Keystore 2.0: Add back dependency on KeyMint AIDL spec.
We are using SecurityLevel, KeyParameter, and HardwareAuthenticatorType
from the KeyMint spec now, instead of defining our own versions of these
types.
Test: keystore2_test
Change-Id: I0080382cb3619f7153ea3a6e49bb7b5f4b23f15b
diff --git a/keystore2/src/key_parameter.rs b/keystore2/src/key_parameter.rs
index 5355d93..5698c96 100644
--- a/keystore2/src/key_parameter.rs
+++ b/keystore2/src/key_parameter.rs
@@ -25,9 +25,7 @@
KeyParameter::KeyParameter as KmKeyParameter, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
SecurityLevel::SecurityLevel, Tag::Tag,
};
-use android_system_keystore2::aidl::android::system::keystore2::{
- Authorization::Authorization, SecurityLevel::SecurityLevel as KsSecurityLevel,
-};
+use android_system_keystore2::aidl::android::system::keystore2::Authorization::Authorization;
use anyhow::{Context, Result};
use rusqlite::types::{FromSql, Null, ToSql, ToSqlOutput};
use rusqlite::{Result as SqlResult, Row};
@@ -241,10 +239,8 @@
/// an internal KeyParameter representation to produce the Authorization wire type.
pub fn into_authorization(self) -> Authorization {
Authorization {
- securityLevel: KsSecurityLevel(self.security_level.0),
- keyParameter: crate::utils::keyparam_km_to_ks(
- &self.key_parameter_value.convert_to_wire(),
- ),
+ securityLevel: self.security_level,
+ keyParameter: self.key_parameter_value.convert_to_wire(),
}
}
}
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 0b5889e..24b665e 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -18,22 +18,21 @@
use android_hardware_keymint::aidl::android::hardware::keymint::{
Algorithm::Algorithm, ByteArray::ByteArray, Certificate::Certificate as KmCertificate,
- IKeyMintDevice::IKeyMintDevice, KeyCharacteristics::KeyCharacteristics, KeyFormat::KeyFormat,
- KeyParameter::KeyParameter as KmParam, KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
- Tag::Tag,
+ HardwareAuthenticatorType::HardwareAuthenticatorType, IKeyMintDevice::IKeyMintDevice,
+ KeyCharacteristics::KeyCharacteristics, KeyFormat::KeyFormat, KeyParameter::KeyParameter,
+ KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel, Tag::Tag,
};
use android_system_keystore2::aidl::android::system::keystore2::{
- AuthenticatorSpec::AuthenticatorSpec, AuthenticatorType::AuthenticatorType,
- CreateOperationResponse::CreateOperationResponse, Domain::Domain,
- IKeystoreOperation::IKeystoreOperation, IKeystoreSecurityLevel::BnKeystoreSecurityLevel,
+ AuthenticatorSpec::AuthenticatorSpec, CreateOperationResponse::CreateOperationResponse,
+ Domain::Domain, IKeystoreOperation::IKeystoreOperation,
+ IKeystoreSecurityLevel::BnKeystoreSecurityLevel,
IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
- KeyMetadata::KeyMetadata, KeyParameter::KeyParameter, KeyParameters::KeyParameters,
- SecurityLevel::SecurityLevel as KsSecurityLevel,
+ KeyMetadata::KeyMetadata, KeyParameters::KeyParameters,
};
use crate::globals::DB;
use crate::permission::KeyPerm;
-use crate::utils::{check_key_permission, keyparam_km_to_ks, keyparam_ks_to_km, Asp};
+use crate::utils::{check_key_permission, Asp};
use crate::{
database::{KeyEntry, KeyEntryLoadBits, SubComponentType},
operation::KeystoreOperation,
@@ -168,7 +167,7 @@
Ok(KeyMetadata {
key,
- keySecurityLevel: KsSecurityLevel(self.security_level.0),
+ keySecurityLevel: self.security_level,
certificate: cert,
certificateChain: cert_chain,
authorizations: crate::utils::key_parameters_to_authorizations(key_parameters),
@@ -232,22 +231,24 @@
// Check if we need an authorization token.
