cryptohome: minimize usage of keyset index in Mount
Remove passing raw keyset index from most of the interfaces in Mount.
We still need the index in places for key managements, but at least we
are mostly not passing it around. Usage of VaultKeyset::legacy_index is
valid because we always populate it on Load path within
Homedirs:LoadVaultKeysetForUser
BUG=chromium:1124561
TEST=unittest
Change-Id: I6e606ed731ce33aa568264acb628e4b79ad7d615
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2465549
Tested-by: Daniil Lunev <dlunev@chromium.org>
Commit-Queue: Daniil Lunev <dlunev@chromium.org>
Reviewed-by: Leo Lai <cylai@google.com>
diff --git a/cryptohome/homedirs.cc b/cryptohome/homedirs.cc
index 038096b..5e888bb 100644
--- a/cryptohome/homedirs.cc
+++ b/cryptohome/homedirs.cc
@@ -138,13 +138,11 @@
bool HomeDirs::AreCredentialsValid(const Credentials& creds) {
std::unique_ptr<VaultKeyset> vk(
vault_keyset_factory()->New(platform_, crypto_));
- return GetValidKeyset(creds, vk.get(), nullptr /* key_index */,
- nullptr /* error */);
+ return GetValidKeyset(creds, vk.get(), nullptr /* error */);
}
bool HomeDirs::GetValidKeyset(const Credentials& creds,
VaultKeyset* vk,
- int* key_index,
MountError* error) {
if (error)
*error = MOUNT_ERROR_NONE;
@@ -193,8 +191,6 @@
platform_->FileExists(base::FilePath(kLockedToSingleUserFile));
if (vk->Decrypt(creds.passkey(), locked_to_single_user,
&last_crypto_error)) {
- if (key_index)
- *key_index = index;
return true;
}
}
@@ -469,8 +465,7 @@
credentials.GetObfuscatedUsername(system_salt_);
std::unique_ptr<VaultKeyset> vk(
vault_keyset_factory()->New(platform_, crypto_));
- if (!GetValidKeyset(credentials, vk.get(), nullptr /* key_index */,
- nullptr /* error */)) {
+ if (!GetValidKeyset(credentials, vk.get(), nullptr /* error */)) {
// Differentiate between failure and non-existent.
if (!credentials.key_data().label().empty()) {
vk.reset(
@@ -562,8 +557,7 @@
std::unique_ptr<VaultKeyset> vk(
vault_keyset_factory()->New(platform_, crypto_));
- if (!GetValidKeyset(existing_credentials, vk.get(), nullptr /* key_index */,
- nullptr /* error */)) {
+ if (!GetValidKeyset(existing_credentials, vk.get(), nullptr /* error */)) {
// Differentiate between failure and non-existent.
if (!existing_credentials.key_data().label().empty()) {
vk.reset(
@@ -680,8 +674,7 @@
std::unique_ptr<VaultKeyset> vk(
vault_keyset_factory()->New(platform_, crypto_));
- if (!GetValidKeyset(credentials, vk.get(), nullptr /* key_index */,
- nullptr /* error */)) {
+ if (!GetValidKeyset(credentials, vk.get(), nullptr /* error */)) {
// Differentiate between failure and non-existent.
if (!credentials.key_data().label().empty()) {
vk.reset(GetVaultKeyset(obfuscated, credentials.key_data().label()));
@@ -1177,11 +1170,12 @@
std::unique_ptr<VaultKeyset> vk(
vault_keyset_factory()->New(platform_, crypto_));
int key_index = -1;
- if (!GetValidKeyset(oldcreds, vk.get(), &key_index, nullptr /* error */)) {
+ if (!GetValidKeyset(oldcreds, vk.get(), nullptr /* error */)) {
LOG(ERROR) << "Can not retrieve keyset for the user: "
<< newcreds.username();
return false;
}
+ key_index = vk->legacy_index();
if (key_index == -1) {
LOG(ERROR) << "Attempted migration of key-less mount.";
return false;
@@ -1304,8 +1298,7 @@
if (!credentials_checked) {
// Make sure the credential can actually be used for sign-in.
// It is also the easiest way to get a valid keyset.
