Remove legacy functions from IKeystoreService.aidl
In preparation for making the keystore service asynchronous we remove
redundant legacy functionality from the protocol.
This patch removes the functions get_pubkey, sign, verify, generate,
and import_key. Which have long been superseded by exportKey
(get_pubkey), begin/update/finish (sign, verify), generateKey
(generate), and importKey (import_key).
This patch also removes the implementations of these functions from
key_store_service and updates keystore-engine which still used the
legacy functionality.
It also remove the call isOperationAuthorized which was unused.
Test: Keystore CTS tests
Bug: 109769728
Change-Id: I0de359b3e43fd72faa9d1511f84b7c024968c884
diff --git a/keystore-engine/Android.mk b/keystore-engine/Android.mk
index c995dfc..e65e011 100644
--- a/keystore-engine/Android.mk
+++ b/keystore-engine/Android.mk
@@ -32,7 +32,9 @@
libhidlbase \
libkeystore_aidl \
libkeystore_binder \
+ libkeystore_parcelables \
liblog \
+ libbase \
libutils
LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
diff --git a/keystore-engine/keystore_backend_binder.cpp b/keystore-engine/keystore_backend_binder.cpp
index 79b0ec3..cd407c8 100644
--- a/keystore-engine/keystore_backend_binder.cpp
+++ b/keystore-engine/keystore_backend_binder.cpp
@@ -22,20 +22,61 @@
#include "keystore_backend_binder.h"
+#include <android-base/logging.h>
#include <android/security/IKeystoreService.h>
#include <binder/IServiceManager.h>
+#include <keystore/KeyCharacteristics.h>
+#include <keystore/KeymasterArguments.h>
+#include <keystore/KeymasterBlob.h>
+#include <keystore/OperationResult.h>
+#include <keystore/keymaster_types.h>
#include <keystore/keystore.h>
#include <keystore/keystore_hidl_support.h>
+#include <keystore/keystore_return_types.h>
using android::security::IKeystoreService;
using namespace android;
-using keystore::blob2hidlVec;
using keystore::hidl_vec;
+using android::hardware::keymaster::V4_0::Algorithm;
+using android::hardware::keymaster::V4_0::authorizationValue;
+using android::hardware::keymaster::V4_0::Digest;
+using android::hardware::keymaster::V4_0::KeyFormat;
+using android::hardware::keymaster::V4_0::KeyParameter;
+using android::hardware::keymaster::V4_0::KeyPurpose;
+using android::hardware::keymaster::V4_0::NullOr;
+using android::hardware::keymaster::V4_0::PaddingMode;
+using android::hardware::keymaster::V4_0::TAG_ALGORITHM;
+using android::hardware::keymaster::V4_0::TAG_DIGEST;
+using android::hardware::keymaster::V4_0::TAG_PADDING;
+using android::security::keymaster::ExportResult;
+using android::security::keymaster::KeyCharacteristics;
+using android::security::keymaster::KeymasterArguments;
+using android::security::keymaster::KeymasterBlob;
+using android::security::keymaster::OperationResult;
+
+using KSReturn = keystore::KeyStoreNativeReturnCode;
+
namespace {
const char keystore_service_name[] = "android.security.keystore";
+constexpr int32_t UID_SELF = -1;
};
+#define AT __func__ << ":" << __LINE__ << " "
+
+static NullOr<const Algorithm&> getKeyAlgoritmFromKeyCharacteristics(
+ const ::android::security::keymaster::KeyCharacteristics& characteristics) {
+ for (const auto& param : characteristics.hardwareEnforced.getParameters()) {
+ auto algo = authorizationValue(TAG_ALGORITHM, param);
+ if (algo.isOk()) return algo;
+ }
+ for (const auto& param : characteristics.softwareEnforced.getParameters()) {
+ auto algo = authorizationValue(TAG_ALGORITHM, param);
+ if (algo.isOk()) return algo;
+ }
+ return {};
+}
+
int32_t KeystoreBackendBinder::sign(const char* key_id, const uint8_t* in, size_t len,
uint8_t** reply, size_t* reply_len) {
sp<IServiceManager> sm = defaultServiceManager();
@@ -43,20 +84,88 @@
sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
if (service == nullptr) {
- ALOGE("could not contact keystore");
