Commit graph

434 commits

Author SHA1 Message Date
Garret Kelly
4684c6f469 Merge "Increase leniency of attestation record timestamps" into qt-dev am: 6c4e33d079
am: 89fda5c7f9

Change-Id: I063e8cd6e53da1af4a50df9273a5ada4b9e7ea87
2019-06-25 23:28:39 -07:00
Garret Kelly
72c4746cda Merge "Increase leniency of attestation record timestamps" into qt-dev
am: 6c4e33d079

Change-Id: I741568f862d553a92344618406f0fb2f7a3d46f5
2019-06-25 23:19:49 -07:00
Felix
551b8d15ce Add interface info to .rc files
Signed-off-by: Felix <google@ix5.org>
Change-Id: I6d70bbdb66c3dce280bf6908c3750316a6f6cf70
2019-06-25 20:00:07 +02:00
Garret Kelly
9c0a45795f Increase leniency of attestation record timestamps
The TEE keymaster has been seen to be almost a minute out of sync with
the host clock during attestation.  Increase the leniency window to two
minutes.

Bug: 134408892
Bug: 134408367
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: Ic256a939dcd7e7b108099cfcf237cacde8dde059
2019-06-24 23:28:52 +00:00
Max Bires
90cda58d54 Merge "Removing an extraneous test" into qt-dev
am: 16b2c77456

Change-Id: I2bd55543991178bf313996841e51aff838986a5c
2019-06-17 14:44:44 -07:00
Max Bires
cf9daece29 Removing an extraneous test
Test: VTS passes
Bug: 133316458
Change-Id: I98d73ff025515a89e2743ed20950c840aedb5114
(cherry picked from commit b28e69f37e)
2019-06-17 15:32:05 +00:00
Janis Danisevskis
f69d8bc9c5 Keymaster memory management is inconsistent
Object derived from RefBase must be owned by sp rather then other smart
pointer implementations.

Bug: 79474587
Change-Id: I866f67e1cb091efb3026450d50a410b5985539b6
2019-06-14 14:26:55 -07:00
TreeHugger Robot
aefd16ace9 Merge "Removing an extraneous test" 2019-05-30 20:13:31 +00:00
Max Bires
b28e69f37e Removing an extraneous test
Test: VTS passes
Bug: 133316458
Change-Id: I98d73ff025515a89e2743ed20950c840aedb5114
2019-05-22 19:22:45 +00:00
Steven Moreland
10363938d7 Merge "listByInterface -> listManifestByInterface" am: 877c7f5ce1
am: 5427525c6b

Change-Id: I780f4cdd4c01b89af28d81c21111053ffdde99df
2019-05-16 18:18:41 -07:00
Xin Li
4b6ac97b7d Merge "DO NOT MERGE - Merge pie-platform-release (PPRL.190505.001) into master." 2019-05-17 00:58:07 +00:00
Steven Moreland
5427525c6b Merge "listByInterface -> listManifestByInterface"
am: 877c7f5ce1

Change-Id: I0cc69469c3804fd189e4f021a835c7c4f46879ab
2019-05-16 17:08:19 -07:00
Treehugger Robot
877c7f5ce1 Merge "listByInterface -> listManifestByInterface" 2019-05-16 23:25:19 +00:00
Matthew Maurer
d65e81b1fb Merge "Allow INVALID_INPUT_LENGTH for oversized messages" am: b397fc8e88
am: 6194c02c64

Change-Id: I24a72716540258f6e790464b2951537d5bbc92c4
2019-05-16 14:49:45 -07:00
Matthew Maurer
6194c02c64 Merge "Allow INVALID_INPUT_LENGTH for oversized messages"
am: b397fc8e88

Change-Id: Ia3e4641b9fa4936655da6db1d8def5f31cee6e06
2019-05-16 13:36:35 -07:00
Matthew Maurer
b397fc8e88 Merge "Allow INVALID_INPUT_LENGTH for oversized messages" 2019-05-16 19:06:39 +00:00
Matthew Maurer
0690156c0d Merge "Use SHA_2_256 for importWrappedKey" am: 0ce3156f97
am: b2a847aea7

Change-Id: Ib382c184dc01505819f16c86007ab5578f0574f4
2019-05-16 10:09:01 -07:00
Matthew Maurer
b2a847aea7 Merge "Use SHA_2_256 for importWrappedKey"
am: 0ce3156f97

Change-Id: I4ff814128ad16f62c47b0e19b9adb0a296afa178
2019-05-16 09:57:22 -07:00
Matthew Maurer
0ce3156f97 Merge "Use SHA_2_256 for importWrappedKey" 2019-05-16 16:43:54 +00:00
Xin Li
fef0cab5e9 DO NOT MERGE - Merge pi-platform-release (PPRL.190505.001) into stage-aosp-master
Bug: 132622481
Change-Id: Ie2af73fae9852849b11796bb1e77f0fc62c28ce2
2019-05-13 15:39:13 -07:00
Steven Moreland
6106299c4f listByInterface -> listManifestByInterface
This does two things:
- makes sure that HALs configured as lazy HALs will be retrieved
- will detect bad manifest entries earlier

Bug: 131703193
Test: boot
Change-Id: I82e10f49367b097023eb31797c877c15eedb5e00
2019-05-13 13:01:08 -07:00
Matthew Maurer
66f842ceec Allow INVALID_INPUT_LENGTH for oversized messages
In Keymaster 3, both INVALID_INPUT_LENGTH and INVALID_ARGUMENT were
acceptable for oversized messages. Keymaster 4 VTS requires that
INVALID_ARGUMENT be returned, but the spec has no such restriction. This
loosens VTS to allow either INVALID_INPUT_LENGTH or INVALID_ARGUMENT in
this case.

