-rw-r--r-- | android_keymaster/android_keymaster_messages.cpp | 9 | ||||
-rw-r--r-- | android_keymaster/keymaster_enforcement.cpp | 19 | ||||
-rw-r--r-- | android_keymaster/keymaster_tags.cpp | 3 | ||||
-rw-r--r-- | include/keymaster/attestation_record.h | 1 | ||||
-rw-r--r-- | include/keymaster/keymaster_tags.h | 1 | ||||
-rw-r--r-- | km_openssl/attestation_record.cpp | 10 |
6 files changed, 34 insertions, 9 deletions
diff --git a/android_keymaster/android_keymaster_messages.cpp b/android_keymaster/android_keymaster_messages.cpp
index 1c5695e..6eb6a5f 100644
--- a/android_keymaster/android_keymaster_messages.cpp
+++ b/android_keymaster/android_keymaster_messages.cpp
@@ -635,13 +635,14 @@ size_t ImportWrappedKeyRequest::SerializedSize() const {
 return sizeof(uint32_t) /* wrapped_key_data_length */ + wrapped_key.key_material_size +
 sizeof(uint32_t) /* wrapping_key_data_length */ + wrapping_key.key_material_size +
 sizeof(uint32_t) /* masking_key_data_length */ + masking_key.key_material_size +
- additional_params.SerializedSize();
+ additional_params.SerializedSize() + sizeof(uint64_t) /* password_sid */ +
+ sizeof(uint64_t) /* biometric_sid */;
 }
 
 uint8_t* ImportWrappedKeyRequest::Serialize(uint8_t* buf, const uint8_t* end) const {
- serialize_key_blob(wrapped_key, buf, end);
- serialize_key_blob(wrapping_key, buf, end);
- serialize_key_blob(masking_key, buf, end);
+ buf = serialize_key_blob(wrapped_key, buf, end);
+ buf = serialize_key_blob(wrapping_key, buf, end);
+ buf = serialize_key_blob(masking_key, buf, end);
 buf = additional_params.Serialize(buf, end);
 buf = append_uint64_to_buf(buf, end, password_sid);
 return append_uint64_to_buf(buf, end, biometric_sid);
diff --git a/android_keymaster/keymaster_enforcement.cpp b/android_keymaster/keymaster_enforcement.cpp
index e8bc2b2..bc42511 100644
--- a/android_keymaster/keymaster_enforcement.cpp
+++ b/android_keymaster/keymaster_enforcement.cpp
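Review bot: The three discarded return values this hunk repairs in `ImportWrappedKeyRequest::Serialize` are the kind of defect the compiler can flag: if `serialize_key_blob` (declared outside this hunk) were marked `[[nodiscard]]`, or `__attribute__((warn_unused_result))` where C++17 is not available, the original `serialize_key_blob(wrapped_key, buf, end);` lines would have produced a warning instead of a wire-format bug. The `SerializedSize()` change now matches the two `uint64_t` SIDs that `Serialize` already appends, but the `Deserialize` counterpart is not in this diff and should be checked to read the same two fields in the same order, since a size/serialize/deserialize mismatch on a message that crosses the keystore/keymaster boundary is exactly what a parser must not be handed. Both functions are fully within the hunk.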
@@ -147,22 +147,30 @@ KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthProxy& auth_set,
 const AuthorizationSet& operation_params,
 keymaster_operation_handle_t op_handle) {
 int auth_type_index = -1;
+ int trusted_confirmation_index = -1;
 for (size_t pos = 0; pos < auth_set.size(); ++pos) {
 switch (auth_set[pos].tag) {
- case KM_TAG_NO_AUTH_REQUIRED:
- case KM_TAG_AUTH_TIMEOUT:
- // If no auth is required or if auth is timeout-based, we have nothing to check.
- return KM_ERROR_OK;
-
 case KM_TAG_USER_AUTH_TYPE:
 auth_type_index = pos;
 break;
+ case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
+ trusted_confirmation_index = pos;
+ break;
+ case KM_TAG_NO_AUTH_REQUIRED:
+ case KM_TAG_AUTH_TIMEOUT:
+ // If no auth is required or if auth is timeout-based, we have nothing to check.
 default:
 break;
 }
 }
 
+ // TODO verify trusted confirmation mac once we have a shared secret established
+ // For now, since we do not have such a service, any token offered here must be invalid.
+ if (trusted_confirmation_index != -1) {
+ return KM_ERROR_NO_USER_CONFIRMATION;
+ }
+
 // Note that at this point we should be able to assume that authentication is required, because
 // authentication is required if KM_TAG_NO_AUTH_REQUIRED is absent. However, there are legacy
 // keys which have no authentication-related tags, so we assume that absence is equivalent to
@@ -345,6 +353,7 @@ keymaster_error_t KeymasterEnforcement::AuthorizeBegin(const keymaster_purpose_t
 case KM_TAG_UNIQUE_ID:
 case KM_TAG_RESET_SINCE_ID_ROTATION:
 case KM_TAG_ALLOW_WHILE_ON_BODY:
+ case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
 break;
 
 /* TODO(bcyoung): This is currently handled in keystore, but may move to keymaster in the
diff --git a/android_keymaster/keymaster_tags.cpp b/android_keymaster/keymaster_tags.cpp
index 7ee3728..b26d0ee 100644
--- a/android_keymaster/keymaster_tags.cpp
+++ b/android_keymaster/keymaster_tags.cpp
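Review bot: Dropping the `return KM_ERROR_OK;` for `KM_TAG_NO_AUTH_REQUIRED` and `KM_TAG_AUTH_TIMEOUT` changes more than the new tag requires: those cases now fall through to `default: break;`, so keys carrying either tag continue into the code after the loop, and the comment that follows states that this code assumes authentication is required. Unless code past the end of the hunk re-checks those tags, update/finish on a no-auth or timeout-auth key will now demand an auth token it was never meant to need. Rejecting trusted-confirmation keys before that point is a sound fail-closed default while MAC verification is unimplemented, so the no-auth early exit should be restored after the new check rather than removed, e.g. by recording a flag in the loop and returning once the trusted-confirmation check has passed. The new comment also says "any token offered here must be invalid" while the code rejects on the key's tag alone without consulting `operation_params`; `// No confirmation-token verification exists yet, so any key tagged TRUSTED_CONFIRMATION_REQUIRED is unusable in update/finish (fail closed).` describes what is actually enforced. The function body continues past the end of the hunk.

```cpp
    int auth_type_index = -1;
    int trusted_confirmation_index = -1;
    bool no_auth_required = false;
    for (size_t pos = 0; pos < auth_set.size(); ++pos) {
        switch (auth_set[pos].tag) {
        // … unchanged: KM_TAG_USER_AUTH_TYPE and KM_TAG_TRUSTED_CONFIRMATION_REQUIRED cases …
        case KM_TAG_NO_AUTH_REQUIRED:
        case KM_TAG_AUTH_TIMEOUT:
            // No auth-token check is needed for these keys, but the trusted-confirmation
            // requirement below still applies, so only record the fact here.
            no_auth_required = true;
            break;
        default:
            break;
        }
    }

    // … unchanged: trusted_confirmation_index check returning KM_ERROR_NO_USER_CONFIRMATION …

    if (no_auth_required) {
        return KM_ERROR_OK;
    }
```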
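Review bot: In the `AuthorizeBegin` hunk, `KM_TAG_TRUSTED_CONFIRMATION_REQUIRED` joins the list of tags that fall to a bare `break;`, so a reader cannot tell whether the tag is intentionally ignored at begin() or simply forgotten; the first hunk shows the check actually lives in `AuthorizeUpdateOrFinish`. A trailing comment on the new case records that decision: `case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:  // Enforced in AuthorizeUpdateOrFinish, not at begin()`. The enclosing switch and function extend beyond the hunk.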
@@ -109,6 +109,8 @@ const char* StringifyTag(keymaster_tag_t tag) {
 return "KM_TAG_RESET_SINCE_ID_ROTATION";
 case KM_TAG_ALLOW_WHILE_ON_BODY:
 return "KM_TAG_ALLOW_WHILE_ON_BODY";
+ case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
+ return "KM_TAG_TRUSTED_CONFIRMATION_REQUIRED";
 case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
 return "KM_TAG_UNLOCKED_DEVICE_REQUIRED";
 case KM_TAG_ATTESTATION_CHALLENGE:
@@ -181,6 +183,7 @@ DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MEID);
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MANUFACTURER);
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MODEL);
 DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_UNLOCKED_DEVICE_REQUIRED);
+DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_TRUSTED_CONFIRMATION_REQUIRED);
 
 // DEFINE_KEYMASTER_ENUM_TAG is used to create TypedEnumTag instances for each enum keymaster tag.
diff --git a/include/keymaster/attestation_record.h b/include/keymaster/attestation_record.h
index 6c97c4b..905252d 100644
--- a/include/keymaster/attestation_record.h
+++ b/include/keymaster/attestation_record.h
@@ -71,6 +71,7 @@ typedef struct km_auth_list {
 ASN1_INTEGER* user_auth_type;
 ASN1_INTEGER* auth_timeout;
 ASN1_NULL* allow_while_on_body;
+ ASN1_NULL* trusted_confirmation_required;
 ASN1_NULL* unlocked_device_required;
 ASN1_NULL* all_applications;
 ASN1_OCTET_STRING* application_id;
diff --git a/include/keymaster/keymaster_tags.h b/include/keymaster/keymaster_tags.h
index ac614fe..daa7b19 100644
--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -154,6 +154,7 @@ DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_NO_AUTH_REQUIRED);
 DECLARE_KEYMASTER_TAG(KM_UINT, TAG_AUTH_TIMEOUT);
 DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALLOW_WHILE_ON_BODY);
 DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_UNLOCKED_DEVICE_REQUIRED);
+DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_TRUSTED_CONFIRMATION_REQUIRED);
 DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALL_APPLICATIONS);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_ID);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_DATA);
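Review bot: The new `trusted_confirmation_required` member of `km_auth_list` in attestation_record.h has no matching entry in the `ASN1_SEQUENCE(KM_AUTH_LIST)` template within this commit: the 10-line diffstat for km_openssl/attestation_record.cpp is fully accounted for by the two hunks shown, and neither touches the template. If the template is indeed not updated, `build_auth_list` sets a pointer that `i2d` never encodes and `d2i` never populates, so attestation records silently omit the requirement and the new branch in `extract_auth_list` is unreachable. The header change should travel with an `ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL, <tag number>)` entry (constructed example; the tag number follows the file's existing convention) placed so the sequence stays in ascending tag order, plus a build/extract round-trip test for the new tag. I cannot see the template definition from here, so this is moot if it lives in another file.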
diff --git a/km_openssl/attestation_record.cpp b/km_openssl/attestation_record.cpp
index 2c94bbf..279088d 100644
--- a/km_openssl/attestation_record.cpp
+++ b/km_openssl/attestation_record.cpp
@@ -229,6 +229,9 @@ keymaster_error_t build_auth_list(const AuthorizationSet& auth_list, KM_AUTH_LIS
 case KM_TAG_CALLER_NONCE:
 bool_ptr = &record->caller_nonce;
 break;
+ case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
+ bool_ptr = &record->trusted_confirmation_required;
+ break;
 
 /* Byte arrays*/
 case KM_TAG_APPLICATION_ID:
@@ -707,6 +710,13 @@ keymaster_error_t extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet
 record->attestation_id_model->length))
 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
 
+ // Trusted confirmation required
+ if (record->trusted_confirmation_required) {
+ if (!auth_list->push_back(TAG_NO_AUTH_REQUIRED)) {
+ return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+ }
+ }
+
 return KM_ERROR_OK;
 }
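Review bot: The new branch in `extract_auth_list` pushes the wrong tag: when `record->trusted_confirmation_required` is set it calls `auth_list->push_back(TAG_NO_AUTH_REQUIRED)`, so a parsed attestation record would describe a key that requires user confirmation as one that requires no authentication at all, the opposite of its actual policy. The line should read `if (!auth_list->push_back(TAG_TRUSTED_CONFIRMATION_REQUIRED)) {`, mirroring the `build_auth_list` side added in the first hunk of this file. A build-then-extract round-trip test on an authorization set containing the new tag would have caught this and is worth adding alongside the fix. `extract_auth_list` begins before the hunk.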