+ LOG(ERROR) << AT << "could not contact keystore";
return -1;
}
- auto inBlob = blob2hidlVec(in, len);
- std::vector<uint8_t> reply_vec;
- auto ret = service->sign(String16(key_id), inBlob, &reply_vec);
- if (!ret.isOk()) {
+ KeyCharacteristics keyCharacteristics;
+ String16 key_name16(key_id);
+ int32_t aidl_result;
+ auto binder_result = service->getKeyCharacteristics(
+ key_name16, KeymasterBlob(), KeymasterBlob(), UID_SELF, &keyCharacteristics, &aidl_result);
+ if (!binder_result.isOk()) {
+ LOG(ERROR) << AT << "communication error while calling keystore";
+ return -1;
+ }
+ if (KSReturn(aidl_result).isOk()) {
+ LOG(ERROR) << AT << "getKeyCharacteristics failed: " << aidl_result;
+ }
+
+ auto algorithm = getKeyAlgoritmFromKeyCharacteristics(keyCharacteristics);
+ if (!algorithm.isOk()) {
+ LOG(ERROR) << AT << "could not get algorithm from key characteristics";
return -1;
}
- hidl_vec<uint8_t> reply_hidl(reply_vec); // makes copy
- *reply = reply_hidl.releaseData();
- *reply_len = reply_vec.size();
+ hidl_vec<KeyParameter> params(3);
+ params[0] = Authorization(TAG_DIGEST, Digest::NONE);
+ params[1] = Authorization(TAG_PADDING, PaddingMode::NONE);
+ params[2] = Authorization(TAG_ALGORITHM, algorithm.value());
+
+ android::sp<android::IBinder> token(new android::BBinder);
+ OperationResult result;
+ binder_result = service->begin(token, key_name16, (int)KeyPurpose::SIGN, true /*pruneable*/,
+ KeymasterArguments(params), std::vector<uint8_t>() /* entropy */,
+ UID_SELF, &result);
+ if (!binder_result.isOk()) {
+ LOG(ERROR) << AT << "communication error while calling keystore";
+ return -1;
+ }
+ if (!result.resultCode.isOk()) {
+ LOG(ERROR) << AT << "begin failed: " << int32_t(result.resultCode);
+ return -1;
+ }
+ auto handle = std::move(result.token);
+
+ do {
+ binder_result = service->update(handle, KeymasterArguments(params),
+ std::vector<uint8_t>(in, in + len), &result);
+ if (!binder_result.isOk()) {
+ LOG(ERROR) << AT << "communication error while calling keystore";
+ return -1;
+ }
+ if (!result.resultCode.isOk()) {
+ LOG(ERROR) << AT << "update failed: " << int32_t(result.resultCode);
+ return -1;
+ }
+ if (result.inputConsumed > len) {
+ LOG(ERROR) << AT << "update consumed more data than provided";
+ service->abort(handle, &aidl_result);
+ return -1;
+ }
+ len -= result.inputConsumed;
+ in += result.inputConsumed;
+ } while (len > 0);
+
+ binder_result =
+ service->finish(handle, KeymasterArguments(params), std::vector<uint8_t>() /* signature */,
+ std::vector<uint8_t>() /* entropy */, &result);
+ if (!binder_result.isOk()) {
+ LOG(ERROR) << AT << "communication error while calling keystore";
+ return -1;
+ }
+ if (!result.resultCode.isOk()) {
+ LOG(ERROR) << AT << "finish failed: " << int32_t(result.resultCode);
+ return -1;
+ }
+
+ hidl_vec<uint8_t> reply_hidl(result.data);
+ if (reply_len) {
+ *reply_len = reply_hidl.size();
+ }
+ if (reply) {
+ *reply = reply_hidl.releaseData();
+ }
return 0;
}
@@ -67,18 +176,29 @@
sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
if (service == nullptr) {
- ALOGE("could not contact keystore");
+ LOG(ERROR) << AT << "could not contact keystore";
return -1;
}
- std::vector<uint8_t> pubkey_vec;
- auto ret = service->get_pubkey(String16(key_id), &pubkey_vec);
- if (!ret.isOk()) {
+ ExportResult result;
+ auto binder_result = service->exportKey(String16(key_id), static_cast<int32_t>(KeyFormat::X509),
+ KeymasterBlob() /* clientId */,
+ KeymasterBlob() /* appData */, UID_SELF, &result);
+ if (!binder_result.isOk()) {
+ LOG(ERROR) << AT << "communication error while calling keystore";
+ return -1;
+ }
+ if (!result.resultCode.isOk()) {
+ LOG(ERROR) << AT << "exportKey failed: " << int32_t(result.resultCode);
return -1;
}
- hidl_vec<uint8_t> hidl_pubkey(pubkey_vec); // makes copy
- *pubkey = hidl_pubkey.releaseData(); // caller should clean up memory.