Bug: 129297054
Test: atest VtsHalKeymasterV4_0TargetTest Pixel 3, Trusty tests
2019-05-13 09:52:12 -07:00
Matthew Maurer
41cb84029a Use SHA_2_256 for importWrappedKey
The spec requires that SHA1 not be allowed for wrapped keys and that
only SHA_2_256 be used. Unfortunately, the previous VTS required SHA1
support. This patch takes the middle ground by requiring SHA_2_256 be
supported for importWrappedKey, but not disallowing it from supporting
SHA1.

This makes it possible for a spec compliant keymaster to pass VTS
while not disqualifying shipped devices.

Bug: 129291873
Test: atest VtsHalKeymasterV4_0TargetTest:ImportWrappedKeyTest, Trusty
Change-Id: I6c3a9182b51f2e7a46173d5bfc34d3c3264d954f
2019-05-10 14:27:53 -07:00
Janis Danisevskis
e08ba7a9fd Verify mac change on time stamp change am: 33d75d090b
am: 3b8bae3554

Change-Id: I26af43007c28b1b251ce5e2d22dc0975711ad8a3
2019-05-09 15:50:26 -07:00
Janis Danisevskis
33d75d090b Verify mac change on time stamp change
This test verifies that verification tokens with different time stamps do
not have the same MAC. This may not guarantee that the MAC is computed
correctly but it catches implementation that do not include the time
stamp in the mac.

It also checks that the MAC changes when both time stamp and challenge
changes.

Test: yes it is
Bug: 131859731
Bug: 132288466
Bug: 132287277
Change-Id: I85aa1d873eff46df7a66fc69bd61a031e6e6fbe0
2019-05-09 12:50:11 -07:00
Janis Danisevskis
3414222e3a Keymaster support: Verbose vendor errors
Added function for verbosely logging Keymaster vendor errors.

Bug: 123562864
Test: atest android.keystore.cts
Merged-In: Ida093941d3b76b3d2e953439229081345909c16b
Change-Id: Ida093941d3b76b3d2e953439229081345909c16b
2019-05-03 16:04:02 -07:00
Garret Kelly
5b6d16c9dd Merge "Make test expectation match comment" into qt-dev
am: 282c8d0694

Change-Id: I47b9aeff0fcf7798ebcc900040771d95bdc91b5b
2019-05-03 15:41:31 -07:00
Garret Kelly
d47288dde5 Make test expectation match comment
The BOOT_PATCHLEVEL value is allowed to have 00 in the days position
according to the keymaster specification.  This test's comment already
suggests that it's allowed, so update the expectation to match.

Test: VtsHalKeymasterV4_0TargetTest
Bug: 130843899
Change-Id: Ib43da43b2e0398b48fb59710bf4066f2641de2eb
2019-05-01 15:18:38 -04:00
Garret Kelly
0c098a4af0 Merge "Fix comparison between hex and binary values" into qt-dev
am: a8a23aa389

Change-Id: I2974a3c02139d31038e759d65383ce4a91530b75
2019-04-26 16:57:36 -07:00
Garret Kelly
ebfdba67d2 Fix comparison between hex and binary values
The verified boot hash in the attestation record is a binary blob, while
the property read from the system is a hex-encoded value.  Convert the
boot hash from the attestation record into hex before comparing.

Test: VtsHalKeymasterV4_0TargetTest
Bug: 130843899
Change-Id: I6f6e0da71501d741dd8b27d0778e1854af17ace6
2019-04-24 17:39:57 -04:00
Shawn Willden
ca9e5b3caa Correct IKeymasterDevice documentation. am: 744a37115a
am: dff8dd72a3

Change-Id: I476e9dc8d644339e05a92d7815f0fc5ee08c3923
2019-04-23 11:43:42 -07:00
Shawn Willden
744a37115a Correct IKeymasterDevice documentation.
Bug: 129931913
Bug: 130144003
Test: ./update-makefiles.sh (checks hashes)
Change-Id: Ia8101f8410a728b28653416300c1a3eb480eb469
2019-04-19 00:59:01 +00:00
Steven Moreland
6d494b2346 Merge "Update hidl makefiles for bpfmt" am: ff0bd741ca
am: 96f40f7b02

Change-Id: Idbf030e4993067bdb8181321bca2de00c9b6f7ef
2019-04-18 14:34:45 -07:00
Steven Moreland
1ae4615d9f Update hidl makefiles for bpfmt
hidl-generated makefiles are now generated such that bpfmt(file) == file.