- if (!GetValidKeyset(creds, vk.get(), nullptr /* key_index */,
- nullptr /* error */)) {
+ if (!GetValidKeyset(creds, vk.get(), nullptr /* error */)) {
LOG(WARNING) << "The provided credentials are incorrect or invalid"
" for LE credential reset, reset skipped.";
return;
diff --git a/cryptohome/homedirs.h b/cryptohome/homedirs.h
index bf629aa..4b90fcd 100644
--- a/cryptohome/homedirs.h
+++ b/cryptohome/homedirs.h
@@ -167,14 +167,13 @@
const std::string& obfuscated_username) const;
// Returns true if a valid keyset can be decrypted with |creds|. If true,
- // |vk| will contain the decrypted value, and |key_index|, if non-null, will
- // contain the key index. If false, |vk| will contain the last failed keyset
- // attempt, and |error|, if non-null, will contain the error details.
+ // |vk| will contain the decrypted value, and if false, |vk| will contain
+ // the last failed keyset attempt, and |error|, if non-null, will contain
+ // the error details.
// NOTE: The LE Credential Keysets are only considered when the key label
// provided via |creds| is non-empty.
virtual bool GetValidKeyset(const Credentials& creds,
VaultKeyset* vk,
- int* key_index,
MountError* error);
// Loads the vault keyset for the supplied obfuscated username and index.
diff --git a/cryptohome/mock_homedirs.h b/cryptohome/mock_homedirs.h
index 5c2eb42..6e0a24c 100644
--- a/cryptohome/mock_homedirs.h
+++ b/cryptohome/mock_homedirs.h
@@ -37,7 +37,7 @@
MOCK_METHOD(bool, AreCredentialsValid, (const Credentials&), (override));
MOCK_METHOD(bool,
GetValidKeyset,
- (const Credentials&, VaultKeyset*, int*, MountError*),
+ (const Credentials&, VaultKeyset*, MountError*),
(override));
MOCK_METHOD(bool, Remove, (const std::string&), (override));
MOCK_METHOD(bool,
diff --git a/cryptohome/mount.cc b/cryptohome/mount.cc
index 0e45a66..c7f0684 100644
--- a/cryptohome/mount.cc
+++ b/cryptohome/mount.cc
@@ -356,9 +356,7 @@
VaultKeyset vault_keyset;
vault_keyset.Initialize(platform_, crypto_);
MountError local_mount_error = MOUNT_ERROR_NONE;
- int index = -1;
- if (!DecryptVaultKeyset(credentials, &vault_keyset, &index,
- &local_mount_error)) {
+ if (!DecryptVaultKeyset(credentials, &vault_keyset, &local_mount_error)) {
*mount_error = local_mount_error;
if (recreate_on_decrypt_fatal && local_mount_error == MOUNT_ERROR_FATAL) {
LOG(ERROR) << "cryptohome must be re-created because of fatal error.";
@@ -387,7 +385,7 @@
if (!vault_keyset.serialized().has_wrapped_chaps_key()) {
vault_keyset.CreateRandomChapsKey();
- ReEncryptVaultKeyset(credentials, index, &vault_keyset);
+ ReEncryptVaultKeyset(credentials, &vault_keyset);
}
SecureBlob local_chaps_key(vault_keyset.chaps_key().begin(),
@@ -523,7 +521,7 @@
}
}
- mount_key_index_ = index;
+ mount_key_index_ = vault_keyset.legacy_index();
MountHelper::Options mount_opts = {
mount_type_, mount_args.to_migrate_from_ecryptfs, mount_args.shadow_only};
@@ -692,10 +690,8 @@
credentials.challenge_credentials_keyset_info();
}
- // TODO(wad) move to storage by label-derivative and not number.
