Merge "Do not clear critical keys in clear_uid()" into oc-dev
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 95c0109..248fa00 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -662,6 +662,17 @@
     for (uint32_t i = 0; i < aliases.size(); i++) {
         String8 name8(aliases[i]);
         String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, targetUid, ::TYPE_ANY));
+
+        if (get_app_id(targetUid) == AID_SYSTEM) {
+            Blob keyBlob;
+            ResponseCode responseCode =
+                mKeyStore->get(filename.string(), &keyBlob, ::TYPE_ANY, get_user_id(targetUid));
+            if (responseCode == ResponseCode::NO_ERROR && keyBlob.isCriticalToDeviceEncryption()) {
+                // Do not clear keys critical to device encryption under system uid.
+                continue;
+            }
+        }
+
         mKeyStore->del(filename.string(), ::TYPE_ANY, get_user_id(targetUid));
 
         // del() will fail silently if no cached characteristics are present for this alias.
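Review bot: The new guard in the `AID_SYSTEM` branch fails open, because any `responseCode` other than `NO_ERROR` from `mKeyStore->get()` falls through to `mKeyStore->del()`. If the blob cannot be read at that moment (for example a locked keystore or a transient read error; whether that can happen here depends on `get()`, which is outside the hunk), a key that is critical to device encryption would still be deleted. For the system uid it seems safer to delete only when the blob was read and is known not to be critical, e.g. `if (responseCode != ResponseCode::NO_ERROR || keyBlob.isCriticalToDeviceEncryption()) continue;`, possibly still allowing `ResponseCode::KEY_NOT_FOUND` through. A log line on the skip path, such as `ALOGW("clear_uid: keeping critical key for system uid");`, would make a preserved key visible when triaging. The loop body continues past the end of the hunk.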