Support and use TAG_ALLOW_WHILE_ON_BODY
There are three changes in this CL:
1. Persist all characteristics provided at the time of key creation.
We do this to avoid device-specific keymaster implementations
stripping keys they are not aware of.
2. Add an onDeviceOffBody API method that will be called whenever a
wearable device is detected to have been removed.
3. Check whether a key was created with TAG_ALLOW_WHILE_ON_BODY and
the device has gone off-body since the last auth event when
deciding whether it can be used.
BUG: 30701680
BUG: 28911985
Change-Id: I6be3af3dee8e576fe713dfdd726502d8b333f224
diff --git a/keystore/auth_token_table.h b/keystore/auth_token_table.h
index a2f1446..76cf816 100644
--- a/keystore/auth_token_table.h
+++ b/keystore/auth_token_table.h
@@ -42,7 +42,7 @@
class AuthTokenTable {
public:
AuthTokenTable(size_t max_entries = 32, time_t (*clock_function)() = clock_gettime_raw)
- : max_entries_(max_entries), clock_function_(clock_function) {}
+ : max_entries_(max_entries), last_off_body_(clock_function()), clock_function_(clock_function) {}
enum Error {
OK,
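Review bot: The new initializer `last_off_body_(clock_function())` calls through the constructor parameter while the object is still being built, so a null `clock_function` now faults at construction instead of at first use, and nothing in the visible lines rejects it. The call is only correct because it reads the parameter and not the member: `clock_function_` is declared after `last_off_body_` in the last hunk and is therefore initialized later. I would add a comment on the field such as `// Set from the ctor parameter; clock_function_ is not yet initialized at that point.` so a later edit does not switch it to the member. Since this timestamp decides whether an on-body key is still usable, the field comment should also state that it must come from the same clock as the token timestamps it is compared with; that comparison is outside this diff, so confirm it there.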
@@ -95,6 +95,12 @@
*/
void MarkCompleted(const keymaster_operation_handle_t op_handle);
+ /**
+ * Update the last_off_body_ timestamp so that tokens which remain authorized only so long as
+ * the device stays on body can be revoked.
+ */
+ void onDeviceOffBody();
+
void Clear();
size_t size() { return entries_.size(); }
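Review bot: `onDeviceOffBody()` is lowerCamelCase while the neighbouring members in this class (`MarkCompleted`, `Clear`) are PascalCase, so the new method breaks the class's naming convention. If the name is fixed by the external API mentioned in the commit message, say so in the comment. The doc comment also says tokens "can be revoked" without stating what the call actually does. From the declaration it appears only to record a time, so I would word it as `Records the current time as the last off-body event; entries are not removed here, and keys created with TAG_ALLOW_WHILE_ON_BODY are rejected later if their last authentication predates this time.`, after confirming this against the implementation, which is not in this file. The comment should also note whether callers must serialize this with lookups, because the class declaration shows no locking.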
@@ -155,6 +161,7 @@
std::vector<Entry> entries_;
size_t max_entries_;
+ time_t last_off_body_;
time_t (*clock_function_)();
};