// Lookup authorization token and request VerificationToken if required.
- let purpose = operation_parameters.iter().find(|p| p.tag == Tag::PURPOSE.0).map_or(
+ let purpose = operation_parameters.iter().find(|p| p.tag == Tag::PURPOSE).map_or(
Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
.context("In create_operation: No operation purpose specified."),
|kp| Ok(KeyPurpose(kp.integer)),
)?;
- let km_params =
- operation_parameters.iter().map(|p| keyparam_ks_to_km(p)).collect::<Vec<KmParam>>();
-
let km_dev: Box<dyn IKeyMintDevice> = self
.keymint
.get_interface()
.context("In create_operation: Failed to get KeyMint device")?;
let (begin_result, upgraded_blob) = loop {
- match map_km_error(km_dev.begin(purpose, &km_blob, &km_params, &Default::default())) {
+ match map_km_error(km_dev.begin(
+ purpose,
+ &km_blob,
+ &operation_parameters,
+ &Default::default(),
+ )) {
Ok(result) => break (result, None),
Err(Error::Km(ErrorCode::TOO_MANY_OPERATIONS)) => {
self.operation_db
@@ -256,13 +257,14 @@
continue;
}
Err(Error::Km(ErrorCode::KEY_REQUIRES_UPGRADE)) => {
- let upgraded_blob = map_km_error(km_dev.upgradeKey(&km_blob, &km_params))
- .context("In create_operation: Upgrade failed.")?;
+ let upgraded_blob =
+ map_km_error(km_dev.upgradeKey(&km_blob, &operation_parameters))
+ .context("In create_operation: Upgrade failed.")?;
break loop {
match map_km_error(km_dev.begin(
purpose,
&upgraded_blob,
- &km_params,
+ &operation_parameters,
&Default::default(),
)) {
Ok(result) => break (result, Some(upgraded_blob)),
@@ -321,13 +323,7 @@
operationChallenge: None,
parameters: match begin_result.params.len() {
0 => None,
- _ => Some(KeyParameters {
- keyParameter: begin_result
- .params
- .iter()
- .map(|p| keyparam_km_to_ks(p))
- .collect(),
- }),
+ _ => Some(KeyParameters { keyParameter: begin_result.params }),
},
})
}
@@ -364,7 +360,7 @@
let mut key_characteristics: KeyCharacteristics = Default::default();
let mut certificate_chain: Vec<KmCertificate> = Default::default();
map_km_error(km_dev.generateKey(
- ¶ms.iter().map(|p| keyparam_ks_to_km(p)).collect::<Vec<KmParam>>(),
+ ¶ms,
&mut blob,
&mut key_characteristics,
&mut certificate_chain,
@@ -406,7 +402,7 @@
let format = params
.iter()
- .find(|p| p.tag == Tag::ALGORITHM.0)
+ .find(|p| p.tag == Tag::ALGORITHM)
.ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
.context("No KeyParameter 'Algorithm'.")
