authorShawn Willden <swillden@google.com>2019-10-02 08:58:22 -0600
committerHuizi Yang <yanghuiz@google.com>2019-10-09 16:05:13 -0700
commita093bf43e5237e56704dc244f28deaa7d416991f (patch)
tree3b6d85a5c6b5925001ae83a898277f3507e1f9b2
parent0137c899f3d273681a77a8cade47963d1867ff2b (diff)
Encrypt AES-256 keystore master keys.
ag/5984229 that added support for AES-256 master keys inadvertently caused them not to be encrypted by the user's password. This is less damaging to security than it might appear because these keys are also encrypted by Keymaster, in the TEE or StrongBox. Bug: 141955555 Test: Manually verify password is encryption on a userdebug build. Change-Id: Ic5e82546df67346e4c348273cf4fe2bac382c9dc Merged-In: Ie44a4097e058bd5b9e45aa73115c266b9570a4fc (cherry picked from commit 58e675567c446b77c6ec83d8e07fecbd829f60ae)
-rw-r--r--keystore/blob.cpp2
-rw-r--r--keystore/blob.h1
2 files changed, 2 insertions, 1 deletions
diff --git a/keystore/blob.cpp b/keystore/blob.cpp
index d21c691..72f6493 100644
--- a/keystore/blob.cpp
+++ b/keystore/blob.cpp
@@ -150,7 +150,7 @@ Blob::Blob(const uint8_t* value, size_t valueLength, const uint8_t* info, uint8_
mBlob.version = CURRENT_BLOB_VERSION;
mBlob.type = uint8_t(type);
- if (type == TYPE_MASTER_KEY) {
+ if (type == TYPE_MASTER_KEY || type == TYPE_MASTER_KEY_AES256) {
mBlob.flags = KEYSTORE_FLAG_ENCRYPTED;
} else {
mBlob.flags = KEYSTORE_FLAG_NONE;
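Review bot: The set of blob types that must carry KEYSTORE_FLAG_ENCRYPTED is now spelled out inline in the constructor, on `if (type == TYPE_MASTER_KEY || type == TYPE_MASTER_KEY_AES256)`, which is the same pattern that let the AES-256 variant miss the flag in the first place. A single predicate beside the BlobType definition, `bool isMasterKeyType(BlobType t) { return t == TYPE_MASTER_KEY || t == TYPE_MASTER_KEY_AES256; }`, used here as `if (isMasterKeyType(type))`, gives future master-key variants one place to be registered. Any other site in keystore that still tests `type == TYPE_MASTER_KEY` alone would presumably need the same treatment, but none is visible in this hunk. A comment above the branch, `// Every master-key variant is wrapped with the user's password; other blob types are not.`, would record the intent. Blob::Blob begins before this hunk.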
diff --git a/keystore/blob.h b/keystore/blob.h
index 665e07a..08ad18f 100644
--- a/keystore/blob.h
+++ b/keystore/blob.h
@@ -80,6 +80,7 @@ typedef enum {
TYPE_KEY_PAIR = 3,
TYPE_KEYMASTER_10 = 4,
TYPE_KEY_CHARACTERISTICS = 5,
+ TYPE_MASTER_KEY_AES256 = 7,
} BlobType;
class Entropy;
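Review bot: The new enumerator `TYPE_MASTER_KEY_AES256 = 7` leaves a gap at 6 with no comment, so the next reader cannot tell whether 6 is reserved, retired or free to reuse; since blob.cpp stores this value in `mBlob.type` it is presumably persisted, and a silently reused number would misidentify existing blobs. Assuming the gap is deliberate, suggest `TYPE_MASTER_KEY_AES256 = 7, // AES-256 master key; 6 intentionally skipped (<reason placeholder>)` with the real reason filled in. It would also help to state in that comment that any new master-key variant must be added wherever the encrypted flag is decided, which is the omission this change corrects.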