Move keystore to Keymaster4

Test: CTS
Change-Id: I6b7fa300f505ee685b1fe503edea3188225a98e3
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index c27ec6b..16d1354 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -117,6 +117,7 @@
 ErrorCode KeymasterEnforcement::AuthorizeOperation(const KeyPurpose purpose, const km_id_t keyid,
                                                    const AuthorizationSet& auth_set,
                                                    const AuthorizationSet& operation_params,
+                                                   const HardwareAuthToken& auth_token,
                                                    uint64_t op_handle, bool is_begin_operation) {
     if (is_public_key_algorithm(auth_set)) {
         switch (purpose) {
@@ -127,23 +128,23 @@
 
         case KeyPurpose::DECRYPT:
         case KeyPurpose::SIGN:
-        case KeyPurpose::DERIVE_KEY:
             break;
+
         case KeyPurpose::WRAP_KEY:
             return ErrorCode::INCOMPATIBLE_PURPOSE;
         };
     };
 
     if (is_begin_operation)
-        return AuthorizeBegin(purpose, keyid, auth_set, operation_params);
+        return AuthorizeBegin(purpose, keyid, auth_set, operation_params, auth_token);
     else
-        return AuthorizeUpdateOrFinish(auth_set, operation_params, op_handle);
+        return AuthorizeUpdateOrFinish(auth_set, auth_token, op_handle);
 }
 
 // For update and finish the only thing to check is user authentication, and then only if it's not
 // timeout-based.
 ErrorCode KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
-                                                        const AuthorizationSet& operation_params,
+                                                        const HardwareAuthToken& auth_token,
                                                         uint64_t op_handle) {
     int auth_type_index = -1;
     for (size_t pos = 0; pos < auth_set.size(); ++pos) {
@@ -176,9 +177,9 @@
         if (user_secure_id.isOk()) {
             authentication_required = true;
             int auth_timeout_index = -1;
-            if (AuthTokenMatches(auth_set, operation_params, user_secure_id.value(),
-                                 auth_type_index, auth_timeout_index, op_handle,
-                                 false /* is_begin_operation */))
+            if (auth_token.mac.size() &&
+                AuthTokenMatches(auth_set, auth_token, user_secure_id.value(), auth_type_index,
+                                 auth_timeout_index, op_handle, false /* is_begin_operation */))
                 return ErrorCode::OK;
         }
     }
@@ -190,7 +191,8 @@
 
 ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const km_id_t keyid,
                                                const AuthorizationSet& auth_set,
-                                               const AuthorizationSet& operation_params) {
+                                               const AuthorizationSet& operation_params,
+                                               NullOr<const HardwareAuthToken&> auth_token) {
     // Find some entries that may be needed to handle KM_TAG_USER_SECURE_ID
     int auth_timeout_index = -1;
     int auth_type_index = -1;
@@ -272,9 +274,9 @@
             if (auth_timeout_index != -1) {
                 auto secure_id = authorizationValue(TAG_USER_SECURE_ID, param);
                 authentication_required = true;
-                if (secure_id.isOk() &&
-                    AuthTokenMatches(auth_set, operation_params, secure_id.value(), auth_type_index,
-                                     auth_timeout_index, 0 /* op_handle */,
+                if (secure_id.isOk() && auth_token.isOk() &&
+                    AuthTokenMatches(auth_set, auth_token.value(), secure_id.value(),
+                                     auth_type_index, auth_timeout_index, 0 /* op_handle */,
                                      true /* is_begin_operation */))
                     auth_token_matched = true;
             }
@@ -286,7 +288,6 @@
 
         /* Tags should never be in key auths. */
         case Tag::INVALID:
-        case Tag::AUTH_TOKEN:
         case Tag::ROOT_OF_TRUST:
         case Tag::APPLICATION_DATA:
         case Tag::ATTESTATION_CHALLENGE:
@@ -311,21 +312,18 @@
         case Tag::PADDING:
         case Tag::NONCE:
         case Tag::MIN_MAC_LENGTH:
-        case Tag::KDF:
         case Tag::EC_CURVE:
 
