Merge "Don't clear kesytore after 5 auth failures."
diff --git a/keystore-engine/keystore_backend_binder.cpp b/keystore-engine/keystore_backend_binder.cpp
index 9a7c63e..8b5a584 100644
--- a/keystore-engine/keystore_backend_binder.cpp
+++ b/keystore-engine/keystore_backend_binder.cpp
@@ -211,9 +211,9 @@
promise = new OperationResultPromise();
future = promise->get_future();
- binder_result = service->finish(promise, handle, KeymasterArguments(params),
- std::vector<uint8_t>() /* signature */,
- std::vector<uint8_t>() /* entropy */, &error_code);
+ binder_result = service->finish(
+ promise, handle, KeymasterArguments(params), std::vector<uint8_t>() /* input */,
+ std::vector<uint8_t>() /* signature */, std::vector<uint8_t>() /* entropy */, &error_code);
if (!binder_result.isOk()) {
LOG(ERROR) << AT << "communication error while calling keystore";
diff --git a/keystore/binder/android/security/keystore/IKeystoreService.aidl b/keystore/binder/android/security/keystore/IKeystoreService.aidl
index f92c796..f230043 100644
--- a/keystore/binder/android/security/keystore/IKeystoreService.aidl
+++ b/keystore/binder/android/security/keystore/IKeystoreService.aidl
@@ -41,8 +41,6 @@
int exist(String name, int uid);
@UnsupportedAppUsage
String[] list(String namePrefix, int uid);
- @UnsupportedAppUsage
- int reset();
int onUserPasswordChanged(int userId, String newPassword);
int lock(int userId);
int unlock(int userId, String userPassword);
@@ -68,7 +66,7 @@
int begin(in IKeystoreOperationResultCallback cb, IBinder appToken, String alias, int purpose, boolean pruneable,
in KeymasterArguments params, in byte[] entropy, int uid);
int update(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] input);
- int finish(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] signature,
+ int finish(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] input, in byte[] signature,
in byte[] entropy);
int abort(in IKeystoreResponseCallback cb, IBinder token);
int addAuthToken(in byte[] authToken);
diff --git a/keystore/include/keystore/keystore_client.h b/keystore/include/keystore/keystore_client.h
index d8e63c4..cb27268 100644
--- a/keystore/include/keystore/keystore_client.h
+++ b/keystore/include/keystore/keystore_client.h
@@ -160,7 +160,7 @@
// keymaster_error_t on failure.
virtual KeyStoreNativeReturnCode
finishOperation(uint64_t handle, const keystore::AuthorizationSet& input_parameters,
- const std::string& signature_to_verify,
+ const std::string& input_data, const std::string& signature_to_verify,
keystore::AuthorizationSet* output_parameters, std::string* output_data) = 0;
// Aborts the operation associated with |handle|. Returns KM_ERROR_OK on
diff --git a/keystore/include/keystore/keystore_client_impl.h b/keystore/include/keystore/keystore_client_impl.h
index 6726fe5..ed8ac44 100644
--- a/keystore/include/keystore/keystore_client_impl.h
+++ b/keystore/include/keystore/keystore_client_impl.h
@@ -76,6 +76,7 @@
std::string* output_data) override;
KeyStoreNativeReturnCode finishOperation(uint64_t handle,
const keystore::AuthorizationSet& input_parameters,
+ const std::string& input_data,
const std::string& signature_to_verify,
keystore::AuthorizationSet* output_parameters,
std::string* output_data) override;
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 7028e72..5adc199 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -339,18 +339,6 @@
return Status::ok();
}
-Status KeyStoreService::reset(int32_t* aidl_return) {
- if (!checkBinderPermission(P_RESET)) {
- *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
- return Status::ok();
- }
-
- uid_t callingUid = IPCThreadState::self()->getCallingUid();
- mKeyStore->resetUser(get_user_id(callingUid), false);
- *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
- return Status::ok();
-}
-
Status KeyStoreService::onUserPasswordChanged(int32_t userId, const String16& password,
int32_t* aidl_return) {
if (!checkBinderPermission(P_PASSWORD)) {
@@ -892,6 +880,7 @@
Status KeyStoreService::finish(const ::android::sp<IKeystoreOperationResultCallback>& cb,
const ::android::sp<::android::IBinder>& token,
const ::android::security::keymaster::KeymasterArguments& params,
+ const ::std::vector<uint8_t>& input,
const ::std::vector<uint8_t>& signature,
const ::std::vector<uint8_t>& entropy, int32_t* _aidl_return) {
if (!checkAllowedOperationParams(params.getParameters())) {
@@ -903,7 +892,7 @@
return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
}
- dev->finish(token, params.getParameters(), {}, signature, entropy,
+ dev->finish(token, params.getParameters(), input, signature, entropy,
[this, cb, token](OperationResult result_) {
mKeyStore->removeOperationDevice(token);
cb->onFinished(result_);
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 0d7c170..a395e6c 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -66,7 +66,6 @@
::android::binder::Status listUidsOfAuthBoundKeys(std::vector<::std::string>* uids,
int32_t* _aidl_return) override;
- ::android::binder::Status reset(int32_t* _aidl_return) override;
::android::binder::Status onUserPasswordChanged(int32_t userId,
const ::android::String16& newPassword,
int32_t* _aidl_return) override;
@@ -126,8 +125,8 @@
