diff options
| author | 2022-03-28 16:21:12 -0700 | |
|---|---|---|
| committer | 2022-03-28 16:29:21 -0700 | |
| commit | 68cca7a7c6cfb718fe9992c3c07a719c7d3750d4 (patch) | |
| tree | 6281ee7540e962def06d44888272af721c527fa4 /identity | |
| parent | dd1a3bae159206ec183cf2776f95ea4c6313b1be (diff) | |
Inform the remote provisioner when a key may have been consumed
Every time we create a credential, contact the Provisioner app and tell
it that a key was generated. This may not strictly be true, but the
provisioner has heuristics to ensure that it only contacts the backend
if necessary. So, at most, we're spinning a few extra cycles whenever
a new credential is created (which is a rare occurence) to ensure that
we have RKP keys available for future requests.
Test: CtsIdentityTestCases
Fixes: 224771551
Change-Id: I6dd20635e6933842a95242e6d0cbfb9bf8c8f734
Diffstat (limited to 'identity')
| -rw-r--r-- | identity/java/android/security/identity/CredstoreIdentityCredentialStore.java | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java b/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java index fb0880ce3521..bbaf0862f923 100644 --- a/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java +++ b/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java @@ -19,7 +19,10 @@ package android.security.identity; import android.annotation.NonNull; import android.annotation.Nullable; import android.content.Context; +import android.os.RemoteException; import android.os.ServiceManager; +import android.security.GenerateRkpKey; +import android.security.keymaster.KeymasterDefs; class CredstoreIdentityCredentialStore extends IdentityCredentialStore { @@ -104,6 +107,16 @@ class CredstoreIdentityCredentialStore extends IdentityCredentialStore { try { IWritableCredential wc; wc = mStore.createCredential(credentialName, docType); + try { + GenerateRkpKey keyGen = new GenerateRkpKey(mContext); + // We don't know what the security level is for the backing keymint, so go ahead and + // poke the provisioner for both TEE and SB. + keyGen.notifyKeyGenerated(KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT); + keyGen.notifyKeyGenerated(KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX); + } catch (RemoteException e) { + // Not really an error state. Does not apply at all if RKP is unsupported or + // disabled on a given device. + } return new CredstoreWritableIdentityCredential(mContext, credentialName, docType, wc); } catch (android.os.RemoteException e) { throw new RuntimeException("Unexpected RemoteException ", e); |