Implement addAuthToken method of IKeystoreAuthorization AIDL interface.
This CL adds only addAuthToken method. Remaining methods will be added
in the upcoming seperate CLs, so that each of them can land
independently.
Bug: 159475191
Test: TBD
Change-Id: I4a092119c45e8ea1eb7e3564a62c4689f32f4025
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index 354a6d6..bf91e4b 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -20,6 +20,7 @@
rustlibs: [
"android.hardware.security.keymint-rust",
"android.security.apc-rust",
+ "android.security.authorization-rust",
"android.security.compat-rust",
"android.system.keystore2-rust",
"libanyhow",
@@ -48,9 +49,9 @@
rustlibs: [
"android.hardware.security.keymint-rust",
"android.security.apc-rust",
+ "android.security.authorization-rust",
"android.security.compat-rust",
"android.system.keystore2-rust",
- "android.hardware.security.keymint-rust",
"libandroid_logger",
"libanyhow",
"libbinder_rs",
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index 0d05dfe..696f38e 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -28,8 +28,8 @@
}
aidl_interface {
- name: "android.security.authorizations",
- srcs: [ "android/security/authorizations/*.aidl" ],
+ name: "android.security.authorization",
+ srcs: [ "android/security/authorization/*.aidl" ],
imports: [ "android.hardware.security.keymint" ],
unstable: true,
backend: {
diff --git a/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
similarity index 96%
rename from keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl
rename to keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
index d3e80ee..48364f4 100644
--- a/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl
+++ b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
@@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-package android.security.authorizations;
+package android.security.authorization;
import android.hardware.security.keymint.HardwareAuthToken;
diff --git a/keystore2/src/authorization.rs b/keystore2/src/authorization.rs
new file mode 100644
index 0000000..08ae07c
--- /dev/null
+++ b/keystore2/src/authorization.rs
@@ -0,0 +1,68 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module implements IKeyAuthorization AIDL interface.
+
+use crate::error::map_or_log_err;
+use crate::globals::ENFORCEMENTS;
+use crate::permission::KeystorePerm;
+use crate::utils::check_keystore_permission;
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ HardwareAuthToken::HardwareAuthToken, HardwareAuthenticatorType::HardwareAuthenticatorType,
+ Timestamp::Timestamp,
+};
+use android_security_authorization::binder::{Interface, Result as BinderResult};
+use android_security_authorization:: aidl::android::security::authorization::IKeystoreAuthorization::{
+ BnKeystoreAuthorization, IKeystoreAuthorization,
+};
+use anyhow::{Context, Result};
+use binder::IBinder;
+
+/// This struct is defined to implement the aforementioned AIDL interface.
+/// As of now, it is an empty struct.
+pub struct AuthorizationManager;
+
+impl AuthorizationManager {
+ /// Create a new instance of Keystore Authorization service.
+ pub fn new_native_binder() -> Result<impl IKeystoreAuthorization> {
+ let result = BnKeystoreAuthorization::new_binder(Self);
+ result.as_binder().set_requesting_sid(true);
+ Ok(result)
+ }
+
+ fn add_auth_token(&self, auth_token: &HardwareAuthToken) -> Result<()> {
+ //check keystore permission
+ check_keystore_permission(KeystorePerm::add_auth()).context("In add_auth_token.")?;
+
+ //TODO: Keymint's HardwareAuthToken aidl needs to implement Copy/Clone
+ let auth_token_copy = HardwareAuthToken {
+ challenge: auth_token.challenge,
+ userId: auth_token.userId,
+ authenticatorId: auth_token.authenticatorId,
+ authenticatorType: HardwareAuthenticatorType(auth_token.authenticatorType.0),
+ timestamp: Timestamp { milliSeconds: auth_token.timestamp.milliSeconds },
+ mac: auth_token.mac.clone(),
+ };
+ ENFORCEMENTS.add_auth_token(auth_token_copy)?;
+ Ok(())
+ }
+}
+
+impl Interface for AuthorizationManager {}
+
+impl IKeystoreAuthorization for AuthorizationManager {
+ fn addAuthToken(&self, auth_token: &HardwareAuthToken) -> BinderResult<()> {
+ map_or_log_err(self.add_auth_token(auth_token), Ok)
+ }
+}
diff --git a/keystore2/src/keystore2_main.rs b/keystore2/src/keystore2_main.rs
index 8607eef..c75cfc8 100644
--- a/keystore2/src/keystore2_main.rs
+++ b/keystore2/src/keystore2_main.rs
@@ -16,6 +16,7 @@
use binder::Interface;
use keystore2::apc::ApcManager;
+use keystore2::authorization::AuthorizationManager;
use keystore2::background_task_handler::Message;
use keystore2::globals::{BACKGROUND_TASK_HANDLER, ENFORCEMENTS};
use keystore2::service::KeystoreService;
@@ -25,6 +26,7 @@
static KS2_SERVICE_NAME: &str = "android.system.keystore2";
static APC_SERVICE_NAME: &str = "android.security.apc";
+static AUTHORIZATION_SERVICE_NAME: &str = "android.security.authorization";
/// Keystore 2.0 takes one argument which is a path indicating its designated working directory.
fn main() {
@@ -78,6 +80,14 @@
panic!("Failed to register service {} because of {:?}.", APC_SERVICE_NAME, e);
});
+ let authorization_service = AuthorizationManager::new_native_binder().unwrap_or_else(|e| {
+ panic!("Failed to create service {} because of {:?}.", AUTHORIZATION_SERVICE_NAME, e);
+ });
+ binder::add_service(AUTHORIZATION_SERVICE_NAME, authorization_service.as_binder())
+ .unwrap_or_else(|e| {
+ panic!("Failed to register service {} because of {:?}.", AUTHORIZATION_SERVICE_NAME, e);
+ });
+
info!("Successfully registered Keystore 2.0 service.");
info!("Joining thread pool now.");
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index f73cd59..240998e 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -17,6 +17,7 @@
pub mod apc;
pub mod auth_token_handler;
+pub mod authorization;
pub mod background_task_handler;
pub mod database;
pub mod enforcements;