         /* Tags not used for operations. */
         case Tag::BLOB_USAGE_REQUIREMENTS:
-        case Tag::EXPORTABLE:
 
         /* Algorithm specific parameters not used for access control. */
         case Tag::RSA_PUBLIC_EXPONENT:
-        case Tag::ECIES_SINGLE_HASH_MODE:
 
         /* Informational tags. */
         case Tag::CREATION_DATETIME:
         case Tag::ORIGIN:
-        case Tag::ROLLBACK_RESISTANT:
+        case Tag::ROLLBACK_RESISTANCE:
 
         /* Tags handled when KM_TAG_USER_SECURE_ID is handled */
         case Tag::NO_AUTH_REQUIRED:
@@ -336,20 +334,16 @@
         case Tag::ASSOCIATED_DATA:
 
         /* Tags that are implicitly verified by secure side */
-        case Tag::ALL_APPLICATIONS:
         case Tag::APPLICATION_ID:
         case Tag::OS_VERSION:
         case Tag::OS_PATCHLEVEL:
 
-        /* Ignored pending removal */
-        case Tag::USER_ID:
-        case Tag::ALL_USERS:
-
         /* TODO(swillden): Handle these */
         case Tag::INCLUDE_UNIQUE_ID:
         case Tag::UNIQUE_ID:
         case Tag::RESET_SINCE_ID_ROTATION:
         case Tag::ALLOW_WHILE_ON_BODY:
+        case Tag::HARDWARE_TYPE:
             break;
 
         case Tag::BOOTLOADER_ONLY:
@@ -465,7 +459,7 @@
 }
 
 bool KeymasterEnforcement::AuthTokenMatches(const AuthorizationSet& auth_set,
-                                            const AuthorizationSet& operation_params,
+                                            const HardwareAuthToken& auth_token,
                                             const uint64_t user_secure_id,
                                             const int auth_type_index, const int auth_timeout_index,
                                             const uint64_t op_handle,
@@ -473,25 +467,6 @@
     assert(auth_type_index < static_cast<int>(auth_set.size()));
     assert(auth_timeout_index < static_cast<int>(auth_set.size()));
 
-    auto auth_token_blob = operation_params.GetTagValue(TAG_AUTH_TOKEN);
-    if (!auth_token_blob.isOk()) {
-        ALOGE("Authentication required, but auth token not provided");
-        return false;
-    }
-
-    if (auth_token_blob.value().size() != sizeof(hw_auth_token_t)) {
-        ALOGE("Bug: Auth token is the wrong size (%zu expected, %zu found)",
-              sizeof(hw_auth_token_t), auth_token_blob.value().size());
-        return false;
-    }
-    uint8_t auth_token_version = auth_token_blob.value()[0];
-    HardwareAuthToken auth_token = hidlVec2AuthToken(auth_token_blob.value());
-    if (auth_token_version != HW_AUTH_TOKEN_VERSION) {
-        ALOGE("Bug: Auth token is the version %hhu (or is not an auth token). Expected %d",
-              auth_token_version, HW_AUTH_TOKEN_VERSION);
-        return false;
-    }
-
     if (!ValidateTokenSignature(auth_token)) {
         ALOGE("Auth token signature invalid");
         return false;
@@ -518,10 +493,9 @@
     auto key_auth_type_mask = authorizationValue(TAG_USER_AUTH_TYPE, auth_set[auth_type_index]);
     if (!key_auth_type_mask.isOk()) return false;
 
-    uint32_t token_auth_type = ntoh(auth_token.authenticatorType);
-    if ((uint32_t(key_auth_type_mask.value()) & token_auth_type) == 0) {
+    if ((uint32_t(key_auth_type_mask.value()) & auth_token.authenticatorType) == 0) {
         ALOGE("Key requires match of auth type mask 0%uo, but token contained 0%uo",
-              key_auth_type_mask.value(), token_auth_type);
+              key_auth_type_mask.value(), auth_token.authenticatorType);
         return false;
     }