Merge "Fixed auth_token_table tests"
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 7bc1c20..68a81e6 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -204,13 +204,15 @@
     name: "libkeystore_test",
     defaults: ["keystore_defaults"],
 
-    srcs: ["auth_token_table.cpp"],
+    srcs: [
+        "auth_token_table.cpp",
+        "authorization_set.cpp",
+    ],
     static_libs: ["libgtest_main"],
     shared_libs: [
         "android.hardware.keymaster@3.0",
         "libhidlbase",
         "libhwbinder",
-        "libkeymaster_messages",
         "libutils",
     ],
     export_shared_lib_headers: [
diff --git a/keystore/auth_token_table.cpp b/keystore/auth_token_table.cpp
index 46b644d..e54febe 100644
--- a/keystore/auth_token_table.cpp
+++ b/keystore/auth_token_table.cpp
@@ -77,12 +77,12 @@
     return time.tv_sec;
 }
 
-void AuthTokenTable::AddAuthenticationToken(const HardwareAuthToken* auth_token) {
-    Entry new_entry(auth_token, clock_function_());
+void AuthTokenTable::AddAuthenticationToken(std::unique_ptr<const HardwareAuthToken>&& auth_token) {
+    Entry new_entry(std::move(auth_token), clock_function_());
     //STOPSHIP: debug only, to be removed
     ALOGD("AddAuthenticationToken: timestamp = %llu (%llu), time_received = %lld",
         static_cast<unsigned long long>(new_entry.timestamp_host_order()),
-        static_cast<unsigned long long>(auth_token->timestamp),
+        static_cast<unsigned long long>(new_entry.token().timestamp),
         static_cast<long long>(new_entry.time_received()));
 
     RemoveEntriesSupersededBy(new_entry);
@@ -137,13 +137,13 @@
     if (op_handle == 0) return OP_HANDLE_REQUIRED;
 
     auto matching_op = find_if(
-        entries_, [&](Entry& e) { return e.token()->challenge == op_handle && !e.completed(); });
+        entries_, [&](Entry& e) { return e.token().challenge == op_handle && !e.completed(); });
 
     if (matching_op == entries_.end()) return AUTH_TOKEN_NOT_FOUND;
 
     if (!matching_op->SatisfiesAuth(sids, auth_type)) return AUTH_TOKEN_WRONG_SID;
 
-    *found = matching_op->token();
+    *found = &matching_op->token();
     return OK;
 }
 
@@ -172,7 +172,7 @@
     }
 
     newest_match->UpdateLastUse(now);
-    *found = newest_match->token();
+    *found = &newest_match->token();
     return OK;
 }
 
@@ -202,7 +202,7 @@
 }
 
 void AuthTokenTable::MarkCompleted(const uint64_t op_handle) {
-    auto found = find_if(entries_, [&](Entry& e) { return e.token()->challenge == op_handle; });
+    auto found = find_if(entries_, [&](Entry& e) { return e.token().challenge == op_handle; });
     if (found == entries_.end()) return;
 
     assert(!IsSupersededBySomeEntry(*found));
@@ -211,8 +211,8 @@
     if (IsSupersededBySomeEntry(*found)) entries_.erase(found);
 }
 
-AuthTokenTable::Entry::Entry(const HardwareAuthToken* token, time_t current_time)
-    : token_(token), time_received_(current_time), last_use_(current_time),
+AuthTokenTable::Entry::Entry(std::unique_ptr<const HardwareAuthToken>&& token, time_t current_time)
+    : token_(std::move(token)), time_received_(current_time), last_use_(current_time),
       operation_completed_(token_->challenge == 0) {}
 
 uint64_t AuthTokenTable::Entry::timestamp_host_order() const {
diff --git a/keystore/auth_token_table.h b/keystore/auth_token_table.h
index 0056b26..3e3ff6e 100644
--- a/keystore/auth_token_table.h
+++ b/keystore/auth_token_table.h
@@ -17,7 +17,6 @@
 #include <memory>
 #include <vector>
 
