summaryrefslogtreecommitdiff
path: root/keystore2/src/enforcements.rs
diff options
context:
space:
mode:
Diffstat (limited to 'keystore2/src/enforcements.rs')
-rw-r--r--keystore2/src/enforcements.rs98
1 files changed, 45 insertions, 53 deletions
diff --git a/keystore2/src/enforcements.rs b/keystore2/src/enforcements.rs
index cb6a2667..8d5e9855 100644
--- a/keystore2/src/enforcements.rs
+++ b/keystore2/src/enforcements.rs
@@ -14,6 +14,7 @@
//! This is the Keystore 2.0 Enforcements module.
// TODO: more description to follow.
+use crate::ks_err;
use crate::error::{map_binder_status, Error, ErrorCode};
use crate::globals::{get_timestamp_service, ASYNC_TASK, DB, ENFORCEMENTS};
use crate::key_parameter::{KeyParameter, KeyParameterValue};
@@ -95,14 +96,14 @@ impl AuthRequest {
.unwrap()
.take()
.ok_or(Error::Km(ErrorCode::KEY_USER_NOT_AUTHENTICATED))
- .context("In get_auth_tokens: No operation auth token received.")?;
+ .context(ks_err!("No operation auth token received."))?;
let tst = match &self.state {
AuthRequestState::TimeStampedOpAuth(recv) | AuthRequestState::TimeStamp(recv) => {
let result = recv.recv().context("In get_auth_tokens: Sender disconnected.")?;
- Some(result.context(concat!(
- "In get_auth_tokens: Worker responded with error ",
- "from generating timestamp token."
+ Some(result.context(ks_err!(
+ "Worker responded with error \
+ from generating timestamp token.",
))?)
}
AuthRequestState::OpAuth => None,
@@ -228,10 +229,7 @@ fn get_timestamp_token(challenge: i64) -> Result<TimeStampToken, Error> {
fn timestamp_token_request(challenge: i64, sender: Sender<Result<TimeStampToken, Error>>) {
if let Err(e) = sender.send(get_timestamp_token(challenge)) {
log::info!(
- concat!(
- "In timestamp_token_request: Receiver hung up ",
- "before timestamp token could be delivered. {:?}"
- ),
+ concat!("Receiver hung up ", "before timestamp token could be delivered. {:?}"),
e
);
}
@@ -322,7 +320,7 @@ impl AuthInfo {
.check_and_update_key_usage_count(key_id)
.context("Trying to update key usage count.")
})
- .context("In after_finish.")?;
+ .context(ks_err!())?;
}
Ok(())
}
@@ -349,14 +347,14 @@ impl AuthInfo {
DeferredAuthState::OpAuthRequired
| DeferredAuthState::TimeStampedOpAuthRequired
| DeferredAuthState::TimeStampRequired(_) => {
- Err(Error::Km(ErrorCode::KEY_USER_NOT_AUTHENTICATED)).context(concat!(
- "In AuthInfo::get_auth_tokens: No operation auth token requested??? ",
- "This should not happen."
+ Err(Error::Km(ErrorCode::KEY_USER_NOT_AUTHENTICATED)).context(ks_err!(
+ "No operation auth token requested??? \
+ This should not happen."
))
}
// This should not be reachable, because it should have been handled above.
DeferredAuthState::Waiting(_) => {
- Err(Error::sys()).context("In AuthInfo::get_auth_tokens: Cannot be reached.")
+ Err(Error::sys()).context(ks_err!("AuthInfo::get_auth_tokens: Cannot be reached.",))
}
}
}
@@ -418,7 +416,7 @@ impl Enforcements {
key_usage_limited: None,
confirmation_token_receiver: None,
},
- ))
+ ));
}
};
@@ -428,7 +426,7 @@ impl Enforcements {
// Rule out WRAP_KEY purpose
KeyPurpose::WRAP_KEY => {
return Err(Error::Km(Ec::INCOMPATIBLE_PURPOSE))
- .context("In authorize_create: WRAP_KEY purpose is not allowed here.");
+ .context(ks_err!("WRAP_KEY purpose is not allowed here.",));
}
// Allow AGREE_KEY for EC keys only.
