From 77819bb98841baef3febb234578c60237aa9bc99 Mon Sep 17 00:00:00 2001 From: Hasini Gunasinghe Date: Mon, 1 May 2023 15:33:06 +0000 Subject: [PATCH] Challenge is expected in timestamp token in case 2 In the second case out of the two cases of authorization enforcement described for update(), it seems like the challenge is expected in the timestamp token. Test: N/A Change-Id: I33e1b84bf8218335665b31ca144b3b4ecb342328 --- .../hardware/security/keymint/IKeyMintOperation.aidl | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintOperation.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintOperation.aidl index 82c8a0df9f..a4fab55271 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintOperation.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintOperation.aidl @@ -126,8 +126,8 @@ interface IKeyMintOperation { * * o The HMAC field must validate correctly. * - * o The challenge field in the auth token must contain the challenge value contained in the - * BeginResult returned from IKeyMintDevice::begin(). + * o The challenge field in the timestamp token must contain the challenge value contained in + * the BeginResult returned from IKeyMintDevice::begin(). * * The resulting secure time value is then used to authenticate the HardwareAuthToken. For the * auth token to be valid, all of the following has to be true: @@ -139,9 +139,6 @@ interface IKeyMintOperation { * * o The key must have a Tag::USER_AUTH_TYPE that matches the auth type in the token. * - * o The challenge field in the auth token must contain the challenge value contained in the - * BeginResult returned from IKeyMintDevice::begin(). - * * o The timestamp in the auth token plus the value of the Tag::AUTH_TIMEOUT must be greater * than the provided secure timestamp.