diff options
author | Jorim Jaggi <jjaggi@google.com> | 2018-01-30 15:36:28 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2018-01-30 15:36:28 +0000 |
commit | 5eec4382f2f49f87e3329daabf1db6ebe651e8fc (patch) | |
tree | 4fa63a4fbed4a4ceb62528770ed77e550e4ff8e1 | |
parent | fb6a3d646f6c52229e4a1cb540a2149f7dba65cf (diff) | |
parent | 1b75929a58c32882d21d04ee1df2a60a199923bd (diff) | |
download | security-5eec4382f2f49f87e3329daabf1db6ebe651e8fc.tar.gz |
Merge "Revert "Add "Unlocked device required" parameter to keys""
-rw-r--r-- | keystore/Android.bp | 3 | ||||
-rw-r--r-- | keystore/include/keystore/keymaster_types.h | 1 | ||||
-rw-r--r-- | keystore/key_store_service.cpp | 6 | ||||
-rw-r--r-- | keystore/key_store_service.h | 2 | ||||
-rw-r--r-- | keystore/keymaster_enforcement.cpp | 14 | ||||
-rw-r--r-- | keystore/keymaster_enforcement.h | 5 | ||||
-rw-r--r-- | keystore/keystore_keymaster_enforcement.h | 13 |
7 files changed, 3 insertions, 41 deletions
diff --git a/keystore/Android.bp b/keystore/Android.bp index 68dde3d3..cb736b33 100644 --- a/keystore/Android.bp +++ b/keystore/Android.bp @@ -84,7 +84,6 @@ cc_binary { srcs: ["keystore_cli.cpp"], shared_libs: [ "android.hardware.keymaster@3.0", - "android.hardware.keymaster@4.0", "libbinder", "libcrypto", "libcutils", @@ -110,8 +109,8 @@ cc_binary { srcs: ["keystore_cli_v2.cpp"], shared_libs: [ "android.hardware.confirmationui@1.0", + "android.hardware.keymaster@3.0", "libbinder", - "android.hardware.keymaster@4.0", "libchrome", "libutils", "libhidlbase", diff --git a/keystore/include/keystore/keymaster_types.h b/keystore/include/keystore/keymaster_types.h index bd612940..62b43bee 100644 --- a/keystore/include/keystore/keymaster_types.h +++ b/keystore/include/keystore/keymaster_types.h @@ -83,7 +83,6 @@ using keymaster::TAG_RESET_SINCE_ID_ROTATION; using keymaster::TAG_RSA_PUBLIC_EXPONENT; using keymaster::TAG_USAGE_EXPIRE_DATETIME; using keymaster::TAG_USER_AUTH_TYPE; -using keymaster::TAG_USER_ID; using keymaster::TAG_USER_SECURE_ID; using keymaster::NullOr; diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index c3f661c1..89c31a54 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp @@ -372,7 +372,6 @@ Status KeyStoreService::lock(int32_t userId, int32_t* aidl_return) { return Status::ok(); } - enforcement_policy.set_device_locked(true, userId); mKeyStore->lock(userId); *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR); return Status::ok(); @@ -401,7 +400,6 @@ Status KeyStoreService::unlock(int32_t userId, const String16& pw, int32_t* aidl return Status::ok(); } - enforcement_policy.set_device_locked(false, userId); const String8 password8(pw); // read master key, decrypt with password, initialize mMasterKey*. *aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId)); @@ -1468,7 +1466,7 @@ Status KeyStoreService::isOperationAuthorized(const sp<IBinder>& token, bool* ai } Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector, - int32_t android_uid, int32_t* aidl_return) { + int32_t* aidl_return) { // TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to // receive a HardwareAuthToken, rather than an opaque byte array. @@ -1490,8 +1488,6 @@ Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVe return Status::ok(); } - enforcement_policy.set_device_locked(false, android_uid); - mAuthTokenTable.AddAuthenticationToken(hidlVec2AuthToken(hidl_vec<uint8_t>(authTokenAsVector))); *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR); return Status::ok(); diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h index ea4a089d..ce809f87 100644 --- a/keystore/key_store_service.h +++ b/keystore/key_store_service.h @@ -146,7 +146,7 @@ class KeyStoreService : public android::security::BnKeystoreService, ::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token, bool* _aidl_return) override; ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, - int32_t android_uid, int32_t* _aidl_return) override; + int32_t* _aidl_return) override; ::android::binder::Status onUserAdded(int32_t userId, int32_t parentId, int32_t* _aidl_return) override; ::android::binder::Status onUserRemoved(int32_t userId, int32_t* _aidl_return) override; diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp index 690927c5..d78a5a63 100644 --- a/keystore/keymaster_enforcement.cpp +++ b/keystore/keymaster_enforcement.cpp @@ -223,8 +223,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k bool caller_nonce_authorized_by_key = false; bool authentication_required = false; bool auth_token_matched = false; - bool unlocked_device_required = false; - int32_t user_id = -1; for (auto& param : auth_set) { @@ -284,18 +282,10 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k } break; - case Tag::USER_ID: - user_id = authorizationValue(TAG_USER_ID, param).value(); - break; - case Tag::CALLER_NONCE: caller_nonce_authorized_by_key = true; break; - case Tag::UNLOCKED_DEVICE_REQUIRED: - unlocked_device_required = true; - break; - /* Tags should never be in key auths. */ case Tag::INVALID: case Tag::ROOT_OF_TRUST: @@ -366,10 +356,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k } } - if (unlocked_device_required && is_device_locked(user_id)) { - return ErrorCode::DEVICE_LOCKED; - } - if (authentication_required && !auth_token_matched) { ALOGE("Auth required but no matching auth token found"); return ErrorCode::KEY_USER_NOT_AUTHENTICATED; diff --git a/keystore/keymaster_enforcement.h b/keystore/keymaster_enforcement.h index 6e6c54f2..d7b27fcd 100644 --- a/keystore/keymaster_enforcement.h +++ b/keystore/keymaster_enforcement.h @@ -142,11 +142,6 @@ class KeymasterEnforcement { */ virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0; - /* - * Returns true if the device screen is currently locked for the specified user. - */ - virtual bool is_device_locked(int32_t userId) const = 0; - private: ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set, const HardwareAuthToken& auth_token, uint64_t op_handle); diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h index e114ea90..3cdf6490 100644 --- a/keystore/keystore_keymaster_enforcement.h +++ b/keystore/keystore_keymaster_enforcement.h @@ -84,19 +84,6 @@ class KeystoreKeymasterEnforcement : public KeymasterEnforcement { // signing key. Assume the token is good. return true; } - - bool is_device_locked(int32_t userId) const override { - // If we haven't had a set call for this user yet, assume the device is locked. - if (mIsDeviceLockedForUser.count(userId) == 0) return true; - return mIsDeviceLockedForUser.find(userId)->second; - } - - void set_device_locked(bool isLocked, int32_t userId) { - mIsDeviceLockedForUser[userId] = isLocked; - } - - private: - std::map<int32_t, bool> mIsDeviceLockedForUser; }; } // namespace keystore |