authorMatthew Maurer <mmaurer@google.com>2019-04-03 10:36:43 -0700
committerandroid-build-merger <android-build-merger@google.com>2019-04-03 10:36:43 -0700
commit73c7ed6a6f55c1333929b713936e6b023d41c811 (patch)
tree7711cdb139442c42dba9ef896c057c86a14c982c
parent135c773309c3fe53caa02f29834c9d628fb7d7d8 (diff)
parentd1091e1d50d1579e02c919d733f25bae8c78df79 (diff)
Enforce TRUSTED_CONFIRMATION_REQUIRED am: b2a4f0b195
am: d1091e1d50 Change-Id: Icef070ae345b858d8086730153ca1f02c9b85ab2
-rw-r--r--android_keymaster/keymaster_enforcement.cpp19
-rw-r--r--android_keymaster/keymaster_tags.cpp3
-rw-r--r--include/keymaster/attestation_record.h1
-rw-r--r--include/keymaster/keymaster_tags.h1
-rw-r--r--km_openssl/attestation_record.cpp10
5 files changed, 29 insertions, 5 deletions
diff --git a/android_keymaster/keymaster_enforcement.cpp b/android_keymaster/keymaster_enforcement.cpp
index e8bc2b2..bc42511 100644
--- a/android_keymaster/keymaster_enforcement.cpp
+++ b/android_keymaster/keymaster_enforcement.cpp
@@ -147,22 +147,30 @@ KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthProxy& auth_set,
const AuthorizationSet& operation_params,
keymaster_operation_handle_t op_handle) {
int auth_type_index = -1;
+ int trusted_confirmation_index = -1;
for (size_t pos = 0; pos < auth_set.size(); ++pos) {
switch (auth_set[pos].tag) {
- case KM_TAG_NO_AUTH_REQUIRED:
- case KM_TAG_AUTH_TIMEOUT:
- // If no auth is required or if auth is timeout-based, we have nothing to check.
- return KM_ERROR_OK;
-
case KM_TAG_USER_AUTH_TYPE:
auth_type_index = pos;
break;
+ case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
+ trusted_confirmation_index = pos;
+ break;
+ case KM_TAG_NO_AUTH_REQUIRED:
+ case KM_TAG_AUTH_TIMEOUT:
+ // If no auth is required or if auth is timeout-based, we have nothing to check.
default:
break;
}
}
+ // TODO verify trusted confirmation mac once we have a shared secret established
+ // For now, since we do not have such a service, any token offered here must be invalid.
+ if (trusted_confirmation_index != -1) {
+ return KM_ERROR_NO_USER_CONFIRMATION;
+ }
+
// Note that at this point we should be able to assume that authentication is required, because
// authentication is required if KM_TAG_NO_AUTH_REQUIRED is absent. However, there are legacy
// keys which have no authentication-related tags, so we assume that absence is equivalent to
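Review bot: Removing the early `return KM_ERROR_OK` for KM_TAG_NO_AUTH_REQUIRED / KM_TAG_AUTH_TIMEOUT (the deleted lines are replaced by a fall-through into `default: break;`) changes more than the confirmation check: a timeout-based key also carries KM_TAG_USER_AUTH_TYPE, so it now sets auth_type_index and continues into the per-operation auth-token check below the hunk instead of being accepted, and update/finish on such keys would presumably start demanding a fresh token. The comment left at the end of the hunk still tells the reader that authentication may be assumed required at that point, which the loop no longer guarantees. Keep the trusted-confirmation rejection first, but record the exemption instead of dropping it: `bool no_auth_required = false;` next to the two indices, `no_auth_required = true; break;` under the two cases in place of the fall-through, and `if (no_auth_required) return KM_ERROR_OK;` directly after the trusted-confirmation block. The body of AuthorizeUpdateOrFinish continues outside the hunk, so which check is reached afterwards is inferred from the surviving comment.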
@@ -345,6 +353,7 @@ keymaster_error_t KeymasterEnforcement::AuthorizeBegin(const keymaster_purpose_t
case KM_TAG_UNIQUE_ID:
case KM_TAG_RESET_SINCE_ID_ROTATION:
case KM_TAG_ALLOW_WHILE_ON_BODY:
+ case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
break;
/* TODO(bcyoung): This is currently handled in keystore, but may move to keymaster in the
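Review bot: The new case label joins a group of tags that AuthorizeBegin skips silently, with no comment saying why a tag named *_REQUIRED is deliberately not enforced at begin; the first hunk shows the check living in AuthorizeUpdateOrFinish, and a one-line comment such as `// Enforced per operation in AuthorizeUpdateOrFinish; nothing to check at begin.` above the case would spare the next reader that cross-reference. The enclosing switch and AuthorizeBegin's body start and end outside the hunk.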
diff --git a/android_keymaster/keymaster_tags.cpp b/android_keymaster/keymaster_tags.cpp
index 7ee3728..b26d0ee 100644
--- a/android_keymaster/keymaster_tags.cpp
+++ b/android_keymaster/keymaster_tags.cpp
@@ -109,6 +109,8 @@ const char* StringifyTag(keymaster_tag_t tag) {
return "KM_TAG_RESET_SINCE_ID_ROTATION";
case KM_TAG_ALLOW_WHILE_ON_BODY:
return "KM_TAG_ALLOW_WHILE_ON_BODY";
+ case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
+ return "KM_TAG_TRUSTED_CONFIRMATION_REQUIRED";
case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
return "KM_TAG_UNLOCKED_DEVICE_REQUIRED";
case KM_TAG_ATTESTATION_CHALLENGE:
@@ -181,6 +183,7 @@ DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MEID);
DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MANUFACTURER);
DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MODEL);
DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_UNLOCKED_DEVICE_REQUIRED);
+DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_TRUSTED_CONFIRMATION_REQUIRED);
// DEFINE_KEYMASTER_ENUM_TAG is used to create TypedEnumTag instances for each enum keymaster tag.
diff --git a/include/keymaster/attestation_record.h b/include/keymaster/attestation_record.h
index 6c97c4b..905252d 100644
--- a/include/keymaster/attestation_record.h
+++ b/include/keymaster/attestation_record.h
@@ -71,6 +71,7 @@ typedef struct km_auth_list {
ASN1_INTEGER* user_auth_type;
ASN1_INTEGER* auth_timeout;
ASN1_NULL* allow_while_on_body;
+ ASN1_NULL* trusted_confirmation_required;
ASN1_NULL* unlocked_device_required;
ASN1_NULL* all_applications;
ASN1_OCTET_STRING* application_id;
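Review bot: Adding `trusted_confirmation_required` to km_auth_list is only half of the wire change: the ASN1_SEQUENCE template that maps KM_AUTH_LIST members to their explicit tags is not touched anywhere in this commit (the two hunks in km_openssl/attestation_record.cpp account for all 10 changed lines in the diffstat), so unless that template already lists the member, the field is never DER-encoded after build_auth_list sets it nor populated before extract_auth_list reads it, and the tag would be silently dropped from attestation records. The expected companion is an `ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL, ...)` entry next to the allow_while_on_body / unlocked_device_required entries, using whatever tag numbering the neighbouring entries use. The struct definition begins before the hunk and the template itself is outside SOURCE, so this is inferred from the diffstat rather than seen.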
diff --git a/include/keymaster/keymaster_tags.h b/include/keymaster/keymaster_tags.h
index ac614fe..daa7b19 100644
--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -154,6 +154,7 @@ DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_NO_AUTH_REQUIRED);
DECLARE_KEYMASTER_TAG(KM_UINT, TAG_AUTH_TIMEOUT);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALLOW_WHILE_ON_BODY);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_UNLOCKED_DEVICE_REQUIRED);
+DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_TRUSTED_CONFIRMATION_REQUIRED);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALL_APPLICATIONS);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_ID);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_DATA);
diff --git a/km_openssl/attestation_record.cpp b/km_openssl/attestation_record.cpp
index 2c94bbf..279088d 100644
--- a/km_openssl/attestation_record.cpp
+++ b/km_openssl/attestation_record.cpp
@@ -229,6 +229,9 @@ keymaster_error_t build_auth_list(const AuthorizationSet& auth_list, KM_AUTH_LIS
case KM_TAG_CALLER_NONCE:
bool_ptr = &record->caller_nonce;
break;
+ case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
+ bool_ptr = &record->trusted_confirmation_required;
+ break;
/* Byte arrays*/
case KM_TAG_APPLICATION_ID:
@@ -707,6 +710,13 @@ keymaster_error_t extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet
record->attestation_id_model->length))
return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+ // Trusted confirmation required
+ if (record->trusted_confirmation_required) {
+ if (!auth_list->push_back(TAG_NO_AUTH_REQUIRED)) {
+ return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+ }
+ }
+
return KM_ERROR_OK;
}
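Review bot: The tag pushed when a record's `trusted_confirmation_required` member is set is `TAG_NO_AUTH_REQUIRED`, which looks like a copy-paste slip: a key that demands user confirmation for every use would be reported on extraction as needing no authentication at all, inverting the property the record is meant to convey, and the round trip with build_auth_list (which stores KM_TAG_TRUSTED_CONFIRMATION_REQUIRED into that same member in the previous hunk) no longer matches. The line should read `if (!auth_list->push_back(TAG_TRUSTED_CONFIRMATION_REQUIRED)) {`. As a point of style, the new block braces a single-statement `if` while the attestation_id_model check just above it does not; either form is fine, but the file's prevailing form is worth following. extract_auth_list starts before the hunk.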