Revert "Delegate auth token parsing to HAL."
This reverts commit 76f21b2676092911ab030c3dde1489902c00ab71.
Reason for revert: b/36637075
Bug: 36637075
Change-Id: Ica737cf96d14086aae7918f8bf2f86a36555d03b
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 4c1f360..cd81674 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -893,9 +893,9 @@
}
}
-static inline void addAuthTokenToParams(AuthorizationSet* params, const hidl_vec<uint8_t>* token) {
+static inline void addAuthTokenToParams(AuthorizationSet* params, const HardwareAuthToken* token) {
if (token) {
- params->push_back(TAG_AUTH_TOKEN, *token);
+ params->push_back(TAG_AUTH_TOKEN, authToken2HidlVec(*token));
}
}
@@ -944,7 +944,7 @@
return;
}
- const hidl_vec<uint8_t>* authToken = NULL;
+ const HardwareAuthToken* authToken = NULL;
// Merge these characteristics with the ones cached when the key was generated or imported
Blob charBlob;
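Review bot: `const HardwareAuthToken* authToken = NULL;` reintroduces `NULL` where the same file already initialises the identical declaration with `nullptr` in addOperationAuthTokenIfNeeded (the `-1549` hunk); write it `const HardwareAuthToken* authToken = nullptr;` here and in the `-1197` hunk as well. The enclosing function starts and ends outside this hunk.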
@@ -1050,7 +1050,7 @@
assert(characteristics.softwareEnforced.size() == 0);
if (authToken) {
- mOperationMap.setOperationAuthToken(operationToken, *authToken);
+ mOperationMap.setOperationAuthToken(operationToken, authToken);
}
// Return the authentication lookup result. If this is a per operation
// auth'd key then the resultCode will be ::OP_AUTH_NEEDED and the
@@ -1197,7 +1197,7 @@
if (!mOperationMap.getOperation(token, &handle, &keyid, &purpose, &dev, &characteristics)) {
return false;
}
- const hidl_vec<uint8_t>* authToken = NULL;
+ const HardwareAuthToken* authToken = NULL;
mOperationMap.getOperationAuthToken(token, &authToken);
AuthorizationSet ignored;
auto authResult = addOperationAuthTokenIfNeeded(token, &ignored);
@@ -1205,25 +1205,38 @@
}
KeyStoreServiceReturnCode KeyStoreService::addAuthToken(const uint8_t* token, size_t length) {
+ // TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to
+ // receive a HardwareAuthToken, rather than an opaque byte array.
+
if (!checkBinderPermission(P_ADD_AUTH)) {
ALOGW("addAuthToken: permission denied for %d", IPCThreadState::self()->getCallingUid());
return ResponseCode::PERMISSION_DENIED;
}
+ if (length != sizeof(hw_auth_token_t)) {
+ return ErrorCode::INVALID_ARGUMENT;
+ }
- hidl_vec<uint8_t> hidl_token;
- hidl_token.setToExternal(const_cast<uint8_t*>(token), length);
+ hw_auth_token_t authToken;
+ memcpy(reinterpret_cast<void*>(&authToken), token, sizeof(hw_auth_token_t));
+ if (authToken.version != 0) {
+ return ErrorCode::INVALID_ARGUMENT;
+ }
- ErrorCode error;
- KeyStoreServiceReturnCode rc =
- KS_HANDLE_HIDL_ERROR(mKeyStore->getDevice()->parseHardwareAuthToken(
- hidl_token, [&](ErrorCode hidlError, const HardwareAuthTokenInfo& tokenInfo) {
- error = hidlError;
- if (error == ErrorCode::OK) {
- mAuthTokenTable.AddAuthenticationToken(hidl_token, tokenInfo);
- }
- }));
- if (rc.isOk()) rc = error;
- return rc;
+ std::unique_ptr<HardwareAuthToken> hidlAuthToken(new HardwareAuthToken);
+ hidlAuthToken->challenge = authToken.challenge;
+ hidlAuthToken->userId = authToken.user_id;
+ hidlAuthToken->authenticatorId = authToken.authenticator_id;
+ hidlAuthToken->authenticatorType = authToken.authenticator_type;
+ hidlAuthToken->timestamp = authToken.timestamp;
+ static_assert(
+ std::is_same<decltype(hidlAuthToken->hmac),
+ ::android::hardware::hidl_array<uint8_t, sizeof(authToken.hmac)>>::value,
+ "This function assumes token HMAC is 32 bytes, but it might not be.");
+ std::copy(authToken.hmac, authToken.hmac + sizeof(authToken.hmac), hidlAuthToken->hmac.data());
+
+ // The table takes ownership of authToken.
+ mAuthTokenTable.AddAuthenticationToken(hidlAuthToken.release());
+ return ResponseCode::NO_ERROR;
}
constexpr size_t KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE = 1024;
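Review bot: The ownership comment before the release names the wrong object: `authToken` is the stack `hw_auth_token_t` that was memcpy'd from the caller's bytes, while what `mAuthTokenTable.AddAuthenticationToken` receives is the released `hidlAuthToken`; change it to `// The table takes ownership of hidlAuthToken.` It is also worth stating in that comment that nothing in this function checks the token's HMAC — the length and version checks only validate the layout — so a reader knows that verification is presumably left to the keymaster device when the token is later passed as TAG_AUTH_TOKEN (confirm against the HAL contract). The `reinterpret_cast<void*>` in the memcpy is redundant, since `&authToken` converts to `void*` implicitly: `memcpy(&authToken, token, sizeof(hw_auth_token_t));`.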
@@ -1494,20 +1507,18 @@
}
/**
- * Get the auth token for this operation from the auth token table. The caller does not acquire
- * ownership of the auth token.
+ * Get the auth token for this operation from the auth token table.
*
- * Returns:
- * ResponseCode::NO_ERROR if the auth token was set or none was required.
- *
- * ::OP_AUTH_NEEDED if it is a per op authorization, no authorization token exists for that
- * operation and failOnTokenMissing is false.
- *
- * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth token for the operation
+ * Returns ResponseCode::NO_ERROR if the auth token was set or none was required.
+ * ::OP_AUTH_NEEDED if it is a per op authorization, no
+ * authorization token exists for that operation and
+ * failOnTokenMissing is false.
+ * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth
+ * token for the operation
*/
KeyStoreServiceReturnCode KeyStoreService::getAuthToken(const KeyCharacteristics& characteristics,
uint64_t handle, KeyPurpose purpose,
- const hidl_vec<uint8_t>** authToken,
+ const HardwareAuthToken** authToken,
bool failOnTokenMissing) {
AuthorizationSet allCharacteristics;
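Review bot: The restored doc comment drops the sentence about ownership of the returned token, yet the `const HardwareAuthToken** authToken` out-parameter still leaves it unstated whether the caller may keep or delete the pointer it receives; keep the previous wording as the first lines, `* Get the auth token for this operation from the auth token table. The caller does not acquire` / `* ownership of the auth token.` The body of getAuthToken continues outside the hunk.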
@@ -1549,7 +1560,7 @@
*/
KeyStoreServiceReturnCode KeyStoreService::addOperationAuthTokenIfNeeded(const sp<IBinder>& token,
AuthorizationSet* params) {
- const hidl_vec<uint8_t>* authToken = nullptr;
+ const HardwareAuthToken* authToken = nullptr;
mOperationMap.getOperationAuthToken(token, &authToken);
if (!authToken) {
km_device_t dev;
@@ -1565,7 +1576,7 @@
return result;
}
if (authToken) {
- mOperationMap.setOperationAuthToken(token, *authToken);
+ mOperationMap.setOperationAuthToken(token, authToken);
}
}
addAuthTokenToParams(params, authToken);