Unbind Attestation keys when freeing up namespace.

In https://android-review.googlesource.com/c/platform/system/security/+/1698833 we added a check only for client keys. However, this means that on application deletion only the keystore keys related to the application are unbound and the attestation keys get orphaned. Through this change, I am planning to unbind the attestation keys related to the application as well. Change-Id: I1c9d1ac6d6943cc53f5d74653e3da72cd4f2adf7 Merged-In: I1c9d1ac6d6943cc53f5d74653e3da72cd4f2adf7 Test: atest keystore2_test BUG: 232534682 Ignore-AOSP-First: Picking from AOSP
author: Vikram Gaur <vikramgaur@google.com> 2022-05-24 16:40:43 +0000
committer: Seth Moore <sethmo@google.com> 2022-05-27 22:27:30 +0000
commit: d337c7727196f42af70aa93ab84f7c8b48cd9486 (patch)
tree: 9194ea173d28ec1e64a3791bb6b5351c8664eccf
parent: 7b28cace73002c7e6f186c2ce308893bfb55035f (diff)
download: security-d337c7727196f42af70aa93ab84f7c8b48cd9486.tar.gz
1 files changed, 8 insertions, 8 deletions
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index 6b74e3c8..a3979bd5 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -2893,33 +2893,33 @@ impl KeystoreDB {
                 "DELETE FROM persistent.keymetadata
                 WHERE keyentryid IN (
                     SELECT id FROM persistent.keyentry
-                    WHERE domain = ? AND namespace = ? AND key_type = ?
+                    WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?)
                 );",
-                params![domain.0, namespace, KeyType::Client],
+                params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
             )
             .context("Trying to delete keymetadata.")?;
             tx.execute(
                 "DELETE FROM persistent.keyparameter
                 WHERE keyentryid IN (
                     SELECT id FROM persistent.keyentry
-                    WHERE domain = ? AND namespace = ? AND key_type = ?
+                    WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?)
                 );",
-                params![domain.0, namespace, KeyType::Client],
+                params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
             )
             .context("Trying to delete keyparameters.")?;
             tx.execute(
                 "DELETE FROM persistent.grant
                 WHERE keyentryid IN (
                     SELECT id FROM persistent.keyentry
-                    WHERE domain = ? AND namespace = ? AND key_type = ?
+                    WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?)
                 );",
-                params![domain.0, namespace, KeyType::Client],
+                params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
             )
             .context("Trying to delete grants.")?;
             tx.execute(
                 "DELETE FROM persistent.keyentry
-                 WHERE domain = ? AND namespace = ? AND key_type = ?;",
-                params![domain.0, namespace, KeyType::Client],
+                 WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?);",
+                params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
             )
             .context("Trying to delete keyentry.")?;
             Ok(()).need_gc()
author	Vikram Gaur <vikramgaur@google.com>	2022-05-24 16:40:43 +0000
committer	Seth Moore <sethmo@google.com>	2022-05-27 22:27:30 +0000
commit	d337c7727196f42af70aa93ab84f7c8b48cd9486 (patch)
tree	9194ea173d28ec1e64a3791bb6b5351c8664eccf
parent	7b28cace73002c7e6f186c2ce308893bfb55035f (diff)
download	security-d337c7727196f42af70aa93ab84f7c8b48cd9486.tar.gz