-rw-r--r-- | identity/aidl/default/common/IdentityCredential.cpp | 19 | ||||
-rw-r--r-- | identity/aidl/default/libeic/EicPresentation.c | 25 |
2 files changed, 25 insertions, 19 deletions
diff --git a/identity/aidl/default/common/IdentityCredential.cpp b/identity/aidl/default/common/IdentityCredential.cpp
index 94779971b1..c8ee0dd67a 100644
--- a/identity/aidl/default/common/IdentityCredential.cpp
+++ b/identity/aidl/default/common/IdentityCredential.cpp
@@ -253,14 +253,17 @@ ndk::ScopedAStatus IdentityCredential::startRetrieval(
 }
 }
- // Feed the auth token to secure hardware.
- if (!hwProxy_->setAuthToken(authToken.challenge, authToken.userId, authToken.authenticatorId,
- int(authToken.authenticatorType), authToken.timestamp.milliSeconds,
- authToken.mac, verificationToken_.challenge,
- verificationToken_.timestamp.milliSeconds,
- int(verificationToken_.securityLevel), verificationToken_.mac)) {
- return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
- IIdentityCredentialStore::STATUS_INVALID_DATA, "Invalid Auth Token"));
+ // Feed the auth token to secure hardware only if they're valid.
+ if (authToken.timestamp.milliSeconds != 0) {
+ if (!hwProxy_->setAuthToken(
+ authToken.challenge, authToken.userId, authToken.authenticatorId,
+ int(authToken.authenticatorType), authToken.timestamp.milliSeconds,
+ authToken.mac, verificationToken_.challenge,
+ verificationToken_.timestamp.milliSeconds,
+ int(verificationToken_.securityLevel), verificationToken_.mac)) {
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
+ IIdentityCredentialStore::STATUS_INVALID_DATA, "Invalid Auth Token"));
+ }
 }
 // We'll be feeding ACPs interleaved with certificates from the reader
diff --git a/identity/aidl/default/libeic/EicPresentation.c b/identity/aidl/default/libeic/EicPresentation.c
index 5e9a280d09..9e033b39fb 100644
--- a/identity/aidl/default/libeic/EicPresentation.c
+++ b/identity/aidl/default/libeic/EicPresentation.c
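Review bot: The guard `authToken.timestamp.milliSeconds != 0` only detects whether a token was supplied at all, so the new comment `only if they're valid` overstates it — validity is still decided by `hwProxy_->setAuthToken`; suggest `// Feed the auth token to secure hardware only if the caller supplied one (a zero timestamp means no token).` Skipping the call entirely also means the secure side is never told that no token was presented, so the libeic checks must reject a missing token on their own; the `checkUserAuth` hunk in this commit drops its `authTokenChallenge == 0` and `authChallenge == 0` guards and keeps only the inequality test, which does not fire when both fields are still zero, unless a check outside that hunk catches it first. The enclosing startRetrieval begins before and continues after this hunk.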
@@ -336,6 +336,18 @@ bool eicPresentationSetAuthToken(EicPresentation* ctx, uint64_t challenge, uint6
 int verificationTokenSecurityLevel, const uint8_t* verificationTokenMac, size_t verificationTokenMacSize) {
+ // It doesn't make sense to accept any tokens if eicPresentationCreateAuthChallenge()
+ // was never called.
+ if (ctx->authChallenge == 0) {
+ eicDebug("Trying validate tokens when no auth-challenge was previously generated");
+ return false;
+ }
+ // At least the verification-token must have the same challenge as what was generated.
+ if (verificationTokenChallenge != ctx->authChallenge) {
+ eicDebug("Challenge in verification token does not match the challenge "
+ "previously generated");
+ return false;
+ }
 if (!eicOpsValidateAuthToken( challenge, secureUserId, authenticatorId, hardwareAuthenticatorType, timeStamp, mac, macSize, verificationTokenChallenge, verificationTokenTimestamp,
@@ -360,18 +372,9 @@ static bool checkUserAuth(EicPresentation* ctx, bool userAuthenticationRequired,
 return false;
 }
+ // Only ACP with auth-on-every-presentation - those with timeout == 0 - need the
+ // challenge to match...
 if (timeoutMillis == 0) {
- if (ctx->authTokenChallenge == 0) {
- eicDebug("No challenge in authToken");
- return false;
- }
-
- // If we didn't create a challenge, too bad but user auth with
- // timeoutMillis set to 0 needs it.
- if (ctx->authChallenge == 0) {
- eicDebug("No challenge was created for this session");
- return false;
- }
 if (ctx->authTokenChallenge != ctx->authChallenge) {
 eicDebug("Challenge in authToken (%" PRIu64 ") doesn't match the challenge " |
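Review bot: The new `ctx->authChallenge == 0` guard uses zero as the "no challenge generated" sentinel, which silently assumes eicPresentationCreateAuthChallenge() never yields 0; if the challenge comes from a random source that holds only probabilistically and should be stated next to the check, e.g. `// 0 is reserved to mean "no challenge generated"; eicPresentationCreateAuthChallenge() must never return it.` The first debug string also reads oddly: `eicDebug("Trying to validate tokens when no auth-challenge was previously generated");`. Only the verification token's challenge is bound here; the auth token's own `challenge` argument appears to be left to checkUserAuth, which this commit enforces only for ACPs with timeoutMillis == 0, so a one-line comment at this site explaining that split would help the next reader. eicPresentationSetAuthToken's signature begins before the hunk and its body continues after it.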