diff options
| author | David Zeuthen <zeuthen@google.com> | 2021-03-04 16:39:42 -0500 |
|---|---|---|
| committer | David Zeuthen <zeuthen@google.com> | 2021-03-04 17:45:54 -0500 |
| commit | c6c950b55be95fe3e52d93d90ac817e9c7598f2b (patch) | |
| tree | 75edcf7bb2466e31a1bd9d20ce05449ec521e3b1 /identity/aidl/default/common/IdentityCredential.cpp | |
| parent | 620ad1ca3f4aecc22a3a5a54196a123ddfb222f8 (diff) | |
identity: Check freshness of verification token in TA.
A problem where credstore didn't always use the TA-generated challenge
in the verification token was fixed in aosp/1619825. With this bug-fix
we can now reliably check that the passed-in verification token is
always fresh.
Bug: 181893400
Test: atest android.security.identity.cts on emulator
Test: atest VtsHalIdentityTargetTest
Change-Id: Iffdf026475da6321764561972aae27a82ab94530
Diffstat (limited to 'identity/aidl/default/common/IdentityCredential.cpp')
| -rw-r--r-- | identity/aidl/default/common/IdentityCredential.cpp | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/identity/aidl/default/common/IdentityCredential.cpp b/identity/aidl/default/common/IdentityCredential.cpp index 94779971b1..c8ee0dd67a 100644 --- a/identity/aidl/default/common/IdentityCredential.cpp +++ b/identity/aidl/default/common/IdentityCredential.cpp @@ -253,14 +253,17 @@ ndk::ScopedAStatus IdentityCredential::startRetrieval( } } - // Feed the auth token to secure hardware. - if (!hwProxy_->setAuthToken(authToken.challenge, authToken.userId, authToken.authenticatorId, - int(authToken.authenticatorType), authToken.timestamp.milliSeconds, - authToken.mac, verificationToken_.challenge, - verificationToken_.timestamp.milliSeconds, - int(verificationToken_.securityLevel), verificationToken_.mac)) { - return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( - IIdentityCredentialStore::STATUS_INVALID_DATA, "Invalid Auth Token")); + // Feed the auth token to secure hardware only if they're valid. + if (authToken.timestamp.milliSeconds != 0) { + if (!hwProxy_->setAuthToken( + authToken.challenge, authToken.userId, authToken.authenticatorId, + int(authToken.authenticatorType), authToken.timestamp.milliSeconds, + authToken.mac, verificationToken_.challenge, + verificationToken_.timestamp.milliSeconds, + int(verificationToken_.securityLevel), verificationToken_.mac)) { + return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( + IIdentityCredentialStore::STATUS_INVALID_DATA, "Invalid Auth Token")); + } } // We'll be feeding ACPs interleaved with certificates from the reader |