set security level properly

5ec1cff · Jul 28, 2024 · fca5bde · fca5bde
1 parent 3ea1502
commit fca5bde
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/service/src/main/java/io/github/a13e300/tricky_store/KeystoreInterceptor.kt b/service/src/main/java/io/github/a13e300/tricky_store/KeystoreInterceptor.kt
@@ -133,15 +133,15 @@ object KeystoreInterceptor : BinderInterceptor() {
         keystore.linkToDeath(Killer, 0)
         if (tee != null) {
             Logger.i("register for TEE SecurityLevel $tee!")
-            val interceptor = SecurityLevelInterceptor(tee)
+            val interceptor = SecurityLevelInterceptor(tee, SecurityLevel.TRUSTED_ENVIRONMENT)
             registerBinderInterceptor(bd, tee.asBinder(), interceptor)
             teeInterceptor = interceptor
         } else {
             Logger.i("no TEE SecurityLevel found!")
         }
         if (strongBox != null) {
             Logger.i("register for StrongBox SecurityLevel $tee!")
-            val interceptor = SecurityLevelInterceptor(strongBox)
+            val interceptor = SecurityLevelInterceptor(strongBox, SecurityLevel.STRONGBOX)
             registerBinderInterceptor(bd, strongBox.asBinder(), interceptor)
             strongBoxInterceptor = interceptor
         } else {

diff --git a/service/src/main/java/io/github/a13e300/tricky_store/SecurityLevelInterceptor.kt b/service/src/main/java/io/github/a13e300/tricky_store/SecurityLevelInterceptor.kt
@@ -19,7 +19,10 @@ import java.security.KeyPair
 import java.security.cert.Certificate
 import java.util.concurrent.ConcurrentHashMap
 
-class SecurityLevelInterceptor(private val original: IKeystoreSecurityLevel) : BinderInterceptor() {
+class SecurityLevelInterceptor(
+    private val original: IKeystoreSecurityLevel,
+    private val level: Int
+) : BinderInterceptor() {
     companion object {
         private val generateKeyTransaction =
             getTransactCode(IKeystoreSecurityLevel.Stub::class.java, "generateKey")
@@ -79,6 +82,7 @@ class SecurityLevelInterceptor(private val original: IKeystoreSecurityLevel) : B
     ): KeyEntryResponse {
         val response = KeyEntryResponse()
         val metadata = KeyMetadata()
+        metadata.keySecurityLevel = level
         Utils.putCertificateChain(metadata, chain.toTypedArray<Certificate>())
         val d = KeyDescriptor()
         d.domain = descriptor.domain
@@ -91,7 +95,7 @@ class SecurityLevelInterceptor(private val original: IKeystoreSecurityLevel) : B
             a.keyParameter = KeyParameter()
             a.keyParameter.tag = Tag.PURPOSE
             a.keyParameter.value = KeyParameterValue.keyPurpose(i)
-            a.securityLevel = SecurityLevel.TRUSTED_ENVIRONMENT
+            a.securityLevel = level
             authorizations.add(a)
         }
         for (i in params.digest) {