From 86af3557e3dc0f6e4fa2c0d56f840eb4247f9f4f Mon Sep 17 00:00:00 2001
From: Shawn Willden
Date: Wed, 24 Jun 2015 07:21:54 -0700
Subject: [PATCH] Add purpose to vold-generated keymaster1 keys.

Also remove the app ID and additional padding and digest options.

Bug: 22009890
Change-Id: Ibff9bbd0e0c11d651d11fac85d4ac907588f1cd2
---
 cryptfs.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/cryptfs.c b/cryptfs.c
index bde0f26..a905ff6 100644
--- a/cryptfs.c
+++ b/cryptfs.c
@@ -90,7 +90,6 @@
 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
 #define RSA_EXPONENT 0x10001
 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
-#define KEYMASTER_CRYPTFS_APP_ID "vold cryptfs"
 #define RETRY_MOUNT_ATTEMPTS 10
 #define RETRY_MOUNT_DELAY_SECONDS 1
 
@@ -203,13 +202,12 @@ static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
         keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
         keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
 
-        /* Padding & digest specifications. We'll use none/none, but add better options
-         * just in case we want to use them later. Actual selection is done at operation
-         * time, but restricted to options specified at keygen. */
+        /* The only allowed purpose for this key is signing. */
+        keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
+
+        /* Padding & digest specifications. */
         keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
-        keymaster_param_enum(KM_TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN),
         keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
-        keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_SHA_2_256),
 
         /* Require that the key be usable in standalone mode. File system isn't available. */
         keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
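Review bot: The replacement comment above the padding and digest parameters in the second hunk drops the explanation of why none/none is the intended choice, so a reader of keymaster_create_key is left with no hint that a raw, unpadded and undigested RSA signature is deliberate rather than an oversight. The removed text at least recorded that operation-time parameters are restricted to those specified at keygen; now that the purpose is pinned to KM_PURPOSE_SIGN with a single padding and digest, that constraint is tighter and worth stating in the code. I would expand the comment to something like `/* Purpose, padding and digest are fixed at keygen: this key may only be used for a raw RSA signature (KM_PAD_NONE / KM_DIGEST_NONE), so every operation must request exactly these parameters and supply an input the caller has already sized to RSA_KEY_SIZE_BYTES. */`, with the sizing clause confirmed against the signing call site, which is not in this patch. keymaster_create_key's body begins before this hunk and continues after it.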
@@ -217,10 +215,6 @@ static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
         /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
         keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
 
-        /* Set app ID to a value keystore will never use */
-        keymaster_param_blob(KM_TAG_APPLICATION_ID, (uint8_t*)KEYMASTER_CRYPTFS_APP_ID,
-                             sizeof(KEYMASTER_CRYPTFS_APP_ID)),
-
         /* Rate-limit key usage attempts, to rate-limit brute force */
         keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
     };