- if (!StoreVaultKeysetForUser(obfuscated_username,
- 0, // first key
- &vault_keyset)) {
+ vault_keyset.set_legacy_index(0); // first key
+ if (!StoreVaultKeysetForUser(obfuscated_username, &vault_keyset)) {
LOG(ERROR) << "Failed to store vault keyset for new user";
return false;
}
@@ -734,8 +730,7 @@
timestamp -= base::TimeDelta::FromSeconds(time_shift_sec);
keyset.mutable_serialized()->set_last_activity_timestamp(
timestamp.ToInternalValue());
- if (!StoreTimestampForUser(obfuscated_username, active_key_index,
- &keyset)) {
+ if (!StoreTimestampForUser(obfuscated_username, &keyset)) {
return false;
}
if (user_timestamp_cache_->initialized()) {
@@ -747,8 +742,8 @@
}
bool Mount::StoreVaultKeysetForUser(const std::string& obfuscated_username,
- int index,
VaultKeyset* vault_keyset) const {
+ int index = vault_keyset->legacy_index();
if (index < 0 || index > kKeyFileMax) {
LOG(ERROR) << "Attempted to store an invalid key index: " << index;
return false;
@@ -764,12 +759,12 @@
if (MessageDifferencer::Equals(vault_keyset->serialized(),
keyset.serialized())) {
LOG(INFO) << "Only the timestamp has changed, should not store keyset.";
- return StoreTimestampForUser(obfuscated_username, index, vault_keyset);
+ return StoreTimestampForUser(obfuscated_username, vault_keyset);
}
}
}
if (vault_keyset->serialized().has_last_activity_timestamp()) {
- if (!StoreTimestampForUser(obfuscated_username, index, vault_keyset)) {
+ if (!StoreTimestampForUser(obfuscated_username, vault_keyset)) {
return false;
}
}
@@ -782,8 +777,8 @@
}
bool Mount::StoreTimestampForUser(const std::string& obfuscated_username,
- int index,
VaultKeyset* vault_keyset) const {
+ int index = vault_keyset->legacy_index();
Timestamp timestamp;
timestamp.set_timestamp(vault_keyset->serialized().last_activity_timestamp());
std::string timestamp_str;
@@ -888,11 +883,10 @@
bool Mount::DecryptVaultKeyset(const Credentials& credentials,
VaultKeyset* vault_keyset,
- int* index,
MountError* error) const {
*error = MOUNT_ERROR_NONE;
- if (!homedirs_->GetValidKeyset(credentials, vault_keyset, index, error))
+ if (!homedirs_->GetValidKeyset(credentials, vault_keyset, error))
return false;
// Calling EnsureTpm here handles the case where a user logged in while
@@ -905,14 +899,13 @@
crypto_->EnsureTpm(false);
}
- vault_keyset->set_legacy_index(*index);
if (!ShouldReSaveKeyset(vault_keyset)) {
return true;
}
// This is not considered a fatal error. Re-saving with the desired
// protection is ideal, but not required.
- ReEncryptVaultKeyset(credentials, *index, vault_keyset);
+ ReEncryptVaultKeyset(credentials, vault_keyset);
return true;
}
@@ -945,7 +938,6 @@
}
bool Mount::ReEncryptVaultKeyset(const Credentials& credentials,
- int key_index,
VaultKeyset* vault_keyset) const {
// Save the initial serialized proto so we can roll-back any changes if we
// failed to re-save.
@@ -975,7 +967,7 @@
// label uniqueness. This means that we will still be able to use the
// lack of KeyData in the future as input to migration.
if (!StoreVaultKeysetForUser(credentials.GetObfuscatedUsername(system_salt_),
- key_index, vault_keyset)) {
+ vault_keyset)) {
LOG(ERROR) << "Write to master key failed";
vault_keyset->mutable_serialized()->CopyFrom(old_serialized);
return false;
diff --git a/cryptohome/mount.h b/cryptohome/mount.h
index a9bdda9..5dc6a14 100644
--- a/cryptohome/mount.h
+++ b/cryptohome/mount.h
@@ -302,11 +302,9 @@
std::string* filename_key_signature) const;
virtual bool StoreVaultKeysetForUser(const std::string& obfuscated_username,
- int index,
VaultKeyset* vault_keyset) const;
virtual bool StoreTimestampForUser(const std::string& obfuscated_username,
- int index,
VaultKeyset* vault_keyset) const;
// Encrypts and adds the VaultKeyset to the serialized store
@@ -325,7 +323,6 @@
// credentials - The Credentials for the user
// vault_keyset (IN/OUT) - The VaultKeyset to save
bool ReEncryptVaultKeyset(const Credentials& credentials,
- int index,
VaultKeyset* vault_keyset) const;
// Check if the vault keyset needs re-encryption.