-#include <hardware/hw_auth_token.h>
 #include <keystore/authorization_set.h>
 
 #ifndef KEYSTORE_AUTH_TOKEN_TABLE_H_
@@ -61,7 +60,7 @@
     /**
      * Add an authorization token to the table.  The table takes ownership of the argument.
      */
-    void AddAuthenticationToken(const HardwareAuthToken* token);
+    void AddAuthenticationToken(std::unique_ptr<const HardwareAuthToken>&& auth_token);
 
     /**
      * Find an authorization token that authorizes the operation specified by \p operation_handle on
@@ -97,7 +96,7 @@
 
     class Entry {
       public:
-        Entry(const HardwareAuthToken* token, time_t current_time);
+        Entry(std::unique_ptr<const HardwareAuthToken>&& token, time_t current_time);
         Entry(Entry&& entry) { *this = std::move(entry); }
 
         void operator=(Entry&& rhs) {
@@ -127,7 +126,7 @@
 
         void mark_completed() { operation_completed_ = true; }
 
-        const HardwareAuthToken* token() { return token_.get(); }
+        const HardwareAuthToken& token() { return *token_.get(); }
         time_t time_received() const { return time_received_; }
         bool completed() const { return operation_completed_; }
         uint64_t timestamp_host_order() const;
diff --git a/keystore/include/keystore/keymaster_tags.h b/keystore/include/keystore/keymaster_tags.h
index 05a33cd..1b3e71b 100644
--- a/keystore/include/keystore/keymaster_tags.h
+++ b/keystore/include/keystore/keymaster_tags.h
@@ -60,7 +60,6 @@
  */
 
 #include <android/hardware/keymaster/3.0/IHwKeymasterDevice.h>
-#include <hardware/hw_auth_token.h>
 #include <type_traits>
 
 namespace keystore {
diff --git a/keystore/include/keystore/keystore_hidl_support.h b/keystore/include/keystore/keystore_hidl_support.h
index 3c64d2a..2a4d1eb 100644
--- a/keystore/include/keystore/keystore_hidl_support.h
+++ b/keystore/include/keystore/keystore_hidl_support.h
@@ -19,6 +19,7 @@
 #define KEYSTORE_KEYSTORE_HIDL_SUPPORT_H_
 
 #include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
+#include <hardware/hw_auth_token.h>
 #include <hidl/Status.h>
 #include <keystore/keymaster_tags.h>
 #include <ostream>
@@ -121,6 +122,38 @@
     return result;
 }
 
+template <typename T, typename InIter>
+inline static InIter copy_bytes_from_iterator(T* value, InIter src) {
+    uint8_t* value_ptr = reinterpret_cast<uint8_t*>(value);
+    std::copy(src, src + sizeof(value), value_ptr);
+    return src + sizeof(value);
+}
+
+inline static HardwareAuthToken hidlVec2AuthToken(const hidl_vec<uint8_t>& buffer) {
+    HardwareAuthToken token;
+    static_assert(
+        std::is_same<decltype(token.hmac), ::android::hardware::hidl_array<uint8_t, 32>>::value,
+        "This function assumes token HMAC is 32 bytes, but it might not be.");
+    static_assert(1 /* version size */ + sizeof(token.challenge) + sizeof(token.userId) +
+                          sizeof(token.authenticatorId) + sizeof(token.authenticatorType) +
+                          sizeof(token.timestamp) + 32 /* HMAC size */
+                      == sizeof(hw_auth_token_t),
+                  "HardwareAuthToken content size does not match hw_auth_token_t size");
+
+    if (buffer.size() != sizeof(hw_auth_token_t)) return {};
+
+    auto pos = buffer.begin();
+    ++pos; // skip first byte
+    pos = copy_bytes_from_iterator(&token.challenge, pos);
+    pos = copy_bytes_from_iterator(&token.userId, pos);
+    pos = copy_bytes_from_iterator(&token.authenticatorId, pos);
+    pos = copy_bytes_from_iterator(&token.authenticatorType, pos);
+    pos = copy_bytes_from_iterator(&token.timestamp, pos);
+    pos = std::copy(pos, pos + token.hmac.size(), &token.hmac[0]);
+
+    return token;
+}
+
 inline std::string hidlVec2String(const hidl_vec<uint8_t>& value) {
     return std::string(reinterpret_cast<const std::string::value_type*>(&value[0]), value.size());
 }
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 59485dc..c2879c8 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -40,6 +40,8 @@
 #include "keystore_utils.h"
 #include <keystore/keystore_hidl_support.h>
 