Bug: 67417008
Test: enable bpfmt hook
Change-Id: I1f69d292bc23a7cc293a66110cb02d597e1019ad
2019-04-17 09:38:50 -07:00
Max Bires
873d889730 Expanding VTS test coverage
Keymaster VTS test coverage on 4.0 was incomplete. This significantly
expands the coverage of the spec. The bugs listed are errors found that
these tests will cover, but are not indicative of the complete set of
things tested.

Test: atest VtsHalKeymasterV4_0TargetTest
Bug: 79953279
Bug: 119553313
Bug: 119541233
Bug: 119396995
Bug: 119542230
Bug: 119549128
Bug: 119549677
Bug: 122184852
Bug: 122261372
Change-Id: I42d78091b48398597bbebe1d9c91b806494ddf4c
(cherry picked from commit 8c0edf6c84)
2019-04-11 15:17:19 +00:00
Max Bires
8c0edf6c84 Expanding VTS test coverage
Keymaster VTS test coverage on 4.0 was incomplete. This significantly
expands the coverage of the spec. The bugs listed are errors found that
these tests will cover, but are not indicative of the complete set of
things tested.

Test: atest VtsHalKeymasterV4_0TargetTest
Bug: 79953279
Bug: 119553313
Bug: 119541233
Bug: 119396995
Bug: 119542230
Bug: 119549128
Bug: 119549677
Bug: 122184852
Bug: 122261372
Change-Id: I42d78091b48398597bbebe1d9c91b806494ddf4c
2019-04-08 10:18:32 -07:00
Eran Messeri
04a7045117 Test importing EC P-256 keys with multiple encodings
Test importing of an Elliptic Curve P-256 key, encoded using the RFC5915
specification (which requires the curve OID in key in addition to the
wrapper) and the same key encoded using SEC1 (which allows omitting the
OID if it's known from the wrapper).

Test: atest VtsHalKeymasterV4_0TargetTest ImportKeyTest
Bug: 124437839
Bug: 127799174
Bug: 129398850
Change-Id: I5f5df86e55a758ed739403d830baa5c7308813a3
Merged-In: I5f5df86e55a758ed739403d830baa5c7308813a3
2019-04-01 14:54:00 +01:00
TreeHugger Robot
300fc770e9 Merge "Test importing EC P-256 keys with multiple encodings" 2019-03-27 18:29:46 +00:00
Janis Danisevskis
f6f522c525 Merge "Fix strict weak ordering requirement of less than operation" am: e82263dd74 am: 36b364abfb
am: 22368369f7

Change-Id: I2301e7fec1c5c28516dafff483a8a0f2a2e00b0a
2019-03-26 09:34:44 -07:00
Janis Danisevskis
22368369f7 Merge "Fix strict weak ordering requirement of less than operation" am: e82263dd74
am: 36b364abfb

Change-Id: I7a97aaecd25f3a78a3f9508388a88ace9c97642e
2019-03-26 09:30:01 -07:00
Eran Messeri
68289f76f2 Test importing EC P-256 keys with multiple encodings
Test importing of an Elliptic Curve P-256 key, encoded using the RFC5915
specification (which requires the curve OID in key in addition to the
wrapper) and the same key encoded using SEC1 (which allows omitting the
OID if it's known from the wrapper).

Test: atest VtsHalKeymasterV4_0TargetTest ImportKeyTest
Bug: 124437839
Bug: 127799174
Change-Id: I5f5df86e55a758ed739403d830baa5c7308813a3
2019-03-26 12:01:03 +00:00
Janis Danisevskis
c7a8b863cd Keymaster support: Verbose vendor errors
Added function for verbosely logging Keymaster vendor errors.

Bug: 123562864
Test: atest android.keystore.cts
Change-Id: Ida093941d3b76b3d2e953439229081345909c16b
2019-03-20 16:13:53 +00:00
Janis Danisevskis
93c7276e3a Fix strict weak ordering requirement of less than operation
operator< on hidl_vec<uint8_t> violates strict weak ordering in the case
that one oparand is shorter that the other and the shorter is a prefix
of the longer.

if x and y are incomparable, i.e., neither x < y nor y < x and
   y and z are incomparable, i.e., neither y < z nor z < y, then
   x and z must be incomparable.
As for the current implementation the first two statements are true but
the third is not given the following example input:
x:="aa", y:="a", z:="ab".

This patch fixes the issue by defining a < b if a is a prefix of b.

As this relation is used in a std::sort algorithm which demands strict
weak ordering this bug leads to undefined behavior.

