Revert "Revert "Implement addAuthToken method of IKeystoreAuthorization ...""
This reverts commit 96f410658821497db0f562c2ba2bc359bc3b1dfc.
Reason for revert: This change does not have an impact on the observed behavior; it can land by itself.
Change-Id: I7e1ff63d0bae77b4382047eaaacb8d34e31e2bc4
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index 354a6d6..bf91e4b 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -20,6 +20,7 @@
rustlibs: [
"android.hardware.security.keymint-rust",
"android.security.apc-rust",
+ "android.security.authorization-rust",
"android.security.compat-rust",
"android.system.keystore2-rust",
"libanyhow",
@@ -48,9 +49,9 @@
rustlibs: [
"android.hardware.security.keymint-rust",
"android.security.apc-rust",
+ "android.security.authorization-rust",
"android.security.compat-rust",
"android.system.keystore2-rust",
- "android.hardware.security.keymint-rust",
"libandroid_logger",
"libanyhow",
"libbinder_rs",
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index 0d05dfe..696f38e 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -28,8 +28,8 @@
}
aidl_interface {
- name: "android.security.authorizations",
- srcs: [ "android/security/authorizations/*.aidl" ],
+ name: "android.security.authorization",
+ srcs: [ "android/security/authorization/*.aidl" ],
imports: [ "android.hardware.security.keymint" ],
unstable: true,
backend: {
diff --git a/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
similarity index 96%
rename from keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl
rename to keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
index d3e80ee..48364f4 100644
--- a/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl
+++ b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
@@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-package android.security.authorizations;
+package android.security.authorization;
import android.hardware.security.keymint.HardwareAuthToken;
diff --git a/keystore2/src/authorization.rs b/keystore2/src/authorization.rs
new file mode 100644
index 0000000..08ae07c
--- /dev/null
+++ b/keystore2/src/authorization.rs
@@ -0,0 +1,68 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module implements IKeyAuthorization AIDL interface.
+
+use crate::error::map_or_log_err;
+use crate::globals::ENFORCEMENTS;
+use crate::permission::KeystorePerm;
+use crate::utils::check_keystore_permission;
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ HardwareAuthToken::HardwareAuthToken, HardwareAuthenticatorType::HardwareAuthenticatorType,
+ Timestamp::Timestamp,
+};
+use android_security_authorization::binder::{Interface, Result as BinderResult};
+use android_security_authorization:: aidl::android::security::authorization::IKeystoreAuthorization::{
+ BnKeystoreAuthorization, IKeystoreAuthorization,
+};
+use anyhow::{Context, Result};
+use binder::IBinder;
+
+/// This struct is defined to implement the aforementioned AIDL interface.
+/// As of now, it is an empty struct.
+pub struct AuthorizationManager;
+
+impl AuthorizationManager {
+ /// Create a new instance of Keystore Authorization service.
+ pub fn new_native_binder() -> Result<impl IKeystoreAuthorization> {
+ let result = BnKeystoreAuthorization::new_binder(Self);
+ result.as_binder().set_requesting_sid(true);
+ Ok(result)
+ }
+
+ fn add_auth_token(&self, auth_token: &HardwareAuthToken) -> Result<()> {
+ //check keystore permission
+ check_keystore_permission(KeystorePerm::add_auth()).context("In add_auth_token.")?;
+
+ //TODO: Keymint's HardwareAuthToken aidl needs to implement Copy/Clone
+ let auth_token_copy = HardwareAuthToken {
+ challenge: auth_token.challenge,
+ userId: auth_token.userId,
+ authenticatorId: auth_token.authenticatorId,
+ authenticatorType: HardwareAuthenticatorType(auth_token.authenticatorType.0),
+ timestamp: Timestamp { milliSeconds: auth_token.timestamp.milliSeconds },
+ mac: auth_token.mac.clone(),
+ };
+ ENFORCEMENTS.add_auth_token(auth_token_copy)?;
+ Ok(())
+ }
+}
+
+impl Interface for AuthorizationManager {}
+
+impl IKeystoreAuthorization for AuthorizationManager {
+ fn addAuthToken(&self, auth_token: &HardwareAuthToken) -> BinderResult<()> {
+ map_or_log_err(self.add_auth_token(auth_token), Ok)
+ }
+}
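Review bot: In `add_auth_token`, the only gate visible before the token reaches `ENFORCEMENTS` is `check_keystore_permission(KeystorePerm::add_auth())`; nothing in this file inspects `auth_token.mac`, so the token store trusts any caller holding that permission. That is presumably intentional, with the MAC checked wherever the token is later consumed (not shown in this commit), but it deserves a comment such as `// Only the caller's add_auth permission is checked here; the token MAC is not verified in this module.` The check presumably relies on `set_requesting_sid(true)` in `new_native_binder`, so a note there like `// Needed so the permission check can see the caller's SELinux context.` would stop it being dropped in a later cleanup. Separately, `ENFORCEMENTS.add_auth_token(auth_token_copy)?` lacks the `.context("In add_auth_token.")` that the permission check carries, and the module doc names `IKeyAuthorization` where the interface is `IKeystoreAuthorization`.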
diff --git a/keystore2/src/keystore2_main.rs b/keystore2/src/keystore2_main.rs
index 8607eef..c75cfc8 100644
--- a/keystore2/src/keystore2_main.rs
+++ b/keystore2/src/keystore2_main.rs
@@ -16,6 +16,7 @@
use binder::Interface;
use keystore2::apc::ApcManager;
+use keystore2::authorization::AuthorizationManager;
use keystore2::background_task_handler::Message;
use keystore2::globals::{BACKGROUND_TASK_HANDLER, ENFORCEMENTS};
use keystore2::service::KeystoreService;
@@ -25,6 +26,7 @@
static KS2_SERVICE_NAME: &str = "android.system.keystore2";
static APC_SERVICE_NAME: &str = "android.security.apc";
+static AUTHORIZATION_SERVICE_NAME: &str = "android.security.authorization";
/// Keystore 2.0 takes one argument which is a path indicating its designated working directory.
fn main() {
@@ -78,6 +80,14 @@
panic!("Failed to register service {} because of {:?}.", APC_SERVICE_NAME, e);
});
+ let authorization_service = AuthorizationManager::new_native_binder().unwrap_or_else(|e| {
+ panic!("Failed to create service {} because of {:?}.", AUTHORIZATION_SERVICE_NAME, e);
+ });
+ binder::add_service(AUTHORIZATION_SERVICE_NAME, authorization_service.as_binder())
+ .unwrap_or_else(|e| {
+ panic!("Failed to register service {} because of {:?}.", AUTHORIZATION_SERVICE_NAME, e);
+ });
+
info!("Successfully registered Keystore 2.0 service.");
info!("Joining thread pool now.");
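Review bot: A failure to create or register `AUTHORIZATION_SERVICE_NAME` panics the whole daemon, as the APC registration just above does, so keystore2 presumably must already be allowed to publish this new service name on any device where the change lands; nothing in this commit shows that. If aborting is the intended fail-closed behaviour, state it in a comment, e.g. `// Abort: without this service auth tokens cannot be delivered to keystore2.` The `info!` line that follows still reports only the Keystore 2.0 service as registered, which will mislead anyone reading startup logs while triaging a missing authorization service. `main` starts and ends outside this hunk.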
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index f73cd59..240998e 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -17,6 +17,7 @@
pub mod apc;
pub mod auth_token_handler;
+pub mod authorization;
pub mod background_task_handler;
pub mod database;
pub mod enforcements;