Merge "Keystore 2.0: Add safe crypto wrapper"
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index 3b2dff0..00be2b7 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -28,3 +28,22 @@
},
},
}
+
+aidl_interface {
+ name: "android.security.authorizations",
+ srcs: [ "android/security/authorizations/*.aidl" ],
+ imports: [ "android.hardware.security.keymint" ],
+ unstable: true,
+ backend: {
+ java: {
+ sdk_version: "module_current",
+ },
+ rust: {
+ enabled: true,
+ },
+ ndk: {
+ enabled: true,
+ }
+ },
+}
+
diff --git a/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl b/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl
new file mode 100644
index 0000000..d3e80ee
--- /dev/null
+++ b/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl
@@ -0,0 +1,35 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package android.security.authorizations;
+
+import android.hardware.security.keymint.HardwareAuthToken;
+
+/**
+* IKeystoreAuthorization interface exposes the methods for other system components to
+* provide keystore with the information required to enforce authorizations on key usage.
+*/
+interface IKeystoreAuthorization {
+
+ /**
+ * Allows the Android authenticators to hand over an auth token to Keystore.
+ * Callers require 'AddAuth' permission.
+ * ## Error conditions:
+ * `ResponseCode::SYSTEM_ERROR` - if failed to store the auth token in the database or if failed
+ * to add the auth token to the operation, if it is a per-op auth token.
+ *
+ * @param authToken The auth token created by an authenticator, upon user authentication.
+ */
+ void addAuthToken(in HardwareAuthToken authToken);
+}