Fix logic for token searching on authorize_create
We only need to check that a token with a given auth type exists if
a key has a timeout bound policy. In that case, we should match that
a given token may be found with the configured authorization type.
However, if a key's parameters indicate unlocked device is required,
then any token will do. We don't care about the auth type. If the key
parameters require per-operation authentication, then the type of
authentication will be checked later, after a fresh authentication.
Test: CtsVerifier - Unlocked Device Required
Test: CtsKeystoreTestCases
Bug: 206762528
Change-Id: Icdffc42084854b298e8798d99312e9f829aee753
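The selection rule described in the commit message, as an added stand-alone model (this is not keystore2's own code; the `KeyPolicy`, `AuthToken` and bit-flag constants below are assumptions chosen to mirror the three cases: timeout-bound keys match a token by SID and authenticator type, unlocked-device-required keys accept any cached token, and per-operation keys defer the check to the later fresh authentication):

```rust
// Added illustrative model of the auth-token selection rule; not keystore2 code.
// Authenticator types are modelled as bit flags (assumption): a key's required
// type may be a mask, and a token satisfies it if the masks overlap.
pub const AUTH_PASSWORD: u32 = 1 << 0;
pub const AUTH_FINGERPRINT: u32 = 1 << 1;
pub const AUTH_ANY: u32 = u32::MAX;

/// The subset of key parameters that decide how a token is matched (assumed names).
#[derive(Clone, Copy, Debug)]
pub struct KeyPolicy {
    pub timeout_bound: bool,          // key carries an auth timeout
    pub per_op_auth: bool,            // key needs a fresh auth per operation
    pub unlocked_device_required: bool,
    pub user_auth_type: Option<u32>,  // required authenticator type mask, if any
}

/// A cached hardware auth token (simplified, assumed layout).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct AuthToken {
    pub user_id: u64,
    pub auth_type: u32,
}

impl AuthToken {
    /// Mirrors `hat.satisfies(&user_secure_ids, auth_type)` in the hunk:
    /// the token must belong to one of the key's SIDs and its authenticator
    /// type must overlap the required mask.
    pub fn satisfies(&self, sids: &[u64], auth_type: u32) -> bool {
        sids.contains(&self.user_id) && (self.auth_type & auth_type) != 0
    }
}

/// Whether a candidate token is acceptable at authorize_create time.
/// Only timeout-bound keys with a configured auth type are matched on type;
/// otherwise any token is acceptable exactly when the key requires an
/// unlocked device. Per-operation keys return false here and are checked
/// again after a fresh authentication.
pub fn token_acceptable(policy: &KeyPolicy, sids: &[u64], tok: &AuthToken) -> bool {
    if let (Some(auth_type), true) = (policy.user_auth_type, policy.timeout_bound) {
        tok.satisfies(sids, auth_type)
    } else {
        policy.unlocked_device_required
    }
}

/// Pick the first acceptable token from the cache (stand-in for find_auth_token).
pub fn find_auth_token<'a>(
    policy: &KeyPolicy,
    sids: &[u64],
    tokens: &'a [AuthToken],
) -> Option<&'a AuthToken> {
    tokens.iter().find(|t| token_acceptable(policy, sids, t))
}

fn main() {
    // Constructed sample cache: a password token for user 42 and a
    // fingerprint token for user 7.
    let cache = [
        AuthToken { user_id: 42, auth_type: AUTH_PASSWORD },
        AuthToken { user_id: 7, auth_type: AUTH_FINGERPRINT },
    ];
    let timeout_key = KeyPolicy {
        timeout_bound: true,
        per_op_auth: false,
        unlocked_device_required: false,
        user_auth_type: Some(AUTH_FINGERPRINT),
    };
    println!("{:?}", find_auth_token(&timeout_key, &[42], &cache)); // None: wrong type
    println!("{:?}", find_auth_token(&timeout_key, &[7], &cache));  // Some(fingerprint token)
}
```

The `else` arm is the part the hunk changes: with `has_sids` in the condition, a key that had SIDs but no timeout fell into the type-matching branch, whereas the message wants that branch only for timeout-bound keys.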
diff --git a/keystore2/src/enforcements.rs b/keystore2/src/enforcements.rs
index 997e739..2407525 100644
--- a/keystore2/src/enforcements.rs
+++ b/keystore2/src/enforcements.rs
@@ -629,7 +629,7 @@
let hat_and_last_off_body = if need_auth_token {
let hat_and_last_off_body = Self::find_auth_token(|hat: &AuthTokenEntry| {
- if let (Some(auth_type), true) = (user_auth_type, has_sids) {
+ if let (Some(auth_type), true) = (user_auth_type, timeout_bound) {
hat.satisfies(&user_secure_ids, auth_type)
} else {
unlocked_device_required
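Review bot: after replacing `has_sids` with `timeout_bound` in the closure's condition, `has_sids` no longer appears in this hunk; if it has no other use in the function this will produce an unused-variable warning, so either drop the binding or keep it where it is still needed. Also, when `timeout_bound` is true but `user_auth_type` is `None`, the `if let` fails and control falls to `unlocked_device_required`, which silently rejects every token for a timeout-bound key without a configured authenticator type; the commit message does not say whether that combination is expected, so a one-line comment above the condition (or a test case covering it) would make the intent explicit.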