Support requiring auth for keys generated outside of TEE on Android
This can be useful for older TEE versions that do not support certain
key types.
cpetrov committed Dec 18, 2023
1 parent 6c2026a commit 85098bb
Showing 2 changed files with 12 additions and 4 deletions.
4 changes: 2 additions & 2 deletions src/tabris/Crypto.ts
Expand Up @@ -241,8 +241,8 @@ class SubtleCrypto {
if ('usageRequiresAuth' in options) {
checkType(options.usageRequiresAuth, Boolean, {name: 'options.usageRequiresAuth'});
}
if (options.usageRequiresAuth && !options.inTee) {
throw new TypeError('options.usageRequiresAuth is only supported for keys in TEE');
if (options.usageRequiresAuth && !options.inTee && (tabris as any).device.platform !== 'Android') {
throw new TypeError('options.usageRequiresAuth is only supported for keys not in TEE on Android');
}
}
const inTee = options?.inTee;
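Review bot: On Android the relaxed guard now accepts `usageRequiresAuth: true` even when `inTee` was simply forgotten, so a caller who used to get a TypeError now silently receives a key outside the TEE. Whether the auth requirement on such a key is still enforced by secure hardware is not visible in this hunk, so I would state the weaker guarantee in a comment above the condition, e.g. `// Android only: auth may be required for keys outside the TEE; enforcement is then not TEE-backed (confirm)`, and repeat it in the option's documentation. The new message is also ambiguous when it is thrown on iOS; `'options.usageRequiresAuth requires options.inTee except on Android'` says what the check actually enforces. The enclosing method starts before and continues after the hunk.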
12 changes: 10 additions & 2 deletions test/tabris/Crypto.test.ts
Expand Up @@ -1124,13 +1124,21 @@ describe('Crypto', function() {
expect(client.calls({op: 'create', type: 'tabris.CryptoKey'}).length).to.equal(0);
});

it('rejects options.usageRequiresAuth when options.inTee is not set', async function() {
it('rejects options.usageRequiresAuth when options.inTee is not set and platform is not Android', async function() {
(tabris as any).device.platform = 'iOS';
params[3] = {usageRequiresAuth: true};
await expect(generateKey())
.rejectedWith(TypeError, 'options.usageRequiresAuth is only supported for keys in TEE');
.rejectedWith(TypeError, 'options.usageRequiresAuth is only supported for keys not in TEE on Android');
expect(client.calls({op: 'create', type: 'tabris.CryptoKey'}).length).to.equal(0);
});

it('does not reject options.usageRequiresAuth when options.inTee is not set and platform is Android', async function() {
(tabris as any).device.platform = 'Android';
params[3] = {usageRequiresAuth: true};
await generateKey(param => param.onSuccess());
expect(client.calls({op: 'create', type: 'tabris.CryptoKey'}).length).to.be.greaterThan(0);
});

});

describe('subtle.sign()', function() {
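Review bot: Both tests assign `(tabris as any).device.platform` and nothing visible in the hunk restores it, so the value may leak into later tests unless a hook outside the hunk resets it; I would save the previous value and restore it in an `afterEach`. The Android test only checks that some `tabris.CryptoKey` was created. It should also assert that the native key-generation call receives `usageRequiresAuth: true` with `inTee` unset, otherwise a regression that drops the flag and yields a key with no auth gate would still pass. The enclosing `describe` block starts outside the hunk.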