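A detailed look at authToken in Android gatekeeper/fingerprint
Contents
- 1. What is authToken?
- 2. Filling in the authToken
- 3. Saving the authToken
1. What is authToken?
After a password or fingerprint has been verified (that is, after verify succeeds), an authToken value must be returned and is then handed to keystore to be stored. The flow chart for gatekeeper's verify producing the authToken and calling keystore to save it:
[Figure: flow from gatekeeper verify producing the authToken to keystore saving it]
2. Filling in the authToken
After verify() in the gatekeeper TA succeeds, the TA fills in the authToken structure and then returns it.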
(hardware/libhardware/include/hardware/hw_auth_token.h)

```c
typedef struct __attribute__((__packed__)) {
    uint8_t version;  // Current version is 0
    uint64_t challenge;
    uint64_t user_id;  // secure user ID, not Android user ID
    uint64_t authenticator_id;  // secure authenticator ID
    uint32_t authenticator_type;  // hw_authenticator_type_t, in network order
    uint64_t timestamp;  // in network order
    uint8_t hmac[32];
} hw_auth_token_t;
```

- Challenge: challenge
- User SID: user_id
- Authenticator ID (ASID): authenticator_id
- Authenticator type: authenticator_type, 00 - gatekeeper, 01 - fingerprint
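3. Saving the authToken
After gatekeeperd calls hw_device->verify(), it first checks the authToken. If it is empty, verify is considered to have failed (authentication failure). If it is not empty, verify is considered successful, and addAuthToken is called to store the authToken.
The following is the logic that handles the authToken; it is independent of the underlying hardware/TEE.
In gatekeeperd's verifyChallenge, once hw_device->verify() has finished, keystore's addAuthToken method is called to save the authToken.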
(system/core/gatekeeperd$ vim gatekeeperd.cpp)

```cpp
if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {
    // TODO: cache service?
    sp<IServiceManager> sm = defaultServiceManager();
    sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
    sp<security::keystore::IKeystoreService> service =
        interface_cast<security::keystore::IKeystoreService>(binder);
    if (service != NULL) {
        std::vector<uint8_t> auth_token_vector(*auth_token,
                                               (*auth_token) + *auth_token_length);
        int result = 0;
        auto binder_result = service->addAuthToken(auth_token_vector, &result);
        if (!binder_result.isOk() || !keystore::KeyStoreServiceReturnCode(result).isOk()) {
            ALOGE("Failure sending auth token to KeyStore: %" PRId32, result);
        }
    } else {
        ALOGE("Unable to communicate with KeyStore");
    }
}
```

(frameworks/base/keystore/java/android/security/KeyStore.java)

```java
public int addAuthToken(byte[] authToken) {
    try {
        return mBinder.addAuthToken(authToken);
    } catch (RemoteException e) {
        Log.w(TAG, "Cannot connect to keystore", e);
        return SYSTEM_ERROR;
    }
}
```

(system/security/keystore/key_store_service.cpp)

```cpp
Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector,
                                     int32_t* aidl_return) {
    KEYSTORE_SERVICE_LOCK;

    // TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to
    // receive a HardwareAuthToken, rather than an opaque byte array.

    if (!checkBinderPermission(P_ADD_AUTH)) {
        ALOGW("addAuthToken: permission denied for %d", IPCThreadState::self()->getCallingUid());
        *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
        return Status::ok();
    }
    if (authTokenAsVector.size() != sizeof(hw_auth_token_t)) {
        *aidl_return = KeyStoreServiceReturnCode(ErrorCode::INVALID_ARGUMENT).getErrorCode();
        return Status::ok();
    }

    hw_auth_token_t authToken;
    memcpy(reinterpret_cast<void*>(&authToken), authTokenAsVector.data(), sizeof(hw_auth_token_t));
    if (authToken.version != 0) {
        *aidl_return = KeyStoreServiceReturnCode(ErrorCode::INVALID_ARGUMENT).getErrorCode();
        return Status::ok();
    }

    mKeyStore->getAuthTokenTable().AddAuthenticationToken(
        hidlVec2AuthToken(hidl_vec<uint8_t>(authTokenAsVector)));
    *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
    return Status::ok();
}
```

max_entries_ is 32. If the number of authTokens is less than 32, the authToken is pushed directly into the table; if it is greater than 32, the smallest entry is replaced.
(system/security/keystore/auth_token_table.cpp)

```cpp
void AuthTokenTable::AddAuthenticationToken(HardwareAuthToken&& auth_token) {
    Entry new_entry(std::move(auth_token), clock_function_());
    // STOPSHIP: debug only, to be removed
    ALOGD("AddAuthenticationToken: timestamp = %llu, time_received = %lld",
          static_cast<unsigned long long>(new_entry.token().timestamp),
          static_cast<long long>(new_entry.time_received()));

    std::lock_guard<std::mutex> lock(entries_mutex_);
    RemoveEntriesSupersededBy(new_entry);
    if (entries_.size() >= max_entries_) {
        ALOGW("Auth token table filled up; replacing oldest entry");
        *min_element(entries_) = std::move(new_entry);
    } else {
        entries_.push_back(std::move(new_entry));
    }
}
```
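As an added example (not code from the original article or from AOSP), the following C program parses a serialized token using the packed hw_auth_token_t layout from section 2, applies the same length and version checks as KeyStoreService::addAuthToken in section 3, and converts the two network-order fields to host order. The function names parse_auth_token and make_sample_token and all sample values are assumptions made for this illustration; the HMAC is not verified, just as it is not in the addAuthToken excerpt.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same packed layout as the hw_auth_token_t quoted in section 2 (69 bytes). */
typedef struct __attribute__((__packed__)) {
    uint8_t version;
    uint64_t challenge, user_id, authenticator_id;
    uint32_t authenticator_type; /* network order on the wire */
    uint64_t timestamp;          /* network order on the wire */
    uint8_t hmac[32];
} hw_auth_token_t;

/* Hypothetical helper: 0 = ok, -1 = wrong length, -2 = unsupported version.
 * On success *out holds the token with both network-order fields in host order. */
int parse_auth_token(const uint8_t *buf, size_t len, hw_auth_token_t *out) {
    hw_auth_token_t t;
    if (len != sizeof(t)) return -1;          /* size check, as in addAuthToken */
    memcpy(&t, buf, sizeof(t));
    if (t.version != 0) return -2;            /* version check, as in addAuthToken */
    t.authenticator_type = ntohl(t.authenticator_type);
    const uint8_t *ts = buf + offsetof(hw_auth_token_t, timestamp);
    t.timestamp = 0;                          /* big-endian decode, byte by byte */
    for (int i = 0; i < 8; i++) t.timestamp = (t.timestamp << 8) | ts[i];
    *out = t;
    return 0;
}

/* Hypothetical helper: writes a constructed sample token (all values made up). */
size_t make_sample_token(uint8_t *buf, uint8_t version) {
    hw_auth_token_t t = {0};
    t.version = version;
    t.challenge = 0x1122334455667788ULL;
    t.user_id = 42;
    t.authenticator_type = htonl(1);          /* constructed value */
    memcpy(buf, &t, sizeof(t));
    buf[offsetof(hw_auth_token_t, timestamp) + 6] = 0x03; /* 0x03E8 = 1000 */
    buf[offsetof(hw_auth_token_t, timestamp) + 7] = 0xE8;
    return sizeof(t);
}

int main(void) {
    uint8_t buf[sizeof(hw_auth_token_t)];
    hw_auth_token_t v = {0};
    int rc = parse_auth_token(buf, make_sample_token(buf, 0), &v);
    printf("rc=%d type=%u\n", rc, (unsigned)v.authenticator_type);
    return rc;
}
```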