authorRob Barnes <robbarnes@google.com>2019-11-14 14:50:30 -0700
committerRob Barnes <robbarnes@google.com>2019-11-14 16:43:12 -0700
commit3af223fde02c804f87e0838c9634c983b6753086 (patch)
treef165e8c8cf9d0025621feea5904778b144c08674
parent5f5576fe939f4dd7e90f93b496c19fc64c56bfba (diff)
Allow for input_data on finish.
Test: Keystore CTS tests Change-Id: I22e69079e3ad5462ded2c7b71274c29ba5ef58d0
-rw-r--r--keystore-engine/keystore_backend_binder.cpp6
-rw-r--r--keystore/binder/android/security/keystore/IKeystoreService.aidl2
-rw-r--r--keystore/include/keystore/keystore_client.h2
-rw-r--r--keystore/include/keystore/keystore_client_impl.h1
-rw-r--r--keystore/key_store_service.cpp3
-rw-r--r--keystore/key_store_service.h4
-rw-r--r--keystore/keystore_cli_v2.cpp26
-rw-r--r--keystore/keystore_client_impl.cpp16
8 files changed, 21 insertions, 39 deletions
diff --git a/keystore-engine/keystore_backend_binder.cpp b/keystore-engine/keystore_backend_binder.cpp
index 9a7c63ef..8b5a5842 100644
--- a/keystore-engine/keystore_backend_binder.cpp
+++ b/keystore-engine/keystore_backend_binder.cpp
@@ -211,9 +211,9 @@ int32_t KeystoreBackendBinder::sign(const char* key_id, const uint8_t* in, size_
promise = new OperationResultPromise();
future = promise->get_future();
- binder_result = service->finish(promise, handle, KeymasterArguments(params),
- std::vector<uint8_t>() /* signature */,
- std::vector<uint8_t>() /* entropy */, &error_code);
+ binder_result = service->finish(
+ promise, handle, KeymasterArguments(params), std::vector<uint8_t>() /* input */,
+ std::vector<uint8_t>() /* signature */, std::vector<uint8_t>() /* entropy */, &error_code);
if (!binder_result.isOk()) {
LOG(ERROR) << AT << "communication error while calling keystore";
diff --git a/keystore/binder/android/security/keystore/IKeystoreService.aidl b/keystore/binder/android/security/keystore/IKeystoreService.aidl
index f92c796b..3071fe54 100644
--- a/keystore/binder/android/security/keystore/IKeystoreService.aidl
+++ b/keystore/binder/android/security/keystore/IKeystoreService.aidl
@@ -68,7 +68,7 @@ interface IKeystoreService {
int begin(in IKeystoreOperationResultCallback cb, IBinder appToken, String alias, int purpose, boolean pruneable,
in KeymasterArguments params, in byte[] entropy, int uid);
int update(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] input);
- int finish(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] signature,
+ int finish(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] input, in byte[] signature,
in byte[] entropy);
int abort(in IKeystoreResponseCallback cb, IBinder token);
int addAuthToken(in byte[] authToken);
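Review bot: The new `in byte[] input` is inserted ahead of `signature` in `finish`, and both are `byte[]`, so a client built against the previous signature would marshal its signature bytes into the slot the service now reads as input data. Whether any caller can be built separately from this interface is not visible on this page; if one can, the mismatch would most likely surface as a verification or signing failure rather than as a transport error. The method also carries no comment saying how `input` relates to data already passed through `update`; a line such as `// |input| is the final chunk of data, processed after anything passed to update(); may be empty.` would help, once confirmed against the keymaster finish semantics.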
diff --git a/keystore/include/keystore/keystore_client.h b/keystore/include/keystore/keystore_client.h
index d8e63c4b..cb27268e 100644
--- a/keystore/include/keystore/keystore_client.h
+++ b/keystore/include/keystore/keystore_client.h
@@ -160,7 +160,7 @@ class KeystoreClient {
// keymaster_error_t on failure.
virtual KeyStoreNativeReturnCode
finishOperation(uint64_t handle, const keystore::AuthorizationSet& input_parameters,
- const std::string& signature_to_verify,
+ const std::string& input_data, const std::string& signature_to_verify,
keystore::AuthorizationSet* output_parameters, std::string* output_data) = 0;
// Aborts the operation associated with |handle|. Returns KM_ERROR_OK on
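Review bot: The comment above `finishOperation` is not touched by this hunk, so the new `input_data` parameter is left undocumented in the public client header; the comment begins outside the hunk and only its last line is visible. Because `input_data` and `signature_to_verify` are adjacent `const std::string&` parameters, swapping them compiles cleanly, and a sentence such as `// |input_data| is the final data to process (may be empty); |signature_to_verify| is only used for verify operations.` would make the order harder to get wrong. The wording should be checked against what the service actually does with an empty input.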
diff --git a/keystore/include/keystore/keystore_client_impl.h b/keystore/include/keystore/keystore_client_impl.h
index 6726fe56..ed8ac446 100644
--- a/keystore/include/keystore/keystore_client_impl.h
+++ b/keystore/include/keystore/keystore_client_impl.h
@@ -76,6 +76,7 @@ class KeystoreClientImpl : public KeystoreClient {
std::string* output_data) override;
KeyStoreNativeReturnCode finishOperation(uint64_t handle,
const keystore::AuthorizationSet& input_parameters,
+ const std::string& input_data,
const std::string& signature_to_verify,
keystore::AuthorizationSet* output_parameters,
std::string* output_data) override;
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 7028e72d..9a93b459 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -892,6 +892,7 @@ Status KeyStoreService::update(const ::android::sp<IKeystoreOperationResultCallb
Status KeyStoreService::finish(const ::android::sp<IKeystoreOperationResultCallback>& cb,
const ::android::sp<::android::IBinder>& token,
const ::android::security::keymaster::KeymasterArguments& params,
+ const ::std::vector<uint8_t>& input,
const ::std::vector<uint8_t>& signature,
const ::std::vector<uint8_t>& entropy, int32_t* _aidl_return) {
if (!checkAllowedOperationParams(params.getParameters())) {
@@ -903,7 +904,7 @@ Status KeyStoreService::finish(const ::android::sp<IKeystoreOperationResultCallb
return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
}
- dev->finish(token, params.getParameters(), {}, signature, entropy,
+ dev->finish(token, params.getParameters(), input, signature, entropy,
[this, cb, token](OperationResult result_) {
mKeyStore->removeOperationDevice(token);
cb->onFinished(result_);
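Review bot: `input` reaches `dev->finish` exactly as the binder caller supplied it, where the old code passed `{}`; the only validation visible in these two hunks is `checkAllowedOperationParams(params.getParameters())`, which covers `params` alone. If the keymaster device accepts less data in finish than a binder transaction can carry, oversized input will only be rejected at the device, and it is not visible here which error the caller then receives. A comment at the call, for example `// |input| is untrusted caller data; length limits are enforced by the keymaster device.`, would record where the bound lives once that is confirmed. `oneShotOperation` in keystore_client_impl.cpp now sends its whole `input_data` through this path in one call, so it is the caller most likely to reach such a limit. The body of `finish` continues outside the hunk.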
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 0d7c1705..5ebd2386 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -126,8 +126,8 @@ class KeyStoreService : public android::security::keystore::BnKeystoreService {
finish(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb,
const ::android::sp<::android::IBinder>& token,
const ::android::security::keymaster::KeymasterArguments& params,
- const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy,
- int32_t* _aidl_return) override;
+ const ::std::vector<uint8_t>& input, const ::std::vector<uint8_t>& signature,
+ const ::std::vector<uint8_t>& entropy, int32_t* _aidl_return) override;
::android::binder::Status
abort(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb,
const ::android::sp<::android::IBinder>& token, int32_t* _aidl_return) override;
diff --git a/keystore/keystore_cli_v2.cpp b/keystore/keystore_cli_v2.cpp
index b46b2219..4f69eb02 100644
--- a/keystore/keystore_cli_v2.cpp
+++ b/keystore/keystore_cli_v2.cpp
@@ -416,16 +416,10 @@ int SignAndVerify(const std::string& name) {
return result.getErrorCode();
}
AuthorizationSet empty_params;
- size_t num_input_bytes_consumed;
std::string output_data;
- result = keystore->updateOperation(handle, empty_params, "data_to_sign",
- &num_input_bytes_consumed, &output_params, &output_data);
- if (!result.isOk()) {
- printf("Sign: UpdateOperation failed: %d\n", result.getErrorCode());
- return result.getErrorCode();
- }
- result = keystore->finishOperation(handle, empty_params, std::string() /*signature_to_verify*/,
- &output_params, &output_data);
+ result = keystore->finishOperation(handle, empty_params, "data_to_sign",
+ std::string() /*signature_to_verify*/, &output_params,
+ &output_data);
if (!result.isOk()) {
printf("Sign: FinishOperation failed: %d\n", result.getErrorCode());
return result.getErrorCode();
@@ -436,18 +430,8 @@ int SignAndVerify(const std::string& name) {
output_data.clear();
result =
keystore->beginOperation(KeyPurpose::VERIFY, name, sign_params, &output_params, &handle);
- if (!result.isOk()) {
- printf("Verify: BeginOperation failed: %d\n", result.getErrorCode());
- return result.getErrorCode();
- }
- result = keystore->updateOperation(handle, empty_params, "data_to_sign",
- &num_input_bytes_consumed, &output_params, &output_data);
- if (!result.isOk()) {
- printf("Verify: UpdateOperation failed: %d\n", result.getErrorCode());
- return result.getErrorCode();
- }
- result = keystore->finishOperation(handle, empty_params, signature_to_verify, &output_params,
- &output_data);
+ result = keystore->finishOperation(handle, empty_params, "data_to_sign", signature_to_verify,
+ &output_params, &output_data);
if (result == ErrorCode::VERIFICATION_FAILED) {
printf("Verify: Failed to verify signature.\n");
return result.getErrorCode();
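Review bot: The verify path no longer checks the result of `beginOperation(KeyPurpose::VERIFY, ...)`: the `if (!result.isOk())` block that printed "Verify: BeginOperation failed" is removed together with the `updateOperation` call, and `result` is overwritten by `finishOperation` straight away. If begin fails, `handle` may still hold the value from the already finished sign operation, so the tool reports a finish or verification error instead of the real cause. The same check is kept on the sign path in the previous hunk, so restoring it here looks like the intent. `SignAndVerify` starts and ends outside the hunk.
```cpp
    result =
        keystore->beginOperation(KeyPurpose::VERIFY, name, sign_params, &output_params, &handle);
    if (!result.isOk()) {
        printf("Verify: BeginOperation failed: %d\n", result.getErrorCode());
        return result.getErrorCode();
    }
    // … unchanged: finishOperation call and VERIFICATION_FAILED handling …
```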
diff --git a/keystore/keystore_client_impl.cpp b/keystore/keystore_client_impl.cpp
index 3fca4c9d..f8886839 100644
--- a/keystore/keystore_client_impl.cpp
+++ b/keystore/keystore_client_impl.cpp
@@ -166,16 +166,9 @@ bool KeystoreClientImpl::oneShotOperation(KeyPurpose purpose, const std::string&
return false;
}
AuthorizationSet empty_params;
- size_t num_input_bytes_consumed;
AuthorizationSet ignored_params;
- result = updateOperation(handle, empty_params, input_data, &num_input_bytes_consumed,
- &ignored_params, output_data);
- if (!result.isOk()) {
- ALOGE("UpdateOperation failed: %d", result.getErrorCode());
- return false;
- }
- result =
- finishOperation(handle, empty_params, signature_to_verify, &ignored_params, output_data);
+ result = finishOperation(handle, empty_params, input_data, signature_to_verify, &ignored_params,
+ output_data);
if (!result.isOk()) {
ALOGE("FinishOperation failed: %d", result.getErrorCode());
return false;
@@ -384,6 +377,7 @@ KeystoreClientImpl::updateOperation(uint64_t handle, const AuthorizationSet& inp
KeyStoreNativeReturnCode
KeystoreClientImpl::finishOperation(uint64_t handle, const AuthorizationSet& input_parameters,
+ const std::string& input_data,
const std::string& signature_to_verify,
AuthorizationSet* output_parameters, std::string* output_data) {
if (active_operations_.count(handle) == 0) {
@@ -391,12 +385,14 @@ KeystoreClientImpl::finishOperation(uint64_t handle, const AuthorizationSet& inp
}
int32_t error_code;
auto hidlSignature = blob2hidlVec(signature_to_verify);
+ auto hidlInput = blob2hidlVec(input_data);
android::sp<OperationResultPromise> promise(new OperationResultPromise{});
auto future = promise->get_future();
auto binder_result = keystore_->finish(
promise, active_operations_[handle],
android::security::keymaster::KeymasterArguments(input_parameters.hidl_data()),
- (std::vector<uint8_t>)hidlSignature, hidl_vec<uint8_t>(), &error_code);
+ (std::vector<uint8_t>)hidlInput, (std::vector<uint8_t>)hidlSignature, hidl_vec<uint8_t>(),
+ &error_code);
if (!binder_result.isOk()) return ResponseCode::SYSTEM_ERROR;
KeyStoreNativeReturnCode rc(error_code);
if (!rc.isOk()) return rc;
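Review bot: The new argument `(std::vector<uint8_t>)hidlInput` repeats the C-style cast already used for `hidlSignature`, and it routes `input_data` through `blob2hidlVec` only to convert the result to a `std::vector` again. `blob2hidlVec` is defined outside this page, so the number of copies is not certain, but building the vector directly avoids the intermediate and the cast: `std::vector<uint8_t> input(input_data.begin(), input_data.end());`. If the `hidl_vec` step is kept for symmetry with the signature argument, `static_cast<std::vector<uint8_t>>(hidlInput)` at least makes the conversion greppable. The body of `finishOperation` continues outside the hunk.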