Add support for confirmation APIs.
This code implements new keystore APIs for confirmations.
Also add new 'confirmation' verb to the keystore_cli_v2 command to be
used for testing confirmations. It will block until there's a
callback. Example invocations:
phone:/ # keystore_cli_v2 confirmation --prompt_text="Hello World" --extra_data=010203 --ui_options=1,2,3
Waiting for prompt to complete - use Ctrl+C to abort...
Confirmation prompt completed
responseCode = 0
dataThatWasConfirmed[30] = {0xa2, 0x66, 0x70, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x6b, 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x65, 0x65, 0x78, 0x74, 0x72, 0x61, 0x43, 0x01, 0x02, 0x03}
phone:/ #
If a prompt is already being shown, the |OperationPending| return code
(code 3) is returned:
phone:/ # keystore_cli_v2 confirmation --prompt_text="Hello World" --extra_data=010203 --ui_options=1,2,3
Presenting confirmation prompt failed with return code 3.
Canceling a prompt:
phone:/# keystore_cli_v2 confirmation --prompt_text="Hello World" --extra_data=010203 --cancel_after=1.5
Sleeping 1.5 seconds before canceling prompt...
Waiting for prompt to complete - use Ctrl+C to abort...
Confirmation prompt completed
responseCode = 2
dataThatWasConfirmed[0] = {}
Bug: 63928580
Test: Manually tested.
Change-Id: Ida14706ad066d5350b9081eb7821c7b1a1472dd2
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index fec44ec..958b0dc 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -20,6 +20,7 @@
#include <android/security/BnKeystoreService.h>
#include "auth_token_table.h"
+#include "confirmation_manager.h"
#include "KeyStore.h"
#include "keystore_keymaster_enforcement.h"
@@ -36,7 +37,9 @@
class KeyStoreService : public android::security::BnKeystoreService,
android::IBinder::DeathRecipient {
public:
- explicit KeyStoreService(KeyStore* keyStore) : mKeyStore(keyStore), mOperationMap(this) {}
+ explicit KeyStoreService(KeyStore* keyStore)
+ : mKeyStore(keyStore), mOperationMap(this),
+ mConfirmationManager(new ConfirmationManager(this)) {}
virtual ~KeyStoreService() = default;
void binderDied(const android::wp<android::IBinder>& who);
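Review bot: The new initializer `mConfirmationManager(new ConfirmationManager(this))` hands the raw `this` pointer to an object that is held through a ref-counted `android::sp`, so the manager can outlive the service if anything else still holds a strong reference to it. How `ConfirmationManager` stores the pointer is not visible here; if it is a non-owning `DeathRecipient*`, the constructor should say so, e.g. `// ConfirmationManager keeps a non-owning pointer to this service; the service must outlive it.` `binderDied` presumably now serves confirmation listeners as well as operation tokens. If so, its implementation (outside this hunk) should forward a dead listener to the manager so that a prompt owned by a crashed client is torn down rather than left pending. The class body starts and ends outside this hunk.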
@@ -160,6 +163,7 @@
::android::security::keymaster::KeymasterCertificateChain* chain,
int32_t* _aidl_return) override;
::android::binder::Status onDeviceOffBody(int32_t* _aidl_return) override;
+
::android::binder::Status importWrappedKey(
const ::android::String16& wrappedKeyAlias, const ::std::vector<uint8_t>& wrappedKey,
const ::android::String16& wrappingKeyAlias, const ::std::vector<uint8_t>& maskingKey,
@@ -167,6 +171,14 @@
int64_t fingerprintSid, ::android::security::keymaster::KeyCharacteristics* characteristics,
int32_t* _aidl_return) override;
+ ::android::binder::Status presentConfirmationPrompt(
+ const ::android::sp<::android::IBinder>& listener, const ::android::String16& promptText,
+ const ::std::vector<uint8_t>& extraData, const ::android::String16& locale,
+ int32_t uiOptionsAsFlags, int32_t* _aidl_return) override;
+ ::android::binder::Status
+ cancelConfirmationPrompt(const ::android::sp<::android::IBinder>& listener,
+ int32_t* _aidl_return) override;
+
private:
static const int32_t UID_SELF = -1;
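Review bot: `presentConfirmationPrompt` and `cancelConfirmationPrompt` are new binder entry points declared with no comment on who may call them or what `_aidl_return` carries, although every argument (`promptText`, `extraData`, `locale`, `uiOptionsAsFlags`) comes from the calling process. I would document the contract in the header, for example `// _aidl_return receives the response code; OperationPending (3) if a prompt is already showing.` and `// Only the listener that started the current prompt may cancel it.` The second point should be checked against the implementation, which is not in this hunk: if the listener is not compared, any client could dismiss another caller's prompt. It is also worth stating whether length limits on `promptText` and `extraData` are enforced here or left to the confirmation UI.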
@@ -276,8 +288,15 @@
KeyStoreServiceReturnCode upgradeKeyBlob(const android::String16& name, uid_t targetUid,
const AuthorizationSet& params, Blob* blob);
+ /**
+ * Adds a Confirmation Token to the key parameters if needed.
+ */
+ void appendConfirmationTokenIfNeeded(const KeyCharacteristics& keyCharacteristics,
+ std::vector<KeyParameter>* params);
+
KeyStore* mKeyStore;
OperationMap mOperationMap;
+ android::sp<ConfirmationManager> mConfirmationManager;
keystore::AuthTokenTable mAuthTokenTable;
KeystoreKeymasterEnforcement enforcement_policy;
};
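Review bot: The doc comment on `appendConfirmationTokenIfNeeded` says "if needed" without naming the condition, and the function returns `void`, so a caller cannot tell whether a key that requires confirmation actually received a token. I would expand the comment to name the key characteristic that triggers the append (presumably the trusted-confirmation-required authorization) and to say what happens when no token is available, e.g. `* If no token is available, params is left unchanged and the operation is expected to be rejected downstream.` That wording needs confirming against the implementation, which is outside this hunk. The comment should also say whether a token is discarded after one use, since a token that stays valid across operations would let a single user confirmation cover several key operations.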