Change-Id: I4961bb35e2fd4f5fcf561ec0c7c536f81830aab8
2019-03-19 09:54:04 -07:00
Steven Moreland
7f4e21adda Merge "Update makefies: no 'types'" am: 4ee5ec1469 am: bab622f6a6
am: 7224bc9bcf

Change-Id: I434939e0770afa436c532a945542fce30a71ef7d
2019-03-04 16:05:59 -08:00
Steven Moreland
7224bc9bcf Merge "Update makefies: no 'types'" am: 4ee5ec1469
am: bab622f6a6

Change-Id: Iaeb7cc7ff2b16d610136c4a20a6a64884d563f68
2019-03-04 15:27:24 -08:00
Steven Moreland
a878aee9ab Update makefies: no 'types'
Bug: 123976090
Test: N/A
Change-Id: I30fb04c81889b62775e1b764b965fdb0f893de17
2019-03-04 11:27:17 -08:00
nagendra modadugu
31266a9780 [DO NOT MERGE] keymaster: add an EC attestation test
am: d0a5c1dda5

Change-Id: I797704e86fb125a0986c3fb658ddc9b86df3b9fe
2019-02-22 17:26:13 -08:00
nagendra modadugu
d0a5c1dda5 [DO NOT MERGE] keymaster: add an EC attestation test
Add a test that creates an EC key by
using key-bits (rather than curve-id),
and check that the attestation message
corresponds to key characteristics.

Bug: 122375834
Bug: 119542230
Test: VTS passes
Change-Id: Iad6ff2ca90a951124940943f2484f9fb9f813a19
2019-02-22 13:33:03 -08:00
Sasha Smundak
791b843bcb Merge "Explicitly include log/log.h or android/log.h instead of cutils/log.h" am: b5db125860 am: 4a1f714ed0
am: 1e45903dd5

Change-Id: I1a54776b7560154304573a8cd3dfeae5babf43e5
2019-02-01 13:22:37 -08:00
Sasha Smundak
769c053d7c Explicitly include log/log.h or android/log.h instead of cutils/log.h
Eliminates the warning.
Test: treehugger

Bug: 123758136
Change-Id: Ibe50261efc18d659a10129977342bc765a9ba9d5
2019-02-01 10:52:09 -08:00
Baranidharan Muthukumaran
43d64bbee6 Merge "Fix KM VTS tests for Strongbox implementations" into pie-vts-dev
am: c08c73653a

Change-Id: Ic8b48ca2afb2d942182043281836927698966874
2019-01-09 12:10:41 -08:00
Yi Kong
a574ede20b Merge "Suppress null-dereference warning" am: 3b7ecd55f8 am: 86f9078b54
am: 1633275bb7

Change-Id: I43f5feaf279921c4dc0adc98afc9c5f528c01fcc
2019-01-08 20:33:47 -08:00
Yi Kong
45cb85f8c0 Suppress null-dereference warning
It is unclear whether author intentionally meant to cause segfault here.
While waiting for the author to explain/fix the code, suppress the
warning to unblock enabling the warning globally.

Test: m checkbuild
Bug: 121390225
Change-Id: Iad03842833cfdc243404a32f6b31d161387c3890
2018-12-21 14:52:47 -08:00
Keun Soo YIM
68ae05dd2d pack VTS cc_test binaries as general-tests
Test: make general-tests
Bug: 120093339
Merged-In: I363450d205868f900e4925ccff1430e2a569f2a4
Change-Id: I363450d205868f900e4925ccff1430e2a569f2a4
2018-12-07 10:49:56 -08:00
Keun Soo Yim
868c0694bb Merge "pack VTS cc_test binaries as general-tests" 2018-11-28 21:20:36 +00:00
Elliott Hughes
8009b3ccce Merge "C++17 compatibility: add a non-const char* overload." am: f919d0a0b8 am: 9ef0004adc
am: 6464114f34

Change-Id: If291303fec3c252f90a119431c6124d81ec46b2d
2018-11-27 17:15:05 -08:00
Keun Soo YIM
ff84c37bc1 pack VTS cc_test binaries as general-tests
Test: make general-tests
Bug: 120093339
Change-Id: I363450d205868f900e4925ccff1430e2a569f2a4
2018-11-27 16:11:41 -08:00
Elliott Hughes
d9de6aa270 C++17 compatibility: add a non-const char* overload.
C++17 adds a non-const std::basic_string::data, so non-const std::strings in the
test are `char*` and the const std::strings are `const char*`. See
https://en.cppreference.com/w/cpp/string/basic_string/data for details.

Without adding the non-const overload, the varargs overload is preferred, leading
to static_assert failures:

  In file included from hardware/interfaces/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp:33:
  In file included from hardware/interfaces/keymaster/3.0/vts/functional/authorization_set.h:20:
  hardware/interfaces/keymaster/3.0/vts/functional/keymaster_tags.h:257:5: error: static_assert failed "Authorization other then TagType::BOOL take exactly one parameter."
  static_assert(tag_type == TagType::BOOL || (sizeof...(args) == 1),
  ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  hardware/interfaces/keymaster/3.0/vts/functional/authorization_set.h:213:19: note: in instantiation of function template specialization 'android::hardware::keymaster::V3_0::Authorization<android::hardware::keymaster::V3_0::TagType::BYTES, android::hardware::keymaster::V3_0::Tag::ASSOCIATED_DATA, char *, unsigned long>' requested here
  push_back(Authorization(tag, std::forward<Value>(val)...));
  ^
  hardware/interfaces/keymaster/3.0/vts/functional/authorization_set.h:245:9: note: in instantiation of function template specialization 'android::hardware::keymaster::V3_0::AuthorizationSet::push_back<android::hardware::keymaster::V3_0::TypedTag<android::hardware::keymaster::V3_0::TagType::BYTES, android::hardware::keymaster::V3_0::Tag::ASSOCIATED_DATA>, char *, unsigned long>' requested here
  push_back(ttag, std::forward<ValueType>(value)...);
  ^
  hardware/interfaces/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp:3426:35: note: in instantiation of function template specialization 'android::hardware::keymaster::V3_0::AuthorizationSetBuilder::Authorization<android::hardware::keymaster::V3_0::TypedTag<android::hardware::keymaster::V3_0::TagType::BYTES, android::hardware::keymaster::V3_0::Tag::ASSOCIATED_DATA>, char *, unsigned long>' requested here
  AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
  ^

Bug: http://b/111067277
Test: builds
Change-Id: I3d70fb5a41db16cc9dff50364cd793e0c3510ed0
2018-11-27 16:40:33 +00:00
Baranidharan Muthukumaran
3f127ca4d1 Fix KM VTS tests for Strongbox implementations
Modify RSA keysize used in various tests
to ensure both TEE and Strongbox implementations
can be validated.
Skip invalid keysizes that Strongbox does not
support.

Test: Patches the strongbox tests
Bug: 112189538
Bug: 119172331
Change-Id: I46ab01ce9b8224403e2a334a894967761d6799c9
Signed-off-by: Max Bires <jbires@google.com>
(cherry picked from commit 88a376b0a0)
2018-11-20 21:23:19 +00:00
Janis Danisevskis
679515f5c7 Merge "Removed unsafe use of hidl_vec<>.setToExternal" am: 91a01c5cfc am: 7b5b901b62
am: 6ad8d58110

Change-Id: Ia00aa483e97481b350f0e6f9e5138d46c84e7755
2018-11-15 05:55:17 -08:00
Janis Danisevskis
91a01c5cfc Merge "Removed unsafe use of hidl_vec<>.setToExternal" 2018-11-15 01:19:10 +00:00
Janis Danisevskis
53e3336c22 Merge "keymaster: fix authorization set serialization" am: 0cad4822d5 am: fd62cdf4b1
am: 1b46ee35a6

Change-Id: I96161538ba7fd7821db425fcf6de53a970514722
2018-11-13 17:32:33 -08:00
Janis Danisevskis
8f45a1c5c3 keymaster: fix authorization set serialization
Invalid and unknown tags were treated as zero size but they where still
counted as entry. This lead to invalid tags being persisted. When
Serialized blobs were used to cache key characteristics, these invalid
tags were send to clients of keystore. However, the serialization cannot
cope with invalid tags.

Bug: 119414176
Test: Successfully used the Skype app which triggered the problem
Change-Id: Ia46ac4a16395db3d10f93d3722eda69d523db478
2018-11-13 13:21:30 -08:00
Janis Danisevskis
7f3995f7f5 Merge "authorization_set.cpp: relax serialization of unknown tags" am: 949ab7dbb9 am: eba18e906f
am: bb222282d5

Change-Id: Ie59897dbe8e3fc0b9812067da2dded2233f57289
2018-11-12 17:48:26 -08:00
Janis Danisevskis
28a6b79f4b authorization_set.cpp: relax serialization of unknown tags
Bug: 119414176
Change-Id: I16722f2a2b1a00a352322c603d2bf18a996d6ee7
2018-11-12 12:06:32 -08:00
Janis Danisevskis
50b4d3b5d8 Various fixes for async keystore. am: 2ecd6597f3 am: 2116843b17
am: 5acd9002ab

Change-Id: I7be81b6b9427abb16f53989361d1ff24aa68f1e8
2018-11-09 13:16:15 -08:00
Janis Danisevskis
9c41221206 Removed unsafe use of hidl_vec<>.setToExternal
hidl_vec objects that do not own their associated buffer are highly
unsafe in multithreaded environments where move semantic is used to
transfer ownership between threads. With keystore transitioning to a
multi threaded execution model we can no longer use this optimization
safely.

Bug: 111443219
Test: Ran full keystore cts test suite.
Change-Id: I9a366fc7df5dfee508dc092855545963ef6d9665
2018-11-09 10:49:55 -08:00
Janis Danisevskis
2ecd6597f3 Various fixes for async keystore.
* Added missing Tag::HARDWARE_TYPE and Tag::TRUSTED_CONFIRMATION_REQUIRED
* Made AuthorizationSet::hidl_data() safer to use.
  hidl_data() initializes a hidl_vec with the internal data of
  std::vector using setToExternal and returns it by value. This means
  the returned temporay does not own the buffer which has the life cycle
  of the AuthorizationSet. This is fine if passed as parameter to a
  function where it is bound to a cont reference. But if the temporary
  gets assigned to something with longer life cycle move semantics kicks
  in and the buffer is now tracked by something with a longer life
  cycle. This patch marks the returned temporary const, so that it can
  no longer be moved. It can still be bound to a const reference, but
  when assigned to a variable it must get copied.
* Add Filter function to AuthorizationSet.