@@ -341,11 +338,9 @@
// Parameters
// credentials - The user credentials to use
// vault_keyset (OUT) - The unencrypted vault keyset on success
- // index (OUT) - The keyset index from disk
// error (OUT) - The specific error when decrypting
bool DecryptVaultKeyset(const Credentials& credentials,
VaultKeyset* vault_keyset,
- int* index,
MountError* error) const;
base::FilePath GetUserTimestampFileForUser(
diff --git a/cryptohome/mount_unittest.cc b/cryptohome/mount_unittest.cc
index b27b181..b86cec7 100644
--- a/cryptohome/mount_unittest.cc
+++ b/cryptohome/mount_unittest.cc
@@ -1231,7 +1231,6 @@
.WillOnce(DoAll(SaveArg<1>(&migrated_keyset), Return(true)));
EXPECT_CALL(platform_, FileExists(base::FilePath(kLockedToSingleUserFile)))
.WillRepeatedly(Return(false));
- int key_index = 0;
user->InjectKeyset(&platform_, true);
@@ -1239,8 +1238,7 @@
// lead to a call to DeclareTpmFirmwareStable().
EXPECT_CALL(tpm_, DeclareTpmFirmwareStable());
vault_keyset.mutable_serialized()->CopyFrom(serialized);
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
@@ -1335,13 +1333,11 @@
.WillOnce(DoAll(SaveArg<1>(&migrated_keyset), Return(true)));
EXPECT_CALL(platform_, FileExists(base::FilePath(kLockedToSingleUserFile)))
.WillRepeatedly(Return(false));
- int key_index = 0;
user->InjectKeyset(&platform_, true);
vault_keyset.mutable_serialized()->CopyFrom(serialized);
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
@@ -1403,12 +1399,10 @@
VaultKeyset vault_keyset;
vault_keyset.Initialize(&platform_, mount_->crypto());
MountError error;
- int key_index = -1;
// First we decrypt the vault to load the chaps key.
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
- EXPECT_EQ(key_index, 0);
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
+ EXPECT_EQ(vault_keyset.legacy_index(), 0);
EXPECT_EQ(vault_keyset.serialized().has_wrapped_chaps_key(), true);
SecureBlob local_chaps(vault_keyset.chaps_key().begin(),
@@ -1424,8 +1418,7 @@
user->InjectKeyset(&platform_, true);
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
// Compare the pre mount chaps key to the post mount key.
ASSERT_EQ(local_chaps.size(), vault_keyset.chaps_key().size());
@@ -1451,24 +1444,20 @@
VaultKeyset vault_keyset;
vault_keyset.Initialize(&platform_, mount_->crypto());
MountError error;
- int key_index = -1;
EXPECT_CALL(platform_, ReadFile(user->keyset_path, _))
.Times(2)
.WillRepeatedly(DoAll(SetArgPointee<1>(user->credentials), Return(true)));
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
vault_keyset.clear_chaps_key();
EXPECT_CALL(platform_, WriteFileAtomicDurable(user->keyset_path, _, _))
.WillRepeatedly(DoAll(SaveArg<1>(&(user->credentials)), Return(true)));
- ASSERT_TRUE(
- mount_->ReEncryptVaultKeyset(credentials, key_index, &vault_keyset));
+ ASSERT_TRUE(mount_->ReEncryptVaultKeyset(credentials, &vault_keyset));
user->InjectKeyset(&platform_, true);
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
- EXPECT_EQ(key_index, 0);
+ EXPECT_EQ(vault_keyset.legacy_index(), 0);
EXPECT_EQ(vault_keyset.serialized().has_wrapped_chaps_key(), false);
user->InjectUserPaths(&platform_, chronos_uid_, chronos_gid_, shared_gid_,
@@ -1482,8 +1471,7 @@
EXPECT_CALL(platform_, ReadFile(user->keyset_path, _))
.WillRepeatedly(DoAll(SetArgPointee<1>(user->credentials), Return(true)));
user->InjectKeyset(&platform_, true);
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
EXPECT_EQ(vault_keyset.serialized().has_wrapped_chaps_key(), true);
EXPECT_EQ(vault_keyset.chaps_key().size(), CRYPTOHOME_CHAPS_KEY_LENGTH);
}
@@ -1500,9 +1488,8 @@
pin_vault_keyset.Initialize(&platform_, mount_->crypto());
MountError error;
- int key_index = -1;
- ASSERT_TRUE(mount_->DecryptVaultKeyset(*pin_credentials_, &pin_vault_keyset,
- &key_index, &error));
+ ASSERT_TRUE(
+ mount_->DecryptVaultKeyset(*pin_credentials_, &pin_vault_keyset, &error));
}
TEST_P(MountTest, MountCryptohomeLECredentialsMigrate) {
@@ -1532,9 +1519,8 @@
SerializedVaultKeyset serialized;
MountError error;
- int key_index = -1;
- ASSERT_TRUE(mount_->DecryptVaultKeyset(*pin_credentials_, &pin_vault_keyset,
- &key_index, &error));
+ ASSERT_TRUE(
+ mount_->DecryptVaultKeyset(*pin_credentials_, &pin_vault_keyset, &error));
// Check the inserted data from migration.
