Revert "Restore "Add "Unlocked device required" parameter to keys""
This reverts commit 05900c1ad8.
Reason for revert: Regression in creating auth-bound keys
Bug: 73773914
Bug: 67752510
Change-Id: I2b247ec871d2a0a2adb9100559e4c821aeba265d
parent
05900c1ad8
commit
ccb492da44
8 changed files with 4 additions and 51 deletions
|
@ -84,7 +84,6 @@ cc_binary {
|
||||||
srcs: ["keystore_cli.cpp"],
|
srcs: ["keystore_cli.cpp"],
|
||||||
shared_libs: [
|
shared_libs: [
|
||||||
"android.hardware.keymaster@3.0",
|
"android.hardware.keymaster@3.0",
|
||||||
"android.hardware.keymaster@4.0",
|
|
||||||
"libbinder",
|
"libbinder",
|
||||||
"libcrypto",
|
"libcrypto",
|
||||||
"libcutils",
|
"libcutils",
|
||||||
|
@ -110,8 +109,8 @@ cc_binary {
|
||||||
srcs: ["keystore_cli_v2.cpp"],
|
srcs: ["keystore_cli_v2.cpp"],
|
||||||
shared_libs: [
|
shared_libs: [
|
||||||
"android.hardware.confirmationui@1.0",
|
"android.hardware.confirmationui@1.0",
|
||||||
|
"android.hardware.keymaster@3.0",
|
||||||
"libbinder",
|
"libbinder",
|
||||||
"android.hardware.keymaster@4.0",
|
|
||||||
"libchrome",
|
"libchrome",
|
||||||
"libutils",
|
"libutils",
|
||||||
"libhidlbase",
|
"libhidlbase",
|
||||||
|
|
|
@ -71,7 +71,7 @@ interface IKeystoreService {
|
||||||
in byte[] entropy);
|
in byte[] entropy);
|
||||||
int abort(IBinder handle);
|
int abort(IBinder handle);
|
||||||
boolean isOperationAuthorized(IBinder token);
|
boolean isOperationAuthorized(IBinder token);
|
||||||
int addAuthToken(in byte[] authToken, in int userId);
|
int addAuthToken(in byte[] authToken);
|
||||||
int onUserAdded(int userId, int parentId);
|
int onUserAdded(int userId, int parentId);
|
||||||
int onUserRemoved(int userId);
|
int onUserRemoved(int userId);
|
||||||
int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);
|
int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);
|
||||||
|
|
|
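Review bot: Dropping the `userId` argument from `addAuthToken` changes the binder transaction layout of `IKeystoreService`, so any caller still compiled against the two-argument signature will have its `addAuthToken` calls fail to unparcel at the service once this lands. The same signature change appears in the `key_store_service.cpp` definition (hunk at -1468) and the `key_store_service.h` declaration (hunk at -145), so those three are consistent with each other; what is not visible here is the framework-side caller, which presumably needs a companion revert. Naming that companion change in the commit message would pin the two together, since nothing on this page does. The AIDL file path is not shown on this page and is inferred from the `interface IKeystoreService` context line.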
@ -83,7 +83,6 @@ using keymaster::TAG_RESET_SINCE_ID_ROTATION;
|
||||||
using keymaster::TAG_RSA_PUBLIC_EXPONENT;
|
using keymaster::TAG_RSA_PUBLIC_EXPONENT;
|
||||||
using keymaster::TAG_USAGE_EXPIRE_DATETIME;
|
using keymaster::TAG_USAGE_EXPIRE_DATETIME;
|
||||||
using keymaster::TAG_USER_AUTH_TYPE;
|
using keymaster::TAG_USER_AUTH_TYPE;
|
||||||
using keymaster::TAG_USER_ID;
|
|
||||||
using keymaster::TAG_USER_SECURE_ID;
|
using keymaster::TAG_USER_SECURE_ID;
|
||||||
|
|
||||||
using keymaster::NullOr;
|
using keymaster::NullOr;
|
||||||
|
|
|
@ -372,7 +372,6 @@ Status KeyStoreService::lock(int32_t userId, int32_t* aidl_return) {
|
||||||
return Status::ok();
|
return Status::ok();
|
||||||
}
|
}
|
||||||
|
|
||||||
enforcement_policy.set_device_locked(true, userId);
|
|
||||||
mKeyStore->lock(userId);
|
mKeyStore->lock(userId);
|
||||||
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
|
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
|
||||||
return Status::ok();
|
return Status::ok();
|
||||||
|
@ -401,7 +400,6 @@ Status KeyStoreService::unlock(int32_t userId, const String16& pw, int32_t* aidl
|
||||||
return Status::ok();
|
return Status::ok();
|
||||||
}
|
}
|
||||||
|
|
||||||
enforcement_policy.set_device_locked(false, userId);
|
|
||||||
const String8 password8(pw);
|
const String8 password8(pw);
|
||||||
// read master key, decrypt with password, initialize mMasterKey*.
|
// read master key, decrypt with password, initialize mMasterKey*.
|
||||||
*aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId));
|
*aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId));
|
||||||
|
@ -1468,7 +1466,7 @@ Status KeyStoreService::isOperationAuthorized(const sp<IBinder>& token, bool* ai
|
||||||
}
|
}
|
||||||
|
|
||||||
Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector,
|
Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector,
|
||||||
int32_t userId, int32_t* aidl_return) {
|
int32_t* aidl_return) {
|
||||||
|
|
||||||
// TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to
|
// TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to
|
||||||
// receive a HardwareAuthToken, rather than an opaque byte array.
|
// receive a HardwareAuthToken, rather than an opaque byte array.
|
||||||
|
@ -1490,8 +1488,6 @@ Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVe
|
||||||
return Status::ok();
|
return Status::ok();
|
||||||
}
|
}
|
||||||
|
|
||||||
enforcement_policy.set_device_locked(false, userId);
|
|
||||||
|
|
||||||
mAuthTokenTable.AddAuthenticationToken(hidlVec2AuthToken(hidl_vec<uint8_t>(authTokenAsVector)));
|
mAuthTokenTable.AddAuthenticationToken(hidlVec2AuthToken(hidl_vec<uint8_t>(authTokenAsVector)));
|
||||||
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
|
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
|
||||||
return Status::ok();
|
return Status::ok();
|
||||||
|
|
|
@ -145,7 +145,7 @@ class KeyStoreService : public android::security::BnKeystoreService,
|
||||||
int32_t* _aidl_return) override;
|
int32_t* _aidl_return) override;
|
||||||
::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token,
|
::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token,
|
||||||
bool* _aidl_return) override;
|
bool* _aidl_return) override;
|
||||||
::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, int32_t userId,
|
::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken,
|
||||||
int32_t* _aidl_return) override;
|
int32_t* _aidl_return) override;
|
||||||
::android::binder::Status onUserAdded(int32_t userId, int32_t parentId,
|
::android::binder::Status onUserAdded(int32_t userId, int32_t parentId,
|
||||||
int32_t* _aidl_return) override;
|
int32_t* _aidl_return) override;
|
||||||
|
|
|
@ -223,8 +223,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
|
||||||
bool caller_nonce_authorized_by_key = false;
|
bool caller_nonce_authorized_by_key = false;
|
||||||
bool authentication_required = false;
|
bool authentication_required = false;
|
||||||
bool auth_token_matched = false;
|
bool auth_token_matched = false;
|
||||||
bool unlocked_device_required = false;
|
|
||||||
int32_t user_id = -1;
|
|
||||||
|
|
||||||
for (auto& param : auth_set) {
|
for (auto& param : auth_set) {
|
||||||
|
|
||||||
|
@ -284,18 +282,10 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case Tag::USER_ID:
|
|
||||||
user_id = authorizationValue(TAG_USER_ID, param).value();
|
|
||||||
break;
|
|
||||||
|
|
||||||
case Tag::CALLER_NONCE:
|
case Tag::CALLER_NONCE:
|
||||||
caller_nonce_authorized_by_key = true;
|
caller_nonce_authorized_by_key = true;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case Tag::UNLOCKED_DEVICE_REQUIRED:
|
|
||||||
unlocked_device_required = true;
|
|
||||||
break;
|
|
||||||
|
|
||||||
/* Tags should never be in key auths. */
|
/* Tags should never be in key auths. */
|
||||||
case Tag::INVALID:
|
case Tag::INVALID:
|
||||||
case Tag::ROOT_OF_TRUST:
|
case Tag::ROOT_OF_TRUST:
|
||||||
|
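Review bot: With the `Tag::USER_ID` and `Tag::UNLOCKED_DEVICE_REQUIRED` cases removed from this switch, and the `DEVICE_LOCKED` check removed in the following hunk (-366), a key whose authorization set carries `UNLOCKED_DEVICE_REQUIRED` is authorized for SIGN/DECRYPT/WRAP_KEY regardless of lock state, but nothing left in `AuthorizeBegin` records that the tag is deliberately unenforced. The switch's handling of a tag with no matching case is outside the hunk, so I cannot tell whether such a key is accepted silently or rejected; either way the gap should be visible to whoever re-lands the feature. A one-line comment next to the `/* Tags should never be in key auths. */` group, e.g. `/* UNLOCKED_DEVICE_REQUIRED is intentionally not enforced here; see Bug 73773914. */`, would do that. `AuthorizeBegin` starts and ends outside this hunk.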
@ -366,19 +356,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (unlocked_device_required && is_device_locked(user_id)) {
|
|
||||||
switch (purpose) {
|
|
||||||
case KeyPurpose::ENCRYPT:
|
|
||||||
case KeyPurpose::VERIFY:
|
|
||||||
/* These are okay */
|
|
||||||
break;
|
|
||||||
case KeyPurpose::DECRYPT:
|
|
||||||
case KeyPurpose::SIGN:
|
|
||||||
case KeyPurpose::WRAP_KEY:
|
|
||||||
return ErrorCode::DEVICE_LOCKED;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
if (authentication_required && !auth_token_matched) {
|
if (authentication_required && !auth_token_matched) {
|
||||||
ALOGE("Auth required but no matching auth token found");
|
ALOGE("Auth required but no matching auth token found");
|
||||||
return ErrorCode::KEY_USER_NOT_AUTHENTICATED;
|
return ErrorCode::KEY_USER_NOT_AUTHENTICATED;
|
||||||
|
|
|
@ -142,11 +142,6 @@ class KeymasterEnforcement {
|
||||||
*/
|
*/
|
||||||
virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;
|
virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;
|
||||||
|
|
||||||
/*
|
|
||||||
* Returns true if the device screen is currently locked for the specified user.
|
|
||||||
*/
|
|
||||||
virtual bool is_device_locked(int32_t userId) const = 0;
|
|
||||||
|
|
||||||
private:
|
private:
|
||||||
ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
|
ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
|
||||||
const HardwareAuthToken& auth_token, uint64_t op_handle);
|
const HardwareAuthToken& auth_token, uint64_t op_handle);
|
||||||
|
|
|
@ -84,19 +84,6 @@ class KeystoreKeymasterEnforcement : public KeymasterEnforcement {
|
||||||
// signing key. Assume the token is good.
|
// signing key. Assume the token is good.
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool is_device_locked(int32_t userId) const override {
|
|
||||||
// If we haven't had a set call for this user yet, assume the device is locked.
|
|
||||||
if (mIsDeviceLockedForUser.count(userId) == 0) return true;
|
|
||||||
return mIsDeviceLockedForUser.find(userId)->second;
|
|
||||||
}
|
|
||||||
|
|
||||||
void set_device_locked(bool isLocked, int32_t userId) {
|
|
||||||
mIsDeviceLockedForUser[userId] = isLocked;
|
|
||||||
}
|
|
||||||
|
|
||||||
private:
|
|
||||||
std::map<int32_t, bool> mIsDeviceLockedForUser;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
} // namespace keystore
|
} // namespace keystore
|
||||||
|
|