Support and use TAG_ALLOW_WHILE_ON_BODY
There are three changes in this CL:
1. Persist all characteristics provided at the time of key creation.
We do this to avoid device-specific keymaster implementations
stripping keys they are not aware of.
2. Add an onDeviceOffBody API method that will be called whenever a
wearable device is detected to have been removed.
3. Check whether a key was created with TAG_ALLOW_WHILE_ON_BODY and
the device has gone off-body since the last auth event when
deciding whether it can be used.
BUG: 30701680
BUG: 28911985
Change-Id: I6be3af3dee8e576fe713dfdd726502d8b333f224
diff --git a/keystore/auth_token_table.cpp b/keystore/auth_token_table.cpp
index c6e5843..76e757b 100644
--- a/keystore/auth_token_table.cpp
+++ b/keystore/auth_token_table.cpp
@@ -138,6 +138,13 @@
if (static_cast<int64_t>(newest_match->time_received()) + timeout < static_cast<int64_t>(now))
return AUTH_TOKEN_EXPIRED;
+ if (key_info.GetTagValue(TAG_ALLOW_WHILE_ON_BODY)) {
+ if (static_cast<int64_t>(newest_match->time_received()) <
+ static_cast<int64_t>(last_off_body_)) {
+ return AUTH_TOKEN_EXPIRED;
+ }
+ }
+
newest_match->UpdateLastUse(now);
*found = newest_match->token();
return OK;
@@ -155,6 +162,10 @@
entries_.end());
}
+void AuthTokenTable::onDeviceOffBody() {
+ last_off_body_ = clock_function_();
+}
+
void AuthTokenTable::Clear() {
entries_.clear();
}