
Commit 129629bd authored by Shawn Willden's avatar Shawn Willden Committed by Janis Danisevskis

Add Trusted Confirmation support to Keymaster HAL.

Bug: 63928580
Test: VtsHalKeymasterV4_0TargetTest

Change-Id: I402be6f182f7f375493334d5e000fec23f3551f6
parent 83509cd7
+3 −0
@@ -140,6 +140,7 @@ DECLARE_TYPED_TAG(RESET_SINCE_ID_ROTATION);
DECLARE_TYPED_TAG(ROLLBACK_RESISTANCE);
DECLARE_TYPED_TAG(ROOT_OF_TRUST);
DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT);
DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED);
DECLARE_TYPED_TAG(UNIQUE_ID);
DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME);
DECLARE_TYPED_TAG(USER_AUTH_TYPE);
@@ -344,6 +345,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) {
        case Tag::ALLOW_WHILE_ON_BODY:
        case Tag::ROLLBACK_RESISTANCE:
        case Tag::RESET_SINCE_ID_ROTATION:
        case Tag::TRUSTED_CONFIRMATION_REQUIRED:
        case Tag::TRUSTED_USER_PRESENCE_REQUIRED:
            return true;

@@ -386,6 +388,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) {
        case Tag::ATTESTATION_ID_MANUFACTURER:
        case Tag::ATTESTATION_ID_MODEL:
        case Tag::ASSOCIATED_DATA:
        case Tag::CONFIRMATION_TOKEN:
        case Tag::NONCE:
            return a.blob == b.blob;
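Review bot: No `DECLARE_TYPED_TAG(CONFIRMATION_TOKEN);` is added next to the new `DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED);` in the first hunk, although the last hunk teaches operator== to compare `Tag::CONFIRMATION_TOKEN` blobs; this section is +3 −0 and all three additions are visible, so no typed tag exists for the token and callers (including the VTS test in this commit) cannot build an AuthorizationSet that carries a token, which leaves the positive path (valid token accepted by finish()) unexpressible. I would add `DECLARE_TYPED_TAG(CONFIRMATION_TOKEN);` at its alphabetical position in the typed-tag list, outside this hunk. Separately, the `return a.blob == b.blob;` on the last line is an ordinary early-exit comparison, which is fine for parameter-set equality but must not be mistaken for token verification; a comment such as `// Parameter-set equality only; token verification (constant-time HMAC compare) is done by keymaster.` would make that explicit.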

+18 −0
@@ -181,6 +181,16 @@ enum Tag : uint32_t {
     */
    TRUSTED_USER_PRESENCE_REQUIRED = TagType:BOOL | 507,

    /** TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and specifies
     *  that this key must not be usable unless the user provides confirmation of the data to be
     *  signed. Confirmation is proven to keymaster via an approval token. See CONFIRMATION_TOKEN,
     *  as well as the ConfirmatinUI HAL.
     *
     * If an attempt to use a key with this tag does not have a cryptographically valid
     * CONFIRMATION_TOKEN provided to finish() or if the data provided to update()/finish() does not
     * match the data described in the token, keymaster must return NO_USER_CONFIRMATION. */
    TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508,

    /* Application access control */
    APPLICATION_ID = TagType:BYTES | 601, /* Byte string identifying the authorized application. */

@@ -227,6 +237,13 @@ enum Tag : uint32_t {
    RESET_SINCE_ID_ROTATION = TagType:BOOL | 1004, /* Whether the device has beeen factory reset
                                                    * since the last unique ID rotation.  Used for
                                                    * key attestation. */

    /**
     * CONFIRMATION_TOKEN is used to deliver a cryptographic token proving that the user confirmed a
     * signing request. The content is a full-length HMAC-SHA256 value. See the ConfirmationUI HAL
     * for details of token computation.
     */
    CONFIRMATION_TOKEN = TagType:BYTES | 1005,
};

/**
@@ -429,6 +446,7 @@ enum ErrorCode : int32_t {
    HARDWARE_TYPE_UNAVAILABLE = -68,
    PROOF_OF_PRESENCE_REQUIRED = -69,
    CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70,
    NO_USER_CONFIRMATION = -71,

    UNIMPLEMENTED = -100,
    VERSION_MISMATCH = -101,
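Review bot: The TRUSTED_CONFIRMATION_REQUIRED comment requires a "cryptographically valid" CONFIRMATION_TOKEN but never states how validity is established, so an implementer must guess which key and which comparison rule apply; I would add to that doc block: `Keymaster must recompute the HMAC-SHA256 over the exact data it received in update()/finish(), using the key it shares with the ConfirmationUI HAL, and compare the result with CONFIRMATION_TOKEN in constant time; a token that fails to verify is treated as absent.` The text also leaves open whether generateKey()/importKey() must reject the tag on a key whose purposes do not include SIGN (it only says the tag is "applicable" to SIGN keys), and whether a verified token may be reused for a second operation over the same data; the replay answer decides whether a captured token can authorize a further signature, so it belongs in this comment rather than in the ConfirmationUI HAL alone. Minor: "ConfirmatinUI" in the same comment is a typo for "ConfirmationUI".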
+23 −0
@@ -711,6 +711,29 @@ TEST_F(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
                                          .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
}

/*
 * SigningOperationsTest.NoUserConfirmation
 *
 * Verifies that keymaster rejects signing operations for keys with
 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
 * presented.
 */
TEST_F(SigningOperationsTest, NoUserConfirmation) {
    ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                             .RsaSigningKey(1024, 3)
                                             .Digest(Digest::NONE)
                                             .Padding(PaddingMode::NONE)
                                             .Authorization(TAG_NO_AUTH_REQUIRED)
                                             .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)));

    const string message = "12345678901234567890123456789012";
    EXPECT_EQ(ErrorCode::OK,
              Begin(KeyPurpose::SIGN,
                    AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
    string signature;
    EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
}

/*
 * SigningOperationsTest.RsaPkcs1Sha256Success
 *