Add authorization binder methods
Add methods for sending an auth token to keystore and to query the
authorization state of a given operation. These methods are currently
stubs until authorization is implemented.
Change-Id: I0f97ffb3afe19c1f1d8a00bfc95e27616e7cb06c
diff --git a/keystore/IKeystoreService.cpp b/keystore/IKeystoreService.cpp
index 3818acf..af81525 100644
--- a/keystore/IKeystoreService.cpp
+++ b/keystore/IKeystoreService.cpp
@@ -975,7 +975,6 @@
{
Parcel data, reply;
data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
- data.writeInt32(bufLength);
data.writeByteArray(bufLength, buf);
status_t status = remote()->transact(BnKeystoreService::ADD_RNG_ENTROPY, data, &reply);
if (status != NO_ERROR) {
@@ -1205,7 +1204,7 @@
Parcel data, reply;
data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
data.writeStrongBinder(token);
- status_t status = remote()->transact(BnKeystoreService::FINISH, data, &reply);
+ status_t status = remote()->transact(BnKeystoreService::ABORT, data, &reply);
if (status != NO_ERROR) {
ALOGD("abort() could not contact remote: %d\n", status);
return KM_ERROR_UNKNOWN_ERROR;
@@ -1218,6 +1217,45 @@
}
return ret;
}
+
+ virtual bool isOperationAuthorized(const sp<IBinder>& token)
+ {
+ Parcel data, reply;
+ data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
+ data.writeStrongBinder(token);
+ status_t status = remote()->transact(BnKeystoreService::IS_OPERATION_AUTHORIZED, data,
+ &reply);
+ if (status != NO_ERROR) {
+ ALOGD("isOperationAuthorized() could not contact remote: %d\n", status);
+ return false;
+ }
+ int32_t err = reply.readExceptionCode();
+ int32_t ret = reply.readInt32();
+ if (err < 0) {
+ ALOGD("isOperationAuthorized() caught exception %d\n", err);
+ return false;
+ }
+ return ret == 1;
+ }
+
+ virtual int32_t addAuthToken(const uint8_t* token, size_t length)
+ {
+ Parcel data, reply;
+ data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
+ data.writeByteArray(length, token);
+ status_t status = remote()->transact(BnKeystoreService::ADD_AUTH_TOKEN, data, &reply);
+ if (status != NO_ERROR) {
+ ALOGD("addAuthToken() could not contact remote: %d\n", status);
+ return -1;
+ }
+ int32_t err = reply.readExceptionCode();
+ int32_t ret = reply.readInt32();
+ if (err < 0) {
+ ALOGD("addAuthToken() caught exception %d\n", err);
+ return -1;
+ }
+ return ret;
+ };
};
IMPLEMENT_META_INTERFACE(KeystoreService, "android.security.IKeystoreService");
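Review bot: The proxy's addAuthToken() returns a bare `-1` both when transact() fails and when the reply carries an exception, while abort() in the previous hunk returns `KM_ERROR_UNKNOWN_ERROR` and the service-side stub returns `KM_ERROR_UNIMPLEMENTED`. A caller therefore cannot tell a binder failure from a keymaster-style error code that happens to have the same value; `return KM_ERROR_UNKNOWN_ERROR;` in both failure paths would keep the return value in one code space. Both new methods also call `reply.readInt32()` before testing `err`, and reading the result only after the exception check would match the intent better. The `};` that closes addAuthToken() carries a stray semicolon.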
@@ -1689,6 +1727,27 @@
return NO_ERROR;
}
+ case IS_OPERATION_AUTHORIZED: {
+ CHECK_INTERFACE(IKeystoreService, data, reply);
+ sp<IBinder> token = data.readStrongBinder();
+ bool result = isOperationAuthorized(token);
+ reply->writeNoException();
+ reply->writeInt32(result ? 1 : 0);
+
+ return NO_ERROR;
+ }
+ case ADD_AUTH_TOKEN: {
+ CHECK_INTERFACE(IKeystoreService, data, reply);
+ sp<IBinder> token = data.readStrongBinder();
+ const uint8_t* token_bytes = NULL;
+ size_t size = 0;
+ readByteArray(data, &token_bytes, &size);
+ int32_t result = addAuthToken(token_bytes, size);
+ reply->writeNoException();
+ reply->writeInt32(result);
+
+ return NO_ERROR;
+ }
default:
return BBinder::onTransact(code, data, reply, flags);
}
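Review bot: The ADD_AUTH_TOKEN case starts with `sp<IBinder> token = data.readStrongBinder();`, but the proxy's addAuthToken() writes only the interface token and the byte array. The service therefore consumes parcel data that was never written as a binder, and `readByteArray` then starts at the wrong offset. The `token` local is unused, so dropping that line makes the two sides of the wire format agree. Neither new case shows a check on the caller's identity; if that is meant to live in the implementation, a comment such as `// caller permission is enforced in addAuthToken()` would record it, since accepting auth tokens from arbitrary callers would presumably not be intended once the stub is filled in. The enclosing onTransact() switch starts outside the hunk.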
diff --git a/keystore/include/keystore/IKeystoreService.h b/keystore/include/keystore/IKeystoreService.h
index f671077..7d64086 100644
--- a/keystore/include/keystore/IKeystoreService.h
+++ b/keystore/include/keystore/IKeystoreService.h
@@ -132,6 +132,8 @@
UPDATE = IBinder::FIRST_CALL_TRANSACTION + 32,
FINISH = IBinder::FIRST_CALL_TRANSACTION + 33,
ABORT = IBinder::FIRST_CALL_TRANSACTION + 34,
+ IS_OPERATION_AUTHORIZED = IBinder::FIRST_CALL_TRANSACTION + 35,
+ ADD_AUTH_TOKEN = IBinder::FIRST_CALL_TRANSACTION + 36,
};
DECLARE_META_INTERFACE(KeystoreService);
@@ -225,6 +227,10 @@
virtual int32_t abort(const sp<IBinder>& handle) = 0;
+ virtual bool isOperationAuthorized(const sp<IBinder>& handle) = 0;
+
+ virtual int32_t addAuthToken(const uint8_t* token, size_t length) = 0;
+
};
// ----------------------------------------------------------------------------
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index 46bc174..fc7aa5d 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -2793,6 +2793,20 @@
return ::NO_ERROR;
}
+ bool isOperationAuthorized(const sp<IBinder>& token) {
+ const keymaster1_device_t* dev;
+ keymaster_operation_handle_t handle;
+ if(!mOperationMap.getOperation(token, &handle, &dev)) {
+ return false;
+ }
+ // TODO: Check authorization.
+ return true;
+ }
+
+ int32_t addAuthToken(const uint8_t* /*token*/, size_t /*length*/) {
+ return KM_ERROR_UNIMPLEMENTED;
+ }
+
private:
inline bool isKeystoreUnlocked(State state) {
switch (state) {
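Review bot: isOperationAuthorized() returns `true` for every token that mOperationMap recognises, with only `// TODO: Check authorization.` between the lookup and the return. Any caller that relies on the answer is told an operation is authorized before any check exists. For a stub of an authorization query, failing closed is the safer default: `return false;` until the check is implemented. If returning true is required to keep existing flows working, the comment should say so explicitly, e.g. `// TODO: returns true for any known operation until auth checks land`. `dev` and `handle` are filled in by getOperation() but never used afterwards. The enclosing class begins outside the hunk.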