Merge "Keystore 2.0: Fix permission check for device attestation."
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index 183096c..0db2f9d 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -55,6 +55,7 @@
},
ndk: {
enabled: true,
+ apps_enabled: false,
}
},
}
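Review bot: `apps_enabled: false` is added to the `ndk` backend without a comment saying why, and the same line is repeated in the hunks at -93 and -135. I infer the reason is tied to the `@SensitiveData` annotations added to the keystore interfaces elsewhere in this commit, but these lines do not show that. A short comment such as `// NDK backend is for platform clients only; not built for apps.` would keep a later cleanup from re-enabling app builds of these security-sensitive interfaces. The enclosing module definition starts outside the hunk, so which interfaces each block covers is not visible here.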
@@ -93,6 +94,7 @@
},
ndk: {
enabled: true,
+ apps_enabled: false,
}
},
}
@@ -135,6 +137,7 @@
},
ndk: {
enabled: true,
+ apps_enabled: false,
}
},
}
diff --git a/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
index 86472eb..01616b1 100644
--- a/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
+++ b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
@@ -25,6 +25,7 @@
* provide keystore with the information required to enforce authorizations on key usage.
* @hide
*/
+ @SensitiveData
interface IKeystoreAuthorization {
/**
diff --git a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
index 280500c..21ddd9b 100644
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@@ -17,13 +17,12 @@
import android.system.keystore2.Domain;
import android.security.maintenance.UserState;
-// TODO: mark the interface with @SensitiveData when the annotation is ready (b/176110256).
-
/**
* IKeystoreMaintenance interface exposes the methods for adding/removing users and changing the
* user's password.
* @hide
*/
+ @SensitiveData
interface IKeystoreMaintenance {
/**
diff --git a/keystore2/src/km_compat/km_compat_type_conversion.h b/keystore2/src/km_compat/km_compat_type_conversion.h
index c2b4669..e3240e9 100644
--- a/keystore2/src/km_compat/km_compat_type_conversion.h
+++ b/keystore2/src/km_compat/km_compat_type_conversion.h
@@ -665,13 +665,19 @@
}
break;
case KMV1::Tag::ATTESTATION_ID_SERIAL:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_SERIAL, kp)) {
+ return V4_0::makeKeyParameter(V4_0::TAG_ATTESTATION_ID_SERIAL, v->get());
+ }
break;
case KMV1::Tag::ATTESTATION_ID_IMEI:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_IMEI, kp)) {
+ return V4_0::makeKeyParameter(V4_0::TAG_ATTESTATION_ID_IMEI, v->get());
+ }
break;
case KMV1::Tag::ATTESTATION_ID_MEID:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_MEID, kp)) {
+ return V4_0::makeKeyParameter(V4_0::TAG_ATTESTATION_ID_MEID, v->get());
+ }
break;
case KMV1::Tag::ATTESTATION_ID_MANUFACTURER:
if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_MANUFACTURER, kp)) {
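Review bot: The new cases for `ATTESTATION_ID_SERIAL`, `ATTESTATION_ID_IMEI` and `ATTESTATION_ID_MEID` now forward device-unique identifiers to the wrapped 4.0 implementation, where the removed TODO lines left them unconverted, yet nothing at this site says where the caller's right to attest them is enforced. Given the commit title, that check presumably happens before conversion; a comment above the first case, e.g. `// Device-unique IDs: permission to attest these is enforced by the caller, not in this conversion.`, would record it once confirmed. When `authorizationValue` yields nothing, each case falls through to `break`, and what the function returns after the switch is outside the hunk. If that is an empty or invalid parameter, a malformed ID tag would be silently left out of the request instead of rejected, which is worth confirming for attestation inputs. Both points apply equally to the mirrored V4_0-to-KMV1 cases in the hunk at -971.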
@@ -971,13 +977,19 @@
}
break;
case V4_0::Tag::ATTESTATION_ID_SERIAL:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = unwrapper(V4_0::authorizationValue(V4_0::TAG_ATTESTATION_ID_SERIAL, kp))) {
+ return KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_ID_SERIAL, v->get());
+ }
break;
case V4_0::Tag::ATTESTATION_ID_IMEI:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = unwrapper(V4_0::authorizationValue(V4_0::TAG_ATTESTATION_ID_IMEI, kp))) {
+ return KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_ID_IMEI, v->get());
+ }
break;
case V4_0::Tag::ATTESTATION_ID_MEID:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = unwrapper(V4_0::authorizationValue(V4_0::TAG_ATTESTATION_ID_MEID, kp))) {
+ return KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_ID_MEID, v->get());
+ }
break;
case V4_0::Tag::ATTESTATION_ID_MANUFACTURER:
if (auto v =