summaryrefslogtreecommitdiff
path: root/keystore2/src/super_key.rs
diff options
context:
space:
mode:
Diffstat (limited to 'keystore2/src/super_key.rs')
-rw-r--r--keystore2/src/super_key.rs240
1 files changed, 102 insertions, 138 deletions
diff --git a/keystore2/src/super_key.rs b/keystore2/src/super_key.rs
index 74e3e560..f0002131 100644
--- a/keystore2/src/super_key.rs
+++ b/keystore2/src/super_key.rs
@@ -25,6 +25,7 @@ use crate::{
error::Error,
error::ResponseCode,
key_parameter::{KeyParameter, KeyParameterValue},
+ ks_err,
legacy_blob::LegacyBlobLoader,
legacy_importer::LegacyImporter,
raw_device::KeyMintDevice,
@@ -156,19 +157,17 @@ pub struct SuperKey {
impl AesGcm for SuperKey {
fn decrypt(&self, data: &[u8], iv: &[u8], tag: &[u8]) -> Result<ZVec> {
if self.algorithm == SuperEncryptionAlgorithm::Aes256Gcm {
- aes_gcm_decrypt(data, iv, tag, &self.key)
- .context("In SuperKey::decrypt: Decryption failed.")
+ aes_gcm_decrypt(data, iv, tag, &self.key).context(ks_err!("Decryption failed."))
} else {
- Err(Error::sys()).context("In SuperKey::decrypt: Key is not an AES key.")
+ Err(Error::sys()).context(ks_err!("Key is not an AES key."))
}
}
fn encrypt(&self, plaintext: &[u8]) -> Result<(Vec<u8>, Vec<u8>, Vec<u8>)> {
if self.algorithm == SuperEncryptionAlgorithm::Aes256Gcm {
- aes_gcm_encrypt(plaintext, &self.key)
- .context("In SuperKey::encrypt: Encryption failed.")
+ aes_gcm_encrypt(plaintext, &self.key).context(ks_err!("Encryption failed."))
} else {
- Err(Error::sys()).context("In SuperKey::encrypt: Key is not an AES key.")
+ Err(Error::sys()).context(ks_err!("Key is not an AES key."))
}
}
}
@@ -203,7 +202,7 @@ impl LockedKey {
.as_ref()
.map(|(key_blob, _)| KeyBlob::Ref(key_blob))
.ok_or(Error::Rc(ResponseCode::KEY_NOT_FOUND))
- .context("In LockedKey::decrypt: Missing key blob info.")?;
+ .context(ks_err!("Missing key blob info."))?;
let key_params = vec![
KeyParameterValue::Algorithm(Algorithm::AES),
KeyParameterValue::KeySize(256),
@@ -270,10 +269,7 @@ impl SkmState {
self.key_index.insert(id, Arc::downgrade(super_key));
Ok(())
} else {
- Err(Error::sys()).context(format!(
- "In add_key_to_key_index: cannot add key with ID {:?}",
- super_key.id
- ))
+ Err(Error::sys()).context(ks_err!("Cannot add key with ID {:?}", super_key.id))
}
}
}
@@ -290,8 +286,8 @@ impl SuperKeyManager {
log::info!("In set_up_boot_level_cache: called for a second time");
return Ok(());
}
- let level_zero_key = get_level_zero_key(db)
- .context("In set_up_boot_level_cache: get_level_zero_key failed")?;
+ let level_zero_key =
+ get_level_zero_key(db).context(ks_err!("get_level_zero_key failed"))?;
skm_guard.data.boot_level_key_cache =
Some(Mutex::new(BootLevelKeyCache::new(level_zero_key)));
log::info!("Starting boot level watcher.");
@@ -307,11 +303,11 @@ impl SuperKeyManager {
/// Blocks waiting for system property changes, so must be run in its own thread.
fn watch_boot_level(skm: Arc<RwLock<Self>>) -> Result<()> {
let mut w = PropertyWatcher::new("keystore.boot_level")
- .context("In watch_boot_level: PropertyWatcher::new failed")?;
+ .context(ks_err!("PropertyWatcher::new failed"))?;
loop {
let level = w
.read(|_n, v| v.parse::<usize>().map_err(std::convert::Into::into))
- .context("In watch_boot_level: read of property failed")?;
+ .context(ks_err!("read of property failed"))?;
// This scope limits the skm_guard life, so we don't hold the skm_guard while
// waiting.
