在Android中,authToken是一段用于标识"谁已经通过了认证"(即调用者/用户身份)的数据,它是一个带HMAC的结构体(hw_auth_token_t),由安全世界(TEE)生成.
在gatekeeper和fingerprint鉴权成功后(verify成功后),都会返回一个authToken给Android,随后加入到auth_token_table表中;该表最多缓存32个authToken,表满时会用新的token覆盖最旧的一项.
// Hardware authentication token handed back by the authenticator in the
// secure world (gatekeeper / fingerprint) after a successful verify, and
// cached by keystore in AuthTokenTable.
//
// The struct is packed, so its in-memory layout is the exact byte layout
// exchanged with the secure world: do not reorder, resize or pad the fields.
// NOTE(review): the byte order of the multi-byte fields (native vs. network)
// is not shown on this page — confirm against hw_auth_token.h before parsing.
typedef struct __attribute__((__packed__)) {
uint8_t version; // token format version; the expected value is not shown here
uint64_t challenge; // presumably matched against the operation handle for per-operation auth — verify
uint64_t user_id; // secure user ID (SID), compared against the key's SIDs (see AUTH_TOKEN_WRONG_SID)
uint64_t authenticator_id; // presumably identifies the authenticator instance that minted the token
uint32_t authenticator_type; // HardwareAuthenticatorType, compared against the key's TAG_USER_AUTH_TYPE
uint64_t timestamp; // when the token was minted; used for timed (non per-operation) authorization
uint8_t hmac[32]; // MAC over the preceding fields. keystore does not verify it here —
                  // presumably checked by keymaster when the token is presented with an operation
} hw_auth_token_t;
(system/security/keystore/auth_token_table.cpp)
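// Records a freshly received hardware auth token in the table.
//
// The token is stamped with the current time (clock_function_) so that
// timed authorization can later be evaluated against its age. Under
// entries_mutex_, entries the new token supersedes are dropped first; if the
// table is still at capacity (max_entries_), the entry ranked lowest by
// min_element (the oldest, per the warning text) is overwritten instead of
// growing the table.
//
// Security notes:
//  - The token's HMAC is not verified here. keystore only caches the token;
//    rejection of a token with a bad MAC presumably happens in keymaster when
//    the token is presented with an operation (not visible in this file —
//    confirm).
//  - The upstream STOPSHIP debug log of the token timestamps is removed:
//    auth-token contents must not be written to the system log in shipping
//    builds.
void AuthTokenTable::AddAuthenticationToken(HardwareAuthToken&& auth_token) {
    Entry new_entry(std::move(auth_token), clock_function_());

    std::lock_guard<std::mutex> lock(entries_mutex_);
    RemoveEntriesSupersededBy(new_entry);
    if (entries_.size() >= max_entries_) {
        // Table is full: evict rather than grow, so the cache stays bounded.
        ALOGW("Auth token table filled up; replacing oldest entry");
        *min_element(entries_) = std::move(new_entry);
    } else {
        entries_.push_back(std::move(new_entry));
    }
}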
max_entries_为32,也就是最多缓存32个authToken;超过时不会扩容,而是由min_element选出最旧的一项被新token覆盖.
(system/security/keystore/auth_token_table.cpp)
// Looks up an auth token that authorizes using a key with authorization set
// `key_info` for `purpose`.
//
// Returns {AUTH_NOT_REQUIRED, {}} when the key does not demand user
// authentication for this purpose. Otherwise the key's TAG_USER_AUTH_TYPE
// (defaulting to HardwareAuthenticatorType::NONE) and its secure user IDs
// (SIDs) are extracted and the search is delegated either to the
// per-operation lookup, which ties the token to `op_handle`, or to the timed
// lookup, which evaluates the token's age against the key's constraints.
//
// entries_mutex_ is held for the whole call, including the initial
// "is authentication required at all" check.
std::tuple<AuthTokenTable::Error, HardwareAuthToken>
AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info, KeyPurpose purpose,
                                  uint64_t op_handle) {
    std::lock_guard<std::mutex> lock(entries_mutex_);

    if (!KeyRequiresAuthentication(key_info, purpose)) {
        return {AUTH_NOT_REQUIRED, {}};
    }

    auto required_auth_type =
        defaultOr(key_info.GetTagValue(TAG_USER_AUTH_TYPE), HardwareAuthenticatorType::NONE);

    std::vector<uint64_t> sids;
    ExtractSids(key_info, &sids);

    const bool per_operation = KeyRequiresAuthPerOperation(key_info, purpose);
    return per_operation ? FindAuthPerOpAuthorization(sids, required_auth_type, op_handle)
                         : FindTimedAuthorization(sids, required_auth_type, key_info);
}
(system/security/keystore/keymaster_worker.cpp)
// Resolves the auth token (if any) that authorizes operation `handle` with
// `purpose` on a key with the given characteristics, and translates the
// table's verdict into a KeyStoreServiceReturnCode.
//
// Both the software- and hardware-enforced authorization lists are merged
// before the lookup, since the user-auth requirement may live in either.
// `failOnTokenMissing` decides how OP_HANDLE_REQUIRED is reported: as a hard
// KEY_USER_NOT_AUTHENTICATED error, or as OP_AUTH_NEEDED so the caller can
// obtain a per-operation token and retry.
//
// Returns the code together with the token found (default-constructed when
// no token applies or none is required).
std::pair<KeyStoreServiceReturnCode, HardwareAuthToken>
KeymasterWorker::getAuthToken(const KeyCharacteristics& characteristics, uint64_t handle,
                              KeyPurpose purpose, bool failOnTokenMissing) {
    AuthorizationSet merged(characteristics.softwareEnforced);
    merged.append(characteristics.hardwareEnforced.begin(),
                  characteristics.hardwareEnforced.end());

    auto lookup = keyStore_->getAuthTokenTable().FindAuthorization(
        merged, static_cast<KeyPurpose>(purpose), handle);
    AuthTokenTable::Error err = std::get<0>(lookup);
    HardwareAuthToken token = std::move(std::get<1>(lookup));

    // Map the table's verdict onto the service return code.
    KeyStoreServiceReturnCode rc;
    if (err == AuthTokenTable::OK || err == AuthTokenTable::AUTH_NOT_REQUIRED) {
        rc = ResponseCode::NO_ERROR;
    } else if (err == AuthTokenTable::AUTH_TOKEN_NOT_FOUND ||
               err == AuthTokenTable::AUTH_TOKEN_EXPIRED ||
               err == AuthTokenTable::AUTH_TOKEN_WRONG_SID) {
        // Upstream STOPSHIP marker: debug-only log, slated for removal.
        ALOGE("getAuthToken failed: %d", err);
        rc = ErrorCode::KEY_USER_NOT_AUTHENTICATED;
    } else if (err == AuthTokenTable::OP_HANDLE_REQUIRED) {
        // A per-operation token is needed; whether that is fatal is up to the caller.
        if (failOnTokenMissing) {
            rc = KeyStoreServiceReturnCode(ErrorCode::KEY_USER_NOT_AUTHENTICATED);
        } else {
            rc = KeyStoreServiceReturnCode(ResponseCode::OP_AUTH_NEEDED);
        }
    } else {
        ALOGE("Unexpected FindAuthorization return value %d", err);
        rc = ErrorCode::INVALID_ARGUMENT;
    }

    return {rc, std::move(token)};
}