Move keystore to Keymaster4
Test: CTS
Change-Id: I6b7fa300f505ee685b1fe503edea3188225a98e3
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index c27ec6b..16d1354 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -117,6 +117,7 @@
ErrorCode KeymasterEnforcement::AuthorizeOperation(const KeyPurpose purpose, const km_id_t keyid,
const AuthorizationSet& auth_set,
const AuthorizationSet& operation_params,
+ const HardwareAuthToken& auth_token,
uint64_t op_handle, bool is_begin_operation) {
if (is_public_key_algorithm(auth_set)) {
switch (purpose) {
@@ -127,23 +128,23 @@
case KeyPurpose::DECRYPT:
case KeyPurpose::SIGN:
- case KeyPurpose::DERIVE_KEY:
break;
+
case KeyPurpose::WRAP_KEY:
return ErrorCode::INCOMPATIBLE_PURPOSE;
};
};
if (is_begin_operation)
- return AuthorizeBegin(purpose, keyid, auth_set, operation_params);
+ return AuthorizeBegin(purpose, keyid, auth_set, operation_params, auth_token);
else
- return AuthorizeUpdateOrFinish(auth_set, operation_params, op_handle);
+ return AuthorizeUpdateOrFinish(auth_set, auth_token, op_handle);
}
// For update and finish the only thing to check is user authentication, and then only if it's not
// timeout-based.
ErrorCode KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
- const AuthorizationSet& operation_params,
+ const HardwareAuthToken& auth_token,
uint64_t op_handle) {
int auth_type_index = -1;
for (size_t pos = 0; pos < auth_set.size(); ++pos) {
@@ -176,9 +177,9 @@
if (user_secure_id.isOk()) {
authentication_required = true;
int auth_timeout_index = -1;
- if (AuthTokenMatches(auth_set, operation_params, user_secure_id.value(),
- auth_type_index, auth_timeout_index, op_handle,
- false /* is_begin_operation */))
+ if (auth_token.mac.size() &&
+ AuthTokenMatches(auth_set, auth_token, user_secure_id.value(), auth_type_index,
+ auth_timeout_index, op_handle, false /* is_begin_operation */))
return ErrorCode::OK;
}
}
@@ -190,7 +191,8 @@
ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const km_id_t keyid,
const AuthorizationSet& auth_set,
- const AuthorizationSet& operation_params) {
+ const AuthorizationSet& operation_params,
+ NullOr<const HardwareAuthToken&> auth_token) {
// Find some entries that may be needed to handle KM_TAG_USER_SECURE_ID
int auth_timeout_index = -1;
int auth_type_index = -1;
@@ -272,9 +274,9 @@
if (auth_timeout_index != -1) {
auto secure_id = authorizationValue(TAG_USER_SECURE_ID, param);
authentication_required = true;
- if (secure_id.isOk() &&
- AuthTokenMatches(auth_set, operation_params, secure_id.value(), auth_type_index,
- auth_timeout_index, 0 /* op_handle */,
+ if (secure_id.isOk() && auth_token.isOk() &&
+ AuthTokenMatches(auth_set, auth_token.value(), secure_id.value(),
+ auth_type_index, auth_timeout_index, 0 /* op_handle */,
true /* is_begin_operation */))
auth_token_matched = true;
}
@@ -286,7 +288,6 @@
/* Tags should never be in key auths. */
case Tag::INVALID:
- case Tag::AUTH_TOKEN:
case Tag::ROOT_OF_TRUST:
case Tag::APPLICATION_DATA:
case Tag::ATTESTATION_CHALLENGE:
@@ -311,21 +312,18 @@
case Tag::PADDING:
case Tag::NONCE:
case Tag::MIN_MAC_LENGTH:
- case Tag::KDF:
case Tag::EC_CURVE:
/* Tags not used for operations. */
case Tag::BLOB_USAGE_REQUIREMENTS:
- case Tag::EXPORTABLE:
/* Algorithm specific parameters not used for access control. */
case Tag::RSA_PUBLIC_EXPONENT:
- case Tag::ECIES_SINGLE_HASH_MODE:
/* Informational tags. */
case Tag::CREATION_DATETIME:
case Tag::ORIGIN:
- case Tag::ROLLBACK_RESISTANT:
+ case Tag::ROLLBACK_RESISTANCE:
/* Tags handled when KM_TAG_USER_SECURE_ID is handled */
case Tag::NO_AUTH_REQUIRED:
@@ -336,20 +334,16 @@
case Tag::ASSOCIATED_DATA:
/* Tags that are implicitly verified by secure side */
- case Tag::ALL_APPLICATIONS:
case Tag::APPLICATION_ID:
case Tag::OS_VERSION:
case Tag::OS_PATCHLEVEL:
- /* Ignored pending removal */
- case Tag::USER_ID:
- case Tag::ALL_USERS:
-
/* TODO(swillden): Handle these */
case Tag::INCLUDE_UNIQUE_ID:
case Tag::UNIQUE_ID:
case Tag::RESET_SINCE_ID_ROTATION:
case Tag::ALLOW_WHILE_ON_BODY:
+ case Tag::HARDWARE_TYPE:
break;
case Tag::BOOTLOADER_ONLY:
@@ -465,7 +459,7 @@
}
bool KeymasterEnforcement::AuthTokenMatches(const AuthorizationSet& auth_set,
- const AuthorizationSet& operation_params,
+ const HardwareAuthToken& auth_token,
const uint64_t user_secure_id,
const int auth_type_index, const int auth_timeout_index,
const uint64_t op_handle,
@@ -473,25 +467,6 @@
assert(auth_type_index < static_cast<int>(auth_set.size()));
assert(auth_timeout_index < static_cast<int>(auth_set.size()));
- auto auth_token_blob = operation_params.GetTagValue(TAG_AUTH_TOKEN);
- if (!auth_token_blob.isOk()) {
- ALOGE("Authentication required, but auth token not provided");
- return false;
- }
-
- if (auth_token_blob.value().size() != sizeof(hw_auth_token_t)) {
- ALOGE("Bug: Auth token is the wrong size (%zu expected, %zu found)",
- sizeof(hw_auth_token_t), auth_token_blob.value().size());
- return false;
- }
- uint8_t auth_token_version = auth_token_blob.value()[0];
- HardwareAuthToken auth_token = hidlVec2AuthToken(auth_token_blob.value());
- if (auth_token_version != HW_AUTH_TOKEN_VERSION) {
- ALOGE("Bug: Auth token is the version %hhu (or is not an auth token). Expected %d",
- auth_token_version, HW_AUTH_TOKEN_VERSION);
- return false;
- }
-
if (!ValidateTokenSignature(auth_token)) {
ALOGE("Auth token signature invalid");
return false;
@@ -518,10 +493,9 @@
auto key_auth_type_mask = authorizationValue(TAG_USER_AUTH_TYPE, auth_set[auth_type_index]);
if (!key_auth_type_mask.isOk()) return false;
- uint32_t token_auth_type = ntoh(auth_token.authenticatorType);
- if ((uint32_t(key_auth_type_mask.value()) & token_auth_type) == 0) {
+ if ((uint32_t(key_auth_type_mask.value()) & auth_token.authenticatorType) == 0) {
ALOGE("Key requires match of auth type mask 0%uo, but token contained 0%uo",
- key_auth_type_mask.value(), token_auth_type);
+ key_auth_type_mask.value(), auth_token.authenticatorType);
return false;
}