+#include <hardware/hw_auth_token.h>
+
 namespace keystore {
 
 using namespace android;
@@ -1539,8 +1541,7 @@
         "This function assumes token HMAC is 32 bytes, but it might not be.");
     std::copy(authToken.hmac, authToken.hmac + sizeof(authToken.hmac), hidlAuthToken->hmac.data());
 
-    // The table takes ownership of authToken.
-    mAuthTokenTable.AddAuthenticationToken(hidlAuthToken.release());
+    mAuthTokenTable.AddAuthenticationToken(std::move(hidlAuthToken));
     *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
     return Status::ok();
 }
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index 4cee57d..c27ec6b 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -29,6 +29,8 @@
 #include <hardware/hw_auth_token.h>
 #include <list>
 
+#include <keystore/keystore_hidl_support.h>
+
 namespace keystore {
 
 class AccessTimeMap {
@@ -482,12 +484,11 @@
               sizeof(hw_auth_token_t), auth_token_blob.value().size());
         return false;
     }
-
-    hw_auth_token_t auth_token;
-    memcpy(&auth_token, &auth_token_blob.value()[0], sizeof(hw_auth_token_t));
-    if (auth_token.version != HW_AUTH_TOKEN_VERSION) {
+    uint8_t auth_token_version = auth_token_blob.value()[0];
+    HardwareAuthToken auth_token = hidlVec2AuthToken(auth_token_blob.value());
+    if (auth_token_version != HW_AUTH_TOKEN_VERSION) {
         ALOGE("Bug: Auth token is the version %hhu (or is not an auth token). Expected %d",
-              auth_token.version, HW_AUTH_TOKEN_VERSION);
+              auth_token_version, HW_AUTH_TOKEN_VERSION);
         return false;
     }
 
@@ -502,9 +503,9 @@
         return false;
     }
 
-    if (user_secure_id != auth_token.user_id && user_secure_id != auth_token.authenticator_id) {
+    if (user_secure_id != auth_token.userId && user_secure_id != auth_token.authenticatorId) {
         ALOGI("Auth token SIDs %" PRIu64 " and %" PRIu64 " do not match key SID %" PRIu64,
-              auth_token.user_id, auth_token.authenticator_id, user_secure_id);
+              auth_token.userId, auth_token.authenticatorId, user_secure_id);
         return false;
     }
 
@@ -513,11 +514,11 @@
         return false;
     }
 
-    assert(auth_set[auth_type_index].tag == KM_TAG_USER_AUTH_TYPE);
+    assert(auth_set[auth_type_index].tag == TAG_USER_AUTH_TYPE);
     auto key_auth_type_mask = authorizationValue(TAG_USER_AUTH_TYPE, auth_set[auth_type_index]);
     if (!key_auth_type_mask.isOk()) return false;
 
-    uint32_t token_auth_type = ntoh(auth_token.authenticator_type);
+    uint32_t token_auth_type = ntoh(auth_token.authenticatorType);
     if ((uint32_t(key_auth_type_mask.value()) & token_auth_type) == 0) {
         ALOGE("Key requires match of auth type mask 0%uo, but token contained 0%uo",
               key_auth_type_mask.value(), token_auth_type);
@@ -525,7 +526,7 @@
     }
 
     if (auth_timeout_index != -1 && is_begin_operation) {
-        assert(auth_set[auth_timeout_index].tag == KM_TAG_AUTH_TIMEOUT);
+        assert(auth_set[auth_timeout_index].tag == TAG_AUTH_TIMEOUT);
         auto auth_token_timeout =
             authorizationValue(TAG_AUTH_TIMEOUT, auth_set[auth_timeout_index]);
         if (!auth_token_timeout.isOk()) return false;
diff --git a/keystore/keymaster_enforcement.h b/keystore/keymaster_enforcement.h
index 4f22f01..28d546a 100644
--- a/keystore/keymaster_enforcement.h
+++ b/keystore/keymaster_enforcement.h
@@ -121,7 +121,7 @@
     /*
      * Returns true if the specified auth_token is older than the specified timeout.
      */
-    virtual bool auth_token_timed_out(const hw_auth_token_t& token, uint32_t timeout) const = 0;
+    virtual bool auth_token_timed_out(const HardwareAuthToken& token, uint32_t timeout) const = 0;
 