.and_then(|p| match Algorithm(p.integer) {
@@ -419,7 +415,7 @@
let km_dev: Box<dyn IKeyMintDevice> = self.keymint.get_interface()?;
map_km_error(km_dev.importKey(
- ¶ms.iter().map(|p| keyparam_ks_to_km(p)).collect::<Vec<KmParam>>(),
+ ¶ms,
format,
key_data,
&mut blob,
@@ -495,7 +491,7 @@
let pw_sid = authenticators
.iter()
.find_map(|a| match a.authenticatorType {
- AuthenticatorType::PASSWORD => Some(a.authenticatorId),
+ HardwareAuthenticatorType::PASSWORD => Some(a.authenticatorId),
_ => None,
})
.ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
@@ -504,7 +500,7 @@
let fp_sid = authenticators
.iter()
.find_map(|a| match a.authenticatorType {
- AuthenticatorType::FINGERPRINT => Some(a.authenticatorId),
+ HardwareAuthenticatorType::FINGERPRINT => Some(a.authenticatorId),
_ => None,
})
.ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
@@ -517,7 +513,7 @@
wrapped_data,
wrapping_key_blob,
masking_key,
- ¶ms.iter().map(|p| keyparam_ks_to_km(p)).collect::<Vec<KmParam>>(),
+ ¶ms,
pw_sid,
fp_sid,
&mut blob,
diff --git a/keystore2/src/service.rs b/keystore2/src/service.rs
index d0c44e0..e17a2ef 100644
--- a/keystore2/src/service.rs
+++ b/keystore2/src/service.rs
@@ -32,7 +32,6 @@
Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
IKeystoreService::BnKeystoreService, IKeystoreService::IKeystoreService,
KeyDescriptor::KeyDescriptor, KeyEntryResponse::KeyEntryResponse, KeyMetadata::KeyMetadata,
- SecurityLevel::SecurityLevel as KsSecurityLevel,
};
use anyhow::{anyhow, Context, Result};
use binder::{IBinder, Interface, ThreadState};
@@ -98,7 +97,7 @@
nspace: key_entry.id(),
..Default::default()
},
- keySecurityLevel: KsSecurityLevel(key_entry.sec_level().0),
+ keySecurityLevel: key_entry.sec_level(),
certificate: key_entry.take_cert(),
certificateChain: key_entry.take_cert_chain(),
authorizations: key_parameters_to_authorizations(key_entry.into_key_parameters()),
@@ -194,7 +193,7 @@
impl IKeystoreService for KeystoreService {
fn getSecurityLevel(
&self,
- security_level: KsSecurityLevel,
+ security_level: SecurityLevel,
) -> binder::public_api::Result<Box<dyn IKeystoreSecurityLevel>> {
map_or_log_err(self.get_security_level(SecurityLevel(security_level.0)), Ok)
}
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index 66a7e50..1c678c3 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -19,11 +19,10 @@
use crate::permission::{KeyPerm, KeyPermSet, KeystorePerm};
use crate::{error::Error, key_parameter::KeyParameterValue};
use android_hardware_keymint::aidl::android::hardware::keymint::{
- KeyCharacteristics::KeyCharacteristics, KeyParameter::KeyParameter as KmParam,
- SecurityLevel::SecurityLevel, Tag::Tag,
+ KeyCharacteristics::KeyCharacteristics, SecurityLevel::SecurityLevel,
};
use android_system_keystore2::aidl::android::system::keystore2::{
- Authorization::Authorization, KeyDescriptor::KeyDescriptor, KeyParameter::KeyParameter,
+ Authorization::Authorization, KeyDescriptor::KeyDescriptor,
};
use anyhow::{anyhow, Context};
use binder::{FromIBinder, SpIBinder, ThreadState};
@@ -78,40 +77,6 @@
})
}
-/// This function converts a `KeyParameter` from the keystore2 AIDL
-/// bindings into a `KeyParameter` from the keymint AIDL bindings.
-/// TODO This is a temporary workaround until the keymint AIDL spec
-/// lands.
-pub fn keyparam_ks_to_km(p: &KeyParameter) -> KmParam {
- KmParam {
- tag: Tag(p.tag),
- boolValue: p.boolValue,
- integer: p.integer,
- longInteger: p.longInteger,
- blob: match &p.blob {
- Some(b) => b.clone(),
- None => vec![],
- },
- }
-}
-
-/// This function converts a `KeyParameter` from the keymint AIDL
-/// bindings into a `KeyParameter` from the keystore2 AIDL bindings.
-/// TODO This is a temporary workaround until the keymint AIDL spec
-/// lands.
-pub fn keyparam_km_to_ks(p: &KmParam) -> KeyParameter {
- KeyParameter {
- tag: p.tag.0,
- boolValue: p.boolValue,
- integer: p.integer,
- longInteger: p.longInteger,
- blob: match p.blob.len() {
- 0 => None,
- _ => Some(p.blob.clone()),
- },
- }
-}
-
/// Thread safe wrapper around SpIBinder. It is safe to have SpIBinder smart pointers to the
/// same object in multiple threads, but cloning a SpIBinder is not thread safe.
/// Keystore frequently hands out binder tokens to the security level interface. If this