Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / b2ffa420da26414379b31807eec76ec8c9f3b0a9^! / . / keystore / auth_token_table.cpp
commitb2ffa420da26414379b31807eec76ec8c9f3b0a9[log] [tgz]
authorShawn Willden <swillden@google.com>Wed Jun 17 12:18:55 2015 -0600
committerShawn Willden <swillden@google.com>Wed Jun 17 13:38:45 2015 -0600
treee2ae4e4d2b65aee58ed7eafaf4ec70c95327a660
parent3a7d9e626fa6c0e116c07be912c319aad6e08614 [diff] [blame]
Don't check authorizations for pubkey operations.

Bug: 21877150
Change-Id: I43dafb66fc3246f4d8e3bf4743fbdcbe072468d1

diff --git a/keystore/auth_token_table.cpp b/keystore/auth_token_table.cpp
index 98731b3..c6e5843 100644
--- a/keystore/auth_token_table.cpp
+++ b/keystore/auth_token_table.cpp

@@ -60,18 +60,33 @@
     }
 }
 
-inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info) {
-    return key_info.find(TAG_NO_AUTH_REQUIRED) == -1;
+inline bool is_secret_key_operation(keymaster_algorithm_t algorithm, keymaster_purpose_t purpose) {
+    if ((algorithm != KM_ALGORITHM_RSA || algorithm != KM_ALGORITHM_EC))
+        return true;
+    if (purpose == KM_PURPOSE_SIGN || purpose == KM_PURPOSE_DECRYPT)
+        return true;
+    return false;
 }
 
-inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info) {
-    return key_info.find(TAG_AUTH_TIMEOUT) == -1;
+inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info,
+                                      keymaster_purpose_t purpose) {
+    keymaster_algorithm_t algorithm = KM_ALGORITHM_AES;
+    key_info.GetTagValue(TAG_ALGORITHM, &algorithm);
+    return is_secret_key_operation(algorithm, purpose) && key_info.find(TAG_NO_AUTH_REQUIRED) == -1;
+}
+
+inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info,
+                                        keymaster_purpose_t purpose) {
+    keymaster_algorithm_t algorithm = KM_ALGORITHM_AES;
+    key_info.GetTagValue(TAG_ALGORITHM, &algorithm);
+    return is_secret_key_operation(algorithm, purpose) && key_info.find(TAG_AUTH_TIMEOUT) == -1;
 }
 
 AuthTokenTable::Error AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info,
+                                                        keymaster_purpose_t purpose,
                                                         keymaster_operation_handle_t op_handle,
                                                         const hw_auth_token_t** found) {
-    if (!KeyRequiresAuthentication(key_info))
+    if (!KeyRequiresAuthentication(key_info, purpose))
         return AUTH_NOT_REQUIRED;
 
     hw_authenticator_type_t auth_type = HW_AUTH_NONE;
@@ -80,7 +95,7 @@
     std::vector<uint64_t> key_sids;
     ExtractSids(key_info, &key_sids);
 
-    if (KeyRequiresAuthPerOperation(key_info))
+    if (KeyRequiresAuthPerOperation(key_info, purpose))
         return FindAuthPerOpAuthorization(key_sids, auth_type, op_handle, found);
     else
         return FindTimedAuthorization(key_sids, auth_type, key_info, found);