     /*
      * Get current time in seconds from some starting point.  This value is used to compute relative
@@ -138,7 +138,7 @@
      * Returns true if the specified auth_token has a valid signature, or if signature validation is
      * not available.
      */
-    virtual bool ValidateTokenSignature(const hw_auth_token_t& token) const = 0;
+    virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;
 
   private:
     ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h
index 0389201..3cdf649 100644
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@@ -73,13 +73,13 @@
         return now_date > expiration_date;
     }
 
-    bool auth_token_timed_out(const hw_auth_token_t&, uint32_t) const {
+    bool auth_token_timed_out(const HardwareAuthToken&, uint32_t) const {
         // Assume the token has not timed out, because AuthTokenTable would not have returned it if
         // the timeout were past.  Secure hardware will also check timeouts if it supports them.
         return false;
     }
 
-    bool ValidateTokenSignature(const hw_auth_token_t&) const override {
+    bool ValidateTokenSignature(const HardwareAuthToken&) const override {
         // Non-secure world cannot validate token signatures because it doesn't have access to the
         // signing key. Assume the token is good.
         return true;
diff --git a/keystore/tests/Android.bp b/keystore/tests/Android.bp
index cc89681..5718b73 100644
--- a/keystore/tests/Android.bp
+++ b/keystore/tests/Android.bp
@@ -1,6 +1,5 @@
 // Unit test for AuthTokenTable
-// TODO: enable after fixing b/68149839
-/*
+
 cc_test {
     cflags: [
         "-Wall",
@@ -17,4 +16,3 @@
     ],
     shared_libs: ["libkeymaster_messages"],
 }
-*/
diff --git a/keystore/tests/auth_token_table_test.cpp b/keystore/tests/auth_token_table_test.cpp
index 1b31cf5..5206ba2 100644
--- a/keystore/tests/auth_token_table_test.cpp
+++ b/keystore/tests/auth_token_table_test.cpp
@@ -16,21 +16,17 @@
 
 #include <gtest/gtest.h>
 
-#include <keymaster/android_keymaster_utils.h>
+#include <endian.h>
 #include <keymaster/logger.h>
 
 #include "../auth_token_table.h"
 
 using std::vector;
 
-inline bool operator==(const hw_auth_token_t& a, const hw_auth_token_t& b) {
-    return (memcmp(&a, &b, sizeof(a)) == 0);
-}
-
-namespace keymaster {
+namespace keystore {
 namespace test {
 
-class StdoutLogger : public Logger {
+class StdoutLogger : public keymaster::Logger {
   public:
     StdoutLogger() { set_instance(this); }
 
@@ -66,26 +62,27 @@
     AuthTokenTable table;
 }
 
-static hw_auth_token_t* make_token(uint64_t rsid, uint64_t ssid = 0, uint64_t challenge = 0,
-                                   uint64_t timestamp = 0) {
-    hw_auth_token_t* token = new hw_auth_token_t;
-    token->user_id = rsid;
-    token->authenticator_id = ssid;
-    token->authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
+static std::unique_ptr<const HardwareAuthToken> make_token(uint64_t rsid, uint64_t ssid = 0,
+                                                     uint64_t challenge = 0,
+                                                     uint64_t timestamp = 0) {
+    std::unique_ptr<HardwareAuthToken> token(new HardwareAuthToken);
+    token->userId = rsid;
+    token->authenticatorId = ssid;
+    token->authenticatorType = htonl(static_cast<uint32_t>(HardwareAuthenticatorType::PASSWORD));
     token->challenge = challenge;
-    token->timestamp = hton(timestamp);
+    token->timestamp = htonq(timestamp);
     return token;
 }
 