- *pubkey_len = pubkey_vec.size();
+ hidl_vec<uint8_t> reply_hidl(result.exportData);
+ if (pubkey_len) {
+ *pubkey_len = reply_hidl.size();
+ }
+ if (pubkey) {
+ *pubkey = reply_hidl.releaseData();
+ }
return 0;
}
diff --git a/keystore/binder/android/security/IKeystoreService.aidl b/keystore/binder/android/security/IKeystoreService.aidl
index db55062..c490eda 100644
--- a/keystore/binder/android/security/IKeystoreService.aidl
+++ b/keystore/binder/android/security/IKeystoreService.aidl
@@ -42,12 +42,6 @@
int lock(int userId);
int unlock(int userId, String userPassword);
int isEmpty(int userId);
- int generate(String name, int uid, int keyType, int keySize, int flags,
- in KeystoreArguments args);
- int import_key(String name, in byte[] data, int uid, int flags);
- byte[] sign(String name, in byte[] data);
- int verify(String name, in byte[] data, in byte[] signature);
- byte[] get_pubkey(String name);
String grant(String name, int granteeUid);
int ungrant(String name, int granteeUid);
long getmtime(String name, int uid);
@@ -70,7 +64,6 @@
OperationResult finish(IBinder token, in KeymasterArguments params, in byte[] signature,
in byte[] entropy);
int abort(IBinder handle);
- boolean isOperationAuthorized(IBinder token);
int addAuthToken(in byte[] authToken);
int onUserAdded(int userId, int parentId);
int onUserRemoved(int userId);
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 2aaa625..dcf1acb 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -420,188 +420,6 @@
return Status::ok();
}
-Status KeyStoreService::generate(const String16& name, int32_t targetUid, int32_t keyType,
- int32_t keySize, int32_t flags,
- const ::android::security::KeystoreArguments& keystoreArgs,
- int32_t* aidl_return) {
- const Vector<sp<KeystoreArg>>* args = &(keystoreArgs.getArguments());
- targetUid = getEffectiveUid(targetUid);
- KeyStoreServiceReturnCode result =
- checkBinderPermissionAndKeystoreState(P_INSERT, targetUid, flags & KEYSTORE_FLAG_ENCRYPTED);
- if (!result.isOk()) {
- *aidl_return = static_cast<int32_t>(result);
- return Status::ok();
- }
-
- keystore::AuthorizationSet params;
- add_legacy_key_authorizations(keyType, ¶ms);
-
- switch (keyType) {
- case EVP_PKEY_EC: {
- params.push_back(TAG_ALGORITHM, Algorithm::EC);
- if (keySize == -1) {
- keySize = EC_DEFAULT_KEY_SIZE;
- } else if (keySize < EC_MIN_KEY_SIZE || keySize > EC_MAX_KEY_SIZE) {
- ALOGI("invalid key size %d", keySize);
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- }
- params.push_back(TAG_KEY_SIZE, keySize);
- break;
- }
- case EVP_PKEY_RSA: {
- params.push_back(TAG_ALGORITHM, Algorithm::RSA);
- if (keySize == -1) {
- keySize = RSA_DEFAULT_KEY_SIZE;
- } else if (keySize < RSA_MIN_KEY_SIZE || keySize > RSA_MAX_KEY_SIZE) {
- ALOGI("invalid key size %d", keySize);
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- }
- params.push_back(TAG_KEY_SIZE, keySize);
- unsigned long exponent = RSA_DEFAULT_EXPONENT;
- if (args->size() > 1) {
- ALOGI("invalid number of arguments: %zu", args->size());
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- } else if (args->size() == 1) {
- const sp<KeystoreArg>& expArg = args->itemAt(0);
- if (expArg != nullptr) {
- Unique_BIGNUM pubExpBn(BN_bin2bn(
- reinterpret_cast<const unsigned char*>(expArg->data()), expArg->size(), nullptr));
- if (pubExpBn.get() == nullptr) {
- ALOGI("Could not convert public exponent to BN");
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- }
- exponent = BN_get_word(pubExpBn.get());
- if (exponent == 0xFFFFFFFFL) {
- ALOGW("cannot represent public exponent as a long value");
