Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 653eca5956247f769fab463f89952fcc8df34bf5
commit653eca5956247f769fab463f89952fcc8df34bf5[log] [tgz]
authorSeth Moore <sethmo@google.com>Fri Nov 19 16:52:19 2021 -0800
committerSeth Moore <sethmo@google.com>Mon Nov 29 12:51:19 2021 -0800
treeab7b1606253a3750a6e00189fefab6620857a624
parent03ed04fcfbc914a541bc5db5e2be77dfe7513197 [diff]
Fix logic for token searching on authorize_create

We only need to check that a token with a given auth type exists if
a key has a timeout bound policy. In that case, we should match that
a given token may be found with the configured authorization type.

However, if a key's parameters indicate unlocked device is required,
then any token will do. We don't care about the auth type. If the key
parameters require per-operation authentication, then the type of
authentication will be checked later, after a fresh authentication.

Test: CtsVerifier - Unloced Device Required
Test: CstKeystoreTestCases
Bug: 206762528
Change-Id: Icdffc42084854b298e8798d99312e9f829aee753
1 file changed
tree: ab7b1606253a3750a6e00189fefab6620857a624
  1. fsverity/
  2. fsverity_init/
  3. identity/
  4. keystore/
  5. keystore-engine/
  6. keystore2/
  7. ondevice-signing/
  8. provisioner/
  9. rustfmt.toml ⇨ ../../build/soong/scripts/rustfmt.toml
  10. .clang-format
  11. .gitignore
  12. Android.bp
  13. METADATA
  14. MODULE_LICENSE_APACHE2
  15. NOTICE
  16. OWNERS
  17. PREUPLOAD.cfg