Merge "Allow Device IDs in Key attestation request"
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index a61f7dc..00d20bc 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -1547,14 +1547,15 @@
         return Status::ok();
     }
 
-    if (isDeviceIdAttestationRequested(params)) {
-        // There is a dedicated attestDeviceIds() method for device ID attestation.
+    uid_t callingUid = IPCThreadState::self()->getCallingUid();
+
+    if (isDeviceIdAttestationRequested(params) && (callingUid != AID_SYSTEM)) {
+        // Only the system context may request Device ID attestation combined with key attestation.
+        // Otherwise, There is a dedicated attestDeviceIds() method for device ID attestation.
         *aidl_return = static_cast<int32_t>(KeyStoreServiceReturnCode(ErrorCode::INVALID_ARGUMENT));
         return Status::ok();
     }
 
-    uid_t callingUid = IPCThreadState::self()->getCallingUid();
-
     AuthorizationSet mutableParams = params.getParameters();
     KeyStoreServiceReturnCode rc = updateParamsForAttestation(callingUid, &mutableParams);
     if (!rc.isOk()) {
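Review bot: The new gate `isDeviceIdAttestationRequested(params) && (callingUid != AID_SYSTEM)` authorizes on the raw binder UID alone, so any process running as AID_SYSTEM can now have device identifiers embedded in a key attestation, while a denied caller gets the same `INVALID_ARGUMENT` as a malformed request and nothing is logged. If the dedicated attestDeviceIds() path applies a permission check (not visible in this hunk), confirm that the system-UID shortcut is meant to bypass it and record that decision in the comment. A denial log before the return, for example `ALOGW("device ID attestation with key attestation denied for uid %u", callingUid);`, would make rejected attempts auditable. The comment itself could read `// Only AID_SYSTEM may combine device ID attestation with key attestation; other callers must use attestDeviceIds().` The enclosing function starts and ends outside the hunk.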