Bug: 111443219
Test: KeyStore CTS tests
Change-Id: I4744b7c87d01fbd905c3afb8ebeefba93605994b
2018-11-07 11:32:03 -08:00
Janis Danisevskis
78e8f44b7c Test for malformed modulus in attestation cert
With this patch the attestation tests use the attested to key to sign a
message and use the public key in the attestation certificate to verify
the signature. Thereby tripping up over malformed public keys.

Bug: 118372436
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I4ce75c689cd5b6bb04a56e283c1202501ee821c9
2018-10-24 13:40:50 +00:00
Chih-Hung Hsieh
8cca54bec0 Add noexcept to move constructors and assignment operators.
am: 19a5da4c13

Change-Id: Ib5b417deddc9af28a2de012e379f55d869053ec4
2018-10-01 16:13:05 -07:00
Chih-Hung Hsieh
19a5da4c13 Add noexcept to move constructors and assignment operators.
Bug: 116614593
Test: build with WITH_TIDY=1
Change-Id: Ib50ced82d650737cf99a9757133119945a3409f3
2018-10-01 20:30:38 +00:00
Rob Barnes
57ba8d23ee Fixed minor comment typos in IKeymasterDevice.hal
am: 2c46b2e3b8

Change-Id: I540e52241d5096d5fbff8ccce26ed498eaa9036d
2018-09-26 14:40:18 -07:00
Rob Barnes
2c46b2e3b8 Fixed minor comment typos in IKeymasterDevice.hal
Test: 'make checkbuild' finished successfully.
Change-Id: I4ceb39475fff176bfcd57e10335aa1af64849739
2018-09-26 06:10:20 +00:00
Yi Kong
fa8dfc724e Merge "Don't use initializer_list as return type"
am: 9c6b9bf7c3

Change-Id: Ided6c9a8952938912bf036b4c83544a568088e42
2018-09-24 14:32:46 -07:00
Yi Kong
7392175ccd Don't use initializer_list as return type
The underlying array may be cleaned up once its lifetime has ended,
the initializer_list would become ill-formed. Return as std::vector
instead.

This fixes "-Wreturn-stack-address" (clang) / "-Winit-list-lifetime"
(gcc) warning.

Test: mma
Bug: 111998531
Change-Id: Ie5bb6bc3d0d7689744fd573c5683b22e6fb6b178
2018-09-21 15:36:57 -07:00
Roberto Pereira
fdea589ea0 keymaster 3.0: make service use nobody as user and remove system group
am: 848607a121

Change-Id: Ib91c3acfb7ba8c0bd6b4864dedb7c92e09f5f8d2
2018-09-10 14:44:54 -07:00
Roberto Pereira
848607a121 keymaster 3.0: make service use nobody as user and remove system group
Only the drmrpc group is necessary

Test: VtsHalKeymasterV3_0TargetTest
Change-Id: I2be255215df827c9f17ecaffcb9d0ba402dd3405
2018-09-10 12:44:42 -07:00
Baranidharan Muthukumaran
65b9c173ea Skip NoUserConfirmation VTS test for Strongbox
am: 709aa5f453

Change-Id: I6dff83b19396fcf599cb8f3be235124d0073beaf
2018-09-06 21:14:02 -07:00
Baranidharan Muthukumaran
709aa5f453 Skip NoUserConfirmation VTS test for Strongbox
Since Confirmation UI is optional for Strongbox
implementation, skipping the test.

Bug: 112189538
Test: This is an update to the vts test
Change-Id: Ie3485a1de92444b0c49670b198de30ea25e0673e
Signed-off-by: Max Bires <jbires@google.com>
2018-09-07 02:37:12 +00:00
Baranidharan Muthukumaran
3f200e078e Merge "Fix KM VTS tests for Strongbox implementations"
am: d6b4242d52

Change-Id: I52cd833dfa2c8cc4fb130544f5cb5d35217a0fc4
2018-09-04 03:55:02 -07:00
Treehugger Robot
d6b4242d52 Merge "Fix KM VTS tests for Strongbox implementations" 2018-09-04 10:44:18 +00:00
Eran Messeri
8ee59f2aa6 Merge "Fixing Keymaster documentation." into pie-vts-dev
am: 33f7970672

Change-Id: I0bd196af03f96817cbd23620b109e7665456f586
2018-08-29 01:11:55 -07:00
Shawn Willden
f7c0a7938d Change ImportWrappedKeyTest back to SHA1
Change I5f877b2a1ac66026a876e145416ba078d486e4b5 inadvertently changed
the digest used for ImportWrappedKey, breaking the test.  This CL
reverts that portion of the change.