KeyPurpose::AGREE_KEY => {
@@ -436,9 +434,8 @@ impl Enforcements {
if kp.get_tag() == Tag::ALGORITHM
&& *kp.key_parameter_value() != KeyParameterValue::Algorithm(Algorithm::EC)
{
- return Err(Error::Km(Ec::UNSUPPORTED_PURPOSE)).context(
- "In authorize_create: key agreement is only supported for EC keys.",
- );
+ return Err(Error::Km(Ec::UNSUPPORTED_PURPOSE))
+ .context(ks_err!("key agreement is only supported for EC keys.",));
}
}
}
@@ -449,10 +446,10 @@ impl Enforcements {
match *kp.key_parameter_value() {
KeyParameterValue::Algorithm(Algorithm::RSA)
| KeyParameterValue::Algorithm(Algorithm::EC) => {
- return Err(Error::Km(Ec::UNSUPPORTED_PURPOSE)).context(
- "In authorize_create: public operations on asymmetric keys are not \
- supported.",
- );
+ return Err(Error::Km(Ec::UNSUPPORTED_PURPOSE)).context(ks_err!(
+ "public operations on asymmetric keys are \
+ not supported."
+ ));
}
_ => {}
}
@@ -460,7 +457,7 @@ impl Enforcements {
}
_ => {
return Err(Error::Km(Ec::UNSUPPORTED_PURPOSE))
- .context("In authorize_create: specified purpose is not supported.");
+ .context(ks_err!("authorize_create: specified purpose is not supported."));
}
}
// The following variables are to record information from key parameters to be used in
@@ -505,23 +502,21 @@ impl Enforcements {
KeyParameterValue::ActiveDateTime(a) => {
if !Enforcements::is_given_time_passed(*a, true) {
return Err(Error::Km(Ec::KEY_NOT_YET_VALID))
- .context("In authorize_create: key is not yet active.");
+ .context(ks_err!("key is not yet active."));
}
}
KeyParameterValue::OriginationExpireDateTime(o) => {
if (purpose == KeyPurpose::ENCRYPT || purpose == KeyPurpose::SIGN)
&& Enforcements::is_given_time_passed(*o, false)
{
- return Err(Error::Km(Ec::KEY_EXPIRED))
- .context("In authorize_create: key is expired.");
+ return Err(Error::Km(Ec::KEY_EXPIRED)).context(ks_err!("key is expired."));
}
}
KeyParameterValue::UsageExpireDateTime(u) => {
if (purpose == KeyPurpose::DECRYPT || purpose == KeyPurpose::VERIFY)
&& Enforcements::is_given_time_passed(*u, false)
{
- return Err(Error::Km(Ec::KEY_EXPIRED))
- .context("In authorize_create: key is expired.");
+ return Err(Error::Km(Ec::KEY_EXPIRED)).context(ks_err!("key is expired."));
}
}
KeyParameterValue::UserSecureID(s) => {
@@ -560,24 +555,23 @@ impl Enforcements {
// authorize the purpose
if !key_purpose_authorized {
return Err(Error::Km(Ec::INCOMPATIBLE_PURPOSE))
- .context("In authorize_create: the purpose is not authorized.");
+ .context(ks_err!("the purpose is not authorized."));
}
// if both NO_AUTH_REQUIRED and USER_SECURE_ID tags are present, return error
if !user_secure_ids.is_empty() && no_auth_required {
- return Err(Error::Km(Ec::INVALID_KEY_BLOB)).context(
- "In authorize_create: key has both NO_AUTH_REQUIRED and USER_SECURE_ID tags.",
- );
+ return Err(Error::Km(Ec::INVALID_KEY_BLOB))
+ .context(ks_err!("key has both NO_AUTH_REQUIRED and USER_SECURE_ID tags."));
}
// if either of auth_type or secure_id is present and the other is not present, return error
if (user_auth_type.is_some() && user_secure_ids.is_empty())
|| (user_auth_type.is_none() && !user_secure_ids.is_empty())
{
- return Err(Error::Km(Ec::KEY_USER_NOT_AUTHENTICATED)).context(
- "In authorize_create: Auth required, but either auth type or secure ids \
- are not present.",
- );
+ return Err(Error::Km(Ec::KEY_USER_NOT_AUTHENTICATED)).context(ks_err!(
+ "Auth required, but either auth type or secure ids \
+ are not present."