 static AuthorizationSet make_set(uint64_t rsid, uint32_t timeout = 10000) {
     AuthorizationSetBuilder builder;
     builder.Authorization(TAG_USER_ID, 10)
-        .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
+        .Authorization(TAG_USER_AUTH_TYPE, HardwareAuthenticatorType::PASSWORD)
         .Authorization(TAG_USER_SECURE_ID, rsid);
     // Use timeout == 0 to indicate tags that require auth per operation.
     if (timeout != 0)
         builder.Authorization(TAG_AUTH_TIMEOUT, timeout);
-    return builder.build();
+    return builder;
 }
 
 // Tests obviously run so fast that a real-time clock with a one-second granularity rarely changes
@@ -102,26 +99,26 @@
     table.AddAuthenticationToken(make_token(3, 4));
     EXPECT_EQ(2U, table.size());
 
-    const hw_auth_token_t* found;
+    const HardwareAuthToken* found;
 
-    ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(1U, found->user_id);
-    EXPECT_EQ(2U, found->authenticator_id);
+    ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(1U, found->userId);
+    EXPECT_EQ(2U, found->authenticatorId);
 
-    ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(1U, found->user_id);
-    EXPECT_EQ(2U, found->authenticator_id);
+    ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(1U, found->userId);
+    EXPECT_EQ(2U, found->authenticatorId);
 
-    ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(3U, found->user_id);
-    EXPECT_EQ(4U, found->authenticator_id);
+    ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(3U, found->userId);
+    EXPECT_EQ(4U, found->authenticatorId);
 
-    ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(4), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(3U, found->user_id);
-    EXPECT_EQ(4U, found->authenticator_id);
+    ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(4), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(3U, found->userId);
+    EXPECT_EQ(4U, found->authenticatorId);
 
     ASSERT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(5), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(5), KeyPurpose::SIGN, 0, &found));
 }
 
 TEST(AuthTokenTableTest, FlushTable) {
@@ -131,13 +128,13 @@
     table.AddAuthenticationToken(make_token(2));
     table.AddAuthenticationToken(make_token(3));
 
-    const hw_auth_token_t* found;
+    const HardwareAuthToken* found;
 
     // All three should be in the table.
     EXPECT_EQ(3U, table.size());
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
 
     table.Clear();
     EXPECT_EQ(0U, table.size());
@@ -150,36 +147,36 @@
     table.AddAuthenticationToken(make_token(2));
     table.AddAuthenticationToken(make_token(3));
 
-    const hw_auth_token_t* found;
+    const HardwareAuthToken* found;
 
     // All three should be in the table.
     EXPECT_EQ(3U, table.size());
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
 
     table.AddAuthenticationToken(make_token(4));
 
     // Oldest should be gone.
     EXPECT_EQ(3U, table.size());
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
 
     // Others should be there, including the new one (4).  Search for it first, then the others, so
     // 4 becomes the least recently used.
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(4), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(4), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
 
     table.AddAuthenticationToken(make_token(5));
 
     // 5 should have replaced 4.
     EXPECT_EQ(3U, table.size());
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(4), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(5), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(4), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(5), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
 
     table.AddAuthenticationToken(make_token(6));
     table.AddAuthenticationToken(make_token(7));
@@ -187,12 +184,12 @@
     // 2 and 5 should be gone
     EXPECT_EQ(3U, table.size());
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(5), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(6), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(7), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(5), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(6), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(7), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
 
     table.AddAuthenticationToken(make_token(8));
     table.AddAuthenticationToken(make_token(9));
@@ -201,75 +198,75 @@
     // Only the three most recent should be there.
     EXPECT_EQ(3U, table.size());
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(4), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(4), KeyPurpose::SIGN, 0, &found));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(5), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(5), KeyPurpose::SIGN, 0, &found));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(6), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(6), KeyPurpose::SIGN, 0, &found));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(7), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(8), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(9), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(7), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(8), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(9), KeyPurpose::SIGN, 0, &found));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(10), KM_PURPOSE_SIGN, 0, &found));
+              table.FindAuthorization(make_set(10), KeyPurpose::SIGN, 0, &found));
 }
 
