commit b9433b507b4fafe1408f2dd7c00a05234624b3f9
author Qi Wu <siofive@google.com> Tue Dec 01 14:52:46 2020 +0800
committer Janis Danisevskis <jdanis@google.com> Tue Jan 26 08:45:31 2021 -0800
tree 0b1b203d072af7625a2be0baef9dce19f17a52d6
parent 1e292289b7d7f741bc23289fc88d575ade5c0593

Keystore 2.0: Enforcement for limited use keys.

Bug: b/174140443
Test: atest keystore2_test
Change-Id: I6433b7c7f305d67d8e77277990f732d634801f10

keystore2/src/security_level.rs

diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index d8787bd..dad241a 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -34,7 +34,7 @@
 use crate::globals::ENFORCEMENTS;
 use crate::key_parameter::KeyParameter as KsKeyParam;
 use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
-use crate::utils::{check_key_permission, Asp};
+use crate::utils::{check_key_permission, uid_to_android_user, Asp};
 use crate::{database::KeyIdGuard, globals::DB};
 use crate::{
     database::{DateTime, KeyMetaData, KeyMetaEntry, KeyType},
@@ -48,7 +48,6 @@
 use crate::{
     error::{self, map_km_error, map_or_log_err, Error, ErrorCode},
     utils::key_characteristics_to_internal,
-    utils::uid_to_android_user,
 };
 use anyhow::{Context, Result};
 use binder::{IBinder, Interface, ThreadState};
@@ -173,7 +172,7 @@
         // so that we can use it by reference like the blob provided by the key descriptor.
         // Otherwise, we would have to clone the blob from the key descriptor.
         let scoping_blob: Vec<u8>;
-        let (km_blob, key_id_guard, key_parameters) = match key.domain {
+        let (km_blob, key_properties, key_id_guard) = match key.domain {
             Domain::BLOB => {
                 check_key_permission(KeyPerm::use_(), key, &None)
                     .context("In create_operation: checking use permission for Domain::BLOB.")?;
@@ -212,7 +211,11 @@
                         ))
                     }
                 };
-                (&scoping_blob, Some(key_id_guard), Some(key_entry.into_key_parameters()))
+                (
+                    &scoping_blob,
+                    Some((key_id_guard.id(), key_entry.into_key_parameters())),
+                    Some(key_id_guard),
+                )
             }
         };
 
@@ -229,8 +232,8 @@
         let (immediate_hat, mut auth_info) = ENFORCEMENTS
             .authorize_create(
                 purpose,
-                key_parameters.as_deref(),
-                operation_parameters,
+                key_properties.as_ref(),
+                operation_parameters.as_ref(),
                 // TODO b/178222844 Replace this with the configuration returned by
                 //      KeyMintDevice::getHardwareInfo.
                 //      For now we assume that strongbox implementations need secure timestamps.