Add auth token fetching
Auth tokens are now fetched from the table in begin update and finish if
needed. Begin will not fail on a missing/expired auth token since some
authorization requires a valid operation handle.
This doesn't yet do any enforcement of the token beyond what the auth
token table does, that should happen in the keymaster auth code when it
is done.
This also includes the key in the operation map since authorization
works based off that and not the handle.
Change-Id: I62a395b74a925b819f4cde75ae3bfab8b8928cd1
diff --git a/keystore/auth_token_table.h b/keystore/auth_token_table.h
index d1184e9..7c18367 100644
--- a/keystore/auth_token_table.h
+++ b/keystore/auth_token_table.h
@@ -19,6 +19,7 @@
#include <hardware/hw_auth_token.h>
#include <keymaster/authorization_set.h>
+#include <keymaster/key_blob.h>
#ifndef SYSTEM_KEYMASTER_AUTH_TOKEN_TABLE_H
#define SYSTEM_KEYMASTER_AUTH_TOKEN_TABLE_H
@@ -53,6 +54,7 @@
// (e.g. new fingerprint enrolled).
OP_HANDLE_REQUIRED = -4, // The key requires auth per use but op_handle was zero.
AUTH_TOKEN_NOT_FOUND = -5,
+ AUTH_BAD_PARAMS = -6,
};
/**
@@ -89,6 +91,27 @@
}
/**
+ * Find an authorization token that authorizes the operation specified by \p handle on
+ * a key with the characteristics specified in \p blob.
+ *
+ * The table retains ownership of the returned object.
+ */
+ Error FindAuthorization(const keymaster_key_blob_t& blob, keymaster_operation_handle_t handle,
+ const hw_auth_token_t** found) {
+ KeyBlob key(blob);
+ if (key.error()) {
+ return AUTH_BAD_PARAMS;
+ }
+ AuthorizationSet auths(key.unenforced());
+ for (auto param : key.enforced()) {
+ auths.push_back(param);
+ }
+ return FindAuthorization(auths, handle, found);
+
+ }
+
+
+ /**
* Mark operation completed. This allows tokens associated with the specified operation to be
* superseded by new tokens.
*/