 TEST(AuthTokenTableTest, AuthenticationNotRequired) {
     AuthTokenTable table;
-    const hw_auth_token_t* found;
+    const HardwareAuthToken* found;
 
     EXPECT_EQ(AuthTokenTable::AUTH_NOT_REQUIRED,
               table.FindAuthorization(
-                  AuthorizationSetBuilder().Authorization(TAG_NO_AUTH_REQUIRED).build(),
-                  KM_PURPOSE_SIGN, 0 /* no challenge */, &found));
+                  AuthorizationSetBuilder().Authorization(TAG_NO_AUTH_REQUIRED),
+                  KeyPurpose::SIGN, 0 /* no challenge */, &found));
 }
 
 TEST(AuthTokenTableTest, OperationHandleNotFound) {
     AuthTokenTable table;
-    const hw_auth_token_t* found;
+    const HardwareAuthToken* found;
 
     table.AddAuthenticationToken(make_token(1, 0, 1, 5));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       2 /* non-matching challenge */, &found));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       1 /* matching challenge */, &found));
     table.MarkCompleted(1);
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       1 /* used challenge */, &found));
 }
 
 TEST(AuthTokenTableTest, OperationHandleRequired) {
     AuthTokenTable table;
-    const hw_auth_token_t* found;
+    const HardwareAuthToken* found;
 
     table.AddAuthenticationToken(make_token(1));
     EXPECT_EQ(AuthTokenTable::OP_HANDLE_REQUIRED,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       0 /* no op handle */, &found));
 }
 
 TEST(AuthTokenTableTest, AuthSidChanged) {
     AuthTokenTable table;
-    const hw_auth_token_t* found;
+    const HardwareAuthToken* found;
 
     table.AddAuthenticationToken(make_token(1, 3, /* op handle */ 1));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_WRONG_SID,
-              table.FindAuthorization(make_set(2, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(2, 0 /* no timeout */), KeyPurpose::SIGN,
                                       1 /* op handle */, &found));
 }
 
 TEST(AuthTokenTableTest, TokenExpired) {
     AuthTokenTable table(5, monotonic_clock);
-    const hw_auth_token_t* found;
+    const HardwareAuthToken* found;
 
     auto key_info = make_set(1, 5 /* five second timeout */);
 
@@ -281,17 +278,17 @@
     // keymaster when the found token is passed to it.
     table.AddAuthenticationToken(make_token(1, 0));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+              table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+              table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+              table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+              table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+              table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_EXPIRED,
-              table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+              table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
 }
 
 TEST(AuthTokenTableTest, MarkNonexistentEntryCompleted) {
@@ -302,15 +299,15 @@
 
 TEST(AuthTokenTableTest, SupersededEntries) {
     AuthTokenTable table;
-    const hw_auth_token_t* found;
+    const HardwareAuthToken* found;
 
     // Add two identical tokens, without challenges.  The second should supersede the first, based
     // on timestamp (fourth arg to make_token).
     table.AddAuthenticationToken(make_token(1, 0, 0, 0));
     table.AddAuthenticationToken(make_token(1, 0, 0, 1));
     EXPECT_EQ(1U, table.size());
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(1U, ntoh(found->timestamp));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(1U, ntohq(found->timestamp));
 
     // Add a third token, this with a different RSID.  It should not be superseded.
     table.AddAuthenticationToken(make_token(2, 0, 0, 2));
@@ -320,10 +317,10 @@
     table.AddAuthenticationToken(make_token(1, 0, 0, 3));
     table.AddAuthenticationToken(make_token(2, 0, 0, 4));
     EXPECT_EQ(2U, table.size());
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(3U, ntoh(found->timestamp));
-    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
-    EXPECT_EQ(4U, ntoh(found->timestamp));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(3U, ntohq(found->timestamp));
+    EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+    EXPECT_EQ(4U, ntohq(found->timestamp));
 
