Loading keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h +33 −30 Original line number Diff line number Diff line Loading 
@@ -104,46 +104,47 @@ struct Tag2TypedTag { typedef typename Tag2TypedTag<Tag::name>::type TAG_##name##_t; \ static TAG_##name##_t TAG_##name; DECLARE_TYPED_TAG(ACTIVE_DATETIME); DECLARE_TYPED_TAG(ALGORITHM); DECLARE_TYPED_TAG(ALLOW_WHILE_ON_BODY); DECLARE_TYPED_TAG(APPLICATION_DATA); DECLARE_TYPED_TAG(APPLICATION_ID); DECLARE_TYPED_TAG(ASSOCIATED_DATA); DECLARE_TYPED_TAG(ATTESTATION_APPLICATION_ID); DECLARE_TYPED_TAG(ATTESTATION_CHALLENGE); DECLARE_TYPED_TAG(AUTH_TIMEOUT); DECLARE_TYPED_TAG(BLOB_USAGE_REQUIREMENTS); DECLARE_TYPED_TAG(BLOCK_MODE); DECLARE_TYPED_TAG(BOOTLOADER_ONLY); DECLARE_TYPED_TAG(CALLER_NONCE); DECLARE_TYPED_TAG(CONFIRMATION_TOKEN); DECLARE_TYPED_TAG(CREATION_DATETIME); DECLARE_TYPED_TAG(DIGEST); DECLARE_TYPED_TAG(EC_CURVE); DECLARE_TYPED_TAG(INCLUDE_UNIQUE_ID); DECLARE_TYPED_TAG(INVALID); DECLARE_TYPED_TAG(KEY_SIZE); DECLARE_TYPED_TAG(MAC_LENGTH); DECLARE_TYPED_TAG(CALLER_NONCE); DECLARE_TYPED_TAG(MAX_USES_PER_BOOT); DECLARE_TYPED_TAG(MIN_MAC_LENGTH); DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT); DECLARE_TYPED_TAG(INCLUDE_UNIQUE_ID); DECLARE_TYPED_TAG(ACTIVE_DATETIME); DECLARE_TYPED_TAG(ORIGINATION_EXPIRE_DATETIME); DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME); DECLARE_TYPED_TAG(MIN_SECONDS_BETWEEN_OPS); DECLARE_TYPED_TAG(MAX_USES_PER_BOOT); DECLARE_TYPED_TAG(USER_SECURE_ID); DECLARE_TYPED_TAG(NONCE); DECLARE_TYPED_TAG(NO_AUTH_REQUIRED); DECLARE_TYPED_TAG(AUTH_TIMEOUT); DECLARE_TYPED_TAG(ALLOW_WHILE_ON_BODY); DECLARE_TYPED_TAG(APPLICATION_ID); DECLARE_TYPED_TAG(APPLICATION_DATA); DECLARE_TYPED_TAG(CREATION_DATETIME); DECLARE_TYPED_TAG(ORIGIN); DECLARE_TYPED_TAG(ORIGINATION_EXPIRE_DATETIME); DECLARE_TYPED_TAG(OS_PATCHLEVEL); DECLARE_TYPED_TAG(OS_VERSION); DECLARE_TYPED_TAG(PADDING); DECLARE_TYPED_TAG(PURPOSE); DECLARE_TYPED_TAG(RESET_SINCE_ID_ROTATION); DECLARE_TYPED_TAG(ROLLBACK_RESISTANCE); DECLARE_TYPED_TAG(ROOT_OF_TRUST); DECLARE_TYPED_TAG(ASSOCIATED_DATA); DECLARE_TYPED_TAG(NONCE); DECLARE_TYPED_TAG(BOOTLOADER_ONLY); DECLARE_TYPED_TAG(OS_VERSION); 
DECLARE_TYPED_TAG(OS_PATCHLEVEL); DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT); DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED); DECLARE_TYPED_TAG(UNIQUE_ID); DECLARE_TYPED_TAG(ATTESTATION_CHALLENGE); DECLARE_TYPED_TAG(ATTESTATION_APPLICATION_ID); DECLARE_TYPED_TAG(RESET_SINCE_ID_ROTATION); DECLARE_TYPED_TAG(PURPOSE); DECLARE_TYPED_TAG(ALGORITHM); DECLARE_TYPED_TAG(BLOCK_MODE); DECLARE_TYPED_TAG(DIGEST); DECLARE_TYPED_TAG(PADDING); DECLARE_TYPED_TAG(BLOB_USAGE_REQUIREMENTS); DECLARE_TYPED_TAG(ORIGIN); DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME); DECLARE_TYPED_TAG(USER_AUTH_TYPE); DECLARE_TYPED_TAG(EC_CURVE); DECLARE_TYPED_TAG(USER_SECURE_ID); template <typename... Elems> struct MetaList {}; Loading Loading @@ -344,6 +345,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { case Tag::ALLOW_WHILE_ON_BODY: case Tag::ROLLBACK_RESISTANCE: case Tag::RESET_SINCE_ID_ROTATION: case Tag::TRUSTED_CONFIRMATION_REQUIRED: case Tag::TRUSTED_USER_PRESENCE_REQUIRED: return true; Loading Loading @@ -388,6 +390,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { case Tag::ATTESTATION_ID_MANUFACTURER: case Tag::ATTESTATION_ID_MODEL: case Tag::ASSOCIATED_DATA: case Tag::CONFIRMATION_TOKEN: case Tag::NONCE: return a.blob == b.blob; Loading keymaster/4.0/types.hal +18 −0 Original line number Diff line number Diff line Loading 
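Review bot: The new `case Tag::CONFIRMATION_TOKEN:` in operator== compares the token with `a.blob == b.blob`, a plain early-exit byte comparison; that is fine for KeyParameter set equality, but since this tag carries an HMAC-SHA256 value a comment should make clear the operator is not the token check, e.g. `// Structural equality only; confirmation tokens are verified by the keymaster implementation, not here.` In the DECLARE_TYPED_TAG list TRUSTED_CONFIRMATION_REQUIRED is added, but TRUSTED_USER_PRESENCE_REQUIRED, which appears in the same switch, would sort between TRUSTED_CONFIRMATION_REQUIRED and UNIQUE_ID and is in neither the old nor the new list; if its typed tag is not declared elsewhere, adding it here keeps the list in step with the enum. operator== begins outside the hunk, and on this rendering the old and new sides of the reordered DECLARE_TYPED_TAG lines cannot be told apart.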
@@ -181,6 +181,16 @@ enum Tag : uint32_t { */ TRUSTED_USER_PRESENCE_REQUIRED = TagType:BOOL | 507, /** TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and specifies * that this key must not be usable unless the user provides confirmation of the data to be * signed. Confirmation is proven to keymaster via an approval token. See CONFIRMATION_TOKEN, * as well as the ConfirmatinUI HAL. * * If an attempt to use a key with this tag does not have a cryptographically valid * CONFIRMATION_TOKEN provided to finish() or if the data provided to update()/finish() does not * match the data described in the token, keymaster must return NO_USER_CONFIRMATION. */ TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508, /* Application access control */ APPLICATION_ID = TagType:BYTES | 601, /* Byte string identifying the authorized application. */ Loading Loading @@ -251,6 +261,13 @@ enum Tag : uint32_t { RESET_SINCE_ID_ROTATION = TagType:BOOL | 1004, /* Whether the device has beeen factory reset * since the last unique ID rotation. Used for * key attestation. */ /** * CONFIRMATION_TOKEN is used to deliver a cryptographic token proving that the user confirmed a * signing request. The content is a full-length HMAC-SHA256 value. See the ConfirmationUI HAL * for details of token computation. */ CONFIRMATION_TOKEN = TagType:BYTES | 1005, }; /** Loading Loading @@ -453,6 +470,7 @@ enum ErrorCode : int32_t { HARDWARE_TYPE_UNAVAILABLE = -68, PROOF_OF_PRESENCE_REQUIRED = -69, CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70, NO_USER_CONFIRMATION = -71, UNIMPLEMENTED = -100, VERSION_MISMATCH = -101, Loading keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +23 −0 Original line number Diff line number Diff line Loading 
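Review bot: The new TRUSTED_CONFIRMATION_REQUIRED comment says the tag is "only applicable to keys with KeyPurpose SIGN" but does not state what keymaster must do when the tag is attached to a key generated or imported with other purposes (reject at generate/import time, or ignore it on non-SIGN operations); the spec text should pin this down so implementations agree. The same comment misspells the HAL name: `* as well as the ConfirmatinUI HAL.` should read `* as well as the ConfirmationUI HAL.` The CONFIRMATION_TOKEN comment gives the expected content (a full-length HMAC-SHA256 value) but not that a token of any other length must be treated as invalid and also yield NO_USER_CONFIRMATION; one sentence there would close that gap. The enclosing enum Tag begins and ends outside the hunk.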
@@ -711,6 +711,29 @@ TEST_F(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); } /* * SigningOperationsTest.NoUserConfirmation * * Verifies that keymaster rejects signing operations for keys with * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token * presented. */ TEST_F(SigningOperationsTest, NoUserConfirmation) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(1024, 3) .Digest(Digest::NONE) .Padding(PaddingMode::NONE) .Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED))); const string message = "12345678901234567890123456789012"; EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE))); string signature; EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature)); } /* * SigningOperationsTest.RsaPkcs1Sha256Success * Loading Loading
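Review bot: NoUserConfirmation exercises only the absent-token path of the new spec text; the two other cases the types.hal comment requires, a CONFIRMATION_TOKEN that is not a cryptographically valid HMAC (for instance a constructed 32-byte all-zero blob passed among the finish() parameters) and a token whose described data does not match the bytes given to update()/finish(), have no test, so an implementation that never verifies the token at all would still pass. A sibling `TEST_F(SigningOperationsTest, InvalidUserConfirmation)` presenting such a blob via TAG_CONFIRMATION_TOKEN and expecting ErrorCode::NO_USER_CONFIRMATION from Finish() would cover the first; the data-mismatch case needs a genuine token from the ConfirmationUI HAL and may belong in a separate suite. It would also help to assert that `signature` stays empty after the failed Finish(), if the fixture's Finish() guarantees that on error, which is not visible here. Generating the key with TAG_NO_AUTH_REQUIRED correctly isolates the confirmation check from user authentication.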
keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h +33 −30 Original line number Diff line number Diff line Loading 
@@ -104,46 +104,47 @@ struct Tag2TypedTag { typedef typename Tag2TypedTag<Tag::name>::type TAG_##name##_t; \ static TAG_##name##_t TAG_##name; DECLARE_TYPED_TAG(ACTIVE_DATETIME); DECLARE_TYPED_TAG(ALGORITHM); DECLARE_TYPED_TAG(ALLOW_WHILE_ON_BODY); DECLARE_TYPED_TAG(APPLICATION_DATA); DECLARE_TYPED_TAG(APPLICATION_ID); DECLARE_TYPED_TAG(ASSOCIATED_DATA); DECLARE_TYPED_TAG(ATTESTATION_APPLICATION_ID); DECLARE_TYPED_TAG(ATTESTATION_CHALLENGE); DECLARE_TYPED_TAG(AUTH_TIMEOUT); DECLARE_TYPED_TAG(BLOB_USAGE_REQUIREMENTS); DECLARE_TYPED_TAG(BLOCK_MODE); DECLARE_TYPED_TAG(BOOTLOADER_ONLY); DECLARE_TYPED_TAG(CALLER_NONCE); DECLARE_TYPED_TAG(CONFIRMATION_TOKEN); DECLARE_TYPED_TAG(CREATION_DATETIME); DECLARE_TYPED_TAG(DIGEST); DECLARE_TYPED_TAG(EC_CURVE); DECLARE_TYPED_TAG(INCLUDE_UNIQUE_ID); DECLARE_TYPED_TAG(INVALID); DECLARE_TYPED_TAG(KEY_SIZE); DECLARE_TYPED_TAG(MAC_LENGTH); DECLARE_TYPED_TAG(CALLER_NONCE); DECLARE_TYPED_TAG(MAX_USES_PER_BOOT); DECLARE_TYPED_TAG(MIN_MAC_LENGTH); DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT); DECLARE_TYPED_TAG(INCLUDE_UNIQUE_ID); DECLARE_TYPED_TAG(ACTIVE_DATETIME); DECLARE_TYPED_TAG(ORIGINATION_EXPIRE_DATETIME); DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME); DECLARE_TYPED_TAG(MIN_SECONDS_BETWEEN_OPS); DECLARE_TYPED_TAG(MAX_USES_PER_BOOT); DECLARE_TYPED_TAG(USER_SECURE_ID); DECLARE_TYPED_TAG(NONCE); DECLARE_TYPED_TAG(NO_AUTH_REQUIRED); DECLARE_TYPED_TAG(AUTH_TIMEOUT); DECLARE_TYPED_TAG(ALLOW_WHILE_ON_BODY); DECLARE_TYPED_TAG(APPLICATION_ID); DECLARE_TYPED_TAG(APPLICATION_DATA); DECLARE_TYPED_TAG(CREATION_DATETIME); DECLARE_TYPED_TAG(ORIGIN); DECLARE_TYPED_TAG(ORIGINATION_EXPIRE_DATETIME); DECLARE_TYPED_TAG(OS_PATCHLEVEL); DECLARE_TYPED_TAG(OS_VERSION); DECLARE_TYPED_TAG(PADDING); DECLARE_TYPED_TAG(PURPOSE); DECLARE_TYPED_TAG(RESET_SINCE_ID_ROTATION); DECLARE_TYPED_TAG(ROLLBACK_RESISTANCE); DECLARE_TYPED_TAG(ROOT_OF_TRUST); DECLARE_TYPED_TAG(ASSOCIATED_DATA); DECLARE_TYPED_TAG(NONCE); DECLARE_TYPED_TAG(BOOTLOADER_ONLY); DECLARE_TYPED_TAG(OS_VERSION); 
DECLARE_TYPED_TAG(OS_PATCHLEVEL); DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT); DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED); DECLARE_TYPED_TAG(UNIQUE_ID); DECLARE_TYPED_TAG(ATTESTATION_CHALLENGE); DECLARE_TYPED_TAG(ATTESTATION_APPLICATION_ID); DECLARE_TYPED_TAG(RESET_SINCE_ID_ROTATION); DECLARE_TYPED_TAG(PURPOSE); DECLARE_TYPED_TAG(ALGORITHM); DECLARE_TYPED_TAG(BLOCK_MODE); DECLARE_TYPED_TAG(DIGEST); DECLARE_TYPED_TAG(PADDING); DECLARE_TYPED_TAG(BLOB_USAGE_REQUIREMENTS); DECLARE_TYPED_TAG(ORIGIN); DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME); DECLARE_TYPED_TAG(USER_AUTH_TYPE); DECLARE_TYPED_TAG(EC_CURVE); DECLARE_TYPED_TAG(USER_SECURE_ID); template <typename... Elems> struct MetaList {}; Loading Loading @@ -344,6 +345,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { case Tag::ALLOW_WHILE_ON_BODY: case Tag::ROLLBACK_RESISTANCE: case Tag::RESET_SINCE_ID_ROTATION: case Tag::TRUSTED_CONFIRMATION_REQUIRED: case Tag::TRUSTED_USER_PRESENCE_REQUIRED: return true; Loading Loading @@ -388,6 +390,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { case Tag::ATTESTATION_ID_MANUFACTURER: case Tag::ATTESTATION_ID_MODEL: case Tag::ASSOCIATED_DATA: case Tag::CONFIRMATION_TOKEN: case Tag::NONCE: return a.blob == b.blob; Loading
keymaster/4.0/types.hal +18 −0 Original line number Diff line number Diff line Loading @@ -181,6 +181,16 @@ enum Tag : uint32_t { */ TRUSTED_USER_PRESENCE_REQUIRED = TagType:BOOL | 507, /** TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and specifies * that this key must not be usable unless the user provides confirmation of the data to be * signed. Confirmation is proven to keymaster via an approval token. See CONFIRMATION_TOKEN, * as well as the ConfirmatinUI HAL. * * If an attempt to use a key with this tag does not have a cryptographically valid * CONFIRMATION_TOKEN provided to finish() or if the data provided to update()/finish() does not * match the data described in the token, keymaster must return NO_USER_CONFIRMATION. */ TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508, /* Application access control */ APPLICATION_ID = TagType:BYTES | 601, /* Byte string identifying the authorized application. */ Loading Loading @@ -251,6 +261,13 @@ enum Tag : uint32_t { RESET_SINCE_ID_ROTATION = TagType:BOOL | 1004, /* Whether the device has beeen factory reset * since the last unique ID rotation. Used for * key attestation. */ /** * CONFIRMATION_TOKEN is used to deliver a cryptographic token proving that the user confirmed a * signing request. The content is a full-length HMAC-SHA256 value. See the ConfirmationUI HAL * for details of token computation. */ CONFIRMATION_TOKEN = TagType:BYTES | 1005, }; /** Loading Loading @@ -453,6 +470,7 @@ enum ErrorCode : int32_t { HARDWARE_TYPE_UNAVAILABLE = -68, PROOF_OF_PRESENCE_REQUIRED = -69, CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70, NO_USER_CONFIRMATION = -71, UNIMPLEMENTED = -100, VERSION_MISMATCH = -101, Loading
keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +23 −0 Original line number Diff line number Diff line Loading @@ -711,6 +711,29 @@ TEST_F(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); } /* * SigningOperationsTest.NoUserConfirmation * * Verifies that keymaster rejects signing operations for keys with * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token * presented. */ TEST_F(SigningOperationsTest, NoUserConfirmation) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(1024, 3) .Digest(Digest::NONE) .Padding(PaddingMode::NONE) .Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED))); const string message = "12345678901234567890123456789012"; EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE))); string signature; EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature)); } /* * SigningOperationsTest.RsaPkcs1Sha256Success * Loading