Test: VtsHalKeymasterV4_0TargetTest
Bug: 112279922
Merged-In: Ib8e2e7793ba46ae0d29d8407bb730a35bdb5ea98
Change-Id: Ib8e2e7793ba46ae0d29d8407bb730a35bdb5ea98
(cherry picked from commit 0dba888612)
2018-08-28 15:19:40 -07:00
Shawn Willden
0b166a2daf Require keymaster4 attestations to contain the right version.
Note that devices with KM4 will fail to pass VTS after this
lands, until the fix from Qualcomm arrives.

Test: VtsHalKeymasterV4_0TargetTest
Bug: 112040197
Merged-In: Ie2cd917af704b9f19de3537297b3a7e4f0c861e9
Change-Id: Ie2cd917af704b9f19de3537297b3a7e4f0c861e9
(cherry picked from commit 4e006c2b92)
2018-08-28 15:19:03 -07:00
nagendra modadugu
913053419e keymaster: skip SHA2 digest tests for strongbox
Strongbox is not required to support SHA-2 digests,
so skip the related tests.

Bug: 109771020
Merged-In: I5f877b2a1ac66026a876e145416ba078d486e4b5
Change-Id: I5f877b2a1ac66026a876e145416ba078d486e4b5
(cherry picked from commit 8cec80be1f)
2018-08-28 15:18:32 -07:00
nagendra modadugu
8414fb8556 keymaster: spec does not require that update produce output
Remove out of spec enforcement on the amount of data returned
by update, as this is not specified in the HAL.

Bug: 109771020
Test: yes it is
Merged-In: Ic41afbd01d51faf48d3c0fe090409ebcd257cc1e
Change-Id: Ic41afbd01d51faf48d3c0fe090409ebcd257cc1e
(cherry picked from commit 7b75f015a7)
2018-08-28 15:17:31 -07:00
Shawn Willden
e1e08f8dde Fix attestation test.
Bug: 77588764
Test: VtsHalKeymasterV4_0TargetTest
Merged-In: Ibe264d08ae7b3333a6949761a92759f5305b3fcb
Change-Id: Ibe264d08ae7b3333a6949761a92759f5305b3fcb
(cherry picked from commit d898d0a422)
2018-08-28 15:16:58 -07:00
Eran Messeri
ff29edcc71 Fixing Keymaster documentation.
Keymaster HAL documentation documents the bootPatchLevel as having
tag 718, while types.hal indicates the tag value for it is actually
719.

Test: N/A
Bug: 78104779
Merged-In: I0dde0b3c863081f2594e20466d8e82866a5f2d2e
Change-Id: I0dde0b3c863081f2594e20466d8e82866a5f2d2e
(cherry picked from commit ae8da1b70a)
2018-08-28 15:08:39 -07:00
Baranidharan Muthukumaran
88a376b0a0 Fix KM VTS tests for Strongbox implementations
Modify RSA keysize used in various tests
to ensure both TEE and Strongbox implementations
can be validated.
Skip invalid keysizes that Strongbox does not
support.

Test: Patches the strongbox tests
Bug: 112189538
Change-Id: I46ab01ce9b8224403e2a334a894967761d6799c9
Signed-off-by: Max Bires <jbires@google.com>
2018-08-28 10:58:49 -07:00
Shawn Willden
d033196431 Change ImportWrappedKeyTest back to SHA1
am: ad5b5ff2f0

Change-Id: Ia36eb6dd3aa4a07b5a72291c81de6e0cede202af
2018-08-17 09:14:47 -07:00
Shawn Willden
a795d5e3e7 Require KM4 attestations contain the right version
am: 0f2b0966c6

Change-Id: I04801fc26713513d8d39a836e30545e148fd1f50
2018-08-17 09:14:39 -07:00
nagendra modadugu
95f20ea7c5 keymaster: skip SHA2 digest tests for strongbox
am: 7194604cd8

Change-Id: Id44ef77aea880dd565a1a8e466f6ac2e1c98047f
2018-08-17 09:14:31 -07:00
Shawn Willden
ad5b5ff2f0 Change ImportWrappedKeyTest back to SHA1
Change I5f877b2a1ac66026a876e145416ba078d486e4b5 inadvertently changed
the digest used for ImportWrappedKey, breaking the test.  This CL
reverts that portion of the change.

Test: VtsHalKeymasterV4_0TargetTest
Bug: 112279922
Bug: 80246122
Change-Id: Ib8e2e7793ba46ae0d29d8407bb730a35bdb5ea98
2018-08-17 06:58:32 -06:00
Shawn Willden
0f2b0966c6 Require KM4 attestations contain the right version
Note that devices with KM4 will fail to pass VTS after this
lands, until the fix from Qualcomm arrives.

Test: VtsHalKeymasterV4_0TargetTest
Bug: 112040197
Bug: 80246122
Change-Id: Ie2cd917af704b9f19de3537297b3a7e4f0c861e9
2018-08-17 06:58:12 -06:00
nagendra modadugu
7194604cd8 keymaster: skip SHA2 digest tests for strongbox
Strongbox is not required to support SHA-2 digests,
so skip the related tests.

