Check that caller has correct permissions when attesting device IDs
+ ran rustfmt to satisfy upload hooks.
Bug: 181114803
Test: atest keystore2_test
Test: atest KeyAttestationTest
Test: Disable all userspace permission checks, generate key setting
AttestationUtils.ID_TYPE_SERIAL, ensure it fails with message "Caller
does not have the permission to attest device identifiers"
Change-Id: Ia458e2b3d850c6a48424de8baceec162cd83e60d
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 5e1ce84..bb2e1a2 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -37,7 +37,10 @@
use crate::key_parameter::KeyParameter as KsKeyParam;
use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
use crate::super_key::{KeyBlob, SuperKeyManager};
-use crate::utils::{check_key_permission, uid_to_android_user, Asp};
+use crate::utils::{
+ check_device_attestation_permissions, check_key_permission, is_device_id_attestation_tag,
+ uid_to_android_user, Asp,
+};
use crate::{
database::{
BlobMetaData, BlobMetaEntry, DateTime, KeyEntry, KeyEntryLoadBits, KeyMetaData,
@@ -355,6 +358,15 @@
))?;
}
+ // If the caller requests any device identifier attestation tag, check that they hold the
+ // correct Android permission.
+ if params.iter().any(|kp| is_device_id_attestation_tag(kp.tag)) {
+ check_device_attestation_permissions().context(concat!(
+ "In add_certificate_parameters: ",
+ "Caller does not have the permission to attest device identifiers."
+ ))?;
+ }
+
// If we are generating/importing an asymmetric key, we need to make sure
// that NOT_BEFORE and NOT_AFTER are present.
match params.iter().find(|kp| kp.tag == Tag::ALGORITHM) {