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- }
- } else {
- ALOGW("public exponent not read");
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- }
- }
- params.push_back(TAG_RSA_PUBLIC_EXPONENT, exponent);
- break;
- }
- default: {
- ALOGW("Unsupported key type %d", keyType);
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- }
- }
-
- int32_t aidl_result;
- android::security::keymaster::KeyCharacteristics unused_characteristics;
- auto rc = generateKey(name, KeymasterArguments(params.hidl_data()), ::std::vector<uint8_t>(),
- targetUid, flags, &unused_characteristics, &aidl_result);
- if (!KeyStoreServiceReturnCode(aidl_result).isOk()) {
- ALOGW("generate failed: %d", int32_t(aidl_result));
- }
- *aidl_return = aidl_result;
- return Status::ok();
-}
-
-Status KeyStoreService::import_key(const String16& name, const ::std::vector<uint8_t>& data,
- int targetUid, int32_t flags, int32_t* aidl_return) {
-
- const uint8_t* ptr = &data[0];
-
- Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(nullptr, &ptr, data.size()));
- if (!pkcs8.get()) {
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- }
- Unique_EVP_PKEY pkey(EVP_PKCS82PKEY(pkcs8.get()));
- if (!pkey.get()) {
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- }
- int type = EVP_PKEY_type(pkey->type);
- AuthorizationSet params;
- add_legacy_key_authorizations(type, ¶ms);
- switch (type) {
- case EVP_PKEY_RSA:
- params.push_back(TAG_ALGORITHM, Algorithm::RSA);
- break;
- case EVP_PKEY_EC:
- params.push_back(TAG_ALGORITHM, Algorithm::EC);
- break;
- default:
- ALOGW("Unsupported key type %d", type);
- *aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
- return Status::ok();
- }
-
- int import_result;
- auto rc = importKey(name, KeymasterArguments(params.hidl_data()),
- static_cast<int32_t>(KeyFormat::PKCS8), data, targetUid, flags,
- /*outCharacteristics*/ nullptr, &import_result);
-
- if (!KeyStoreServiceReturnCode(import_result).isOk()) {
- ALOGW("importKey failed: %d", int32_t(import_result));
- }
- *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
- return Status::ok();
-}
-
-Status KeyStoreService::sign(const String16& name, const ::std::vector<uint8_t>& data,
- ::std::vector<uint8_t>* out) {
- if (!checkBinderPermission(P_SIGN)) {
- return Status::fromServiceSpecificError(
- static_cast<int32_t>(ResponseCode::PERMISSION_DENIED));
- }
- hidl_vec<uint8_t> legacy_out;
- KeyStoreServiceReturnCode res =
- doLegacySignVerify(name, data, &legacy_out, hidl_vec<uint8_t>(), KeyPurpose::SIGN);
- if (!res.isOk()) {
- return Status::fromServiceSpecificError((res));
- }
- *out = legacy_out;
- return Status::ok();
-}
-
-Status KeyStoreService::verify(const String16& name, const ::std::vector<uint8_t>& data,
- const ::std::vector<uint8_t>& signature, int32_t* aidl_return) {
- if (!checkBinderPermission(P_VERIFY)) {
- return Status::fromServiceSpecificError(
- static_cast<int32_t>(ResponseCode::PERMISSION_DENIED));
- }
- *aidl_return = static_cast<int32_t>(
- doLegacySignVerify(name, data, nullptr, signature, KeyPurpose::VERIFY));
- return Status::ok();
-}
-
-/*
- * TODO: The abstraction between things stored in hardware and regular blobs
- * of data stored on the filesystem should be moved down to keystore itself.
- * Unfortunately the Java code that calls this has naming conventions that it
- * knows about. Ideally keystore shouldn't be used to store random blobs of
- * data.
- *
- * Until that happens, it's necessary to have a separate "get_pubkey" and
- * "del_key" since the Java code doesn't really communicate what it's
- * intentions are.
