diff options
author | Vikram Gaur <vikramgaur@google.com> | 2022-05-24 16:40:43 +0000 |
---|---|---|
committer | Seth Moore <sethmo@google.com> | 2022-05-27 22:27:30 +0000 |
commit | d337c7727196f42af70aa93ab84f7c8b48cd9486 (patch) | |
tree | 9194ea173d28ec1e64a3791bb6b5351c8664eccf | |
parent | 7b28cace73002c7e6f186c2ce308893bfb55035f (diff) | |
download | security-d337c7727196f42af70aa93ab84f7c8b48cd9486.tar.gz |
Unbind Attestation keys when freeing up namespace.
In https://android-review.googlesource.com/c/platform/system/security/+/1698833
we added a check only for client keys. However, this means that on application deletion only the keystore keys related to the
application are unbound and the attestation keys get orphaned.
Through this change, I am planning to unbind the attestation keys
related to the application as well.
Change-Id: I1c9d1ac6d6943cc53f5d74653e3da72cd4f2adf7
Merged-In: I1c9d1ac6d6943cc53f5d74653e3da72cd4f2adf7
Test: atest keystore2_test
BUG: 232534682
Ignore-AOSP-First: Picking from AOSP
-rw-r--r-- | keystore2/src/database.rs | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs index 6b74e3c8..a3979bd5 100644 --- a/keystore2/src/database.rs +++ b/keystore2/src/database.rs @@ -2893,33 +2893,33 @@ impl KeystoreDB { "DELETE FROM persistent.keymetadata WHERE keyentryid IN ( SELECT id FROM persistent.keyentry - WHERE domain = ? AND namespace = ? AND key_type = ? + WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?) );", - params![domain.0, namespace, KeyType::Client], + params![domain.0, namespace, KeyType::Client, KeyType::Attestation], ) .context("Trying to delete keymetadata.")?; tx.execute( "DELETE FROM persistent.keyparameter WHERE keyentryid IN ( SELECT id FROM persistent.keyentry - WHERE domain = ? AND namespace = ? AND key_type = ? + WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?) );", - params![domain.0, namespace, KeyType::Client], + params![domain.0, namespace, KeyType::Client, KeyType::Attestation], ) .context("Trying to delete keyparameters.")?; tx.execute( "DELETE FROM persistent.grant WHERE keyentryid IN ( SELECT id FROM persistent.keyentry - WHERE domain = ? AND namespace = ? AND key_type = ? + WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?) );", - params![domain.0, namespace, KeyType::Client], + params![domain.0, namespace, KeyType::Client, KeyType::Attestation], ) .context("Trying to delete grants.")?; tx.execute( "DELETE FROM persistent.keyentry - WHERE domain = ? AND namespace = ? AND key_type = ?;", - params![domain.0, namespace, KeyType::Client], + WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?);", + params![domain.0, namespace, KeyType::Client, KeyType::Attestation], ) .context("Trying to delete keyentry.")?; Ok(()).need_gc() |