Throw ServiceSpecificException if calling app tries to initialize

certificates with lower version. Earlier, the code just returned
silently, giving no indication that updating certs failed.

Change-Id: I3eb1b9f423791a655b47b3e76c20a170e2b632c0
Bug: 77533356
Test: runtest frameworks-services -p
    com.android.server.locksettings.recoverablekeystore

1 files changed, 14 insertions, 0 deletions

diff --git a/core/java/android/security/keystore/recovery/RecoveryController.java b/core/java/android/security/keystore/recovery/RecoveryController.java
index 281822a342f9..f351c5afa579 100644
--- a/core/java/android/security/keystore/recovery/RecoveryController.java
+++ b/core/java/android/security/keystore/recovery/RecoveryController.java
@@ -250,6 +250,16 @@ public class RecoveryController {
      */
     public static final int ERROR_INVALID_CERTIFICATE = 28;
 
+
+    /**
+     * Failed because the provided certificate contained serial version which is lower that the
+     * version device is already initialized with. It is not possible to downgrade serial version of
+     * the provided certificate.
+     *
+     * @hide
+     */
+    public static final int ERROR_DOWNGRADE_CERTIFICATE = 29;
+
     private final ILockSettings mBinder;
     private final KeyStore mKeyStore;
 
@@ -340,6 +350,10 @@ public class RecoveryController {
                     || e.errorCode == ERROR_INVALID_CERTIFICATE) {
                 throw new CertificateException("Invalid certificate for recovery service", e);
             }
+            if (e.errorCode == ERROR_DOWNGRADE_CERTIFICATE) {
+                throw new CertificateException(
+                        "Downgrading certificate serial version isn't supported.", e);
+            }
             throw wrapUnexpectedServiceSpecificException(e);
         }
     }