Return the auth token to begin call when timestamp token is required. Accoding to the KM HAL specification, we need to pass the matching authtoken to begin() when timeout bound token is required along with a timestamp token. Bug: 186362193 Test: CtsVerifier->FingerprintBoundTest Change-Id: I52aebfbac70ad5390039e1cbe9bf2b8705a561a0

commit: e093b55a974cfa861f1f30f3dea9d1e6db0e3261 [log] [tgz]
author: Hasini Gunasinghe <hasinitg@google.com> Fri Apr 30 20:05:31 2021 +0000
committer: Hasini Gunasinghe <hasinitg@google.com> Fri Apr 30 20:05:31 2021 +0000
tree: 40f89074bc600d6a9bb316acd511da1d4b00053d
parent: fc1693723e10f76501f72668898058e6ab2c56c7 [diff] [blame]
diff --git a/keystore2/src/enforcements.rs b/keystore2/src/enforcements.rs
index 378b72f..04d1f77 100644
--- a/keystore2/src/enforcements.rs
+++ b/keystore2/src/enforcements.rs

@@ -682,9 +682,10 @@
             // So the HAT cannot be presented on create. So on update/finish we present both
             // an per-op-bound auth token and a timestamp token.
             (Some(_), true, true) => (None, DeferredAuthState::TimeStampedOpAuthRequired),
-            (Some(hat), true, false) => {
-                (None, DeferredAuthState::TimeStampRequired(hat.take_auth_token()))
-            }
+            (Some(hat), true, false) => (
+                Some(hat.auth_token().clone()),
+                DeferredAuthState::TimeStampRequired(hat.take_auth_token()),
+            ),
             (Some(hat), false, true) => {
                 (Some(hat.take_auth_token()), DeferredAuthState::OpAuthRequired)
             }
commit	e093b55a974cfa861f1f30f3dea9d1e6db0e3261	[log] [tgz]
author	Hasini Gunasinghe <hasinitg@google.com>	Fri Apr 30 20:05:31 2021 +0000
committer	Hasini Gunasinghe <hasinitg@google.com>	Fri Apr 30 20:05:31 2021 +0000
tree	40f89074bc600d6a9bb316acd511da1d4b00053d
parent	fc1693723e10f76501f72668898058e6ab2c56c7 [diff] [blame]