author | Rob Barnes <robbarnes@google.com> | 2019-11-14 14:50:30 -0700 |
---|---|---|
committer | Rob Barnes <robbarnes@google.com> | 2019-11-14 16:43:12 -0700 |
commit | 3af223fde02c804f87e0838c9634c983b6753086 (patch) | |
tree | f165e8c8cf9d0025621feea5904778b144c08674 | |
parent | 5f5576fe939f4dd7e90f93b496c19fc64c56bfba (diff) | |
download | security-3af223fde02c804f87e0838c9634c983b6753086.tar.gz |
Allow for input_data on finish.
Test: Keystore CTS tests
Change-Id: I22e69079e3ad5462ded2c7b71274c29ba5ef58d0
-rw-r--r-- | keystore-engine/keystore_backend_binder.cpp | 6 | ||||
-rw-r--r-- | keystore/binder/android/security/keystore/IKeystoreService.aidl | 2 | ||||
-rw-r--r-- | keystore/include/keystore/keystore_client.h | 2 | ||||
-rw-r--r-- | keystore/include/keystore/keystore_client_impl.h | 1 | ||||
-rw-r--r-- | keystore/key_store_service.cpp | 3 | ||||
-rw-r--r-- | keystore/key_store_service.h | 4 | ||||
-rw-r--r-- | keystore/keystore_cli_v2.cpp | 26 | ||||
-rw-r--r-- | keystore/keystore_client_impl.cpp | 16 |
8 files changed, 21 insertions, 39 deletions
diff --git a/keystore-engine/keystore_backend_binder.cpp b/keystore-engine/keystore_backend_binder.cpp index 9a7c63ef..8b5a5842 100644 --- a/keystore-engine/keystore_backend_binder.cpp +++ b/keystore-engine/keystore_backend_binder.cpp @@ -211,9 +211,9 @@ int32_t KeystoreBackendBinder::sign(const char* key_id, const uint8_t* in, size_ promise = new OperationResultPromise(); future = promise->get_future(); - binder_result = service->finish(promise, handle, KeymasterArguments(params), - std::vector<uint8_t>() /* signature */, - std::vector<uint8_t>() /* entropy */, &error_code); + binder_result = service->finish( + promise, handle, KeymasterArguments(params), std::vector<uint8_t>() /* input */, + std::vector<uint8_t>() /* signature */, std::vector<uint8_t>() /* entropy */, &error_code); if (!binder_result.isOk()) { LOG(ERROR) << AT << "communication error while calling keystore"; diff --git a/keystore/binder/android/security/keystore/IKeystoreService.aidl b/keystore/binder/android/security/keystore/IKeystoreService.aidl index f92c796b..3071fe54 100644 --- a/keystore/binder/android/security/keystore/IKeystoreService.aidl +++ b/keystore/binder/android/security/keystore/IKeystoreService.aidl @@ -68,7 +68,7 @@ interface IKeystoreService { int begin(in IKeystoreOperationResultCallback cb, IBinder appToken, String alias, int purpose, boolean pruneable, in KeymasterArguments params, in byte[] entropy, int uid); int update(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] input); - int finish(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] signature, + int finish(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] input, in byte[] signature, in byte[] entropy); int abort(in IKeystoreResponseCallback cb, IBinder token); int addAuthToken(in byte[] authToken); 
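Review bot: `finish` in IKeystoreService.aidl now has three adjacent `in byte[]` arguments, and the new `input` takes the position `signature` had before. A client built against the old method would therefore have its signature bytes unmarshalled as input data instead of being rejected at the interface. This commit updates only the native callers; whether every other client of the interface changes in lock-step is not visible here. A comment on the method would help keep the order straight, for example `// input: data for the final step; signature: signature to verify; entropy: unchanged`.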
diff --git a/keystore/include/keystore/keystore_client.h b/keystore/include/keystore/keystore_client.h index d8e63c4b..cb27268e 100644 --- a/keystore/include/keystore/keystore_client.h +++ b/keystore/include/keystore/keystore_client.h @@ -160,7 +160,7 @@ class KeystoreClient { // keymaster_error_t on failure. virtual KeyStoreNativeReturnCode finishOperation(uint64_t handle, const keystore::AuthorizationSet& input_parameters, - const std::string& signature_to_verify, + const std::string& input_data, const std::string& signature_to_verify, keystore::AuthorizationSet* output_parameters, std::string* output_data) = 0; // Aborts the operation associated with |handle|. Returns KM_ERROR_OK on diff --git a/keystore/include/keystore/keystore_client_impl.h b/keystore/include/keystore/keystore_client_impl.h index 6726fe56..ed8ac446 100644 --- a/keystore/include/keystore/keystore_client_impl.h +++ b/keystore/include/keystore/keystore_client_impl.h @@ -76,6 +76,7 @@ class KeystoreClientImpl : public KeystoreClient { std::string* output_data) override; KeyStoreNativeReturnCode finishOperation(uint64_t handle, const keystore::AuthorizationSet& input_parameters, + const std::string& input_data, const std::string& signature_to_verify, keystore::AuthorizationSet* output_parameters, std::string* output_data) override; diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index 7028e72d..9a93b459 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp 
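Review bot: The comment above `finishOperation` in keystore_client.h is not updated for the new `input_data` parameter; it starts outside this hunk, so only its last line (`keymaster_error_t on failure.`) is visible. Callers need to know how `input_data` relates to data already sent through `updateOperation`, and that an empty string keeps the previous behaviour. I would add a sentence such as `// |input_data| is handed to finish as the last piece of input; pass an empty string when all data went through updateOperation.`, adjusted to whatever the backend actually guarantees.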
@@ -892,6 +892,7 @@ Status KeyStoreService::update(const ::android::sp<IKeystoreOperationResultCallb Status KeyStoreService::finish(const ::android::sp<IKeystoreOperationResultCallback>& cb, const ::android::sp<::android::IBinder>& token, const ::android::security::keymaster::KeymasterArguments& params, + const ::std::vector<uint8_t>& input, const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy, int32_t* _aidl_return) { if (!checkAllowedOperationParams(params.getParameters())) { @@ -903,7 +904,7 @@ Status KeyStoreService::finish(const ::android::sp<IKeystoreOperationResultCallb return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE); } - dev->finish(token, params.getParameters(), {}, signature, entropy, + dev->finish(token, params.getParameters(), input, signature, entropy, [this, cb, token](OperationResult result_) { mKeyStore->removeOperationDevice(token); cb->onFinished(result_); diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h index 0d7c1705..5ebd2386 100644 --- a/keystore/key_store_service.h +++ b/keystore/key_store_service.h @@ -126,8 +126,8 @@ class KeyStoreService : public android::security::keystore::BnKeystoreService { finish(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb, const ::android::sp<::android::IBinder>& token, const ::android::security::keymaster::KeymasterArguments& params, - const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy, - int32_t* _aidl_return) override; + const ::std::vector<uint8_t>& input, const ::std::vector<uint8_t>& signature, + const ::std::vector<uint8_t>& entropy, int32_t* _aidl_return) override; ::android::binder::Status abort(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb, const ::android::sp<::android::IBinder>& token, int32_t* _aidl_return) override; diff --git a/keystore/keystore_cli_v2.cpp b/keystore/keystore_cli_v2.cpp index b46b2219..4f69eb02 100644 
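Review bot: In `KeyStoreService::finish` the binder-supplied `input` is forwarded to `dev->finish` unchanged, and the only validation visible in these two hunks is `checkAllowedOperationParams` on `params`. Unlike `update`, `finish` has no consumed-bytes result, so a payload larger than the backend accepts in one call can only fail, and whether the device layer splits or bounds it is not visible here. `oneShotOperation` in keystore_client_impl.cpp now sends the whole caller buffer down this path instead of going through `updateOperation`. Consider an explicit size check here with a defined error code, or keep feeding bulk data through `update` and pass only the tail to `finish`. The function body continues outside both hunks.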
--- a/keystore/keystore_cli_v2.cpp +++ b/keystore/keystore_cli_v2.cpp @@ -416,16 +416,10 @@ int SignAndVerify(const std::string& name) { return result.getErrorCode(); } AuthorizationSet empty_params; - size_t num_input_bytes_consumed; std::string output_data; - result = keystore->updateOperation(handle, empty_params, "data_to_sign", - &num_input_bytes_consumed, &output_params, &output_data); - if (!result.isOk()) { - printf("Sign: UpdateOperation failed: %d\n", result.getErrorCode()); - return result.getErrorCode(); - } - result = keystore->finishOperation(handle, empty_params, std::string() /*signature_to_verify*/, - &output_params, &output_data); + result = keystore->finishOperation(handle, empty_params, "data_to_sign", + std::string() /*signature_to_verify*/, &output_params, + &output_data); if (!result.isOk()) { printf("Sign: FinishOperation failed: %d\n", result.getErrorCode()); return result.getErrorCode(); @@ -436,18 +430,8 @@ int SignAndVerify(const std::string& name) { output_data.clear(); result = keystore->beginOperation(KeyPurpose::VERIFY, name, sign_params, &output_params, &handle); - if (!result.isOk()) { - printf("Verify: BeginOperation failed: %d\n", result.getErrorCode()); - return result.getErrorCode(); - } - result = keystore->updateOperation(handle, empty_params, "data_to_sign", - &num_input_bytes_consumed, &output_params, &output_data); - if (!result.isOk()) { - printf("Verify: UpdateOperation failed: %d\n", result.getErrorCode()); - return result.getErrorCode(); - } - result = keystore->finishOperation(handle, empty_params, signature_to_verify, &output_params, - &output_data); + result = keystore->finishOperation(handle, empty_params, "data_to_sign", signature_to_verify, + &output_params, &output_data); if (result == ErrorCode::VERIFICATION_FAILED) { printf("Verify: Failed to verify signature.\n"); return result.getErrorCode(); diff --git a/keystore/keystore_client_impl.cpp b/keystore/keystore_client_impl.cpp index 3fca4c9d..f8886839 100644 
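Review bot: The second hunk in `SignAndVerify` removes the `if (!result.isOk())` check after `beginOperation(KeyPurpose::VERIFY, ...)` together with the update call, so a failed begin is no longer reported. `finishOperation` then runs with whatever `handle` holds, presumably the value left over from the completed sign operation, and the tool prints a finish or verification error that hides the real cause. Restore the check directly after the begin call: `if (!result.isOk()) { printf("Verify: BeginOperation failed: %d\n", result.getErrorCode()); return result.getErrorCode(); }`. The function starts and ends outside the hunk.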
--- a/keystore/keystore_client_impl.cpp +++ b/keystore/keystore_client_impl.cpp @@ -166,16 +166,9 @@ bool KeystoreClientImpl::oneShotOperation(KeyPurpose purpose, const std::string& return false; } AuthorizationSet empty_params; - size_t num_input_bytes_consumed; AuthorizationSet ignored_params; - result = updateOperation(handle, empty_params, input_data, &num_input_bytes_consumed, - &ignored_params, output_data); - if (!result.isOk()) { - ALOGE("UpdateOperation failed: %d", result.getErrorCode()); - return false; - } - result = - finishOperation(handle, empty_params, signature_to_verify, &ignored_params, output_data); + result = finishOperation(handle, empty_params, input_data, signature_to_verify, &ignored_params, + output_data); if (!result.isOk()) { ALOGE("FinishOperation failed: %d", result.getErrorCode()); return false; @@ -384,6 +377,7 @@ KeystoreClientImpl::updateOperation(uint64_t handle, const AuthorizationSet& inp KeyStoreNativeReturnCode KeystoreClientImpl::finishOperation(uint64_t handle, const AuthorizationSet& input_parameters, + const std::string& input_data, const std::string& signature_to_verify, AuthorizationSet* output_parameters, std::string* output_data) { if (active_operations_.count(handle) == 0) { 
@@ -391,12 +385,14 @@ KeystoreClientImpl::finishOperation(uint64_t handle, const AuthorizationSet& inp } int32_t error_code; auto hidlSignature = blob2hidlVec(signature_to_verify); + auto hidlInput = blob2hidlVec(input_data); android::sp<OperationResultPromise> promise(new OperationResultPromise{}); auto future = promise->get_future(); auto binder_result = keystore_->finish( promise, active_operations_[handle], android::security::keymaster::KeymasterArguments(input_parameters.hidl_data()), - (std::vector<uint8_t>)hidlSignature, hidl_vec<uint8_t>(), &error_code); + (std::vector<uint8_t>)hidlInput, (std::vector<uint8_t>)hidlSignature, hidl_vec<uint8_t>(), + &error_code); if (!binder_result.isOk()) return ResponseCode::SYSTEM_ERROR; KeyStoreNativeReturnCode rc(error_code); if (!rc.isOk()) return rc; |
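Review bot: `(std::vector<uint8_t>)hidlInput` and `(std::vector<uint8_t>)hidlSignature` in `finishOperation` are C-style casts, and each creates another temporary copy of a buffer that already went through `blob2hidlVec`. For `input_data` that buffer may be plaintext or data to be signed, so the extra intermediate is worth avoiding as well as the cast. Building the argument directly, `std::vector<uint8_t>(input_data.begin(), input_data.end())`, removes the `hidlInput` local; a named `static_cast` is the minimal alternative. The function begins in the previous hunk and continues past the end of this one.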