@@ -322,14 +318,14 @@ impl SuperKeyManager {
.boot_level_key_cache
.as_mut()
.ok_or_else(Error::sys)
- .context("In watch_boot_level: Boot level cache not initialized")?
+ .context(ks_err!("Boot level cache not initialized"))?
.get_mut()
.unwrap();
if level < MAX_MAX_BOOT_LEVEL {
log::info!("Read keystore.boot_level value {}", level);
boot_level_key_cache
.advance_boot_level(level)
- .context("In watch_boot_level: advance_boot_level failed")?;
+ .context(ks_err!("advance_boot_level failed"))?;
} else {
log::info!(
"keystore.boot_level {} hits maximum {}, finishing.",
@@ -340,7 +336,7 @@ impl SuperKeyManager {
break;
}
}
- w.wait().context("In watch_boot_level: property wait failed")?;
+ w.wait().context(ks_err!("property wait failed"))?;
}
Ok(())
}
@@ -363,7 +359,7 @@ impl SuperKeyManager {
) -> Result<()> {
self.data
.add_key_to_key_index(&super_key)
- .context("In install_per_boot_key_for_user: add_key_to_key_index failed")?;
+ .context(ks_err!("add_key_to_key_index failed"))?;
self.data.user_keys.entry(user).or_default().per_boot = Some(super_key);
Ok(())
}
@@ -379,7 +375,7 @@ impl SuperKeyManager {
.as_ref()
.map(|b| b.lock().unwrap().aes_key(*level as usize))
.transpose()
- .context("In lookup_key: aes_key failed")?
+ .context(ks_err!("aes_key failed"))?
.flatten()
.map(|key| {
Arc::new(SuperKey {
@@ -425,12 +421,12 @@ impl SuperKeyManager {
// For backward compatibility we need to check if there is a super key present.
let super_key = legacy_blob_loader
.load_super_key(user, pw)
- .context("In create_new_key: Failed to load legacy key blob.")?;
+ .context(ks_err!("Failed to load legacy key blob."))?;
let super_key = match super_key {
None => {
// No legacy file was found. So we generate a new key.
generate_aes256_key()
- .context("In create_new_key: Failed to generate AES 256 key.")?
+ .context(ks_err!("Failed to generate AES 256 key."))?
}
Some(key) => key,
};
@@ -442,10 +438,10 @@ impl SuperKeyManager {
Self::encrypt_with_password(&super_key, pw).context("In create_new_key.")
},
)
- .context("In unlock_user_key: Failed to get key id.")?;
+ .context(ks_err!("Failed to get key id."))?;
self.populate_cache_from_super_key_blob(user, USER_SUPER_KEY.algorithm, entry, pw)
- .context("In unlock_user_key.")?;
+ .context(ks_err!())?;
Ok(())
}
@@ -459,12 +455,12 @@ impl SuperKeyManager {
Ok(if let Some(key_id) = SuperKeyIdentifier::from_metadata(metadata) {
let super_key = self
.lookup_key(&key_id)
- .context("In unwrap_key: lookup_key failed")?
+ .context(ks_err!("lookup_key failed"))?
.ok_or(Error::Rc(ResponseCode::LOCKED))
- .context("In unwrap_key: Required super decryption key is not in memory.")?;
+ .context(ks_err!("Required super decryption key is not in memory."))?;
KeyBlob::Sensitive {
key: Self::unwrap_key_with_key(blob, metadata, &super_key)
- .context("In unwrap_key: unwrap_key_with_key failed")?,
+ .context(ks_err!("unwrap_key_with_key failed"))?,
reencrypt_with: super_key.reencrypt_with.as_ref().unwrap_or(&super_key).clone(),
force_reencrypt: super_key.reencrypt_with.is_some(),
}
@@ -477,14 +473,11 @@ impl SuperKeyManager {
fn unwrap_key_with_key(blob: &[u8], metadata: &BlobMetaData, key: &SuperKey) -> Result<ZVec> {
match key.algorithm {
SuperEncryptionAlgorithm::Aes256Gcm => match (metadata.iv(), metadata.aead_tag()) {
- (Some(iv), Some(tag)) => key
- .decrypt(blob, iv, tag)
- .context("In unwrap_key_with_key: Failed to decrypt the key blob."),
- (iv, tag) => Err(Error::Rc(ResponseCode::VALUE_CORRUPTED)).context(format!(
- concat!(
- "In unwrap_key_with_key: Key has incomplete metadata.",
- "Present: iv: {}, aead_tag: {}."
