commit 83116e5784473bb30494899848912268f582b2f5
author Janis Danisevskis <jdanis@google.com> Tue Apr 06 13:36:58 2021 -0700
committer Janis Danisevskis <jdanis@google.com> Tue Apr 06 13:41:06 2021 -0700
tree 9e3ad34d6ecc8b579cd5b8cddfa500ba494dce53
parent e93d40cada3dc93b7fcc82d36cd7c3d7da2171fd

Keystore 2.0: Fix permission check for device attestation.

A permission check was missing guarding device unique attestation.

Test: N/A
Change-Id: I4c870f50fafacc8b1731c3fed6a846c72b035646

keystore2/src/security_level.rs

diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 20f7226..50d697e 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -372,7 +372,7 @@
         if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) {
             check_key_permission(KeyPerm::gen_unique_id(), key, &None).context(concat!(
                 "In add_certificate_parameters: ",
-                "Caller does not have the permission for device unique attestation."
+                "Caller does not have the permission to generate a unique ID"
             ))?;
         }
 

keystore2/src/utils.rs

diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index 7b58205..48e9bfb 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -91,7 +91,13 @@
 
 /// This function checks whether a given tag corresponds to the access of device identifiers.
 pub fn is_device_id_attestation_tag(tag: Tag) -> bool {
-    matches!(tag, Tag::ATTESTATION_ID_IMEI | Tag::ATTESTATION_ID_MEID | Tag::ATTESTATION_ID_SERIAL)
+    matches!(
+        tag,
+        Tag::ATTESTATION_ID_IMEI
+            | Tag::ATTESTATION_ID_MEID
+            | Tag::ATTESTATION_ID_SERIAL
+            | Tag::DEVICE_UNIQUE_ATTESTATION
+    )
 }
 
 /// This function checks whether the calling app has the Android permissions needed to attest device