Fix logic for token searching on authorize_create

We only need to check that a token with a given auth type exists if
a key has a timeout bound policy. In that case, we should match that
a given token may be found with the configured authorization type.

However, if a key's parameters indicate unlocked device is required,
then any token will do. We don't care about the auth type. If the key
parameters require per-operation authentication, then the type of
authentication will be checked later, after a fresh authentication.

Test: CtsVerifier - Unloced Device Required
Test: CstKeystoreTestCases
Bug: 206762528
Change-Id: Icdffc42084854b298e8798d99312e9f829aee753
1 file changed