- ),
+ (Some(iv), Some(tag)) => {
+ key.decrypt(blob, iv, tag).context(ks_err!("Failed to decrypt the key blob."))
+ }
+ (iv, tag) => Err(Error::Rc(ResponseCode::VALUE_CORRUPTED)).context(ks_err!(
+ "Key has incomplete metadata. Present: iv: {}, aead_tag: {}.",
iv.is_some(),
tag.is_some(),
)),
@@ -494,14 +487,12 @@ impl SuperKeyManager {
(Some(public_key), Some(salt), Some(iv), Some(aead_tag)) => {
ECDHPrivateKey::from_private_key(&key.key)
.and_then(|k| k.decrypt_message(public_key, salt, iv, blob, aead_tag))
- .context(
- "In unwrap_key_with_key: Failed to decrypt the key blob with ECDH.",
- )
+ .context(ks_err!("Failed to decrypt the key blob with ECDH."))
}
(public_key, salt, iv, aead_tag) => {
- Err(Error::Rc(ResponseCode::VALUE_CORRUPTED)).context(format!(
+ Err(Error::Rc(ResponseCode::VALUE_CORRUPTED)).context(ks_err!(
concat!(
- "In unwrap_key_with_key: Key has incomplete metadata.",
+ "Key has incomplete metadata. ",
"Present: public_key: {}, salt: {}, iv: {}, aead_tag: {}."
),
public_key.is_some(),
@@ -526,14 +517,12 @@ impl SuperKeyManager {
) -> Result<bool> {
let key_in_db = db
.key_exists(Domain::APP, user_id as u64 as i64, USER_SUPER_KEY.alias, KeyType::Super)
- .context("In super_key_exists_in_db_for_user.")?;
+ .context(ks_err!())?;
if key_in_db {
Ok(key_in_db)
} else {
- legacy_importer
- .has_super_key(user_id)
- .context("In super_key_exists_in_db_for_user: Trying to query legacy db.")
+ legacy_importer.has_super_key(user_id).context(ks_err!("Trying to query legacy db."))
}
}
@@ -550,13 +539,13 @@ impl SuperKeyManager {
let alias = &USER_SUPER_KEY;
let result = legacy_importer
.with_try_import_super_key(user_id, pw, || db.load_super_key(alias, user_id))
- .context("In check_and_unlock_super_key. Failed to load super key")?;
+ .context(ks_err!("Failed to load super key"))?;
match result {
Some((_, entry)) => {
let super_key = self
.populate_cache_from_super_key_blob(user_id, alias.algorithm, entry, pw)
- .context("In check_and_unlock_super_key.")?;
+ .context(ks_err!())?;
Ok(UserState::LskfUnlocked(super_key))
}
None => Ok(UserState::Uninitialized),
@@ -578,17 +567,17 @@ impl SuperKeyManager {
) -> Result<UserState> {
let super_key_exists_in_db = self
.super_key_exists_in_db_for_user(db, legacy_importer, user_id)
- .context("In check_and_initialize_super_key. Failed to check if super key exists.")?;
+ .context(ks_err!("Failed to check if super key exists."))?;
if super_key_exists_in_db {
Ok(UserState::LskfLocked)
} else if let Some(pw) = pw {
// Generate a new super key.
- let super_key = generate_aes256_key()
- .context("In check_and_initialize_super_key: Failed to generate AES 256 key.")?;
+ let super_key =
+ generate_aes256_key().context(ks_err!("Failed to generate AES 256 key."))?;
// Derive an AES256 key from the password and re-encrypt the super key
// before we insert it in the database.
