android密码解锁/指纹解锁返回的authToken深度解剖

目录

        • 1、authToken是什么
        • 2、authToken代码精读
          • (1)、AddAuthenticationToken
          • (2)、FindAuthorization
          • (3)、getAuthToken

1、authToken是什么

在android中authToken是一串标致调用者身份的数据,是一个结构体.
在gatekeeper和fingerprint的鉴权成功后(verify成功后),都会返回一个authToken给android,然后加入到auth_token_table表中, 该表最大存储32个authToken

typedef struct __attribute__((__packed__)) {
            uint8_t version; 
            uint64_t challenge;
            uint64_t user_id; 
            uint64_t authenticator_id; 
            uint32_t authenticator_type;
            uint64_t timestamp; 
            uint8_t hmac[32];
} hw_auth_token_t;

2、authToken代码精读

(1)、AddAuthenticationToken
(system/security/keystore/auth_token_table.cpp)
void AuthTokenTable::AddAuthenticationToken(HardwareAuthToken&& auth_token) {
    Entry new_entry(std::move(auth_token), clock_function_());
    // STOPSHIP: debug only, to be removed
    ALOGD("AddAuthenticationToken: timestamp = %llu, time_received = %lld",
          static_cast<unsigned long long>(new_entry.token().timestamp),
          static_cast<long long>(new_entry.time_received()));

    std::lock_guard<std::mutex> lock(entries_mutex_);
    RemoveEntriesSupersededBy(new_entry);
    if (entries_.size() >= max_entries_) {
        ALOGW("Auth token table filled up; replacing oldest entry");
        *min_element(entries_) = std::move(new_entry);
    } else {
        entries_.push_back(std::move(new_entry));
    }
}

max_entries_为32,也就是最大存储32个authToken

(2)、FindAuthorization
(system/security/keystore/auth_token_table.cpp)
std::tuple<AuthTokenTable::Error, HardwareAuthToken>
AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info, KeyPurpose purpose,
                                  uint64_t op_handle) {

    std::lock_guard<std::mutex> lock(entries_mutex_);

    if (!KeyRequiresAuthentication(key_info, purpose)) return {AUTH_NOT_REQUIRED, {}};

    auto auth_type =
        defaultOr(key_info.GetTagValue(TAG_USER_AUTH_TYPE), HardwareAuthenticatorType::NONE);

    std::vector<uint64_t> key_sids;
    ExtractSids(key_info, &key_sids);

    if (KeyRequiresAuthPerOperation(key_info, purpose))
        return FindAuthPerOpAuthorization(key_sids, auth_type, op_handle);
    else
        return FindTimedAuthorization(key_sids, auth_type, key_info);
}
(3)、getAuthToken
(system/security/keystore/keymaster_worker.cpp)
std::pair<KeyStoreServiceReturnCode, HardwareAuthToken>
KeymasterWorker::getAuthToken(const KeyCharacteristics& characteristics, uint64_t handle,
                              KeyPurpose purpose, bool failOnTokenMissing) {

    AuthorizationSet allCharacteristics(characteristics.softwareEnforced);
    allCharacteristics.append(characteristics.hardwareEnforced.begin(),
                              characteristics.hardwareEnforced.end());

    HardwareAuthToken authToken;
    AuthTokenTable::Error err;
    std::tie(err, authToken) = keyStore_->getAuthTokenTable().FindAuthorization(
        allCharacteristics, static_cast<KeyPurpose>(purpose), handle);

    KeyStoreServiceReturnCode rc;

    switch (err) {
    case AuthTokenTable::OK:
    case AuthTokenTable::AUTH_NOT_REQUIRED:
        rc = ResponseCode::NO_ERROR;
        break;

    case AuthTokenTable::AUTH_TOKEN_NOT_FOUND:
    case AuthTokenTable::AUTH_TOKEN_EXPIRED:
    case AuthTokenTable::AUTH_TOKEN_WRONG_SID:
        ALOGE("getAuthToken failed: %d", err);  // STOPSHIP: debug only, to be removed
        rc = ErrorCode::KEY_USER_NOT_AUTHENTICATED;
        break;

    case AuthTokenTable::OP_HANDLE_REQUIRED:
        rc = failOnTokenMissing ? KeyStoreServiceReturnCode(ErrorCode::KEY_USER_NOT_AUTHENTICATED)
                                : KeyStoreServiceReturnCode(ResponseCode::OP_AUTH_NEEDED);
        break;

    default:
        ALOGE("Unexpected FindAuthorization return value %d", err);
        rc = ErrorCode::INVALID_ARGUMENT;
    }

    return {rc, std::move(authToken)};
}

你可能感兴趣的:(Android,fingerprint,gatekeeper,keystore,authtoken)