authorShawn Willden <swillden@google.com>2018-05-22 16:13:24 -0600
committerShawn Willden <swillden@google.com>2018-05-22 17:00:26 -0600
commit2eef1356a8c0d2592f8d0e8af63ecbec81d59c5a (patch)
tree35d3a05dafc2a4656d0a808373d6296084b33196
parent41705f271e14558e66125fed4b9b9510fd475fd8 (diff)
Fix StrongBox verification token support.pie-dev
Change-Id: I7dd51b1443e607fcca330ffb679b27c68c36cf7d Bug: 79698245 Test: Keystore CTS tests with dummy strongbox enabled
-rw-r--r--keystore/key_store_service.cpp23
-rw-r--r--keystore/operation.cpp13
-rw-r--r--keystore/operation.h3
-rw-r--r--keystore/operation_struct.h1
4 files changed, 34 insertions, 6 deletions
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 191811aa..9d035c83 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -1345,6 +1345,24 @@ Status KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name,
return Status::ok();
}
+ VerificationToken verificationToken;
+ if (authResult.isOk() && authToken.mac.size() &&
+ dev->halVersion().securityLevel == SecurityLevel::STRONGBOX) {
+ // This operation needs an auth token, but the device is a STRONGBOX, so it can't check the
+ // timestamp in the auth token. Get a VerificationToken from the TEE, which will be passed
+ // to update() and begin().
+ rc = KS_HANDLE_HIDL_ERROR(mKeyStore->getDevice(SecurityLevel::TRUSTED_ENVIRONMENT)
+ ->verifyAuthorization(result->handle,
+ {} /* parametersToVerify */, authToken,
+ [&](auto error, const auto& token) {
+ result->resultCode = error;
+ verificationToken = token;
+ }));
+
+ if (rc != ErrorCode::OK) result->resultCode = rc;
+ if (result->resultCode != ErrorCode::OK) return Status::ok();
+ }
+
// Note: The operation map takes possession of the contents of "characteristics".
// It is safe to use characteristics after the following line but it will be empty.
sp<IBinder> operationToken =
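Review bot: The comment at the top of the new STRONGBOX branch says the VerificationToken "will be passed to update() and begin()", but the token is obtained inside begin() itself and the later hunks in this file pass it to update() and finish(); change the last comment line to `// to update() and finish().`. The `result->handle` handed to verifyAuthorization as the challenge suggests the StrongBox operation has already been started by this point; if so, the early `return Status::ok();` on a verification failure leaves that operation open on the device unless something outside the hunk aborts it, which deserves either an abort on that path or a comment saying who cleans it up. The condition `authToken.mac.size()` reads as a length rather than a predicate; `!authToken.mac.empty()` states the intent. KeyStoreService::begin starts before and continues after this hunk.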
@@ -1355,6 +1373,7 @@ Status KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name,
result->token = operationToken;
mOperationMap.setOperationAuthToken(operationToken, std::move(authToken));
+ mOperationMap.setOperationVerificationToken(operationToken, std::move(verificationToken));
// Return the authentication lookup result. If this is a per operation
// auth'd key then the resultCode will be ::OP_AUTH_NEEDED and the
@@ -1428,7 +1447,7 @@ Status KeyStoreService::update(const sp<IBinder>& token, const KeymasterArgument
};
KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
- op.device->update(op.handle, inParams, data, authToken, VerificationToken(), hidlCb));
+ op.device->update(op.handle, inParams, data, authToken, op.verificationToken, hidlCb));
// just a reminder: on success result->resultCode was set in the callback. So we only overwrite
// it if there was a communication error indicated by the ErrorCode.
@@ -1487,7 +1506,7 @@ Status KeyStoreService::finish(const sp<IBinder>& token, const KeymasterArgument
KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
op.device->finish(op.handle, inParams,
::std::vector<uint8_t>() /* TODO(swillden): wire up input to finish() */,
- signature, authToken, VerificationToken(), hidlCb));
+ signature, authToken, op.verificationToken, hidlCb));
bool wasOpSuccessful = true;
// just a reminder: on success result->resultCode was set in the callback. So we only overwrite
diff --git a/keystore/operation.cpp b/keystore/operation.cpp
index 93b1e923..40690608 100644
--- a/keystore/operation.cpp
+++ b/keystore/operation.cpp
@@ -95,12 +95,19 @@ sp<IBinder> OperationMap::getOldestPruneableOperation() {
return mLru.front();
}
-bool OperationMap::setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken) {
+void OperationMap::setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken) {
auto entry = mMap.find(token);
- if (entry == mMap.end()) return false;
+ if (entry == mMap.end()) return;
entry->second.authToken = std::move(authToken);
- return true;
+}
+
+void OperationMap::setOperationVerificationToken(const sp<IBinder>& token,
+ VerificationToken verificationToken) {
+ auto entry = mMap.find(token);
+ if (entry == mMap.end()) return;
+
+ entry->second.verificationToken = std::move(verificationToken);
}
std::vector<sp<IBinder>> OperationMap::getOperationsForToken(const sp<IBinder>& appToken) {
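Review bot: Both setters now silently do nothing when `token` is not in mMap (the bare `return;` after each `entry == mMap.end()` check), so KeyStoreService::begin can no longer tell that an auth token or verification token was never attached to the operation; the old `bool` return of setOperationAuthToken at least reported this. If a miss is impossible because the entry is always inserted just before these calls, a one-line comment on each early return saying so would document the invariant; otherwise the miss should at least be logged, since an operation proceeding without the token it was supposed to carry is exactly the kind of failure that is hard to spot later. The blank line before the assignment in setOperationVerificationToken is also inconsistent with setOperationAuthToken directly above it.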
diff --git a/keystore/operation.h b/keystore/operation.h
index 2d81f9ca..4888bfac 100644
--- a/keystore/operation.h
+++ b/keystore/operation.h
@@ -56,7 +56,8 @@ class OperationMap {
bool hasPruneableOperation() const;
size_t getOperationCount() const { return mMap.size(); }
size_t getPruneableOperationCount() const;
- bool setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken);
+ void setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken);
+ void setOperationVerificationToken(const sp<IBinder>& token, VerificationToken authToken);
sp<IBinder> getOldestPruneableOperation();
std::vector<sp<IBinder>> getOperationsForToken(const sp<IBinder>& appToken);
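Review bot: The new declaration names its VerificationToken parameter `authToken`, while the definition in operation.cpp names it `verificationToken`; the two token types carry different meanings, so the header should read `void setOperationVerificationToken(const sp<IBinder>& token, VerificationToken verificationToken);`. The return-type change on the line above drops the caller's only signal that the token was not attached, which is worth a note in the header if that is intentional.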
diff --git a/keystore/operation_struct.h b/keystore/operation_struct.h
index ea8a908d..00f1fe2b 100644
--- a/keystore/operation_struct.h
+++ b/keystore/operation_struct.h
@@ -50,6 +50,7 @@ struct Operation {
KeyCharacteristics characteristics;
sp<IBinder> appToken;
HardwareAuthToken authToken;
+ VerificationToken verificationToken;
const hidl_vec<KeyParameter> params;
};
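Review bot: The new `verificationToken` member carries no comment, and nothing in the struct says when it holds a real value; from KeyStoreService::begin in this commit it is only filled from the TEE when the key's device is STRONGBOX and an auth token is present, and stays default-constructed otherwise. Suggest `// TEE-issued token vouching for authToken's timestamp; only populated for STRONGBOX operations, empty otherwise.` above the field so readers of update()/finish() know an empty token is the normal case. The Operation struct begins outside the hunk.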