Add credstore system daemon.
The credstore system daemon is sitting below the Identity Credential
Framework APIs and on top of the Identity Credential HALs. Its main
job is to store credential data and provide a way for applications to
communicate with the secure hardware abstracted by the HAL.
This daemon runs as an unprivileged user, credstore.
The auth-tokens needed by credstore are supplied by keystore and this
CL includes the requisite changes to keystore for this to work.
Bug: 111446262
Test: CTS tests for Framework APIs
Change-Id: Ieb4d59852a143482436a1c418c25ed96e25c0047
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 5adc199..5bc5a78 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -38,6 +38,7 @@
#include <android/hardware/confirmationui/1.0/IConfirmationUI.h>
#include <android/hardware/keymaster/3.0/IHwKeymasterDevice.h>
+#include <keymasterV4_0/keymaster_utils.h>
#include "defaults.h"
#include "key_proto_handler.h"
@@ -946,6 +947,24 @@
return Status::ok();
}
+Status KeyStoreService::getAuthTokenForCredstore(int64_t challenge, int64_t secureUserId,
+ int32_t authTokenMaxAgeMillis,
+ std::vector<uint8_t>* _aidl_return) {
+ uid_t callingUid = IPCThreadState::self()->getCallingUid();
+ if (callingUid != AID_CREDSTORE) {
+ return Status::fromServiceSpecificError(static_cast<int32_t>(0));
+ }
+
+ auto [err, authToken] = mKeyStore->getAuthTokenTable().FindAuthorizationForCredstore(
+ challenge, secureUserId, authTokenMaxAgeMillis);
+ std::vector<uint8_t> ret;
+ if (err == AuthTokenTable::OK) {
+ ret = android::hardware::keymaster::V4_0::support::authToken2HidlVec(authToken);
+ }
+ *_aidl_return = ret;
+ return Status::ok();
+}
+
bool isDeviceIdAttestationRequested(const KeymasterArguments& params) {
const hardware::hidl_vec<KeyParameter>& paramsVec = params.getParameters();
for (size_t i = 0; i < paramsVec.size(); ++i) {