Keystore2: Batching listing of key entries

Add methods to the keystore2 interface for the following:
* Getting the total number of entries in a given domain and namespace.
* Getting a batch of key descriptors starting past a given value.

See the keystore2 change for detailed description.

Bug: 222287335
Test: See keystore2 change.
Change-Id: I449fcebf032af77374c4eed980966dec6878e00c
diff --git a/keystore2/aidl/aidl_api/android.system.keystore2/current/android/system/keystore2/IKeystoreService.aidl b/keystore2/aidl/aidl_api/android.system.keystore2/current/android/system/keystore2/IKeystoreService.aidl
index 5ed5d37..d2f03cf 100644
--- a/keystore2/aidl/aidl_api/android.system.keystore2/current/android/system/keystore2/IKeystoreService.aidl
+++ b/keystore2/aidl/aidl_api/android.system.keystore2/current/android/system/keystore2/IKeystoreService.aidl
@@ -38,8 +38,13 @@
   android.system.keystore2.IKeystoreSecurityLevel getSecurityLevel(in android.hardware.security.keymint.SecurityLevel securityLevel);
   android.system.keystore2.KeyEntryResponse getKeyEntry(in android.system.keystore2.KeyDescriptor key);
   void updateSubcomponent(in android.system.keystore2.KeyDescriptor key, in @nullable byte[] publicCert, in @nullable byte[] certificateChain);
+  /**
+   * @deprecated use listEntriesBatched instead.
+   */
   android.system.keystore2.KeyDescriptor[] listEntries(in android.system.keystore2.Domain domain, in long nspace);
   void deleteKey(in android.system.keystore2.KeyDescriptor key);
   android.system.keystore2.KeyDescriptor grant(in android.system.keystore2.KeyDescriptor key, in int granteeUid, in int accessVector);
   void ungrant(in android.system.keystore2.KeyDescriptor key, in int granteeUid);
+  int getNumberOfEntries(in android.system.keystore2.Domain domain, in long nspace);
+  android.system.keystore2.KeyDescriptor[] listEntriesBatched(in android.system.keystore2.Domain domain, in long nspace, in @nullable String startingPastAlias);
 }
diff --git a/keystore2/aidl/android/system/keystore2/IKeystoreService.aidl b/keystore2/aidl/android/system/keystore2/IKeystoreService.aidl
index fd5f162..9beac0a 100644
--- a/keystore2/aidl/android/system/keystore2/IKeystoreService.aidl
+++ b/keystore2/aidl/android/system/keystore2/IKeystoreService.aidl
@@ -110,6 +110,9 @@
 
     /**
      * List all entries accessible by the caller in the given `domain` and `nspace`.
+     * If the number of entries accessible by the caller is greater than could fit in one Binder
+     * transaction, a truncated list may be returned. Use `listEntriesBatched` in this case to
+     * list all entries in batches.
      *
      * Callers must have the `GET_INFO` permission for the requested namespace to list all the
      * entries.
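Review bot: The sentence added to the `listEntries` comment says a truncated list may be returned, but nothing in the visible text tells a caller how to recognise that truncation happened. A caller that enumerates keys for cleanup or auditing could then treat a partial result as the full set. If the implementation really gives no signal, I would say so explicitly, for example `* A truncated result cannot be told apart from a complete one; callers that need every entry must use listEntriesBatched.` The doc comment continues outside this hunk, so confirm that the part not shown does not already cover this.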
@@ -130,6 +133,7 @@
      * Note: `namespace` is a keyword in C++, the underscore disambiguates.
      *
      * @return List of KeyDescriptors.
+     * @deprecated use listEntriesBatched instead.
      */
     KeyDescriptor[] listEntries(in Domain domain, in long nspace);
 
@@ -188,4 +192,58 @@
      *               for the designated key.
      */
     void ungrant(in KeyDescriptor key, in int granteeUid);
+
+    /**
+     * Get the number of entries accessible to the caller in the given `domain` and `nspace`.
+     *
+     * Callers must have the `GET_INFO` permission for the requested namespace determine the number
+     * of entries.
+     *
+     * ## Error conditions
+     * `ResponseCode::INVALID_ARGUMENT` if `domain` is other than `Domain::APP` or `Domain::SELINUX`
+     * `ResponseCode::PERMISSION_DENIED` if the caller does not have the permission `GET_INFO`
+     *               For the requested namespace.
+     *
+     * @param domain If `Domain::APP` is passed, returns all keys associated with the caller's UID
+     *               and the namespace parameter is ignored.
+     *               If `Domain::SELINUX` is passed, returns all keys associated with the given
+     *               namespace.
+     *
+     * @param nspace The SELinux keystore2_key namespace if `domain` is `Domain::SELINUX`,
+     *               ignored otherwise.
+     *
+     * @return Number of entries.
+     */
+    int getNumberOfEntries(in Domain domain, in long nspace);
+
+    /**
+     * List all entries accessible by the caller in the given `domain` and
+     * `nspace`, starting with the first entry greater than `startingPastAlias`.
+     * If the number of entries accessible by the caller is greater than could fit in one Binder
+     * transaction, a truncated list will be returned.
+     *
+     * See the `listEntries` variant above for calling permissions and documentation of the
+     * `domain` and `nspace` parameters.
+     *
+     * Notes:
+     * Consistency: The order of entries returned by this method is stable across calls.
+     * If entries have been deleted or added to Keystore between calls to
+     * this method, then some entries may be missing from the combined listing.
+     *
+     * Length of returned list: If Keystore estimates that the returned list would exceed
+     * the Binder transaction size limit, it will return a smaller number of entries than
+     * are available. Subsequent calls to this method need to be made with different
+     * starting points.
+     *
+     * @param domain See `listEntries`
+     *
+     * @param nspace See `listEntries`
+     *
+     * @param startingPastAlias Only return aliases lexicographically bigger than this value.
+     *
+     * @return List of KeyDescriptors.
+     */
+    KeyDescriptor[] listEntriesBatched(in Domain domain, in long nspace,
+            in @nullable String startingPastAlias);
+
 }
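Review bot: The `listEntriesBatched` comment does not say what a null `startingPastAlias` means or how a caller knows the listing is finished, although the parameter is `@nullable` and the method is meant to be called in a loop. I would state both after confirming them against the keystore2 implementation, for example `If null, listing starts from the first entry.` on the `@param` and `An empty list means no entries remain past startingPastAlias.` under the length note. It would also help to document that `getNumberOfEntries` is a point-in-time count that can differ from the batched total when keys are added or deleted between calls, so it should not be used as a loop bound or completeness check. In the `getNumberOfEntries` comment, "for the requested namespace determine the number" is missing "to".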