- let (encrypted_super_key, blob_metadata) = Self::encrypt_with_password(&super_key, pw)
- .context("In check_and_initialize_super_key.")?;
+ let (encrypted_super_key, blob_metadata) =
+ Self::encrypt_with_password(&super_key, pw).context(ks_err!())?;
let key_entry = db
.store_super_key(
@@ -598,7 +587,7 @@ impl SuperKeyManager {
&blob_metadata,
&KeyMetaData::new(),
)
- .context("In check_and_initialize_super_key. Failed to store super key.")?;
+ .context(ks_err!("Failed to store super key."))?;
let super_key = self
.populate_cache_from_super_key_blob(
@@ -607,7 +596,7 @@ impl SuperKeyManager {
key_entry,
pw,
)
- .context("In check_and_initialize_super_key.")?;
+ .context(ks_err!())?;
Ok(UserState::LskfUnlocked(super_key))
} else {
Ok(UserState::Uninitialized)
@@ -623,9 +612,7 @@ impl SuperKeyManager {
pw: &Password,
) -> Result<Arc<SuperKey>> {
let super_key = Self::extract_super_key_from_key_entry(algorithm, entry, pw, None)
- .context(
- "In populate_cache_from_super_key_blob. Failed to extract super key from key entry",
- )?;
+ .context(ks_err!("Failed to extract super key from key entry"))?;
self.install_per_boot_key_for_user(user_id, super_key.clone())?;
Ok(super_key)
}
@@ -646,20 +633,19 @@ impl SuperKeyManager {
) {
(Some(&EncryptedBy::Password), Some(salt), Some(iv), Some(tag)) => {
// Note that password encryption is AES no matter the value of algorithm.
- let key = pw.derive_key(Some(salt), AES_256_KEY_LENGTH).context(
- "In extract_super_key_from_key_entry: Failed to generate key from password.",
- )?;
+ let key = pw
+ .derive_key(salt, AES_256_KEY_LENGTH)
+ .context(ks_err!("Failed to generate key from password."))?;
- aes_gcm_decrypt(blob, iv, tag, &key).context(
- "In extract_super_key_from_key_entry: Failed to decrypt key blob.",
- )?
+ aes_gcm_decrypt(blob, iv, tag, &key)
+ .context(ks_err!("Failed to decrypt key blob."))?
}
(enc_by, salt, iv, tag) => {
- return Err(Error::Rc(ResponseCode::VALUE_CORRUPTED)).context(format!(
+ return Err(Error::Rc(ResponseCode::VALUE_CORRUPTED)).context(ks_err!(
concat!(
- "In extract_super_key_from_key_entry: Super key has incomplete metadata.",
- "encrypted_by: {:?}; Present: salt: {}, iv: {}, aead_tag: {}."
- ),
+ "Super key has incomplete metadata.",
+ "encrypted_by: {:?}; Present: salt: {}, iv: {}, aead_tag: {}."
+ ),
enc_by,
salt.is_some(),
iv.is_some(),
@@ -674,8 +660,7 @@ impl SuperKeyManager {
reencrypt_with,
}))
} else {
- Err(Error::Rc(ResponseCode::VALUE_CORRUPTED))
- .context("In extract_super_key_from_key_entry: No key blob info.")
+ Err(Error::Rc(ResponseCode::VALUE_CORRUPTED)).context(ks_err!("No key blob info."))
}
}
@@ -686,13 +671,13 @@ impl SuperKeyManager {
) -> Result<(Vec<u8>, BlobMetaData)> {
let salt = generate_salt().context("In encrypt_with_password: Failed to generate salt.")?;
let derived_key = pw
- .derive_key(Some(&salt), AES_256_KEY_LENGTH)
- .context("In encrypt_with_password: Failed to derive password.")?;
+ .derive_key(&salt, AES_256_KEY_LENGTH)
+ .context(ks_err!("Failed to derive password."))?;
let mut metadata = BlobMetaData::new();
metadata.add(BlobMetaEntry::EncryptedBy(EncryptedBy::Password));
metadata.add(BlobMetaEntry::Salt(salt));
let (encrypted_key, iv, tag) = aes_gcm_encrypt(super_key, &derived_key)
- .context("In encrypt_with_password: Failed to encrypt new super key.")?;
+ .context(ks_err!("Failed to encrypt new super key."))?;
metadata.add(BlobMetaEntry::Iv(iv));
metadata.add(BlobMetaEntry::AeadTag(tag));
Ok((encrypted_key, metadata))
@@ -711,17 +696,17 @@ impl SuperKeyManager {
) -> Result<(Vec<u8>, BlobMetaData)> {
match self
.get_user_state(db, legacy_importer, user_id)
- .context("In super_encrypt. Failed to get user state.")?
+ .context(ks_err!("Failed to get user state."))?
