Restore "Add "Unlocked device required" parameter to keys"
dd a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.
This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.
This reverts commit ccb492da4478a11210b1a7aa885ad38958ca837f.
Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed
Bug: 67752510
Merged-In: I485e0855c4a09073e067c1a628f7d93eab489483
Change-Id: I485e0855c4a09073e067c1a628f7d93eab489483
(cherry picked from f6125de02d20382521c0d0177479079c5a0371ea)
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index 3e8c25c..5a6e591 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -223,6 +223,8 @@
bool caller_nonce_authorized_by_key = false;
bool authentication_required = false;
bool auth_token_matched = false;
+ bool unlocked_device_required = false;
+ int32_t user_id = -1;
for (auto& param : auth_set) {
@@ -283,7 +285,7 @@
break;
case Tag::USER_ID:
- // TODO(67752510)
+ user_id = authorizationValue(TAG_USER_ID, param).value();
break;
case Tag::CALLER_NONCE:
@@ -291,7 +293,7 @@
break;
case Tag::UNLOCKED_DEVICE_REQUIRED:
- // TODO(67752510)
+ unlocked_device_required = true;
break;
/* Tags should never be in key auths. */
@@ -364,6 +366,19 @@
}
}
+ if (unlocked_device_required && is_device_locked(user_id)) {
+ switch (purpose) {
+ case KeyPurpose::ENCRYPT:
+ case KeyPurpose::VERIFY:
+ /* These are okay */
+ break;
+ case KeyPurpose::DECRYPT:
+ case KeyPurpose::SIGN:
+ case KeyPurpose::WRAP_KEY:
+ return ErrorCode::DEVICE_LOCKED;
+ };
+ }
+
if (authentication_required && !auth_token_matched) {
ALOGE("Auth required but no matching auth token found");
return ErrorCode::KEY_USER_NOT_AUTHENTICATED;