Support and use TAG_ALLOW_WHILE_ON_BODY
There are three changes in this CL:
1. Persist all characteristics provided at the time of key creation.
We do this to avoid device-specific keymaster implementations
stripping keys they are not aware of.
2. Add an onDeviceOffBody API method that will be called whenever a
wearable device is detected to have been removed.
3. Check whether a key was created with TAG_ALLOW_WHILE_ON_BODY and
the device has gone off-body since the last auth event when
deciding whether it can be used.
BUG: 30701680
BUG: 28911985
Change-Id: I6be3af3dee8e576fe713dfdd726502d8b333f224
diff --git a/keystore/IKeystoreService.cpp b/keystore/IKeystoreService.cpp
index 384e423..7df03c7 100644
--- a/keystore/IKeystoreService.cpp
+++ b/keystore/IKeystoreService.cpp
@@ -1352,6 +1352,24 @@
return ret;
}
+ virtual int32_t onDeviceOffBody()
+ {
+ Parcel data, reply;
+ data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
+ status_t status = remote()->transact(BnKeystoreService::ON_DEVICE_OFF_BODY, data, &reply);
+ if (status != NO_ERROR) {
+ ALOGD("onDeviceOffBody() could not contact remote: %d\n", status);
+ return -1;
+ }
+ int32_t err = reply.readExceptionCode();
+ int32_t ret = reply.readInt32();
+ if (err < 0) {
+ ALOGD("onDeviceOffBody() caught exception %d\n", err);
+ return -1;
+ }
+ return ret;
+ }
+
};
IMPLEMENT_META_INTERFACE(KeystoreService, "android.security.IKeystoreService");
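Review bot: A failed delivery in the proxy's `onDeviceOffBody()` is logged only at debug level and collapsed into `-1`, so a caller that ignores the return value leaves keystore treating the device as still on-body. For a security-relevant event, the transport-failure branch would be better logged as `ALOGW("onDeviceOffBody() could not contact remote: %d\n", status);`. A short comment on the method should state that `-1` means the event was not delivered and the caller is expected to retry. Separately, `reply.readInt32()` runs before `err` is checked; moving that read below the `if (err < 0)` block avoids parsing a payload from a reply that carries an exception. The enclosing proxy class starts outside this hunk.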
@@ -1862,6 +1880,14 @@
return NO_ERROR;
}
+ case ON_DEVICE_OFF_BODY: {
+ CHECK_INTERFACE(IKeystoreService, data, reply);
+ int32_t ret = onDeviceOffBody();
+ reply->writeNoException();
+ reply->writeInt32(ret);
+
+ return NO_ERROR;
+ }
default:
return BBinder::onTransact(code, data, reply, flags);
}
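Review bot: The `ON_DEVICE_OFF_BODY` case calls `onDeviceOffBody()` after `CHECK_INTERFACE` alone, so nothing visible in this hunk restricts which caller may report an off-body event. The service implementation is not part of this file and presumably performs the permission check. If it does not, any process able to reach the service could make keys created with TAG_ALLOW_WHILE_ON_BODY unusable until the next auth event. A comment such as `// Caller permission is enforced in the onDeviceOffBody() implementation.` above the call would record where the check lives, and it is worth confirming that a denied caller gets an error code rather than a silent success. The enclosing `onTransact` switch starts and ends outside the hunk.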