{
UserState::LskfUnlocked(super_key) => {
Self::encrypt_with_aes_super_key(key_blob, &super_key)
- .context("In super_encrypt_on_key_init. Failed to encrypt the key.")
+ .context(ks_err!("Failed to encrypt the key."))
}
UserState::LskfLocked => {
- Err(Error::Rc(ResponseCode::LOCKED)).context("In super_encrypt. Device is locked.")
+ Err(Error::Rc(ResponseCode::LOCKED)).context(ks_err!("Device is locked."))
}
UserState::Uninitialized => Err(Error::Rc(ResponseCode::UNINITIALIZED))
- .context("In super_encrypt. LSKF is not setup for the user."),
+ .context(ks_err!("LSKF is not setup for the user.")),
}
}
@@ -733,12 +718,11 @@ impl SuperKeyManager {
super_key: &SuperKey,
) -> Result<(Vec<u8>, BlobMetaData)> {
if super_key.algorithm != SuperEncryptionAlgorithm::Aes256Gcm {
- return Err(Error::sys())
- .context("In encrypt_with_aes_super_key: unexpected algorithm");
+ return Err(Error::sys()).context(ks_err!("unexpected algorithm"));
}
let mut metadata = BlobMetaData::new();
let (encrypted_key, iv, tag) = aes_gcm_encrypt(key_blob, &(super_key.key))
- .context("In encrypt_with_aes_super_key: Failed to encrypt new super key.")?;
+ .context(ks_err!("Failed to encrypt new super key."))?;
metadata.add(BlobMetaEntry::Iv(iv));
metadata.add(BlobMetaEntry::AeadTag(tag));
super_key.id.add_to_metadata(&mut metadata);
@@ -762,37 +746,29 @@ impl SuperKeyManager {
SuperEncryptionType::None => Ok((key_blob.to_vec(), BlobMetaData::new())),
SuperEncryptionType::LskfBound => self
.super_encrypt_on_key_init(db, legacy_importer, user_id, key_blob)
- .context(concat!(
- "In handle_super_encryption_on_key_init. ",
- "Failed to super encrypt with LskfBound key."
- )),
+ .context(ks_err!("Failed to super encrypt with LskfBound key.")),
SuperEncryptionType::ScreenLockBound => {
let entry =
self.data.user_keys.get(&user_id).and_then(|e| e.screen_lock_bound.as_ref());
if let Some(super_key) = entry {
- Self::encrypt_with_aes_super_key(key_blob, super_key).context(concat!(
- "In handle_super_encryption_on_key_init. ",
- "Failed to encrypt with ScreenLockBound key."
- ))
+ Self::encrypt_with_aes_super_key(key_blob, super_key)
+ .context(ks_err!("Failed to encrypt with ScreenLockBound key."))
} else {
// Symmetric key is not available, use public key encryption
- let loaded =
- db.load_super_key(&USER_SCREEN_LOCK_BOUND_P521_KEY, user_id).context(
- "In handle_super_encryption_on_key_init: load_super_key failed.",
- )?;
- let (key_id_guard, key_entry) = loaded.ok_or_else(Error::sys).context(
- "In handle_super_encryption_on_key_init: User ECDH key missing.",
- )?;
- let public_key =
- key_entry.metadata().sec1_public_key().ok_or_else(Error::sys).context(
- "In handle_super_encryption_on_key_init: sec1_public_key missing.",
- )?;
+ let loaded = db
+ .load_super_key(&USER_SCREEN_LOCK_BOUND_P521_KEY, user_id)
+ .context(ks_err!("load_super_key failed."))?;
+ let (key_id_guard, key_entry) =
+ loaded.ok_or_else(Error::sys).context(ks_err!("User ECDH key missing."))?;
+ let public_key = key_entry
+ .metadata()
+ .sec1_public_key()
+ .ok_or_else(Error::sys)
+ .context(ks_err!("sec1_public_key missing."))?;
let mut metadata = BlobMetaData::new();
let (ephem_key, salt, iv, encrypted_key, aead_tag) =
- ECDHPrivateKey::encrypt_message(public_key, key_blob).context(concat!(
- "In handle_super_encryption_on_key_init: ",
- "ECDHPrivateKey::encrypt_message failed."
