Revert "Revert "Implement addAuthToken method of IKeystoreAuthorization ...""
This reverts commit 96f410658821497db0f562c2ba2bc359bc3b1dfc.
Reason for revert: This change does not have an impact on the observed behavior; it can land by itself.
Change-Id: I7e1ff63d0bae77b4382047eaaacb8d34e31e2bc4
diff --git a/keystore2/src/authorization.rs b/keystore2/src/authorization.rs
new file mode 100644
index 0000000..08ae07c
--- /dev/null
+++ b/keystore2/src/authorization.rs
@@ -0,0 +1,68 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module implements IKeyAuthorization AIDL interface.
+
+use crate::error::map_or_log_err;
+use crate::globals::ENFORCEMENTS;
+use crate::permission::KeystorePerm;
+use crate::utils::check_keystore_permission;
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ HardwareAuthToken::HardwareAuthToken, HardwareAuthenticatorType::HardwareAuthenticatorType,
+ Timestamp::Timestamp,
+};
+use android_security_authorization::binder::{Interface, Result as BinderResult};
+use android_security_authorization:: aidl::android::security::authorization::IKeystoreAuthorization::{
+ BnKeystoreAuthorization, IKeystoreAuthorization,
+};
+use anyhow::{Context, Result};
+use binder::IBinder;
+
+/// This struct is defined to implement the aforementioned AIDL interface.
+/// As of now, it is an empty struct.
+pub struct AuthorizationManager;
+
+impl AuthorizationManager {
+ /// Create a new instance of Keystore Authorization service.
+ pub fn new_native_binder() -> Result<impl IKeystoreAuthorization> {
+ let result = BnKeystoreAuthorization::new_binder(Self);
+ result.as_binder().set_requesting_sid(true);
+ Ok(result)
+ }
+
+ fn add_auth_token(&self, auth_token: &HardwareAuthToken) -> Result<()> {
+ //check keystore permission
+ check_keystore_permission(KeystorePerm::add_auth()).context("In add_auth_token.")?;
+
+ //TODO: Keymint's HardwareAuthToken aidl needs to implement Copy/Clone
+ let auth_token_copy = HardwareAuthToken {
+ challenge: auth_token.challenge,
+ userId: auth_token.userId,
+ authenticatorId: auth_token.authenticatorId,
+ authenticatorType: HardwareAuthenticatorType(auth_token.authenticatorType.0),
+ timestamp: Timestamp { milliSeconds: auth_token.timestamp.milliSeconds },
+ mac: auth_token.mac.clone(),
+ };
+ ENFORCEMENTS.add_auth_token(auth_token_copy)?;
+ Ok(())
+ }
+}
+
+impl Interface for AuthorizationManager {}
+
+impl IKeystoreAuthorization for AuthorizationManager {
+ fn addAuthToken(&self, auth_token: &HardwareAuthToken) -> BinderResult<()> {
+ map_or_log_err(self.add_auth_token(auth_token), Ok)
+ }
+}
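Review bot: The `KeystorePerm::add_auth()` check in `add_auth_token` is the only gate in this file on who may hand a `HardwareAuthToken` to `ENFORCEMENTS`, and nothing records that `set_requesting_sid(true)` in `new_native_binder` exists to support it. Assuming `check_keystore_permission` (defined outside this diff) resolves the caller's SELinux context, I would add `// The permission check in add_auth_token needs the caller's SID.` above the `set_requesting_sid` call so it is not dropped as unused setup. The `ENFORCEMENTS.add_auth_token(auth_token_copy)?` call also propagates its error without the context string that the permission check attaches; `.context("In add_auth_token.")?` would keep the logged error chain consistent. The module doc names `IKeyAuthorization`, while the trait implemented is `IKeystoreAuthorization`.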
diff --git a/keystore2/src/keystore2_main.rs b/keystore2/src/keystore2_main.rs
index 8607eef..c75cfc8 100644
--- a/keystore2/src/keystore2_main.rs
+++ b/keystore2/src/keystore2_main.rs
@@ -16,6 +16,7 @@
use binder::Interface;
use keystore2::apc::ApcManager;
+use keystore2::authorization::AuthorizationManager;
use keystore2::background_task_handler::Message;
use keystore2::globals::{BACKGROUND_TASK_HANDLER, ENFORCEMENTS};
use keystore2::service::KeystoreService;
@@ -25,6 +26,7 @@
static KS2_SERVICE_NAME: &str = "android.system.keystore2";
static APC_SERVICE_NAME: &str = "android.security.apc";
+static AUTHORIZATION_SERVICE_NAME: &str = "android.security.authorization";
/// Keystore 2.0 takes one argument which is a path indicating its designated working directory.
fn main() {
@@ -78,6 +80,14 @@
panic!("Failed to register service {} because of {:?}.", APC_SERVICE_NAME, e);
});
+ let authorization_service = AuthorizationManager::new_native_binder().unwrap_or_else(|e| {
+ panic!("Failed to create service {} because of {:?}.", AUTHORIZATION_SERVICE_NAME, e);
+ });
+ binder::add_service(AUTHORIZATION_SERVICE_NAME, authorization_service.as_binder())
+ .unwrap_or_else(|e| {
+ panic!("Failed to register service {} because of {:?}.", AUTHORIZATION_SERVICE_NAME, e);
+ });
+
info!("Successfully registered Keystore 2.0 service.");
info!("Joining thread pool now.");
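Review bot: Both new `unwrap_or_else` arms panic, so a rejected `binder::add_service` call for `AUTHORIZATION_SERVICE_NAME` takes the whole keystore2 daemon down during startup. Because `android.security.authorization` is a new service name, registration presumably depends on a service-manager policy entry that is not part of this diff, so it is worth confirming that the entry lands before or together with this change. The closing `info!("Successfully registered Keystore 2.0 service.")` now follows more than one registration, so the log does not show which services came up; a per-service `info!` after each `add_service` would make startup failures easier to triage. `main` begins and ends outside the hunk.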
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index f73cd59..240998e 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -17,6 +17,7 @@
pub mod apc;
pub mod auth_token_handler;
+pub mod authorization;
pub mod background_task_handler;
pub mod database;
pub mod enforcements;