Unbind Attestation keys when freeing up namespace.

In https://android-review.googlesource.com/c/platform/system/security/+/1698833 we added a check only for client keys. However, this means that on application deletion only the keystore keys related to the application are unbound and the attestation keys get orphaned. Through this change, I am planning to unbind the attestation keys related to the application as well. Change-Id: I1c9d1ac6d6943cc53f5d74653e3da72cd4f2adf7 Test: atest keystore2_test BUG: 232534682
2022-05-24 16:40:43 +00:00 · 2022-05-24 16:40:43 +00:00 · 1a98f9cca9
commit 1a98f9cca9
parent 2575230d42
1 changed files with 8 additions and 8 deletions
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@ -2893,33 +2893,33 @@ impl KeystoreDB {
                "DELETE FROM persistent.keymetadata
                WHERE keyentryid IN (
                    SELECT id FROM persistent.keyentry
-                    WHERE domain = ? AND namespace = ? AND key_type = ?
+                    WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?)
                );",
-                params![domain.0, namespace, KeyType::Client],
+                params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
            )
            .context("Trying to delete keymetadata.")?;
            tx.execute(
                "DELETE FROM persistent.keyparameter
                WHERE keyentryid IN (
                    SELECT id FROM persistent.keyentry
-                    WHERE domain = ? AND namespace = ? AND key_type = ?
+                    WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?)
                );",
-                params![domain.0, namespace, KeyType::Client],
+                params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
            )
            .context("Trying to delete keyparameters.")?;
            tx.execute(
                "DELETE FROM persistent.grant
                WHERE keyentryid IN (
                    SELECT id FROM persistent.keyentry
-                    WHERE domain = ? AND namespace = ? AND key_type = ?
+                    WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?)
                );",
-                params![domain.0, namespace, KeyType::Client],
+                params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
            )
            .context("Trying to delete grants.")?;
            tx.execute(
                "DELETE FROM persistent.keyentry
-                 WHERE domain = ? AND namespace = ? AND key_type = ?;",
-                params![domain.0, namespace, KeyType::Client],
+                 WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?);",
+                params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
            )
            .context("Trying to delete keyentry.")?;
            Ok(()).need_gc()