- ))?;
+ ECDHPrivateKey::encrypt_message(public_key, key_blob)
+ .context(ks_err!("ECDHPrivateKey::encrypt_message failed."))?;
metadata.add(BlobMetaEntry::PublicKey(ephem_key));
metadata.add(BlobMetaEntry::Salt(salt));
metadata.add(BlobMetaEntry::Iv(iv));
@@ -806,13 +782,11 @@ impl SuperKeyManager {
let key_id = SuperKeyIdentifier::BootLevel(level);
let super_key = self
.lookup_key(&key_id)
- .context("In handle_super_encryption_on_key_init: lookup_key failed")?
+ .context(ks_err!("lookup_key failed"))?
.ok_or(Error::Rc(ResponseCode::LOCKED))
- .context("In handle_super_encryption_on_key_init: Boot stage key absent")?;
- Self::encrypt_with_aes_super_key(key_blob, &super_key).context(concat!(
- "In handle_super_encryption_on_key_init: ",
- "Failed to encrypt with BootLevel key."
- ))
+ .context(ks_err!("Boot stage key absent"))?;
+ Self::encrypt_with_aes_super_key(key_blob, &super_key)
+ .context(ks_err!("Failed to encrypt with BootLevel key."))
}
}
}
@@ -828,7 +802,7 @@ impl SuperKeyManager {
KeyBlob::Sensitive { reencrypt_with: super_key, .. } => {
let (key, metadata) =
Self::encrypt_with_aes_super_key(key_after_upgrade, super_key)
- .context("In reencrypt_if_required: Failed to re-super-encrypt key.")?;
+ .context(ks_err!("Failed to re-super-encrypt key."))?;
Ok((KeyBlob::NonSensitive(key), Some(metadata)))
}
_ => Ok((KeyBlob::Ref(key_after_upgrade), None)),
@@ -857,28 +831,22 @@ impl SuperKeyManager {
} else {
let (super_key, public_key) = match key_type.algorithm {
SuperEncryptionAlgorithm::Aes256Gcm => (
- generate_aes256_key()
- .context("In get_or_create_super_key: Failed to generate AES 256 key.")?,
+ generate_aes256_key().context(ks_err!("Failed to generate AES 256 key."))?,
None,
),
SuperEncryptionAlgorithm::EcdhP521 => {
let key = ECDHPrivateKey::generate()
- .context("In get_or_create_super_key: Failed to generate ECDH key")?;
+ .context(ks_err!("Failed to generate ECDH key"))?;
(
- key.private_key()
- .context("In get_or_create_super_key: private_key failed")?,
- Some(
- key.public_key()
- .context("In get_or_create_super_key: public_key failed")?,
- ),
+ key.private_key().context(ks_err!("private_key failed"))?,
+ Some(key.public_key().context(ks_err!("public_key failed"))?),
)
}
};
// Derive an AES256 key from the password and re-encrypt the super key
// before we insert it in the database.
let (encrypted_super_key, blob_metadata) =
- Self::encrypt_with_password(&super_key, password)
- .context("In get_or_create_super_key.")?;
+ Self::encrypt_with_password(&super_key, password).context(ks_err!())?;
let mut key_metadata = KeyMetaData::new();
if let Some(pk) = public_key {
key_metadata.add(KeyMetaEntry::Sec1PublicKey(pk));
@@ -891,7 +859,7 @@ impl SuperKeyManager {
&blob_metadata,
&key_metadata,
)
- .context("In get_or_create_super_key. Failed to store super key.")?;
+ .context(ks_err!("Failed to store super key."))?;
Ok(Arc::new(SuperKey {
algorithm: key_type.algorithm,
key: super_key,
@@ -926,7 +894,7 @@ impl SuperKeyManager {
screen_lock_bound
} else {
self.get_or_create_super_key(db, user_id, &USER_SCREEN_LOCK_BOUND_KEY, password, None)
- .context("In unlock_screen_lock_bound_key: Trying to get or create symmetric key.")?
+ .context(ks_err!("Trying to get or create symmetric key."))?
};
let ecdh = if let Some(screen_lock_bound_private) = screen_lock_bound_private {
@@ -941,7 +909,7 @@ impl SuperKeyManager {
password,
Some(aes.clone()),
)
- .context("In unlock_screen_lock_bound_key: Trying to get or create asymmetric key.")?
+ .context(ks_err!("Trying to get or create asymmetric key."))?
