Use hw_auth_token_t in gatekeeper

Change-Id: I0cd567e3e7badbfc0a7c57e9c9ceb4080dd1290c
diff --git a/gatekeeper.cpp b/gatekeeper.cpp
index 1f301d6..e163ae0 100644
--- a/gatekeeper.cpp
+++ b/gatekeeper.cpp
@@ -82,7 +82,7 @@
     secure_id_t user_id = password_handle->user_id;
     secure_id_t authenticator_id = password_handle->authenticator_id;
 
-    uint64_t timestamp = GetNanosecondsSinceBoot();
+    uint64_t timestamp = GetNanosecondsSinceBoot() / 1000 / 1000;
 
     if (DoVerify(password_handle, request.provided_password)) {
         // Signature matches
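Review bot: The millisecond value computed on the changed line lives in a `uint64_t`, but `MintAuthToken` is declared further down with a `uint32_t timestamp` parameter. If this variable is what gets passed (the call is outside the hunk), it is silently truncated and wraps after roughly 49.7 days of uptime. A consumer that judges token freshness from this field would then see time jump backwards, so either widen the parameter to `uint64_t` or make the narrowing explicit at the call site. The unit change also deserves a comment on the line itself, for example `// milliseconds since boot, the unit the auth token carries`. The enclosing function begins and ends outside the hunk.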
@@ -143,14 +143,15 @@
         uint32_t timestamp, secure_id_t user_id, secure_id_t authenticator_id) {
     if (auth_token == NULL) return;
 
-    AuthToken *token = new AuthToken;
+    hw_auth_token_t *token = new hw_auth_token_t;
     SizedBuffer serialized_auth_token;
 
-    token->auth_token_version = AUTH_TOKEN_VERSION;
-    token->root_secure_user_id = user_id;
-    token->auxiliary_secure_user_id = authenticator_id;
-    token->authenticator_id = 0;
-    token->timestamp = timestamp;
+    token->version = HW_AUTH_TOKEN_VERSION;
+    token->challenge = 0; //TODO: take challenge, needed for FP enrollment
+    token->user_id = user_id;
+    token->authenticator_id = authenticator_id;
+    token->authenticator_type = htonl(HW_AUTH_PASSWORD);
+    token->timestamp = htonl(timestamp);
 
     const uint8_t *auth_token_key = NULL;
     uint32_t key_len = 0;
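Review bot: `htonl` converts only 32 bits, so `token->timestamp = htonl(timestamp);` is correct only if `hw_auth_token_t::timestamp` is a 32-bit field. Its definition is not on this page; if it is wider, the stored value is a swapped 32-bit number extended into a larger field, and a verifier decoding 64-bit network order would misread it. The removed `AuthToken` comment said all fields are in network order, yet `user_id`, `authenticator_id` and `challenge` are written in host order here. A comment above the assignments should name which fields are converted, so whoever checks the HMAC and the token age decodes them identically. Separately, `new hw_auth_token_t` leaves the object uninitialized; `hw_auth_token_t *token = new hw_auth_token_t();` value-initializes it, so a field added to the struct later cannot carry stale heap bytes into the signed token. The function body continues outside the hunk.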
@@ -160,7 +161,7 @@
     ComputeSignature(token->hmac, sizeof(token->hmac), auth_token_key, key_len,
             reinterpret_cast<uint8_t *>(token), hash_len);
 
-    if (length != NULL) *length = sizeof(AuthToken);
+    if (length != NULL) *length = sizeof(*token);
     auth_token->reset(reinterpret_cast<uint8_t *>(token));
 }
 
diff --git a/include/gatekeeper/gatekeeper.h b/include/gatekeeper/gatekeeper.h
index 6b76198..10f8791 100644
--- a/include/gatekeeper/gatekeeper.h
+++ b/include/gatekeeper/gatekeeper.h
@@ -19,6 +19,7 @@
 
 #include <stdint.h>
 #include <UniquePtr.h>
+#include <hardware/hw_auth_token.h>
 
 #include "gatekeeper_messages.h"
 
@@ -28,25 +29,6 @@
 typedef uint64_t salt_t;
 
 /**
- * Data format for an authentication record used to prove
- * successful password verification. Consumed by KeyStore
- * and keymaster to determine CryptoObject availability.
- *
- * All fields are written in network order.
- *
- * TODO: use hw_auth_token_t when Trusty has it
- */
-const uint8_t AUTH_TOKEN_VERSION = 0;
-struct __attribute__ ((__packed__)) AuthToken {
-    uint8_t auth_token_version;
-    secure_id_t root_secure_user_id;
-    secure_id_t auxiliary_secure_user_id;
-    uint32_t authenticator_id;
-    uint32_t timestamp;
-    uint8_t hmac[32];
-};
-
-/**
  * Internal only structure for easy serialization
  * and deserialization of password handles.
  *
@@ -92,7 +74,7 @@
      *
      */
     virtual void GetAuthTokenKey(const uint8_t **auth_token_key, uint32_t *length)
-        const = 0;
+           const = 0;
     /**
      * The key used to sign and verify password data.
      *
@@ -147,7 +129,7 @@
     /**
      * Generates a signed attestation of an authentication event and assings
      * to auth_token UniquePtr.
-     * The format is consistent with that of AuthToken above.
+     * The format is consistent with that of hw_auth_token_t.
      * Also returns the length in length if it is not null.
      */
     void MintAuthToken(UniquePtr<uint8_t> *auth_token, uint32_t *length, uint32_t timestamp,
diff --git a/tests/gatekeeper_test.cpp b/tests/gatekeeper_test.cpp
index 05554f6..66de7de 100644
--- a/tests/gatekeeper_test.cpp
+++ b/tests/gatekeeper_test.cpp
@@ -19,6 +19,7 @@
 #include <iostream>
 
 #include <gatekeeper/soft_gatekeeper.h>
+#include <hardware/hw_auth_token.h>
 
 using ::gatekeeper::SizedBuffer;
 using ::testing::Test;
@@ -27,7 +28,6 @@
 using ::gatekeeper::VerifyRequest;
 using ::gatekeeper::VerifyResponse;
 using ::gatekeeper::SoftGateKeeper;
-using ::gatekeeper::AuthToken;
 using ::gatekeeper::secure_id_t;
 
 static void do_enroll(SoftGateKeeper &gatekeeper, EnrollResponse *response) {
@@ -79,13 +79,13 @@
 
     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
 
-    AuthToken *auth_token =
-        reinterpret_cast<AuthToken *>(response.auth_token.buffer.get());
+    hw_auth_token_t *auth_token =
+        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
 
-    ASSERT_EQ((uint32_t) 0, auth_token->authenticator_id);
+    ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, auth_token->authenticator_type);
     ASSERT_NE(~((uint32_t) 0), auth_token->timestamp);
-    ASSERT_NE((uint64_t) 0, auth_token->root_secure_user_id);
-    ASSERT_NE((uint64_t) 0, auth_token->auxiliary_secure_user_id);
+    ASSERT_NE((uint64_t) 0, auth_token->user_id);
+    ASSERT_NE((uint64_t) 0, auth_token->authenticator_id);
 }
 
 TEST(GateKeeperTest, TrustedReEnroll) {
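Review bot: `ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, auth_token->authenticator_type)` compares a host-order constant with a field that `MintAuthToken` now stores through `htonl`. On a little-endian host it can hold only if the constant's bytes happen to be symmetric. Decode before comparing, `ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type));`, and decode `timestamp` the same way before the `ASSERT_NE`. The `reinterpret_cast` of `response.auth_token.buffer.get()` is also made without first asserting that the returned token length equals `sizeof(hw_auth_token_t)`, so a short or empty buffer would be read out of bounds instead of failing the test cleanly. The test body begins outside the hunk.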
@@ -113,10 +113,10 @@
     VerifyResponse response;
     gatekeeper.Verify(request, &response);
     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
-    AuthToken *auth_token =
-        reinterpret_cast<AuthToken *>(response.auth_token.buffer.get());
+    hw_auth_token_t *auth_token =
+        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
 
-    secure_id_t secure_id = auth_token->root_secure_user_id;
+    secure_id_t secure_id = auth_token->user_id;
 
     // enroll new password
     provided_password.buffer.reset(new uint8_t[16]);
@@ -139,7 +139,7 @@
     gatekeeper.Verify(new_request, &response);
     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
     ASSERT_EQ(secure_id,
-        reinterpret_cast<AuthToken *>(response.auth_token.buffer.get())->root_secure_user_id);
+        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
 }
 
 
@@ -161,10 +161,10 @@
     VerifyResponse response;
     gatekeeper.Verify(request, &response);
     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
-    AuthToken *auth_token =
-        reinterpret_cast<AuthToken *>(response.auth_token.buffer.get());
+    hw_auth_token_t *auth_token =
+        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
 
-    secure_id_t secure_id = auth_token->root_secure_user_id;
+    secure_id_t secure_id = auth_token->user_id;
 
     // enroll new password
     SizedBuffer password;
@@ -184,7 +184,7 @@
     gatekeeper.Verify(new_request, &response);
     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
     ASSERT_NE(secure_id,
-        reinterpret_cast<AuthToken *>(response.auth_token.buffer.get())->root_secure_user_id);
+        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
 }