keymaster: use hmac_key as AuthToken key
Current AuthToken key use random number key. In order to
synchronize with GSC AuthToken key which use hmac_key, copy
hamc_key to AuthToken key in InitializeAuthTokenKey().
Bug: 175096345
Change-Id: I1d15355ac6195e5f68dffd295c774abc25206f79
diff --git a/openssl_keymaster_enforcement.cpp b/openssl_keymaster_enforcement.cpp
index 32f3093..8d56809 100644
--- a/openssl_keymaster_enforcement.cpp
+++ b/openssl_keymaster_enforcement.cpp
@@ -250,4 +250,21 @@
return KM_ERROR_OK;
}
+
+keymaster_error_t OpenSSLKeymasterEnforcement::GetHmacKey(
+ keymaster_key_blob_t* key) {
+ if ((key == nullptr) || (key->key_material == nullptr)) {
+ return KM_ERROR_UNEXPECTED_NULL_POINTER;
+ }
+
+ if (hmac_key_.key_material_size != SHA256_DIGEST_LENGTH) {
+ return KM_ERROR_INVALID_ARGUMENT;
+ }
+
+ memcpy((void*)key->key_material, hmac_key_.key_material,
+ hmac_key_.key_material_size);
+ key->key_material_size = hmac_key_.key_material_size;
+
+ return KM_ERROR_OK;
+}
} // namespace keymaster
diff --git a/openssl_keymaster_enforcement.h b/openssl_keymaster_enforcement.h
index 5a41139..cbc8263 100644
--- a/openssl_keymaster_enforcement.h
+++ b/openssl_keymaster_enforcement.h
@@ -50,6 +50,7 @@
KeymasterBlob* sharingCheck) override;
VerifyAuthorizationResponse VerifyAuthorization(
const VerifyAuthorizationRequest& request) override;
+ keymaster_error_t GetHmacKey(keymaster_key_blob_t* key);
private:
static const size_t kKeyAgreementKeySize = TRUSTY_KM_KAK_SIZE;
diff --git a/trusty_keymaster_context.cpp b/trusty_keymaster_context.cpp
index e3d930e..aa0e37d 100644
--- a/trusty_keymaster_context.cpp
+++ b/trusty_keymaster_context.cpp
@@ -509,9 +509,18 @@
}
bool TrustyKeymasterContext::InitializeAuthTokenKey() {
- if (GenerateRandom(auth_token_key_, kAuthTokenKeySize) != KM_ERROR_OK)
- return false;
- auth_token_key_initialized_ = true;
+ if (auth_token_key_initialized_)
+ return true;
+
+ keymaster_key_blob_t key;
+ key.key_material = auth_token_key_;
+ key.key_material_size = kAuthTokenKeySize;
+ keymaster_error_t error = enforcement_policy_.GetHmacKey(&key);
+ if (error == KM_ERROR_OK)
+ auth_token_key_initialized_ = true;
+ else
+ auth_token_key_initialized_ = false;
+
return auth_token_key_initialized_;
}