- */
-Status KeyStoreService::get_pubkey(const String16& name, ::std::vector<uint8_t>* pubKey) {
- android::security::keymaster::ExportResult result;
- KeymasterBlob clientId;
- KeymasterBlob appData;
- exportKey(name, static_cast<int32_t>(KeyFormat::X509), clientId, appData, UID_SELF, &result);
- if (!result.resultCode.isOk()) {
- ALOGW("export failed: %d", int32_t(result.resultCode));
- return Status::fromServiceSpecificError(static_cast<int32_t>(result.resultCode));
- }
-
- if (pubKey) *pubKey = std::move(result.exportData);
- return Status::ok();
-}
-
Status KeyStoreService::grant(const String16& name, int32_t granteeUid,
::android::String16* aidl_return) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
@@ -1562,14 +1380,6 @@
return Status::ok();
}
-Status KeyStoreService::isOperationAuthorized(const sp<IBinder>& token, bool* aidl_return) {
- AuthorizationSet ignored;
- KeyStoreServiceReturnCode rc;
- std::tie(rc, std::ignore) = getOperationAuthTokenIfNeeded(token);
- *aidl_return = rc.isOk();
- return Status::ok();
-}
-
Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector,
int32_t* aidl_return) {
@@ -2139,117 +1949,6 @@
return {ResponseCode::NO_ERROR, op.authToken};
}
-/**
- * Translate a result value to a legacy return value. All keystore errors are
- * preserved and keymaster errors become SYSTEM_ERRORs
- */
-KeyStoreServiceReturnCode KeyStoreService::translateResultToLegacyResult(int32_t result) {
- if (result > 0) return static_cast<ResponseCode>(result);
- return ResponseCode::SYSTEM_ERROR;
-}
-
-static NullOr<const Algorithm&> getKeyAlgoritmFromKeyCharacteristics(
- const ::android::security::keymaster::KeyCharacteristics& characteristics) {
- for (const auto& param : characteristics.hardwareEnforced.getParameters()) {
- auto algo = authorizationValue(TAG_ALGORITHM, param);
- if (algo.isOk()) return algo;
- }
- for (const auto& param : characteristics.softwareEnforced.getParameters()) {
- auto algo = authorizationValue(TAG_ALGORITHM, param);
- if (algo.isOk()) return algo;
- }
- return {};
-}
-
-void KeyStoreService::addLegacyBeginParams(const String16& name, AuthorizationSet* params) {
- // All legacy keys are DIGEST_NONE/PAD_NONE.
- params->push_back(TAG_DIGEST, Digest::NONE);
- params->push_back(TAG_PADDING, PaddingMode::NONE);
-
- // Look up the algorithm of the key.
- ::android::security::keymaster::KeyCharacteristics characteristics;
- int32_t result;
- auto rc = getKeyCharacteristics(name, ::android::security::keymaster::KeymasterBlob(),
- ::android::security::keymaster::KeymasterBlob(), UID_SELF,
- &characteristics, &result);
- if (!rc.isOk()) {
- ALOGE("Failed to get key characteristics");
- return;
- }
- auto algorithm = getKeyAlgoritmFromKeyCharacteristics(characteristics);
- if (!algorithm.isOk()) {
- ALOGE("getKeyCharacteristics did not include KM_TAG_ALGORITHM");
- return;
- }
- params->push_back(TAG_ALGORITHM, algorithm.value());
-}
-
-KeyStoreServiceReturnCode KeyStoreService::doLegacySignVerify(const String16& name,
- const hidl_vec<uint8_t>& data,
- hidl_vec<uint8_t>* out,
- const hidl_vec<uint8_t>& signature,
- KeyPurpose purpose) {
-
- std::basic_stringstream<uint8_t> outBuffer;
- OperationResult result;
- AuthorizationSet inArgs;
- addLegacyBeginParams(name, &inArgs);
- sp<IBinder> appToken(new BBinder);
- sp<IBinder> token;
-
- begin(appToken, name, static_cast<int32_t>(purpose), true,
- KeymasterArguments(inArgs.hidl_data()), ::std::vector<uint8_t>(), UID_SELF, &result);
- if (!result.resultCode.isOk()) {
- if (result.resultCode == ResponseCode::KEY_NOT_FOUND) {
- ALOGW("Key not found");
- } else {
- ALOGW("Error in begin: %d", int32_t(result.resultCode));
- }
- return translateResultToLegacyResult(result.resultCode);
- }
- inArgs.Clear();
- token = result.token;
- size_t consumed = 0;
- size_t lastConsumed = 0;
- hidl_vec<uint8_t> data_view;
- do {
- data_view.setToExternal(const_cast<uint8_t*>(&data[consumed]), data.size() - consumed);
