Keystore 2.0: Fix permission check for device attestation.
A permission check guarding device unique attestation was missing.
Test: N/A
Change-Id: I4c870f50fafacc8b1731c3fed6a846c72b035646
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 20f7226..50d697e 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -372,7 +372,7 @@
if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) {
check_key_permission(KeyPerm::gen_unique_id(), key, &None).context(concat!(
"In add_certificate_parameters: ",
- "Caller does not have the permission for device unique attestation."
+ "Caller does not have the permission to generate a unique ID"
))?;
}
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index 7b58205..48e9bfb 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -91,7 +91,13 @@
/// This function checks whether a given tag corresponds to the access of device identifiers.
pub fn is_device_id_attestation_tag(tag: Tag) -> bool {
- matches!(tag, Tag::ATTESTATION_ID_IMEI | Tag::ATTESTATION_ID_MEID | Tag::ATTESTATION_ID_SERIAL)
+ matches!(
+ tag,
+ Tag::ATTESTATION_ID_IMEI
+ | Tag::ATTESTATION_ID_MEID
+ | Tag::ATTESTATION_ID_SERIAL
+ | Tag::DEVICE_UNIQUE_ATTESTATION
+ )
}
/// This function checks whether the calling app has the Android permissions needed to attest device
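Review bot: The doc comment on `is_device_id_attestation_tag` still describes tags for "the access of device identifiers", but the new arm `Tag::DEVICE_UNIQUE_ATTESTATION` is not an identifier tag, so the comment no longer explains why it is in the list. I would reword it along the lines of `/// Returns true for tags that must pass the device ID attestation permission check: the ATTESTATION_ID_* tags below and DEVICE_UNIQUE_ATTESTATION.` Because `matches!` acts as an allowlist, any tag not named here is treated as needing no permission, which is presumably how this gap arose; a one-line comment saying that new privileged attestation tags must be added here would help the next maintainer. The commit records `Test: N/A`; a unit test asserting the function returns true for each listed tag and false for an unrelated one (for example `Tag::INCLUDE_UNIQUE_ID`, which the other hunk shows is gated separately) would pin this permission gate against regressions.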