Allow Device IDs in Key attestation request
Change Keystore to allow inclusion of device identifiers in the key
attestation request - but if, and only if, the request is coming from
the system context.
This was not supported previously as Device ID attestation was done
separately with an ephemeral key.
But as KeyChain-generated keys need to include device identifiers,
Keystore is changed to allow that, but only for attestation requests
from the system context.
Bug: 63388672
Test: cts-tradefed run commandAndExit cts-dev -a armeabi-v7a -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement
Change-Id: Ibbcf0c51931b644b98ab78b21e92a1edf571dc05
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 137ab48..1db3f23 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -1539,14 +1539,15 @@
return Status::ok();
}
- if (isDeviceIdAttestationRequested(params)) {
- // There is a dedicated attestDeviceIds() method for device ID attestation.
+ uid_t callingUid = IPCThreadState::self()->getCallingUid();
+
+ if (isDeviceIdAttestationRequested(params) && (callingUid != AID_SYSTEM)) {
+ // Only the system context may request Device ID attestation combined with key attestation.
+ // Otherwise, There is a dedicated attestDeviceIds() method for device ID attestation.
*aidl_return = static_cast<int32_t>(KeyStoreServiceReturnCode(ErrorCode::INVALID_ARGUMENT));
return Status::ok();
}
- uid_t callingUid = IPCThreadState::self()->getCallingUid();
-
AuthorizationSet mutableParams = params.getParameters();
KeyStoreServiceReturnCode rc = updateParamsForAttestation(callingUid, &mutableParams);
if (!rc.isOk()) {
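Review bot: The new gate `callingUid != AID_SYSTEM` compares the raw value returned by `IPCThreadState::self()->getCallingUid()` against the bare system AID. If the system context can ever call in under a non-primary user, the UID carries a per-user offset and this comparison will reject a legitimate system caller. Consider comparing the app-id portion of the UID instead, and state in the comment which case is intended. Two smaller points on the same block: the rejection is now an authorization decision but still returns `ErrorCode::INVALID_ARGUMENT`, so a non-system caller cannot tell a malformed request from a denied one, and nothing is logged on denial; a log line with the calling UID would help when auditing who attempts device ID attestation through this path. The comment also has a stray capital in "Otherwise, There".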