENCRYPTED) &&
+ (rc == ResponseCode::VALUE_CORRUPTED)) {
+ return ResponseCode::KEY_PERMANENTLY_INVALIDATED;
+ }
+ return rc;
+ }
}
} else if (rawBlob->version < 3) {
blobv2& v2blob = reinterpret_cast<blobv2&>(*rawBlob);
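Review bot: The new branch on `rc == ResponseCode::VALUE_CORRUPTED` reports every failed decrypt of a super-encrypted blob as KEY_PERMANENTLY_INVALIDATED, so on-disk corruption or tampering with the blob file becomes indistinguishable from a master-key change, both for callers and in logs. Assuming VALUE_CORRUPTED is what AES_gcm_decrypt returns on a GCM tag mismatch (its body is not in this hunk), the original cause should be logged before the remap, for example `ALOGW("super-encrypted blob failed authentication; reporting KEY_PERMANENTLY_INVALIDATED");` if the log macros are in scope in this file, and the comment should name corruption as the other possible cause. The decrypt runs in place on `rawBlob->value`, so it is worth confirming that no caller reads that buffer after this error return. The enclosing function starts and ends outside the hunk.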
diff --git a/keystore/include/keystore/keystore.h b/keystore/include/keystore/keystore.h
index a1d4c81..3aed8c2 100644
--- a/keystore/include/keystore/keystore.h
+++ b/keystore/include/keystore/keystore.h
@@ -44,6 +44,7 @@
SIGNATURE_INVALID = 14,
OP_AUTH_NEEDED = 15, // Auth is needed for this operation before it can be used.
KEY_ALREADY_EXISTS = 16,
+ KEY_PERMANENTLY_INVALIDATED = 17,
};
/*
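Review bot: `KEY_PERMANENTLY_INVALIDATED = 17` is added without a comment, although callers need to know that it is a terminal result and not a retryable one. Going by the blob.cpp change in this commit, it is returned when a super-encrypted blob fails to decrypt, so I would add a trailing comment in the style of OP_AUTH_NEEDED: `KEY_PERMANENTLY_INVALIDATED = 17,  // Super-encrypted blob could not be decrypted; the key is unusable.` Any copy of ResponseCode kept outside this header (none is visible here) would need the same value added.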