     // Add another, this one with a challenge value.  It should supersede the old one since it is
     // newer, and matches other than the challenge.
@@ -338,13 +335,13 @@
     // Should be able to find each of them, by specifying their challenge, with a key that is not
     // timed (timed keys don't care about challenges).
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1, 0 /* no timeout*/), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout*/), KeyPurpose::SIGN,
                                       1 /* challenge */, &found));
-    EXPECT_EQ(5U, ntoh(found->timestamp));
+    EXPECT_EQ(5U, ntohq(found->timestamp));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       2 /* challenge */, &found));
-    EXPECT_EQ(6U, ntoh(found->timestamp));
+    EXPECT_EQ(6U, ntohq(found->timestamp));
 
     // Add another, without a challenge, and the same timestamp as the last one.  This new one
     // actually could be considered already-superseded, but the table doesn't handle that case,
@@ -352,31 +349,31 @@
     table.AddAuthenticationToken(make_token(1, 0, 0, 6));
     EXPECT_EQ(4U, table.size());
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
-    EXPECT_EQ(6U, ntoh(found->timestamp));
+              table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+    EXPECT_EQ(6U, ntohq(found->timestamp));
 
     // Add another without a challenge but an increased timestamp. This should supersede the
     // previous challenge-free entry.
     table.AddAuthenticationToken(make_token(1, 0, 0, 7));
     EXPECT_EQ(4U, table.size());
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       2 /* challenge */, &found));
-    EXPECT_EQ(6U, ntoh(found->timestamp));
+    EXPECT_EQ(6U, ntohq(found->timestamp));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
-    EXPECT_EQ(7U, ntoh(found->timestamp));
+              table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+    EXPECT_EQ(7U, ntohq(found->timestamp));
 
     // Mark the entry with challenge 2 as complete.  Since there's a newer challenge-free entry, the
     // challenge entry will be superseded.
     table.MarkCompleted(2);
     EXPECT_EQ(3U, table.size());
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       2 /* challenge */, &found));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
-    EXPECT_EQ(7U, ntoh(found->timestamp));
+              table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+    EXPECT_EQ(7U, ntohq(found->timestamp));
 
     // Add another SID 1 entry with a challenge.  It supersedes the previous SID 1 entry with
     // no challenge (timestamp 7), but not the one with challenge 1 (timestamp 5).
@@ -384,19 +381,19 @@
     EXPECT_EQ(3U, table.size());
 
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       1 /* challenge */, &found));
-    EXPECT_EQ(5U, ntoh(found->timestamp));
+    EXPECT_EQ(5U, ntohq(found->timestamp));
 
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       3 /* challenge */, &found));
-    EXPECT_EQ(8U, ntoh(found->timestamp));
+    EXPECT_EQ(8U, ntohq(found->timestamp));
 
     // SID 2 entry is still there.
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
-    EXPECT_EQ(4U, ntoh(found->timestamp));
+              table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0 /* challenge */, &found));
+    EXPECT_EQ(4U, ntohq(found->timestamp));
 
     // Mark the entry with challenge 3 as complete.  Since the older challenge 1 entry is
     // incomplete, nothing is superseded.
@@ -404,24 +401,24 @@
     EXPECT_EQ(3U, table.size());
 
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       1 /* challenge */, &found));
-    EXPECT_EQ(5U, ntoh(found->timestamp));
+    EXPECT_EQ(5U, ntohq(found->timestamp));
 
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
-    EXPECT_EQ(8U, ntoh(found->timestamp));
+              table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+    EXPECT_EQ(8U, ntohq(found->timestamp));
 
     // Mark the entry with challenge 1 as complete.  Since there's a newer one (with challenge 3,
     // completed), the challenge 1 entry is superseded and removed.
     table.MarkCompleted(1);
     EXPECT_EQ(2U, table.size());
     EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
-              table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+              table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
                                       1 /* challenge */, &found));
     EXPECT_EQ(AuthTokenTable::OK,
-              table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
-    EXPECT_EQ(8U, ntoh(found->timestamp));
+              table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+    EXPECT_EQ(8U, ntohq(found->timestamp));
 }
 
 }  // namespace keymaster