Hasini Gunasinghe | 9ec096c | 2020-11-17 00:45:44 +0000 | [diff] [blame] | 1 | // Copyright 2020, The Android Open Source Project |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
| 15 | //! This module defines the AuthTokenHandler enum and its methods. AuthTokenHandler enum represents |
| 16 | //! the different states an auth token and an associated verification token can be expressed during |
| 17 | //! the operation life cycle. |
Hasini Gunasinghe | 9ec096c | 2020-11-17 00:45:44 +0000 | [diff] [blame] | 18 | use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ |
| 19 | HardwareAuthToken::HardwareAuthToken, VerificationToken::VerificationToken, |
| 20 | }; |
| 21 | use anyhow::{Context, Result}; |
| 22 | use std::sync::mpsc::Receiver; |
| 23 | |
| 24 | /// AuthTokenHandler enum has five different variants which are described by the comments above |
Hasini Gunasinghe | 888dd35 | 2020-11-17 23:08:39 +0000 | [diff] [blame] | 25 | // each variant, as follows. |
| 26 | #[derive(Debug)] |
Hasini Gunasinghe | 9ec096c | 2020-11-17 00:45:44 +0000 | [diff] [blame] | 27 | pub enum AuthTokenHandler { |
| 28 | /// Used when an operation does not require an auth token for authorization. |
| 29 | NoAuthRequired, |
| 30 | /// Used to represent the intermediate state between the time the operation is found to be |
| 31 | /// requiring per-op auth and the time the auth token for the operation is found. |
| 32 | OpAuthRequired, |
| 33 | /// Used to represent the intermediate state between the time the operation is found to be |
| 34 | /// using a time_out key with STRONGBOX keymint, and the time a verficiation token is requested |
| 35 | /// from the worker thread which obtains verification tokens from the TEE KeyMint. |
| 36 | VerificationRequired(HardwareAuthToken), |
| 37 | /// Used to represent the intermediate state between the time a verification token is requested |
| 38 | /// from the worker thread which obtains verification tokens from the TEE KeyMint and the time |
| 39 | /// the verification token is received from the worker thread. |
| 40 | Channel(Receiver<(HardwareAuthToken, VerificationToken)>), |
| 41 | /// Used to represent the final state for all operations requiring an auth token for |
| 42 | /// authorization, after the matching auth token (and the associated verification token if |
| 43 | /// required) is found. |
| 44 | Token(HardwareAuthToken, Option<VerificationToken>), |
| 45 | } |
| 46 | |
| 47 | impl AuthTokenHandler { |
Hasini Gunasinghe | 9ec096c | 2020-11-17 00:45:44 +0000 | [diff] [blame] | 48 | /// If Channel variant, block on it until the verification token is sent by the |
Hasini Gunasinghe | 888dd35 | 2020-11-17 23:08:39 +0000 | [diff] [blame] | 49 | /// keystore2 worker thread which obtains verification tokens from TEE Keymint and converts the |
| 50 | /// object from Channel variant to Token variant. |
| 51 | /// Retrieve auth token and verification token from the Token variant of an AuthTokenHandler |
| 52 | /// instance. |
| 53 | pub fn retrieve_auth_and_verification_tokens( |
| 54 | &mut self, |
| 55 | ) -> Result<(Option<&HardwareAuthToken>, Option<&VerificationToken>)> { |
| 56 | // Converts to Token variant if Channel variant found, after retrieving the |
| 57 | // VerificationToken |
Hasini Gunasinghe | 9ec096c | 2020-11-17 00:45:44 +0000 | [diff] [blame] | 58 | if let AuthTokenHandler::Channel(recv) = self { |
| 59 | let (auth_token, verification_token) = |
| 60 | recv.recv().context("In receive_verification_token: sender disconnected.")?; |
| 61 | *self = AuthTokenHandler::Token(auth_token, Some(verification_token)); |
Hasini Gunasinghe | 888dd35 | 2020-11-17 23:08:39 +0000 | [diff] [blame] | 62 | } |
| 63 | // get the tokens from the Token variant |
| 64 | if let AuthTokenHandler::Token(auth_token, optional_verification_token) = self { |
| 65 | Ok((Some(auth_token), optional_verification_token.as_ref())) |
Hasini Gunasinghe | 9ec096c | 2020-11-17 00:45:44 +0000 | [diff] [blame] | 66 | } else { |
Hasini Gunasinghe | 888dd35 | 2020-11-17 23:08:39 +0000 | [diff] [blame] | 67 | Ok((None, None)) |
| 68 | } |
| 69 | } |
| 70 | |
| 71 | /// Retrieve auth token from VerificationRequired and Token variants of an |
| 72 | /// AuthTokenHandler instance. This method is useful when we only expect an auth token and |
| 73 | /// do not expect a verification token. |
| 74 | pub fn get_auth_token(&self) -> Option<&HardwareAuthToken> { |
| 75 | match self { |
| 76 | AuthTokenHandler::VerificationRequired(auth_token) => Some(auth_token), |
| 77 | AuthTokenHandler::Token(auth_token, _) => Some(auth_token), |
| 78 | _ => None, |
Hasini Gunasinghe | 9ec096c | 2020-11-17 00:45:44 +0000 | [diff] [blame] | 79 | } |
| 80 | } |
| 81 | } |