Revert "Restore "Add "Unlocked device required" parameter to keys""

This reverts commit 05900c1ad8. Reason for revert: Regression in creating auth-bound keys Bug: 73773914 Bug: 67752510 Change-Id: I2b247ec871d2a0a2adb9100559e4c821aeba265d
2018-02-22 23:36:01 +00:00 · 2018-02-22 23:36:01 +00:00 · ccb492da44
commit ccb492da44
parent 05900c1ad8
8 changed files with 4 additions and 51 deletions
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@ -84,7 +84,6 @@ cc_binary {
    srcs: ["keystore_cli.cpp"],
    shared_libs: [
        "android.hardware.keymaster@3.0",
-        "android.hardware.keymaster@4.0",
        "libbinder",
        "libcrypto",
        "libcutils",
@ -110,8 +109,8 @@ cc_binary {
    srcs: ["keystore_cli_v2.cpp"],
    shared_libs: [
        "android.hardware.confirmationui@1.0",
+        "android.hardware.keymaster@3.0",
        "libbinder",
-        "android.hardware.keymaster@4.0",
        "libchrome",
        "libutils",
        "libhidlbase",
--- a/keystore/binder/android/security/IKeystoreService.aidl
+++ b/keystore/binder/android/security/IKeystoreService.aidl
@ -71,7 +71,7 @@ interface IKeystoreService {
        in byte[] entropy);
    int abort(IBinder handle);
    boolean isOperationAuthorized(IBinder token);
-    int addAuthToken(in byte[] authToken, in int userId);
+    int addAuthToken(in byte[] authToken);
    int onUserAdded(int userId, int parentId);
    int onUserRemoved(int userId);
    int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);
--- a/keystore/include/keystore/keymaster_types.h
+++ b/keystore/include/keystore/keymaster_types.h
@ -83,7 +83,6 @@ using keymaster::TAG_RESET_SINCE_ID_ROTATION;
 using keymaster::TAG_RSA_PUBLIC_EXPONENT;
 using keymaster::TAG_USAGE_EXPIRE_DATETIME;
 using keymaster::TAG_USER_AUTH_TYPE;
-using keymaster::TAG_USER_ID;
 using keymaster::TAG_USER_SECURE_ID;

 using keymaster::NullOr;
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@ -372,7 +372,6 @@ Status KeyStoreService::lock(int32_t userId, int32_t* aidl_return) {
        return Status::ok();
    }

-    enforcement_policy.set_device_locked(true, userId);
    mKeyStore->lock(userId);
    *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
    return Status::ok();
@ -401,7 +400,6 @@ Status KeyStoreService::unlock(int32_t userId, const String16& pw, int32_t* aidl
        return Status::ok();
    }

-    enforcement_policy.set_device_locked(false, userId);
    const String8 password8(pw);
    // read master key, decrypt with password, initialize mMasterKey*.
    *aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId));
@ -1468,7 +1466,7 @@ Status KeyStoreService::isOperationAuthorized(const sp<IBinder>& token, bool* ai
 }

 Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector,
-                                     int32_t userId, int32_t* aidl_return) {
+                                     int32_t* aidl_return) {

    // TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to
    // receive a HardwareAuthToken, rather than an opaque byte array.
@ -1490,8 +1488,6 @@ Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVe
        return Status::ok();
    }

-    enforcement_policy.set_device_locked(false, userId);
-
    mAuthTokenTable.AddAuthenticationToken(hidlVec2AuthToken(hidl_vec<uint8_t>(authTokenAsVector)));
    *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
    return Status::ok();
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@ -145,7 +145,7 @@ class KeyStoreService : public android::security::BnKeystoreService,
                                    int32_t* _aidl_return) override;
    ::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token,
                                                    bool* _aidl_return) override;
-    ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, int32_t userId,
+    ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken,
                                           int32_t* _aidl_return) override;
    ::android::binder::Status onUserAdded(int32_t userId, int32_t parentId,
                                          int32_t* _aidl_return) override;
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@ -223,8 +223,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
    bool caller_nonce_authorized_by_key = false;
    bool authentication_required = false;
    bool auth_token_matched = false;
-    bool unlocked_device_required = false;
-    int32_t user_id = -1;

    for (auto& param : auth_set) {

@ -284,18 +282,10 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
            }
            break;

-        case Tag::USER_ID:
-            user_id = authorizationValue(TAG_USER_ID, param).value();
-            break;
-
        case Tag::CALLER_NONCE:
            caller_nonce_authorized_by_key = true;
            break;

-        case Tag::UNLOCKED_DEVICE_REQUIRED:
-            unlocked_device_required = true;
-            break;
-
        /* Tags should never be in key auths. */
        case Tag::INVALID:
        case Tag::ROOT_OF_TRUST:
@ -366,19 +356,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
        }
    }

-    if (unlocked_device_required && is_device_locked(user_id)) {
-        switch (purpose) {
-        case KeyPurpose::ENCRYPT:
-        case KeyPurpose::VERIFY:
-            /* These are okay */
-            break;
-        case KeyPurpose::DECRYPT:
-        case KeyPurpose::SIGN:
-        case KeyPurpose::WRAP_KEY:
-            return ErrorCode::DEVICE_LOCKED;
-        };
-    }
-
    if (authentication_required && !auth_token_matched) {
        ALOGE("Auth required but no matching auth token found");
        return ErrorCode::KEY_USER_NOT_AUTHENTICATED;
--- a/keystore/keymaster_enforcement.h
+++ b/keystore/keymaster_enforcement.h
@ -142,11 +142,6 @@ class KeymasterEnforcement {
     */
    virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;

-    /*
-     * Returns true if the device screen is currently locked for the specified user.
-     */
-    virtual bool is_device_locked(int32_t userId) const = 0;
-
  private:
    ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
                                      const HardwareAuthToken& auth_token, uint64_t op_handle);
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@ -84,19 +84,6 @@ class KeystoreKeymasterEnforcement : public KeymasterEnforcement {
        // signing key. Assume the token is good.
        return true;
    }
-
-    bool is_device_locked(int32_t userId) const override {
-        // If we haven't had a set call for this user yet, assume the device is locked.
-        if (mIsDeviceLockedForUser.count(userId) == 0) return true;
-        return mIsDeviceLockedForUser.find(userId)->second;
-    }
-
-    void set_device_locked(bool isLocked, int32_t userId) {
-        mIsDeviceLockedForUser[userId] = isLocked;
-    }
-
-  private:
-    std::map<int32_t, bool> mIsDeviceLockedForUser;
 };

 } // namespace keystore