From 6064a17fa40fc73888a445958c660d942c557d8e Mon Sep 17 00:00:00 2001
From: Janis Danisevskis <jdanis@google.com>
Date: Tue, 5 Jun 2018 18:47:23 -0700
Subject: [PATCH] Fix symmetric key generation in strongbox

The strongbox flag was not passed to keystore by
AndroidKeyStoreKeyGeneratorSpi. As a result keys, that were supposed to
be generated in strongbox would silently be generated in TEE.

Test: There is no reliable way to test this other than instrumenting or
      debugging the strongbox implementation. This was done by the
      author of this patch.
Bug: 109769728
Change-Id: I8a08838440030fab7b774762c3d6af0d3b6a4ad8
Merged-In: I8a08838440030fab7b774762c3d6af0d3b6a4ad8
---
 .../keystore/AndroidKeyStoreKeyGeneratorSpi.java      | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
index 419eb24e1cc1c..953cef7d30ffc 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
@@ -301,6 +301,9 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
                 KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng(
                         mRng, (mKeySizeBits + 7) / 8);
         int flags = 0;
+        if (spec.isStrongBoxBacked()) {
+            flags |= KeyStore.FLAG_STRONGBOX;
+        }
         String keyAliasInKeystore = Credentials.USER_PRIVATE_KEY + spec.getKeystoreAlias();
         KeyCharacteristics resultingKeyCharacteristics = new KeyCharacteristics();
         boolean success = false;
@@ -314,8 +317,12 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
                     flags,
                     resultingKeyCharacteristics);
             if (errorCode != KeyStore.NO_ERROR) {
-                throw new ProviderException(
-                        "Keystore operation failed", KeyStore.getKeyStoreException(errorCode));
+                if (errorCode == KeyStore.HARDWARE_TYPE_UNAVAILABLE) {
+                    throw new StrongBoxUnavailableException("Failed to generate key");
+                } else {
+                    throw new ProviderException(
+                            "Keystore operation failed", KeyStore.getKeyStoreException(errorCode));
+                }
             }
             @KeyProperties.KeyAlgorithmEnum String keyAlgorithmJCA;
             try {