Restore "Add "Unlocked device required" parameter to keys"

Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

This reverts commit ccb492da4478a11210b1a7aa885ad38958ca837f.

Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed

Bug: 67752510

Merged-In: I485e0855c4a09073e067c1a628f7d93eab489483
Change-Id: I485e0855c4a09073e067c1a628f7d93eab489483
(cherry picked from f6125de02d20382521c0d0177479079c5a0371ea)
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 60ac0d5..c98b78f 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -109,8 +109,8 @@
     srcs: ["keystore_cli_v2.cpp"],
     shared_libs: [
         "android.hardware.confirmationui@1.0",
-        "android.hardware.keymaster@4.0",
         "libbinder",
+        "android.hardware.keymaster@4.0",
         "libchrome",
         "libutils",
         "libhidlbase",
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 8be07f8..a716498 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -367,6 +367,7 @@
         return Status::ok();
     }
 
+    enforcement_policy.set_device_locked(true, userId);
     mKeyStore->lock(userId);
     *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
     return Status::ok();
@@ -395,6 +396,7 @@
         return Status::ok();
     }
 
+    enforcement_policy.set_device_locked(false, userId);
     const String8 password8(pw);
     // read master key, decrypt with password, initialize mMasterKey*.
     *aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId));
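Review bot: `enforcement_policy.set_device_locked(false, userId)` at the top of this hunk marks the user unlocked before `readMasterKey` on the last line has verified the password, so a failed unlock attempt leaves the enforcement policy reporting the user as unlocked while the keystore itself stays locked. The rest of the function is outside the hunk, but if it returns the `readMasterKey` result as-is, the policy update should follow that call and be conditional on success: `*aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId));` then `if (*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR)) enforcement_policy.set_device_locked(false, userId);`. The `lock()` hunk above sets the locked state before `mKeyStore->lock(userId)`, which fails closed and can stay as is.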
@@ -2226,9 +2228,10 @@
     return error;
 }
 
-Status KeyStoreService::onKeyguardVisibilityChanged(bool /*isShowing*/, int32_t /*userId*/,
-                                                    int32_t* /*aidl_return*/) {
-    // TODO(67752510)
+Status KeyStoreService::onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
+                                                    int32_t* aidl_return) {
+    enforcement_policy.set_device_locked(isShowing, userId);
+    *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
 
     return Status::ok();
 }
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index 3e8c25c..5a6e591 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -223,6 +223,8 @@
     bool caller_nonce_authorized_by_key = false;
     bool authentication_required = false;
     bool auth_token_matched = false;
+    bool unlocked_device_required = false;
+    int32_t user_id = -1;
 
     for (auto& param : auth_set) {
 
@@ -283,7 +285,7 @@
             break;
 
         case Tag::USER_ID:
-            // TODO(67752510)
+            user_id = authorizationValue(TAG_USER_ID, param).value();
             break;
 
         case Tag::CALLER_NONCE:
@@ -291,7 +293,7 @@
             break;
 
         case Tag::UNLOCKED_DEVICE_REQUIRED:
-            // TODO(67752510)
+            unlocked_device_required = true;
             break;
 
         /* Tags should never be in key auths. */
@@ -364,6 +366,19 @@
         }
     }
 
+    if (unlocked_device_required && is_device_locked(user_id)) {
+        switch (purpose) {
+        case KeyPurpose::ENCRYPT:
+        case KeyPurpose::VERIFY:
+            /* These are okay */
+            break;
+        case KeyPurpose::DECRYPT:
+        case KeyPurpose::SIGN:
+        case KeyPurpose::WRAP_KEY:
+            return ErrorCode::DEVICE_LOCKED;
+        };
+    }
+
     if (authentication_required && !auth_token_matched) {
         ALOGE("Auth required but no matching auth token found");
         return ErrorCode::KEY_USER_NOT_AUTHENTICATED;
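Review bot: The `switch (purpose)` added in this hunk has no `default`, so any `KeyPurpose` value not listed (a future enum member or an unexpected value from the HAL) falls out of the switch and the operation proceeds on a locked device; the check should fail closed with `default: return ErrorCode::DEVICE_LOCKED;`. The `};` closing the switch is a stray empty statement and should be `}`. Separately, `user_id` keeps its `-1` initializer when the key carries no `Tag::USER_ID`, and the header change in this commit makes `is_device_locked` treat an unknown user as locked, so such a key would be refused for DECRYPT/SIGN/WRAP_KEY whenever it has UNLOCKED_DEVICE_REQUIRED — if USER_ID is not guaranteed to accompany that tag, this deserves a comment or an explicit error rather than relying on the fallback. The enclosing function starts outside the hunk.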
diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h
index 04f974f..e114ea9 100644
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@@ -85,14 +85,18 @@
         return true;
     }
 
-    bool is_device_locked(int32_t /*userId*/) const override {
-        // TODO(67752510)
-        return false;
+    bool is_device_locked(int32_t userId) const override {
+        // If we haven't had a set call for this user yet, assume the device is locked.
+        if (mIsDeviceLockedForUser.count(userId) == 0) return true;
+        return mIsDeviceLockedForUser.find(userId)->second;
     }
 
-    void set_device_locked(bool /*isLocked*/, int32_t /*userId*/) {
-        // TODO(67752510)
+    void set_device_locked(bool isLocked, int32_t userId) {
+        mIsDeviceLockedForUser[userId] = isLocked;
     }
+
+  private:
+    std::map<int32_t, bool> mIsDeviceLockedForUser;
 };
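Review bot: `mIsDeviceLockedForUser` is a plain `std::map` written by `set_device_locked` and read by `is_device_locked` with no synchronization; both are called from `KeyStoreService` binder methods in this commit (`lock`, `unlock`, `onKeyguardVisibilityChanged`), which are normally dispatched on several binder threads, so unless the policy object is accessed under an external lock this is a data race on the map. `is_device_locked` also performs two lookups (`count` then `find`) where a single `find` suffices, and the header needs `#include <map>` (plus `<mutex>` if a lock is added) — the include block is outside this hunk. The rewrite below guards both accessors with a mutex; drop the lock if external serialization is confirmed.
```cpp
    bool is_device_locked(int32_t userId) const override {
        std::lock_guard<std::mutex> lock(mDeviceLockedMutex);
        // If we haven't had a set call for this user yet, assume the device is locked.
        auto it = mIsDeviceLockedForUser.find(userId);
        return it == mIsDeviceLockedForUser.end() || it->second;
    }

    void set_device_locked(bool isLocked, int32_t userId) {
        std::lock_guard<std::mutex> lock(mDeviceLockedMutex);
        mIsDeviceLockedForUser[userId] = isLocked;
    }

  private:
    mutable std::mutex mDeviceLockedMutex;
    std::map<int32_t, bool> mIsDeviceLockedForUser;
```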
 
 } // namespace keystore