+ ));
}
// validate caller nonce for origination purposes
@@ -585,24 +579,22 @@ impl Enforcements {
&& !caller_nonce_allowed
&& op_params.iter().any(|kp| kp.tag == Tag::NONCE)
{
- return Err(Error::Km(Ec::CALLER_NONCE_PROHIBITED)).context(
- "In authorize_create, NONCE is present, although CALLER_NONCE is not present",
- );
+ return Err(Error::Km(Ec::CALLER_NONCE_PROHIBITED))
+ .context(ks_err!("NONCE is present, although CALLER_NONCE is not present"));
}
if unlocked_device_required {
// check the device locked status. If locked, operations on the key are not
// allowed.
if self.is_device_locked(user_id) {
- return Err(Error::Km(Ec::DEVICE_LOCKED))
- .context("In authorize_create: device is locked.");
+ return Err(Error::Km(Ec::DEVICE_LOCKED)).context(ks_err!("device is locked."));
}
}
if let Some(level) = max_boot_level {
if !SUPER_KEY.read().unwrap().level_accessible(level) {
return Err(Error::Km(Ec::BOOT_LEVEL_EXCEEDED))
- .context("In authorize_create: boot level is too late.");
+ .context(ks_err!("boot level is too late."));
}
}
@@ -636,7 +628,7 @@ impl Enforcements {
Some(
hat_and_last_off_body
.ok_or(Error::Km(Ec::KEY_USER_NOT_AUTHENTICATED))
- .context("In authorize_create: No suitable auth token found.")?,
+ .context(ks_err!("No suitable auth token found."))?,
)
} else {
None
@@ -649,16 +641,16 @@ impl Enforcements {
let token_age = now
.checked_sub(&hat.time_received())
.ok_or_else(Error::sys)
- .context(concat!(
- "In authorize_create: Overflow while computing Auth token validity. ",
- "Validity cannot be established."
+ .context(ks_err!(
+ "Overflow while computing Auth token validity. \
+ Validity cannot be established."
))?;
let on_body_extended = allow_while_on_body && last_off_body < hat.time_received();
if token_age.seconds() > key_time_out && !on_body_extended {
return Err(Error::Km(Ec::KEY_USER_NOT_AUTHENTICATED))
- .context("In authorize_create: matching auth token is expired.");
+ .context(ks_err!("matching auth token is expired."));
}
Some(hat)
}
@@ -832,20 +824,20 @@ impl Enforcements {
auth_token_entry.take_auth_token()
} else {
return Err(AuthzError::Rc(AuthzResponseCode::NO_AUTH_TOKEN_FOUND))
- .context("In get_auth_tokens: No auth token found.");
+ .context(ks_err!("No auth token found."));
}
} else {
return Err(AuthzError::Rc(AuthzResponseCode::NO_AUTH_TOKEN_FOUND)).context(
- concat!(
- "In get_auth_tokens: No auth token found for ",
- "the given challenge and passed-in auth token max age is zero."
+ ks_err!(
+ "No auth token found for \
+ the given challenge and passed-in auth token max age is zero."
),
);
}
};
// Wait and obtain the timestamp token from secure clock service.
- let tst = get_timestamp_token(challenge)
- .context("In get_auth_tokens. Error in getting timestamp token.")?;
+ let tst =
+ get_timestamp_token(challenge).context(ks_err!("Error in getting timestamp token."))?;
Ok((auth_token, tst))
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-14 01:37:10 +0000