};
self.data.add_key_to_key_index(&aes)?;
@@ -974,7 +942,7 @@ impl SuperKeyManager {
let encrypting_key = generate_aes256_key()?;
let km_dev: KeyMintDevice =
KeyMintDevice::get(SecurityLevel::TRUSTED_ENVIRONMENT)
- .context("In lock_screen_lock_bound_key: KeyMintDevice::get failed")?;
+ .context(ks_err!("KeyMintDevice::get failed"))?;
let mut key_params = vec![
KeyParameterValue::Algorithm(Algorithm::AES),
KeyParameterValue::KeySize(256),
@@ -1046,9 +1014,9 @@ impl SuperKeyManager {
AID_KEYSTORE,
|_, _| Ok(()),
)
- .context("In try_unlock_user_with_biometric: load_key_entry failed")?;
+ .context(ks_err!("load_key_entry failed"))?;
let km_dev: KeyMintDevice = KeyMintDevice::get(SecurityLevel::TRUSTED_ENVIRONMENT)
- .context("In try_unlock_user_with_biometric: KeyMintDevice::get failed")?;
+ .context(ks_err!("KeyMintDevice::get failed"))?;
for sid in &biometric.sids {
if let Some((auth_token_entry, _)) = db.find_auth_token_entry(|entry| {
entry.auth_token().userId == *sid || entry.auth_token().authenticatorId == *sid
@@ -1078,14 +1046,11 @@ impl SuperKeyManager {
entry.screen_lock_bound_private = Some(slbp.clone());
self.data.add_key_to_key_index(&slb)?;
self.data.add_key_to_key_index(&slbp)?;
- log::info!(concat!(
- "In try_unlock_user_with_biometric: ",
- "Successfully unlocked with biometric"
- ));
+ log::info!("Successfully unlocked with biometric");
return Ok(());
}
Err(e) => {
- log::warn!("In try_unlock_user_with_biometric: attempt failed: {:?}", e)
+ log::warn!("attempt failed: {:?}", e)
}
}
}
@@ -1110,7 +1075,7 @@ impl SuperKeyManager {
// If so, return locked user state.
if self
.super_key_exists_in_db_for_user(db, legacy_importer, user_id)
- .context("In get_user_state.")?
+ .context(ks_err!())?
{
Ok(UserState::LskfLocked)
} else {
@@ -1141,9 +1106,8 @@ impl SuperKeyManager {
Some(_) if password.is_none() => {
// Transitioning to swiping, delete only the super key in database and cache,
// and super-encrypted keys in database (and in KM).
- self.reset_user(db, legacy_importer, user_id, true).context(
- "In reset_or_init_user_and_get_user_state: Trying to delete keys from the db.",
- )?;
+ self.reset_user(db, legacy_importer, user_id, true)
+ .context(ks_err!("Trying to delete keys from the db."))?;
// Lskf is now removed in Keystore.
Ok(UserState::Uninitialized)
}
@@ -1174,7 +1138,7 @@ impl SuperKeyManager {
) -> Result<UserState> {
match self.get_per_boot_key_by_user_id_internal(user_id) {
Some(super_key) => {
- log::info!("In unlock_and_get_user_state. Trying to unlock when already unlocked.");
+ log::info!("Trying to unlock when already unlocked.");
Ok(UserState::LskfUnlocked(super_key))
}
None => {
@@ -1183,7 +1147,7 @@ impl SuperKeyManager {
// Otherwise, try to unlock the super key and if successful,
// return LskfUnlocked.
self.check_and_unlock_super_key(db, legacy_importer, user_id, password)
- .context("In unlock_and_get_user_state. Failed to unlock super key.")
+ .context(ks_err!("Failed to unlock super key."))
}
}
}
@@ -1201,9 +1165,9 @@ impl SuperKeyManager {
// Mark keys created on behalf of the user as unreferenced.
legacy_importer
.bulk_delete_user(user_id, keep_non_super_encrypted_keys)
- .context("In reset_user: Trying to delete legacy keys.")?;
+ .context(ks_err!("Trying to delete legacy keys."))?;
db.unbind_keys_for_user(user_id, keep_non_super_encrypted_keys)
- .context("In reset user. Error in unbinding keys.")?;
+ .context(ks_err!("Error in unbinding keys."))?;
// Delete super key in cache, if exists.
self.forget_all_keys_for_user(user_id);
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-14 16:22:56 +0000