Skip to content

Commit

Permalink
set security level properly
Browse files Browse the repository at this point in the history
  • Loading branch information
@5ec1cff
5ec1cff committed Jul 28, 2024
1 parent 3ea1502 commit 479459d
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 10 deletions.
4 changes: 2 additions & 2 deletions service/src/main/java/io/github/a13e300/tricky_store/KeystoreInterceptor.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,15 +133,15 @@ object KeystoreInterceptor : BinderInterceptor() {
keystore.linkToDeath(Killer, 0)
if (tee != null) {
Logger.i("register for TEE SecurityLevel $tee!")
val interceptor = SecurityLevelInterceptor(tee)
val interceptor = SecurityLevelInterceptor(tee, SecurityLevel.TRUSTED_ENVIRONMENT)
registerBinderInterceptor(bd, tee.asBinder(), interceptor)
teeInterceptor = interceptor
} else {
Logger.i("no TEE SecurityLevel found!")
}
if (strongBox != null) {
Logger.i("register for StrongBox SecurityLevel $tee!")
val interceptor = SecurityLevelInterceptor(strongBox)
val interceptor = SecurityLevelInterceptor(strongBox, SecurityLevel.STRONGBOX)
registerBinderInterceptor(bd, strongBox.asBinder(), interceptor)
strongBoxInterceptor = interceptor
} else {
Expand Down
19 changes: 11 additions & 8 deletions service/src/main/java/io/github/a13e300/tricky_store/SecurityLevelInterceptor.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package io.github.a13e300.tricky_store

import android.hardware.security.keymint.KeyParameter
import android.hardware.security.keymint.KeyParameterValue
import android.hardware.security.keymint.SecurityLevel
import android.hardware.security.keymint.Tag
import android.os.IBinder
import android.os.Parcel
Expand All @@ -19,7 +18,10 @@ import java.security.KeyPair
import java.security.cert.Certificate
import java.util.concurrent.ConcurrentHashMap

class SecurityLevelInterceptor(private val original: IKeystoreSecurityLevel) : BinderInterceptor() {
class SecurityLevelInterceptor(
private val original: IKeystoreSecurityLevel,
private val level: Int
) : BinderInterceptor() {
companion object {
private val generateKeyTransaction =
getTransactCode(IKeystoreSecurityLevel.Stub::class.java, "generateKey")
Expand Down Expand Up @@ -79,6 +81,7 @@ class SecurityLevelInterceptor(private val original: IKeystoreSecurityLevel) : B
): KeyEntryResponse {
val response = KeyEntryResponse()
val metadata = KeyMetadata()
metadata.keySecurityLevel = level
Utils.putCertificateChain(metadata, chain.toTypedArray<Certificate>())
val d = KeyDescriptor()
d.domain = descriptor.domain
Expand All @@ -91,40 +94,40 @@ class SecurityLevelInterceptor(private val original: IKeystoreSecurityLevel) : B
a.keyParameter = KeyParameter()
a.keyParameter.tag = Tag.PURPOSE
a.keyParameter.value = KeyParameterValue.keyPurpose(i)
a.securityLevel = SecurityLevel.TRUSTED_ENVIRONMENT
a.securityLevel = level
authorizations.add(a)
}
for (i in params.digest) {
a = Authorization()
a.keyParameter = KeyParameter()
a.keyParameter.tag = Tag.DIGEST
a.keyParameter.value = KeyParameterValue.digest(i)
a.securityLevel = SecurityLevel.TRUSTED_ENVIRONMENT
a.securityLevel = level
authorizations.add(a)
}
a = Authorization()
a.keyParameter = KeyParameter()
a.keyParameter.tag = Tag.ALGORITHM
a.keyParameter.value = KeyParameterValue.algorithm(params.algorithm)
a.securityLevel = SecurityLevel.TRUSTED_ENVIRONMENT
a.securityLevel = level
authorizations.add(a)
a = Authorization()
a.keyParameter = KeyParameter()
a.keyParameter.tag = Tag.KEY_SIZE
a.keyParameter.value = KeyParameterValue.integer(params.keySize)
a.securityLevel = SecurityLevel.TRUSTED_ENVIRONMENT
a.securityLevel = level
authorizations.add(a)
a = Authorization()
a.keyParameter = KeyParameter()
a.keyParameter.tag = Tag.EC_CURVE
a.keyParameter.value = KeyParameterValue.ecCurve(params.ecCurve)
a.securityLevel = SecurityLevel.TRUSTED_ENVIRONMENT
a.securityLevel = level
authorizations.add(a)
a = Authorization()
a.keyParameter = KeyParameter()
a.keyParameter.tag = Tag.NO_AUTH_REQUIRED
a.keyParameter.value = KeyParameterValue.boolValue(true) // TODO: copy
a.securityLevel = SecurityLevel.TRUSTED_ENVIRONMENT
a.securityLevel = level
authorizations.add(a)
// TODO: ORIGIN
//OS_VERSION
Expand Down

0 comments on commit 479459d

Please sign in to comment.