Merge changes from topics "niap-asym-write-pi-dev", "niap-asym-write-api-pi-dev" into pi-dev
am: de5eee4f9e

Change-Id: I4c4dadc2be7d69547283eda3567468cbfefd1074
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 60ac0d5..c98b78f 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -109,8 +109,8 @@
     srcs: ["keystore_cli_v2.cpp"],
     shared_libs: [
         "android.hardware.confirmationui@1.0",
-        "android.hardware.keymaster@4.0",
         "libbinder",
+        "android.hardware.keymaster@4.0",
         "libchrome",
         "libutils",
         "libhidlbase",
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 13b3df1..9bd76fd 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -367,6 +367,7 @@
         return Status::ok();
     }
 
+    enforcement_policy.set_device_locked(true, userId);
     mKeyStore->lock(userId);
     *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
     return Status::ok();
@@ -395,6 +396,7 @@
         return Status::ok();
     }
 
+    enforcement_policy.set_device_locked(false, userId);
     const String8 password8(pw);
     // read master key, decrypt with password, initialize mMasterKey*.
     *aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId));
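Review bot: `enforcement_policy.set_device_locked(false, userId)` runs before `readMasterKey` has checked the password, so a failed unlock attempt still appears to leave this user recorded as unlocked for `UNLOCKED_DEVICE_REQUIRED` keys. The state change should follow a successful result, e.g. `if (*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR)) enforcement_policy.set_device_locked(false, userId);` placed after the `readMasterKey` line. The function starts and continues outside this hunk, so it is worth confirming that nothing later resets the flag on failure.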
@@ -2229,9 +2231,10 @@
     return error;
 }
 
-Status KeyStoreService::onKeyguardVisibilityChanged(bool /*isShowing*/, int32_t /*userId*/,
-                                                    int32_t* /*aidl_return*/) {
-    // TODO(67752510)
+Status KeyStoreService::onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
+                                                    int32_t* aidl_return) {
+    enforcement_policy.set_device_locked(isShowing, userId);
+    *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
 
     return Status::ok();
 }
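Review bot: `onKeyguardVisibilityChanged` passes the caller-supplied `isShowing` and `userId` straight to `set_device_locked` with no check of who is calling. The lock state that gates `UNLOCKED_DEVICE_REQUIRED` keys is therefore only as trustworthy as every client able to reach this binder method. Unless access is already restricted elsewhere (not visible in this diff), the body should verify the caller before changing state and return an error code in `*aidl_return` otherwise. A comment such as `// Only the keyguard/system may report lock state; reject other callers before updating enforcement_policy.` would record that contract.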
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index 3e8c25c..5a6e591 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -223,6 +223,8 @@
     bool caller_nonce_authorized_by_key = false;
     bool authentication_required = false;
     bool auth_token_matched = false;
+    bool unlocked_device_required = false;
+    int32_t user_id = -1;
 
     for (auto& param : auth_set) {
 
@@ -283,7 +285,7 @@
             break;
 
         case Tag::USER_ID:
-            // TODO(67752510)
+            user_id = authorizationValue(TAG_USER_ID, param).value();
             break;
 
         case Tag::CALLER_NONCE:
@@ -291,7 +293,7 @@
             break;
 
         case Tag::UNLOCKED_DEVICE_REQUIRED:
-            // TODO(67752510)
+            unlocked_device_required = true;
             break;
 
         /* Tags should never be in key auths. */
@@ -364,6 +366,19 @@
         }
     }
 
+    if (unlocked_device_required && is_device_locked(user_id)) {
+        switch (purpose) {
+        case KeyPurpose::ENCRYPT:
+        case KeyPurpose::VERIFY:
+            /* These are okay */
+            break;
+        case KeyPurpose::DECRYPT:
+        case KeyPurpose::SIGN:
+        case KeyPurpose::WRAP_KEY:
+            return ErrorCode::DEVICE_LOCKED;
+        };
+    }
+
     if (authentication_required && !auth_token_matched) {
         ALOGE("Auth required but no matching auth token found");
         return ErrorCode::KEY_USER_NOT_AUTHENTICATED;
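Review bot: The new `switch (purpose)` has no `default`, so any purpose value other than the five listed falls through and is treated like `ENCRYPT`/`VERIFY` while the device is locked. Failing closed is safer here: add `default: return ErrorCode::DEVICE_LOCKED;`, or return `DEVICE_LOCKED` after the switch unless the purpose is one of the two allowed cases. The denial path is also silent, unlike the `ALOGE` in the check that follows, so a log line there would help when triaging refused operations. The stray `;` after the closing brace of the switch can go. The enclosing function begins and ends outside this hunk, so earlier code may already reject unknown purposes.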
diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h
index 04f974f..e114ea9 100644
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@@ -85,14 +85,18 @@
         return true;
     }
 
-    bool is_device_locked(int32_t /*userId*/) const override {
-        // TODO(67752510)
-        return false;
+    bool is_device_locked(int32_t userId) const override {
+        // If we haven't had a set call for this user yet, assume the device is locked.
+        if (mIsDeviceLockedForUser.count(userId) == 0) return true;
+        return mIsDeviceLockedForUser.find(userId)->second;
     }
 
-    void set_device_locked(bool /*isLocked*/, int32_t /*userId*/) {
-        // TODO(67752510)
+    void set_device_locked(bool isLocked, int32_t userId) {
+        mIsDeviceLockedForUser[userId] = isLocked;
     }
+
+  private:
+    std::map<int32_t, bool> mIsDeviceLockedForUser;
 };
 
 } // namespace keystore
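Review bot: `mIsDeviceLockedForUser` is written by `set_device_locked` and read by `is_device_locked` with no lock in these lines. If the service ever handles these calls on more than one thread, that is a data race on a `std::map` that decides key access. Either guard both accessors with a mutex or document that all callers are serialised, e.g. `// Not thread-safe: callers must serialise access to the enforcement policy.` The read can also use one lookup instead of `count` plus `find`: `auto it = mIsDeviceLockedForUser.find(userId); return it == mIsDeviceLockedForUser.end() || it->second;`, which keeps the locked default for users never seen.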