Revert "Restore "Add "Unlocked device required" parameter to keys""
This reverts commit 05900c1ad8bb08646bdcbb68a90904b86ebf1c45.
Reason for revert: Regression in creating auth-bound keys
Bug: 73773914
Bug: 67752510
Change-Id: I2b247ec871d2a0a2adb9100559e4c821aeba265d
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 8b2cb62..9e882e4 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -84,7 +84,6 @@
srcs: ["keystore_cli.cpp"],
shared_libs: [
"android.hardware.keymaster@3.0",
- "android.hardware.keymaster@4.0",
"libbinder",
"libcrypto",
"libcutils",
@@ -110,8 +109,8 @@
srcs: ["keystore_cli_v2.cpp"],
shared_libs: [
"android.hardware.confirmationui@1.0",
+ "android.hardware.keymaster@3.0",
"libbinder",
- "android.hardware.keymaster@4.0",
"libchrome",
"libutils",
"libhidlbase",
diff --git a/keystore/binder/android/security/IKeystoreService.aidl b/keystore/binder/android/security/IKeystoreService.aidl
index 45bc070..738eb68 100644
--- a/keystore/binder/android/security/IKeystoreService.aidl
+++ b/keystore/binder/android/security/IKeystoreService.aidl
@@ -71,7 +71,7 @@
in byte[] entropy);
int abort(IBinder handle);
boolean isOperationAuthorized(IBinder token);
- int addAuthToken(in byte[] authToken, in int userId);
+ int addAuthToken(in byte[] authToken);
int onUserAdded(int userId, int parentId);
int onUserRemoved(int userId);
int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);
diff --git a/keystore/include/keystore/keymaster_types.h b/keystore/include/keystore/keymaster_types.h
index bd61294..62b43be 100644
--- a/keystore/include/keystore/keymaster_types.h
+++ b/keystore/include/keystore/keymaster_types.h
@@ -83,7 +83,6 @@
using keymaster::TAG_RSA_PUBLIC_EXPONENT;
using keymaster::TAG_USAGE_EXPIRE_DATETIME;
using keymaster::TAG_USER_AUTH_TYPE;
-using keymaster::TAG_USER_ID;
using keymaster::TAG_USER_SECURE_ID;
using keymaster::NullOr;
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index bee9fee..89c31a5 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -372,7 +372,6 @@
return Status::ok();
}
- enforcement_policy.set_device_locked(true, userId);
mKeyStore->lock(userId);
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
return Status::ok();
@@ -401,7 +400,6 @@
return Status::ok();
}
- enforcement_policy.set_device_locked(false, userId);
const String8 password8(pw);
// read master key, decrypt with password, initialize mMasterKey*.
*aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId));
@@ -1468,7 +1466,7 @@
}
Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector,
- int32_t userId, int32_t* aidl_return) {
+ int32_t* aidl_return) {
// TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to
// receive a HardwareAuthToken, rather than an opaque byte array.
@@ -1490,8 +1488,6 @@
return Status::ok();
}
- enforcement_policy.set_device_locked(false, userId);
-
mAuthTokenTable.AddAuthenticationToken(hidlVec2AuthToken(hidl_vec<uint8_t>(authTokenAsVector)));
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
return Status::ok();
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index b238dc4..ce809f8 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -145,7 +145,7 @@
int32_t* _aidl_return) override;
::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token,
bool* _aidl_return) override;
- ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, int32_t userId,
+ ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken,
int32_t* _aidl_return) override;
::android::binder::Status onUserAdded(int32_t userId, int32_t parentId,
int32_t* _aidl_return) override;
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index 5a6e591..d78a5a6 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -223,8 +223,6 @@
bool caller_nonce_authorized_by_key = false;
bool authentication_required = false;
bool auth_token_matched = false;
- bool unlocked_device_required = false;
- int32_t user_id = -1;
for (auto& param : auth_set) {
@@ -284,18 +282,10 @@
}
break;
- case Tag::USER_ID:
- user_id = authorizationValue(TAG_USER_ID, param).value();
- break;
-
case Tag::CALLER_NONCE:
caller_nonce_authorized_by_key = true;
break;
- case Tag::UNLOCKED_DEVICE_REQUIRED:
- unlocked_device_required = true;
- break;
-
/* Tags should never be in key auths. */
case Tag::INVALID:
case Tag::ROOT_OF_TRUST:
@@ -366,19 +356,6 @@
}
}
- if (unlocked_device_required && is_device_locked(user_id)) {
- switch (purpose) {
- case KeyPurpose::ENCRYPT:
- case KeyPurpose::VERIFY:
- /* These are okay */
- break;
- case KeyPurpose::DECRYPT:
- case KeyPurpose::SIGN:
- case KeyPurpose::WRAP_KEY:
- return ErrorCode::DEVICE_LOCKED;
- };
- }
-
if (authentication_required && !auth_token_matched) {
ALOGE("Auth required but no matching auth token found");
return ErrorCode::KEY_USER_NOT_AUTHENTICATED;
diff --git a/keystore/keymaster_enforcement.h b/keystore/keymaster_enforcement.h
index 6e6c54f..d7b27fc 100644
--- a/keystore/keymaster_enforcement.h
+++ b/keystore/keymaster_enforcement.h
@@ -142,11 +142,6 @@
*/
virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;
- /*
- * Returns true if the device screen is currently locked for the specified user.
- */
- virtual bool is_device_locked(int32_t userId) const = 0;
-
private:
ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
const HardwareAuthToken& auth_token, uint64_t op_handle);
diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h
index e114ea9..3cdf649 100644
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@@ -84,19 +84,6 @@
// signing key. Assume the token is good.
return true;
}
-
- bool is_device_locked(int32_t userId) const override {
- // If we haven't had a set call for this user yet, assume the device is locked.
- if (mIsDeviceLockedForUser.count(userId) == 0) return true;
- return mIsDeviceLockedForUser.find(userId)->second;
- }
-
- void set_device_locked(bool isLocked, int32_t userId) {
- mIsDeviceLockedForUser[userId] = isLocked;
- }
-
- private:
- std::map<int32_t, bool> mIsDeviceLockedForUser;
};
} // namespace keystore