finish(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb,
const ::android::sp<::android::IBinder>& token,
const ::android::security::keymaster::KeymasterArguments& params,
- const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy,
- int32_t* _aidl_return) override;
+ const ::std::vector<uint8_t>& input, const ::std::vector<uint8_t>& signature,
+ const ::std::vector<uint8_t>& entropy, int32_t* _aidl_return) override;
::android::binder::Status
abort(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb,
const ::android::sp<::android::IBinder>& token, int32_t* _aidl_return) override;
diff --git a/keystore/keystore_cli.cpp b/keystore/keystore_cli.cpp
index 2705a19..428a9bc 100644
--- a/keystore/keystore_cli.cpp
+++ b/keystore/keystore_cli.cpp
@@ -47,21 +47,6 @@
/* [WRONG_PASSWORD + 3] = */ "Wrong password (4 tries left)",
};
-#define NO_ARG_INT_RETURN(cmd) \
- do { \
- if (strcmp(argv[1], #cmd) == 0) { \
- int32_t ret = -1; \
- service->cmd(&ret); \
- if (ret < 0) { \
- fprintf(stderr, "%s: could not connect: %d\n", argv[0], ret); \
- return 1; \
- } else { \
- printf(#cmd ": %s (%d)\n", responses[ret], ret); \
- return 0; \
- } \
- } \
- } while (0)
-
#define SINGLE_ARG_INT_RETURN(cmd) \
do { \
if (strcmp(argv[1], #cmd) == 0) { \
@@ -242,8 +227,6 @@
argc < 4 ? -1 : atoi(argv[3]));
}
- NO_ARG_INT_RETURN(reset);
-
// TODO: notifyUserPasswordChanged
SINGLE_INT_ARG_INT_RETURN(lock);
diff --git a/keystore/keystore_cli_v2.cpp b/keystore/keystore_cli_v2.cpp
index b46b221..4f69eb0 100644
--- a/keystore/keystore_cli_v2.cpp
+++ b/keystore/keystore_cli_v2.cpp
@@ -416,16 +416,10 @@
return result.getErrorCode();
}
AuthorizationSet empty_params;
- size_t num_input_bytes_consumed;
std::string output_data;
- result = keystore->updateOperation(handle, empty_params, "data_to_sign",
- &num_input_bytes_consumed, &output_params, &output_data);
- if (!result.isOk()) {
- printf("Sign: UpdateOperation failed: %d\n", result.getErrorCode());
- return result.getErrorCode();
- }
- result = keystore->finishOperation(handle, empty_params, std::string() /*signature_to_verify*/,
- &output_params, &output_data);
+ result = keystore->finishOperation(handle, empty_params, "data_to_sign",
+ std::string() /*signature_to_verify*/, &output_params,
+ &output_data);
if (!result.isOk()) {
printf("Sign: FinishOperation failed: %d\n", result.getErrorCode());
return result.getErrorCode();
@@ -436,18 +430,8 @@
output_data.clear();
result =
keystore->beginOperation(KeyPurpose::VERIFY, name, sign_params, &output_params, &handle);
- if (!result.isOk()) {
- printf("Verify: BeginOperation failed: %d\n", result.getErrorCode());
- return result.getErrorCode();
- }
- result = keystore->updateOperation(handle, empty_params, "data_to_sign",
- &num_input_bytes_consumed, &output_params, &output_data);
- if (!result.isOk()) {
- printf("Verify: UpdateOperation failed: %d\n", result.getErrorCode());
- return result.getErrorCode();
- }
- result = keystore->finishOperation(handle, empty_params, signature_to_verify, &output_params,
- &output_data);
+ result = keystore->finishOperation(handle, empty_params, "data_to_sign", signature_to_verify,
+ &output_params, &output_data);
if (result == ErrorCode::VERIFICATION_FAILED) {
printf("Verify: Failed to verify signature.\n");
return result.getErrorCode();
diff --git a/keystore/keystore_client_impl.cpp b/keystore/keystore_client_impl.cpp
index 3fca4c9..f888683 100644
--- a/keystore/keystore_client_impl.cpp
+++ b/keystore/keystore_client_impl.cpp
@@ -166,16 +166,9 @@
return false;
}
AuthorizationSet empty_params;
- size_t num_input_bytes_consumed;
AuthorizationSet ignored_params;
- result = updateOperation(handle, empty_params, input_data, &num_input_bytes_consumed,
- &ignored_params, output_data);
- if (!result.isOk()) {
- ALOGE("UpdateOperation failed: %d", result.getErrorCode());
- return false;
- }
- result =
- finishOperation(handle, empty_params, signature_to_verify, &ignored_params, output_data);
+ result = finishOperation(handle, empty_params, input_data, signature_to_verify, &ignored_params,
+ output_data);
if (!result.isOk()) {
ALOGE("FinishOperation failed: %d", result.getErrorCode());
return false;
@@ -384,6 +377,7 @@
KeyStoreNativeReturnCode
KeystoreClientImpl::finishOperation(uint64_t handle, const AuthorizationSet& input_parameters,
+ const std::string& input_data,
const std::string& signature_to_verify,
AuthorizationSet* output_parameters, std::string* output_data) {
if (active_operations_.count(handle) == 0) {
@@ -391,12 +385,14 @@
}
int32_t error_code;
auto hidlSignature = blob2hidlVec(signature_to_verify);
+ auto hidlInput = blob2hidlVec(input_data);
android::sp<OperationResultPromise> promise(new OperationResultPromise{});
auto future = promise->get_future();
auto binder_result = keystore_->finish(
promise, active_operations_[handle],
android::security::keymaster::KeymasterArguments(input_parameters.hidl_data()),
- (std::vector<uint8_t>)hidlSignature, hidl_vec<uint8_t>(), &error_code);
+ (std::vector<uint8_t>)hidlInput, (std::vector<uint8_t>)hidlSignature, hidl_vec<uint8_t>(),
+ &error_code);
if (!binder_result.isOk()) return ResponseCode::SYSTEM_ERROR;
KeyStoreNativeReturnCode rc(error_code);
if (!rc.isOk()) return rc;