Merge "Keystore 2.0: Add safe crypto wrapper"
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index 3b2dff0..00be2b7 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -28,3 +28,22 @@
         },
     },
 }
+
+aidl_interface {
+    name: "android.security.authorizations",
+    srcs: [ "android/security/authorizations/*.aidl" ],
+    imports: [ "android.hardware.security.keymint" ],
+    unstable: true,
+    backend: {
+        java: {
+            sdk_version: "module_current",
+        },
+        rust: {
+            enabled: true,
+        },
+        ndk: {
+            enabled: true,
+        }
+    },
+}
+
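Review bot: The new `aidl_interface` block is followed by an empty added line, so the file now ends with a trailing blank line after the closing brace; dropping it keeps the file consistent with the preceding module, which ends directly on `}`. The `unstable: true` setting looks deliberate for a system-internal interface, but a one-line comment above the module saying why the API is not frozen would save the next reader from checking, e.g. `// Internal system interface; not frozen because only in-tree clients use it.` (wording to be confirmed against the intended clients).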
diff --git a/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl b/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl
new file mode 100644
index 0000000..d3e80ee
--- /dev/null
+++ b/keystore2/aidl/android/security/authorizations/IKeystoreAuthorization.aidl
@@ -0,0 +1,35 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package android.security.authorizations;
+
+import android.hardware.security.keymint.HardwareAuthToken;
+
+/**
+* IKeystoreAuthorization interface exposes the methods for other system components to
+* provide keystore with the information required to enforce authorizations on key usage.
+*/
+interface IKeystoreAuthorization {
+
+    /**
+    * Allows the Android authenticators to hand over an auth token to Keystore.
+    * Callers require 'AddAuth' permission.
+    * ## Error conditions:
+    * `ResponseCode::SYSTEM_ERROR` - if failed to store the auth token in the database or if failed
+    * to add the auth token to the operation, if it is a per-op auth token.
+    *
+    * @param authToken The auth token created by an authenticator, upon user authentication.
+    */
+    void addAuthToken(in HardwareAuthToken authToken);
+}
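Review bot: The `## Error conditions:` list under `addAuthToken` omits the permission failure even though the preceding sentence states that callers require the 'AddAuth' permission, so a reader cannot tell from the doc which error code a denied caller receives; add a line such as `* \`ResponseCode::PERMISSION_DENIED\` - if the caller lacks the 'AddAuth' permission.` alongside the existing `SYSTEM_ERROR` entry. The same doc mentions "if it is a per-op auth token" without saying how a per-op token is recognized; a short sentence stating which field of `HardwareAuthToken` distinguishes it (or a pointer to where that is defined) would make the contract self-contained. As a style point, the continuation lines of both doc comments (the interface comment and the method comment) put `*` at the same column as `/**` rather than one column in, which is inconsistent with the usual Javadoc layout used across AIDL files; indenting them by one space fixes it.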