ASSERT_TRUE(LoadSerializedKeyset(creds, &serialized));
@@ -1564,9 +1550,8 @@
pin_vault_keyset.Initialize(&platform_, mount_->crypto());
MountError error;
- int key_index = -1;
- ASSERT_TRUE(mount_->DecryptVaultKeyset(*pin_credentials_, &pin_vault_keyset,
- &key_index, &error));
+ ASSERT_TRUE(
+ mount_->DecryptVaultKeyset(*pin_credentials_, &pin_vault_keyset, &error));
// Check the returned data.
ASSERT_TRUE(pin_vault_keyset.serialized().flags() &
@@ -1590,11 +1575,9 @@
vault_keyset.Initialize(&platform_, mount_->crypto());
SerializedVaultKeyset serialized;
MountError error;
- int key_index = -1;
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
- EXPECT_EQ(key_index, 0);
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
+ EXPECT_EQ(vault_keyset.legacy_index(), 0);
serialized.CopyFrom(vault_keyset.serialized());
user->InjectUserPaths(&platform_, chronos_uid_, chronos_gid_, shared_gid_,
@@ -1609,8 +1592,7 @@
user->InjectKeyset(&platform_, true);
SerializedVaultKeyset new_serialized;
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
new_serialized.CopyFrom(vault_keyset.serialized());
SecureBlob lhs;
@@ -1806,8 +1788,6 @@
.WillRepeatedly(Return(true));
EXPECT_TRUE(DoMountInit());
- int key_index = 0;
-
EXPECT_CALL(platform_, FileExists(base::FilePath(kLockedToSingleUserFile)))
.WillRepeatedly(Return(false));
@@ -1824,8 +1804,7 @@
// Migrate to TPM-wrapped from the original Scrypt-wrapped
error = MOUNT_ERROR_NONE;
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
@@ -1837,8 +1816,7 @@
error = MOUNT_ERROR_NONE;
user->InjectKeyset(&platform_, true);
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
unsigned int flags = vault_keyset.serialized().flags();
EXPECT_EQ((flags & SerializedVaultKeyset::TPM_WRAPPED),
@@ -1850,7 +1828,7 @@
.WillOnce(DoAll(SetArgPointee<1>(migrated_keyset), Return(true)));
vault_keyset.mutable_serialized()->set_flags(
flags & ~SerializedVaultKeyset::SCRYPT_WRAPPED);
- EXPECT_TRUE(mount_->ReEncryptVaultKeyset(credentials, 0, &vault_keyset));
+ EXPECT_TRUE(mount_->ReEncryptVaultKeyset(credentials, &vault_keyset));
}
// Now we have the TPM-wrapped keyset with correct flags
@@ -1861,8 +1839,7 @@
error = MOUNT_ERROR_NONE;
user->InjectKeyset(&platform_, true);
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
@@ -1875,8 +1852,7 @@
error = MOUNT_ERROR_NONE;
user->InjectKeyset(&platform_, true);
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
}
@@ -1918,8 +1894,6 @@
.WillRepeatedly(Return(true));
EXPECT_TRUE(DoMountInit());
- int key_index = 0;
-
EXPECT_CALL(platform_, FileExists(base::FilePath(kLockedToSingleUserFile)))
.WillRepeatedly(Return(false));
@@ -1935,8 +1909,7 @@
MountError error;
error = MOUNT_ERROR_NONE;
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
@@ -1949,7 +1922,7 @@
vault_keyset.mutable_serialized()->set_flags(
flags | SerializedVaultKeyset::TPM_WRAPPED |
SerializedVaultKeyset::SCRYPT_WRAPPED);
- EXPECT_TRUE(mount_->StoreVaultKeysetForUser(user->obfuscated_username, 0,
+ EXPECT_TRUE(mount_->StoreVaultKeysetForUser(user->obfuscated_username,
&vault_keyset));
// When we call DecryptVaultKeyset, it should re-encrypt
@@ -1957,8 +1930,7 @@
error = MOUNT_ERROR_NONE;
user->InjectKeyset(&platform_, true);
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
- &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
