diff options
author | Max Bires <jbires@google.com> | 2021-07-01 13:19:27 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-07-01 13:19:27 +0000 |
commit | 6a1afdb0f31ab6785d57aacc318f9d80025bcac4 (patch) | |
tree | cf009ac83f2be0d049eed9263d08007362bbcc25 | |
parent | 21eddbdfed327ef56ad0b24ab6f4247d2cdac086 (diff) | |
parent | 43a43af46a99983957fe43ffc07d141090d132f7 (diff) | |
download | security-6a1afdb0f31ab6785d57aacc318f9d80025bcac4.tar.gz |
Merge "Only fetch an attestation key if challenge present" into sc-dev am: 43a43af46a
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15143707
Change-Id: Ic5876c4d4e35c9e8d4d8a428a98d3b68c9ed5d79
-rw-r--r-- | keystore2/src/attestation_key_utils.rs | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/keystore2/src/attestation_key_utils.rs b/keystore2/src/attestation_key_utils.rs index 425eec66..ca00539b 100644 --- a/keystore2/src/attestation_key_utils.rs +++ b/keystore2/src/attestation_key_utils.rs @@ -22,7 +22,7 @@ use crate::permission::KeyPerm; use crate::remote_provisioning::RemProvState; use crate::utils::check_key_permission; use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ - AttestationKey::AttestationKey, Certificate::Certificate, KeyParameter::KeyParameter, + AttestationKey::AttestationKey, Certificate::Certificate, KeyParameter::KeyParameter, Tag::Tag, }; use android_system_keystore2::aidl::android::system::keystore2::{ Domain::Domain, KeyDescriptor::KeyDescriptor, @@ -47,8 +47,8 @@ pub enum AttestationKeyInfo { } /// This function loads and, optionally, assigns the caller's remote provisioned -/// attestation key or, if `attest_key_descriptor` is given, it loads the user -/// generated attestation key from the database. +/// attestation key if a challenge is present. Alternatively, if `attest_key_descriptor` is given, +/// it loads the user generated attestation key from the database. pub fn get_attest_key_info( key: &KeyDescriptor, caller_uid: u32, @@ -57,8 +57,9 @@ pub fn get_attest_key_info( rem_prov_state: &RemProvState, db: &mut KeystoreDB, ) -> Result<Option<AttestationKeyInfo>> { + let challenge_present = params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE); match attest_key_descriptor { - None => rem_prov_state + None if challenge_present => rem_prov_state .get_remotely_provisioned_attestation_key_and_certs(&key, caller_uid, params, db) .context(concat!( "In get_attest_key_and_cert_chain: ", @@ -69,6 +70,7 @@ pub fn get_attest_key_info( AttestationKeyInfo::RemoteProvisioned { attestation_key, attestation_certs } }) }), + None => Ok(None), Some(attest_key) => get_user_generated_attestation_key(&attest_key, caller_uid, db) .context("In get_attest_key_and_cert_chain: Trying to load attest key") .map(Some), |