author | Matthew Maurer <mmaurer@google.com> | 2019-04-03 10:36:43 -0700 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2019-04-03 10:36:43 -0700 |
commit | 73c7ed6a6f55c1333929b713936e6b023d41c811 (patch) | |
tree | 7711cdb139442c42dba9ef896c057c86a14c982c | |
parent | 135c773309c3fe53caa02f29834c9d628fb7d7d8 (diff) | |
parent | d1091e1d50d1579e02c919d733f25bae8c78df79 (diff) | |
Enforce TRUSTED_CONFIRMATION_REQUIRED am: b2a4f0b195
am: d1091e1d50
Change-Id: Icef070ae345b858d8086730153ca1f02c9b85ab2
-rw-r--r-- | android_keymaster/keymaster_enforcement.cpp | 19 | ||||
-rw-r--r-- | android_keymaster/keymaster_tags.cpp | 3 | ||||
-rw-r--r-- | include/keymaster/attestation_record.h | 1 | ||||
-rw-r--r-- | include/keymaster/keymaster_tags.h | 1 | ||||
-rw-r--r-- | km_openssl/attestation_record.cpp | 10 |
5 files changed, 29 insertions, 5 deletions
diff --git a/android_keymaster/keymaster_enforcement.cpp b/android_keymaster/keymaster_enforcement.cpp
index e8bc2b2..bc42511 100644
--- a/android_keymaster/keymaster_enforcement.cpp
+++ b/android_keymaster/keymaster_enforcement.cpp
@@ -147,22 +147,30 @@ KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthProxy& auth_set,
                                               const AuthorizationSet& operation_params,
                                               keymaster_operation_handle_t op_handle) {
     int auth_type_index = -1;
+    int trusted_confirmation_index = -1;
     for (size_t pos = 0; pos < auth_set.size(); ++pos) {
         switch (auth_set[pos].tag) {
-        case KM_TAG_NO_AUTH_REQUIRED:
-        case KM_TAG_AUTH_TIMEOUT:
-            // If no auth is required or if auth is timeout-based, we have nothing to check.
-            return KM_ERROR_OK;
-
         case KM_TAG_USER_AUTH_TYPE:
             auth_type_index = pos;
             break;
+        case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
+            trusted_confirmation_index = pos;
+            break;
+        case KM_TAG_NO_AUTH_REQUIRED:
+        case KM_TAG_AUTH_TIMEOUT:
+            // If no auth is required or if auth is timeout-based, we have nothing to check.
         default:
             break;
         }
     }
+    // TODO verify trusted confirmation mac once we have a shared secret established
+    // For now, since we do not have such a service, any token offered here must be invalid.
+    if (trusted_confirmation_index != -1) {
+        return KM_ERROR_NO_USER_CONFIRMATION;
+    }
+
     // Note that at this point we should be able to assume that authentication is required, because
     // authentication is required if KM_TAG_NO_AUTH_REQUIRED is absent. However, there are legacy
     // keys which have no authentication-related tags, so we assume that absence is equivalent to
@@ -345,6 +353,7 @@ keymaster_error_t KeymasterEnforcement::AuthorizeBegin(const keymaster_purpose_t
     case KM_TAG_UNIQUE_ID:
     case KM_TAG_RESET_SINCE_ID_ROTATION:
     case KM_TAG_ALLOW_WHILE_ON_BODY:
+    case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
         break;
         /* TODO(bcyoung): This is currently handled in keystore, but may move to keymaster in the
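Review bot: In the first hunk, dropping the early `return KM_ERROR_OK;` for KM_TAG_NO_AUTH_REQUIRED and KM_TAG_AUTH_TIMEOUT means those keys now fall into `default: break;` and continue past the loop into the authentication checks that follow (AuthorizeUpdateOrFinish's body continues outside the hunk), which the retained comment "at this point we should be able to assume that authentication is required" no longer describes. Unless the code after the hunk re-checks those tags, keys that were usable without an auth token before this change will now be rejected with an auth error. Deferring the return so that a key carrying both tags still has trusted confirmation enforced is the right intent; the way to keep both is to record the tag in the loop and return right after the confirmation check, moving the `// If no auth is required...` comment (now stranded above `default:`) with it. The second hunk only adds the tag to AuthorizeBegin's ignore list and needs nothing.
```cpp
    int auth_type_index = -1;
    int trusted_confirmation_index = -1;
    bool no_auth_required = false;
    // … unchanged: loop header and switch, KM_TAG_USER_AUTH_TYPE and KM_TAG_TRUSTED_CONFIRMATION_REQUIRED cases …
        case KM_TAG_NO_AUTH_REQUIRED:
        case KM_TAG_AUTH_TIMEOUT:
            // Remember it rather than returning: trusted confirmation is enforced below
            // even for keys that need no other authentication.
            no_auth_required = true;
            break;
    // … unchanged: default case, end of switch and loop, trusted-confirmation check …

    // If no auth is required or if auth is timeout-based, we have nothing further to check.
    if (no_auth_required) {
        return KM_ERROR_OK;
    }
```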
diff --git a/android_keymaster/keymaster_tags.cpp b/android_keymaster/keymaster_tags.cpp
index 7ee3728..b26d0ee 100644
--- a/android_keymaster/keymaster_tags.cpp
+++ b/android_keymaster/keymaster_tags.cpp
@@ -109,6 +109,8 @@ const char* StringifyTag(keymaster_tag_t tag) {
         return "KM_TAG_RESET_SINCE_ID_ROTATION";
     case KM_TAG_ALLOW_WHILE_ON_BODY:
         return "KM_TAG_ALLOW_WHILE_ON_BODY";
+    case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
+        return "KM_TAG_TRUSTED_CONFIRMATION_REQUIRED";
     case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
         return "KM_TAG_UNLOCKED_DEVICE_REQUIRED";
     case KM_TAG_ATTESTATION_CHALLENGE:
@@ -181,6 +183,7 @@ DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MEID);
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MANUFACTURER);
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MODEL);
 DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_UNLOCKED_DEVICE_REQUIRED);
+DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_TRUSTED_CONFIRMATION_REQUIRED);
 // DEFINE_KEYMASTER_ENUM_TAG is used to create TypedEnumTag instances for each enum keymaster tag.
diff --git a/include/keymaster/attestation_record.h b/include/keymaster/attestation_record.h
index 6c97c4b..905252d 100644
--- a/include/keymaster/attestation_record.h
+++ b/include/keymaster/attestation_record.h
@@ -71,6 +71,7 @@ typedef struct km_auth_list {
     ASN1_INTEGER* user_auth_type;
     ASN1_INTEGER* auth_timeout;
     ASN1_NULL* allow_while_on_body;
+    ASN1_NULL* trusted_confirmation_required;
     ASN1_NULL* unlocked_device_required;
     ASN1_NULL* all_applications;
     ASN1_OCTET_STRING* application_id;
diff --git a/include/keymaster/keymaster_tags.h b/include/keymaster/keymaster_tags.h
index ac614fe..daa7b19 100644
--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -154,6 +154,7 @@ DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_NO_AUTH_REQUIRED);
 DECLARE_KEYMASTER_TAG(KM_UINT, TAG_AUTH_TIMEOUT);
 DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALLOW_WHILE_ON_BODY);
 DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_UNLOCKED_DEVICE_REQUIRED);
+DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_TRUSTED_CONFIRMATION_REQUIRED);
 DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALL_APPLICATIONS);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_ID);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_DATA);
diff --git a/km_openssl/attestation_record.cpp b/km_openssl/attestation_record.cpp
index 2c94bbf..279088d 100644
--- a/km_openssl/attestation_record.cpp
+++ b/km_openssl/attestation_record.cpp
@@ -229,6 +229,9 @@ keymaster_error_t build_auth_list(const AuthorizationSet& auth_list, KM_AUTH_LIS
     case KM_TAG_CALLER_NONCE:
         bool_ptr = &record->caller_nonce;
         break;
+    case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
+        bool_ptr = &record->trusted_confirmation_required;
+        break;
         /* Byte arrays*/
     case KM_TAG_APPLICATION_ID:
@@ -707,6 +710,13 @@ keymaster_error_t extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet
                                record->attestation_id_model->length))
             return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+    // Trusted confirmation required
+    if (record->trusted_confirmation_required) {
+        if (!auth_list->push_back(TAG_NO_AUTH_REQUIRED)) {
+            return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+        }
+    }
+
     return KM_ERROR_OK;
 }
|
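Review bot: `bool_ptr = &record->trusted_confirmation_required;` in build_auth_list only takes effect if the new km_auth_list member is also listed in the ASN1_SEQUENCE template that drives i2d/d2i of KM_AUTH_LIST; this commit adds the struct member in include/keymaster/attestation_record.h, but the diffstat for km_openssl/attestation_record.cpp is fully accounted for by the two visible hunks, so no template change is part of it. If that entry is not added in a separate change, the tag is silently omitted from the encoded attestation record and never recovered by extract_auth_list, and relying parties would not see that the key requires confirmation. Worth confirming against the existing template entry for allow_while_on_body before merging.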
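Review bot: The new block in extract_auth_list pushes the wrong tag: when `record->trusted_confirmation_required` is set it calls `auth_list->push_back(TAG_NO_AUTH_REQUIRED)`, so a decoded attestation record would say the key needs no authentication rather than that it requires user confirmation — the inverse of the policy this commit enforces, and a mismatch with the tag build_auth_list maps onto this member in the previous hunk. The line should read `if (!auth_list->push_back(TAG_TRUSTED_CONFIRMATION_REQUIRED)) {`. A round-trip test through build_auth_list and extract_auth_list with this tag set would catch it.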