Merge "Do not clear critical keys in clear_uid()" into oc-dev
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 95c0109..248fa00 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -662,6 +662,17 @@
for (uint32_t i = 0; i < aliases.size(); i++) {
String8 name8(aliases[i]);
String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, targetUid, ::TYPE_ANY));
+
+ if (get_app_id(targetUid) == AID_SYSTEM) {
+ Blob keyBlob;
+ ResponseCode responseCode =
+ mKeyStore->get(filename.string(), &keyBlob, ::TYPE_ANY, get_user_id(targetUid));
+ if (responseCode == ResponseCode::NO_ERROR && keyBlob.isCriticalToDeviceEncryption()) {
+ // Do not clear keys critical to device encryption under system uid.
+ continue;
+ }
+ }
+
mKeyStore->del(filename.string(), ::TYPE_ANY, get_user_id(targetUid));
// del() will fail silently if no cached characteristics are present for this alias.