From 68cca7a7c6cfb718fe9992c3c07a719c7d3750d4 Mon Sep 17 00:00:00 2001
From: Seth Moore
Date: Mon, 28 Mar 2022 16:21:12 -0700
Subject: Inform the remote provisioner when a key may have been consumed
Every time we create a credential, contact the Provisioner app and tell it that a key was generated. This may not strictly be true, but the provisioner has heuristics to ensure that it only contacts the backend if necessary. So, at most, we're spinning a few extra cycles whenever a new credential is created (which is a rare occurence) to ensure that we have RKP keys available for future requests.
Test: CtsIdentityTestCases
Fixes: 224771551
Change-Id: I6dd20635e6933842a95242e6d0cbfb9bf8c8f734
---
 .../security/identity/CredstoreIdentityCredentialStore.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 (limited to 'identity/java')
diff --git a/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java b/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java
index fb0880ce3521..bbaf0862f923 100644
--- a/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java
+++ b/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java
@@ -19,7 +19,10 @@ package android.security.identity;
 import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.content.Context;
+import android.os.RemoteException;
 import android.os.ServiceManager;
+import android.security.GenerateRkpKey;
+import android.security.keymaster.KeymasterDefs;
 class CredstoreIdentityCredentialStore extends IdentityCredentialStore {
@@ -104,6 +107,16 @@ class CredstoreIdentityCredentialStore extends IdentityCredentialStore {
 try {
 IWritableCredential wc;
 wc = mStore.createCredential(credentialName, docType);
+ try {
+ GenerateRkpKey keyGen = new GenerateRkpKey(mContext);
+ // We don't know what the security level is for the backing keymint, so go ahead and
+ // poke the provisioner for both TEE and SB.
+ keyGen.notifyKeyGenerated(KeymasterDefs.KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);
+ keyGen.notifyKeyGenerated(KeymasterDefs.KM_SECURITY_LEVEL_STRONGBOX);
+ } catch (RemoteException e) {
+ // Not really an error state. Does not apply at all if RKP is unsupported or
+ // disabled on a given device.
+ }
 return new CredstoreWritableIdentityCredential(mContext, credentialName, docType, wc);
 } catch (android.os.RemoteException e) {
 throw new RuntimeException("Unexpected RemoteException ", e);
-- cgit v1.2.3-59-g8ed1b
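Review bot: The best-effort notification runs after `mStore.createCredential(credentialName, docType)` has already succeeded, but only `RemoteException` is caught, so any unchecked exception out of `new GenerateRkpKey(mContext)` or `notifyKeyGenerated(...)` (I cannot see that class here, so whether it can throw one is an assumption) would propagate and the caller would never receive the `CredstoreWritableIdentityCredential` for a credential that now exists in credstore. Since the comment in the hunk states this is explicitly not an error state, the catch should match that intent: `} catch (RemoteException | RuntimeException ignored) {`, with the unused variable named `ignored` per convention, and the comment extended with "never let RKP provisioning failures prevent the caller from getting the credential that was already created". A debug-level log in that branch would also make an RKP pool that never refills diagnosable instead of silent, provided a logger is already in scope in this file. The enclosing createCredential method starts before this hunk and its body continues past it.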