- update(token, KeymasterArguments(inArgs.hidl_data()), data_view, &result);
- if (result.resultCode != ResponseCode::NO_ERROR) {
- ALOGW("Error in update: %d", int32_t(result.resultCode));
- return translateResultToLegacyResult(result.resultCode);
- }
- if (out) {
- outBuffer.write(&result.data[0], result.data.size());
- }
- lastConsumed = result.inputConsumed;
- consumed += lastConsumed;
- } while (consumed < data.size() && lastConsumed > 0);
-
- if (consumed != data.size()) {
- ALOGW("Not all data consumed. Consumed %zu of %zu", consumed, data.size());
- return ResponseCode::SYSTEM_ERROR;
- }
-
- finish(token, KeymasterArguments(inArgs.hidl_data()), signature, ::std::vector<uint8_t>(),
- &result);
- if (result.resultCode != ResponseCode::NO_ERROR) {
- ALOGW("Error in finish: %d", int32_t(result.resultCode));
- return translateResultToLegacyResult(result.resultCode);
- }
- if (out) {
- outBuffer.write(&result.data[0], result.data.size());
- }
-
- if (out) {
- auto buf = outBuffer.str();
- out->resize(buf.size());
- memcpy(&(*out)[0], buf.data(), out->size());
- }
-
- return ResponseCode::NO_ERROR;
-}
-
KeyStoreServiceReturnCode KeyStoreService::upgradeKeyBlob(const String16& name, uid_t uid,
const AuthorizationSet& params,
Blob* blob) {
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 8d3f1f2..7a48be7 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -64,33 +64,6 @@
::android::binder::Status unlock(int32_t userId, const ::android::String16& userPassword,
int32_t* _aidl_return) override;
::android::binder::Status isEmpty(int32_t userId, int32_t* _aidl_return) override;
- ::android::binder::Status generate(const ::android::String16& name, int32_t uid,
- int32_t keyType, int32_t keySize, int32_t flags,
- const ::android::security::KeystoreArguments& args,
- int32_t* _aidl_return) override;
- ::android::binder::Status import_key(const ::android::String16& name,
- const ::std::vector<uint8_t>& data, int32_t uid,
- int32_t flags, int32_t* _aidl_return) override;
- ::android::binder::Status sign(const ::android::String16& name,
- const ::std::vector<uint8_t>& data,
- ::std::vector<uint8_t>* _aidl_return) override;
- ::android::binder::Status verify(const ::android::String16& name,
- const ::std::vector<uint8_t>& data,
- const ::std::vector<uint8_t>& signature,
- int32_t* _aidl_return) override;
- /*
- * TODO: The abstraction between things stored in hardware and regular blobs
- * of data stored on the filesystem should be moved down to keystore itself.
- * Unfortunately the Java code that calls this has naming conventions that it
- * knows about. Ideally keystore shouldn't be used to store random blobs of
- * data.
- *
- * Until that happens, it's necessary to have a separate "get_pubkey" and
- * "del_key" since the Java code doesn't really communicate what it's
- * intentions are.
- */
- ::android::binder::Status get_pubkey(const ::android::String16& name,
- ::std::vector<uint8_t>* _aidl_return) override;
::android::binder::Status grant(const ::android::String16& name, int32_t granteeUid,
::android::String16* _aidl_return) override;
::android::binder::Status ungrant(const ::android::String16& name, int32_t granteeUid,
@@ -143,8 +116,6 @@
::android::security::keymaster::OperationResult* _aidl_return) override;
::android::binder::Status abort(const ::android::sp<::android::IBinder>& handle,
int32_t* _aidl_return) override;
- ::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token,
- bool* _aidl_return) override;
::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken,
int32_t* _aidl_return) override;
::android::binder::Status onUserAdded(int32_t userId, int32_t parentId,
diff --git a/keystore/keystore_cli.cpp b/keystore/keystore_cli.cpp
index d5a8afa..b58735e 100644
--- a/keystore/keystore_cli.cpp
+++ b/keystore/keystore_cli.cpp
@@ -254,8 +254,6 @@
// TODO: generate
- SINGLE_ARG_DATA_RETURN(get_pubkey);
-
// TODO: grant
// TODO: ungrant