credstore: signingKeyBlob was moved from finishRetrieval() to startRetrieval().
The implementation of the Identity Credential TA in constrained environments may need to incrementally update the HMAC-SHA256 of the DeviceAuthentication CBOR to avoid keeping the entire CBOR structure in memory. To do this, it needs to calculate the derived key before starting to build the CBOR, so it needs access to the signingKey earlier on. Update credstore to pass the signingKey earlier. Bug: 150390415 Test: atest android.security.identity.cts Test: VtsHalIdentityTargetTest Change-Id: If2479a10f80fba748591c30aa7b8662e1063787e
parent
24dce34ad5
commit
55975ecbcf
1 changed files with 23 additions and 22 deletions
|
@ -242,8 +242,28 @@ Status Credential::getEntries(const vector<uint8_t>& requestMessage,
|
|||
}
|
||||
}
|
||||
|
||||
Status status = halBinder_->startRetrieval(selectedProfiles, aidlAuthToken, requestMessage,
|
||||
sessionTranscript, readerSignature, requestCounts);
|
||||
// Note that the selectAuthKey() method is only called if a CryptoObject is involved at
|
||||
// the Java layer. So we could end up with no previously selected auth key and we may
|
||||
// need one.
|
||||
const AuthKeyData* authKey = selectedAuthKey_;
|
||||
if (sessionTranscript.size() > 0) {
|
||||
if (authKey == nullptr) {
|
||||
authKey = data_->selectAuthKey(allowUsingExhaustedKeys);
|
||||
if (authKey == nullptr) {
|
||||
return Status::fromServiceSpecificError(
|
||||
ICredentialStore::ERROR_NO_AUTHENTICATION_KEY_AVAILABLE,
|
||||
"No suitable authentication key available");
|
||||
}
|
||||
}
|
||||
}
|
||||
vector<uint8_t> signingKeyBlob;
|
||||
if (authKey != nullptr) {
|
||||
signingKeyBlob = authKey->keyBlob;
|
||||
}
|
||||
|
||||
Status status =
|
||||
halBinder_->startRetrieval(selectedProfiles, aidlAuthToken, requestMessage, signingKeyBlob,
|
||||
sessionTranscript, readerSignature, requestCounts);
|
||||
if (!status.isOk() && status.exceptionCode() == binder::Status::EX_SERVICE_SPECIFIC) {
|
||||
int code = status.serviceSpecificErrorCode();
|
||||
if (code == IIdentityCredentialStore::STATUS_EPHEMERAL_PUBLIC_KEY_NOT_FOUND) {
|
||||
|
@ -319,26 +339,7 @@ Status Credential::getEntries(const vector<uint8_t>& requestMessage,
|
|||
ret.resultNamespaces.push_back(resultNamespaceParcel);
|
||||
}
|
||||
|
||||
// Note that the selectAuthKey() method is only called if a CryptoObject is involved at
|
||||
// the Java layer. So we could end up with no previously selected auth key and we may
|
||||
// need one.
|
||||
const AuthKeyData* authKey = selectedAuthKey_;
|
||||
if (sessionTranscript.size() > 0) {
|
||||
if (authKey == nullptr) {
|
||||
authKey = data_->selectAuthKey(allowUsingExhaustedKeys);
|
||||
if (authKey == nullptr) {
|
||||
return Status::fromServiceSpecificError(
|
||||
ICredentialStore::ERROR_NO_AUTHENTICATION_KEY_AVAILABLE,
|
||||
"No suitable authentication key available");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
vector<uint8_t> signingKeyBlob;
|
||||
if (authKey != nullptr) {
|
||||
signingKeyBlob = authKey->keyBlob;
|
||||
}
|
||||
status = halBinder_->finishRetrieval(signingKeyBlob, &ret.mac, &ret.deviceNameSpaces);
|
||||
status = halBinder_->finishRetrieval(&ret.mac, &ret.deviceNameSpaces);
|
||||
if (!status.isOk()) {
|
||||
return halStatusToGenericError(status);
|
||||
}
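Review bot: In the first hunk the auth-key selection and its early `ERROR_NO_AUTHENTICATION_KEY_AVAILABLE` return now run before `halBinder_->startRetrieval()`, so the key is chosen before the HAL has accepted the request, and a request the HAL would reject can now fail with the key error first. If `data_->selectAuthKey()` records a use of the key (its body is not visible here), a retrieval that startRetrieval() then rejects would still consume one use; that is worth confirming and stating next to the call. A comment such as `// Key is selected before the HAL validates the request; signingKeyBlob stays empty when no auth key is in use.` would document both the ordering and the empty-blob case that arises when `sessionTranscript` is empty and no key was previously selected. getEntries() begins and ends outside both hunks.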
|
||||
|
|