Loading keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp +22 −0 Original line number Diff line number Diff line Loading @@ -2917,6 +2917,28 @@ TEST_F(EncryptionOperationsTest, AesEcbRoundTripSuccess) { EXPECT_EQ(message, plaintext); } /* * EncryptionOperationsTest.AesEcbWithUserId * * Verifies that AES ECB mode works when Tag::USER_ID is specified. */ TEST_F(EncryptionOperationsTest, AesEcbWithUserId) { string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_USER_ID, 0) .AesEncryptionKey(key.size() * 8) .EcbMode() .Padding(PaddingMode::PKCS7), KeyFormat::RAW, key)); string message = "Hello World!"; auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7); string ciphertext = EncryptMessage(message, params); string plaintext = DecryptMessage(ciphertext, params); EXPECT_EQ(message, plaintext); } /* * EncryptionOperationsTest.AesEcbRoundTripSuccess * Loading keymaster/4.0/support/Keymaster3.cpp +6 −3 Original line number Diff line number Diff line Loading @@ -61,9 +61,12 @@ KeyParameter convert(const V3_0::KeyParameter& param) { } hidl_vec<V3_0::KeyParameter> convert(const hidl_vec<KeyParameter>& params) { hidl_vec<V3_0::KeyParameter> converted(params.size()); for (size_t i = 0; i < params.size(); ++i) { converted[i] = convert(params[i]); std::vector<V3_0::KeyParameter> converted; converted.reserve(params.size()); for (const auto& param : params) { // Qualcomm's Keymaster3 implementation behaves oddly if Tag::USER_ID is provided. Filter it // out. Revert this change when b/73286437 is fixed. if (param.tag != Tag::USER_ID) converted.push_back(convert(param)); } return converted; } Loading keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h +17 −11 Original line number Diff line number Diff line Loading @@ -142,23 +142,27 @@ DECLARE_TYPED_TAG(ROOT_OF_TRUST); DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT); DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED); DECLARE_TYPED_TAG(UNIQUE_ID); DECLARE_TYPED_TAG(UNLOCKED_DEVICE_REQUIRED); DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME); DECLARE_TYPED_TAG(USER_AUTH_TYPE); DECLARE_TYPED_TAG(USER_ID); DECLARE_TYPED_TAG(USER_SECURE_ID); template <typename... Elems> struct MetaList {}; using all_tags_t = MetaList< TAG_INVALID_t, TAG_KEY_SIZE_t, TAG_MAC_LENGTH_t, TAG_CALLER_NONCE_t, TAG_MIN_MAC_LENGTH_t, TAG_RSA_PUBLIC_EXPONENT_t, TAG_INCLUDE_UNIQUE_ID_t, TAG_ACTIVE_DATETIME_t, TAG_ORIGINATION_EXPIRE_DATETIME_t, TAG_USAGE_EXPIRE_DATETIME_t, TAG_MIN_SECONDS_BETWEEN_OPS_t, TAG_MAX_USES_PER_BOOT_t, TAG_USER_SECURE_ID_t, TAG_NO_AUTH_REQUIRED_t, TAG_AUTH_TIMEOUT_t, TAG_ALLOW_WHILE_ON_BODY_t, TAG_APPLICATION_ID_t, TAG_APPLICATION_DATA_t, TAG_CREATION_DATETIME_t, TAG_ROLLBACK_RESISTANCE_t, TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t, TAG_NONCE_t, TAG_BOOTLOADER_ONLY_t, TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t, TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t, TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t, using all_tags_t = MetaList<TAG_INVALID_t, TAG_KEY_SIZE_t, TAG_MAC_LENGTH_t, TAG_CALLER_NONCE_t, TAG_MIN_MAC_LENGTH_t, TAG_RSA_PUBLIC_EXPONENT_t, TAG_INCLUDE_UNIQUE_ID_t, TAG_ACTIVE_DATETIME_t, TAG_ORIGINATION_EXPIRE_DATETIME_t, TAG_USAGE_EXPIRE_DATETIME_t, TAG_MIN_SECONDS_BETWEEN_OPS_t, TAG_MAX_USES_PER_BOOT_t, TAG_USER_ID_t, TAG_USER_SECURE_ID_t, TAG_NO_AUTH_REQUIRED_t, TAG_AUTH_TIMEOUT_t, TAG_ALLOW_WHILE_ON_BODY_t, TAG_UNLOCKED_DEVICE_REQUIRED_t, TAG_APPLICATION_ID_t, TAG_APPLICATION_DATA_t, TAG_CREATION_DATETIME_t, TAG_ROLLBACK_RESISTANCE_t, TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t, TAG_NONCE_t, TAG_BOOTLOADER_ONLY_t, TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t, TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t, TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t, TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t>; template <typename TypedTagType> Loading Loading @@ -343,6 +347,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { case Tag::BOOTLOADER_ONLY: case Tag::NO_AUTH_REQUIRED: case Tag::ALLOW_WHILE_ON_BODY: case Tag::UNLOCKED_DEVICE_REQUIRED: case Tag::ROLLBACK_RESISTANCE: case Tag::RESET_SINCE_ID_ROTATION: case Tag::TRUSTED_CONFIRMATION_REQUIRED: Loading @@ -357,6 +362,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { case Tag::OS_VERSION: case Tag::OS_PATCHLEVEL: case Tag::MAC_LENGTH: case Tag::USER_ID: case Tag::AUTH_TIMEOUT: case Tag::VENDOR_PATCHLEVEL: case Tag::BOOT_PATCHLEVEL: Loading keymaster/4.0/types.hal +6 −1 Original line number Diff line number Diff line Loading @@ -118,7 +118,8 @@ enum Tag : uint32_t { * boot. */ /* User authentication */ // 500-501 reserved // 500 reserved USER_ID = TagType:UINT | 501, /* Android ID of authorized user or authenticator(s), */ USER_SECURE_ID = TagType:ULONG_REP | 502, /* Secure ID of authorized user or authenticator(s). * Disallowed if NO_AUTH_REQUIRED is present. */ NO_AUTH_REQUIRED = TagType:BOOL | 503, /* If key is usable without authentication. */ Loading Loading @@ -191,6 +192,9 @@ enum Tag : uint32_t { * match the data described in the token, keymaster must return NO_USER_CONFIRMATION. */ TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508, UNLOCKED_DEVICE_REQUIRED = TagType:BOOL | 509, /* Require the device screen to be unlocked if * the key is used. */ /* Application access control */ APPLICATION_ID = TagType:BYTES | 601, /* Byte string identifying the authorized application. */ Loading Loading @@ -471,6 +475,7 @@ enum ErrorCode : int32_t { PROOF_OF_PRESENCE_REQUIRED = -69, CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70, NO_USER_CONFIRMATION = -71, DEVICE_LOCKED = -72, UNIMPLEMENTED = -100, VERSION_MISMATCH = -101, Loading Loading
keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp +22 −0 Original line number Diff line number Diff line Loading @@ -2917,6 +2917,28 @@ TEST_F(EncryptionOperationsTest, AesEcbRoundTripSuccess) { EXPECT_EQ(message, plaintext); } /* * EncryptionOperationsTest.AesEcbWithUserId * * Verifies that AES ECB mode works when Tag::USER_ID is specified. */ TEST_F(EncryptionOperationsTest, AesEcbWithUserId) { string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_USER_ID, 0) .AesEncryptionKey(key.size() * 8) .EcbMode() .Padding(PaddingMode::PKCS7), KeyFormat::RAW, key)); string message = "Hello World!"; auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7); string ciphertext = EncryptMessage(message, params); string plaintext = DecryptMessage(ciphertext, params); EXPECT_EQ(message, plaintext); } /* * EncryptionOperationsTest.AesEcbRoundTripSuccess * Loading
keymaster/4.0/support/Keymaster3.cpp +6 −3 Original line number Diff line number Diff line Loading @@ -61,9 +61,12 @@ KeyParameter convert(const V3_0::KeyParameter& param) { } hidl_vec<V3_0::KeyParameter> convert(const hidl_vec<KeyParameter>& params) { hidl_vec<V3_0::KeyParameter> converted(params.size()); for (size_t i = 0; i < params.size(); ++i) { converted[i] = convert(params[i]); std::vector<V3_0::KeyParameter> converted; converted.reserve(params.size()); for (const auto& param : params) { // Qualcomm's Keymaster3 implementation behaves oddly if Tag::USER_ID is provided. Filter it // out. Revert this change when b/73286437 is fixed. if (param.tag != Tag::USER_ID) converted.push_back(convert(param)); } return converted; } Loading
keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h +17 −11 Original line number Diff line number Diff line Loading @@ -142,23 +142,27 @@ DECLARE_TYPED_TAG(ROOT_OF_TRUST); DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT); DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED); DECLARE_TYPED_TAG(UNIQUE_ID); DECLARE_TYPED_TAG(UNLOCKED_DEVICE_REQUIRED); DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME); DECLARE_TYPED_TAG(USER_AUTH_TYPE); DECLARE_TYPED_TAG(USER_ID); DECLARE_TYPED_TAG(USER_SECURE_ID); template <typename... Elems> struct MetaList {}; using all_tags_t = MetaList< TAG_INVALID_t, TAG_KEY_SIZE_t, TAG_MAC_LENGTH_t, TAG_CALLER_NONCE_t, TAG_MIN_MAC_LENGTH_t, TAG_RSA_PUBLIC_EXPONENT_t, TAG_INCLUDE_UNIQUE_ID_t, TAG_ACTIVE_DATETIME_t, TAG_ORIGINATION_EXPIRE_DATETIME_t, TAG_USAGE_EXPIRE_DATETIME_t, TAG_MIN_SECONDS_BETWEEN_OPS_t, TAG_MAX_USES_PER_BOOT_t, TAG_USER_SECURE_ID_t, TAG_NO_AUTH_REQUIRED_t, TAG_AUTH_TIMEOUT_t, TAG_ALLOW_WHILE_ON_BODY_t, TAG_APPLICATION_ID_t, TAG_APPLICATION_DATA_t, TAG_CREATION_DATETIME_t, TAG_ROLLBACK_RESISTANCE_t, TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t, TAG_NONCE_t, TAG_BOOTLOADER_ONLY_t, TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t, TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t, TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t, using all_tags_t = MetaList<TAG_INVALID_t, TAG_KEY_SIZE_t, TAG_MAC_LENGTH_t, TAG_CALLER_NONCE_t, TAG_MIN_MAC_LENGTH_t, TAG_RSA_PUBLIC_EXPONENT_t, TAG_INCLUDE_UNIQUE_ID_t, TAG_ACTIVE_DATETIME_t, TAG_ORIGINATION_EXPIRE_DATETIME_t, TAG_USAGE_EXPIRE_DATETIME_t, TAG_MIN_SECONDS_BETWEEN_OPS_t, TAG_MAX_USES_PER_BOOT_t, TAG_USER_ID_t, TAG_USER_SECURE_ID_t, TAG_NO_AUTH_REQUIRED_t, TAG_AUTH_TIMEOUT_t, TAG_ALLOW_WHILE_ON_BODY_t, TAG_UNLOCKED_DEVICE_REQUIRED_t, TAG_APPLICATION_ID_t, TAG_APPLICATION_DATA_t, TAG_CREATION_DATETIME_t, TAG_ROLLBACK_RESISTANCE_t, TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t, TAG_NONCE_t, TAG_BOOTLOADER_ONLY_t, TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t, TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t, TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t, TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t>; template <typename TypedTagType> Loading Loading @@ -343,6 +347,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { case Tag::BOOTLOADER_ONLY: case Tag::NO_AUTH_REQUIRED: case Tag::ALLOW_WHILE_ON_BODY: case Tag::UNLOCKED_DEVICE_REQUIRED: case Tag::ROLLBACK_RESISTANCE: case Tag::RESET_SINCE_ID_ROTATION: case Tag::TRUSTED_CONFIRMATION_REQUIRED: Loading @@ -357,6 +362,7 @@ inline bool operator==(const KeyParameter& a, const KeyParameter& b) { case Tag::OS_VERSION: case Tag::OS_PATCHLEVEL: case Tag::MAC_LENGTH: case Tag::USER_ID: case Tag::AUTH_TIMEOUT: case Tag::VENDOR_PATCHLEVEL: case Tag::BOOT_PATCHLEVEL: Loading
keymaster/4.0/types.hal +6 −1 Original line number Diff line number Diff line Loading @@ -118,7 +118,8 @@ enum Tag : uint32_t { * boot. */ /* User authentication */ // 500-501 reserved // 500 reserved USER_ID = TagType:UINT | 501, /* Android ID of authorized user or authenticator(s), */ USER_SECURE_ID = TagType:ULONG_REP | 502, /* Secure ID of authorized user or authenticator(s). * Disallowed if NO_AUTH_REQUIRED is present. */ NO_AUTH_REQUIRED = TagType:BOOL | 503, /* If key is usable without authentication. */ Loading Loading @@ -191,6 +192,9 @@ enum Tag : uint32_t { * match the data described in the token, keymaster must return NO_USER_CONFIRMATION. */ TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508, UNLOCKED_DEVICE_REQUIRED = TagType:BOOL | 509, /* Require the device screen to be unlocked if * the key is used. */ /* Application access control */ APPLICATION_ID = TagType:BYTES | 601, /* Byte string identifying the authorized application. */ Loading Loading @@ -471,6 +475,7 @@ enum ErrorCode : int32_t { PROOF_OF_PRESENCE_REQUIRED = -69, CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70, NO_USER_CONFIRMATION = -71, DEVICE_LOCKED = -72, UNIMPLEMENTED = -100, VERSION_MISMATCH = -101, Loading
