identity: Check freshness of verification token in TA.

A problem where credstore didn't always use the TA-generated challenge
in the verification token was fixed in aosp/1619825. With this bug-fix
we can now reliably check that the passed-in verification token is
always fresh.

Bug: 181893400
Test: atest android.security.identity.cts on emulator
Test: atest VtsHalIdentityTargetTest
Change-Id: Iffdf026475da6321764561972aae27a82ab94530
diff --git a/identity/aidl/default/common/IdentityCredential.cpp b/identity/aidl/default/common/IdentityCredential.cpp
index 9477997..c8ee0dd 100644
--- a/identity/aidl/default/common/IdentityCredential.cpp
+++ b/identity/aidl/default/common/IdentityCredential.cpp
@@ -253,14 +253,17 @@
         }
     }
 
-    // Feed the auth token to secure hardware.
-    if (!hwProxy_->setAuthToken(authToken.challenge, authToken.userId, authToken.authenticatorId,
-                                int(authToken.authenticatorType), authToken.timestamp.milliSeconds,
-                                authToken.mac, verificationToken_.challenge,
-                                verificationToken_.timestamp.milliSeconds,
-                                int(verificationToken_.securityLevel), verificationToken_.mac)) {
-        return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
-                IIdentityCredentialStore::STATUS_INVALID_DATA, "Invalid Auth Token"));
+    // Feed the auth token to secure hardware only if they're valid.
+    if (authToken.timestamp.milliSeconds != 0) {
+        if (!hwProxy_->setAuthToken(
+                    authToken.challenge, authToken.userId, authToken.authenticatorId,
+                    int(authToken.authenticatorType), authToken.timestamp.milliSeconds,
+                    authToken.mac, verificationToken_.challenge,
+                    verificationToken_.timestamp.milliSeconds,
+                    int(verificationToken_.securityLevel), verificationToken_.mac)) {
+            return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
+                    IIdentityCredentialStore::STATUS_INVALID_DATA, "Invalid Auth Token"));
+        }
     }
 
     // We'll be feeding ACPs interleaved with certificates from the reader
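Review bot: The new gate `if (authToken.timestamp.milliSeconds != 0)` on L29 is a presence check, not the validity check the comment on L28 announces; a token with any other field wrong still reaches setAuthToken, and a token with a zero timestamp is now skipped silently rather than rejected. Because the verification token is only forwarded inside that branch (L33-L35), a session where no auth token was supplied never has its verification token checked by the TA at all, which is presumably acceptable only because any ACP requiring user auth will then fail in the TA for lack of a token — worth confirming against the libeic side. I would reword the comment to state the sentinel explicitly: `// A zero timestamp means no auth token was supplied (e.g. no user auth is required); in that case nothing is fed to secure hardware and ACPs needing user auth will fail there.` The enclosing method begins and ends outside this hunk.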
diff --git a/identity/aidl/default/libeic/EicPresentation.c b/identity/aidl/default/libeic/EicPresentation.c
index 5e9a280..9e033b3 100644
--- a/identity/aidl/default/libeic/EicPresentation.c
+++ b/identity/aidl/default/libeic/EicPresentation.c
@@ -336,6 +336,18 @@
                                  int verificationTokenSecurityLevel,
                                  const uint8_t* verificationTokenMac,
                                  size_t verificationTokenMacSize) {
+    // It doesn't make sense to accept any tokens if eicPresentationCreateAuthChallenge()
+    // was never called.
+    if (ctx->authChallenge == 0) {
+        eicDebug("Trying validate tokens when no auth-challenge was previously generated");
+        return false;
+    }
+    // At least the verification-token must have the same challenge as what was generated.
+    if (verificationTokenChallenge != ctx->authChallenge) {
+        eicDebug("Challenge in verification token does not match the challenge "
+                 "previously generated");
+        return false;
+    }
     if (!eicOpsValidateAuthToken(
                 challenge, secureUserId, authenticatorId, hardwareAuthenticatorType, timeStamp, mac,
                 macSize, verificationTokenChallenge, verificationTokenTimestamp,
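Review bot: The guard on L52 makes `ctx->authChallenge == 0` the "never generated" sentinel, so the freshness check is only sound if eicPresentationCreateAuthChallenge can never hand out 0 as a real challenge; that function is not in this hunk, so please confirm it re-draws on 0 (or document that the caller does). The equality on L57 binds the verification token to this session only in combination with the MAC verification that follows on L62, which is the right order (cheap rejection first) but deserves a sentence so nobody later treats the comparison alone as authentication. I would extend the comment on L56 to: `// At least the verification-token must carry the challenge we generated; this only proves freshness together with the MAC check below.` The enclosing function's signature and body start before this hunk.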
@@ -360,18 +372,9 @@
         return false;
     }
 
+    // Only ACP with auth-on-every-presentation - those with timeout == 0 - need the
+    // challenge to match...
     if (timeoutMillis == 0) {
-        if (ctx->authTokenChallenge == 0) {
-            eicDebug("No challenge in authToken");
-            return false;
-        }
-
-        // If we didn't create a challenge, too bad but user auth with
-        // timeoutMillis set to 0 needs it.
-        if (ctx->authChallenge == 0) {
-            eicDebug("No challenge was created for this session");
-            return false;
-        }
         if (ctx->authTokenChallenge != ctx->authChallenge) {
             eicDebug("Challenge in authToken (%" PRIu64
                      ") doesn't match the challenge "
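Review bot: Dropping the explicit zero checks (old L72-L82) leaves only `ctx->authTokenChallenge != ctx->authChallenge` on L83, which is satisfied when both are 0 — i.e. when no challenge was created and no token was ever fed, assuming the context zero-initialises those fields. The removed guard relied on eicPresentationValidateAuthToken now rejecting `authChallenge == 0`, but that only helps if that function was actually called for this session; whether an earlier check in this function (it starts before the hunk, and its tail after L85 is not visible) rejects a session with no validated token cannot be seen here. Unless such a check exists, I would keep one line of defense-in-depth inside the `timeoutMillis == 0` branch: `if (ctx->authChallenge == 0) { eicDebug("No challenge was created for this session"); return false; }`. The new comment on L69-L70 could also say why timeout > 0 ACPs are exempt (they are satisfied by a token whose timestamp is within the timeout, so challenge binding is not what protects them) so the asymmetry is not mistaken for an oversight.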