Bug: 109771020
Bug: 80246122
Test: This is the test
Change-Id: I5f877b2a1ac66026a876e145416ba078d486e4b5
2018-08-17 06:58:12 -06:00
nagendra modadugu
683bd5d1b9 keymaster spec doesn't require update to output
Remove out of spec enforcement on the amount of data returned
by update, as this is not specified in the HAL.

Bug: 109771020
Bug: 80246122
Test: yes it is
Change-Id: Ic41afbd01d51faf48d3c0fe090409ebcd257cc1e
2018-08-17 06:57:28 -06:00
Shawn Willden
7b00c75643 Fix attestation test.
Bug: 77588764
Bug: 80246122
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: Ibe264d08ae7b3333a6949761a92759f5305b3fcb
2018-08-17 06:51:06 -06:00
Shawn Willden
66efa86145 Handle software keymaster implementations.
am: 1404b6e8b0

Change-Id: Ia054c30244e989cf60e3abb81304ed9fed0b2fbf
2018-08-15 15:29:30 -07:00
Shawn Willden
1404b6e8b0 Handle software keymaster implementations.
Test: VtsHalKeymasterV3_0TargetTest
Change-Id: I0ca923fab3e312c576abc2f51f6dd28482176db7
2018-08-15 12:13:34 -06:00
Hung-ying Tyan
3c07de32fc Fix free() in keymaster VTS
am: 555cb5e13b

Change-Id: Ida0db54bf04cc81b8dfe218f4e2835e59947e6b7
2018-08-10 14:31:03 -07:00
nagendra modadugu
4fce12f113 Respect limited requirements for Strongbox KM implementations
am: bbe9263f85

Change-Id: I16e0071a70b1ab5bc4317b608b36c8eeef559c58
2018-08-10 14:30:49 -07:00
Hung-ying Tyan
555cb5e13b Fix free() in keymaster VTS
The buffer is allocated by OPENSSL_malloc() in X509_NAME_oneline(name, nullptr, 0).
Should be reclaimed by OPENSSL_free() instead of free().

The patch is provided by vink.shen@mediatek.corp-partner.google.com

Bug: 109708231
Test: build pass
Merged-In: I66a864e3e28905eebac2e7d3a4517d4d5aaa39df
Change-Id: I66a864e3e28905eebac2e7d3a4517d4d5aaa39df
(cherry picked from commit 79db3ec849)
2018-08-10 00:48:32 +00:00
nagendra modadugu
bbe9263f85 Respect limited requirements for Strongbox KM implementations
With this patch the KM VTS test apply the restricted requirements on
supported key sizes, EC curves, and Digests to Strongbox keymaster
implementations.

Also amend tests to use Update().

Test: Yes it is
Bug: 74519020
Merged-In: Ibec9c3398671f81dbc0ecf78e554726276160579
Change-Id: Ibec9c3398671f81dbc0ecf78e554726276160579
(cherry picked from commit 3a7e2cade3)
2018-08-10 00:48:11 +00:00
Shawn Willden
0dba888612 Change ImportWrappedKeyTest back to SHA1
Change I5f877b2a1ac66026a876e145416ba078d486e4b5 inadvertently changed
the digest used for ImportWrappedKey, breaking the test.  This CL
reverts that portion of the change.

Test: VtsHalKeymasterV4_0TargetTest
Bug: 112279922
Change-Id: Ib8e2e7793ba46ae0d29d8407bb730a35bdb5ea98
2018-08-06 17:23:23 -06:00
Shawn Willden
4e006c2b92 Require keymaster4 attestations to contain the right version.
Note that devices with KM4 will fail to pass VTS after this
lands, until the fix from Qualcomm arrives.

Test: VtsHalKeymasterV4_0TargetTest
Bug: 112040197
Change-Id: Ie2cd917af704b9f19de3537297b3a7e4f0c861e9
2018-08-02 21:01:10 +00:00
nagendra modadugu
8cec80be1f keymaster: skip SHA2 digest tests for strongbox
Strongbox is not required to support SHA-2 digests,
so skip the related tests.

Bug: 109771020
Change-Id: I5f877b2a1ac66026a876e145416ba078d486e4b5
2018-07-23 11:25:00 -07:00
Eran Messeri
f1aa9d6b88 Merge "Fixing Keymaster documentation." into pi-dev
am: 897b56e2a8

Change-Id: I2089c6a5ca411b95b9e925e92999d246d4240b5f
2018-06-29 04:00:40 -07:00
TreeHugger Robot
897b56e2a8 Merge "Fixing Keymaster documentation." into pi-dev 2018-06-29 10:57:17 +00:00
nagendra modadugu
c7d39cf9ac Merge "keymaster: spec does not require that update produce output" into pi-dev
am: 409b5fd5fb

Change-Id: Ieb194a3116abcfee249c2033ed346aa7151fc26c
2018-06-26 17:05:10 -07:00
TreeHugger Robot
409b5fd5fb Merge "keymaster: spec does not require that update produce output" into pi-dev 2018-06-26 23:57:01 +00:00
nagendra modadugu
7b75f015a7 keymaster: spec does not require that update produce output
Remove out of spec enforcement on the amount of data returned
by update, as this is not specified in the HAL.

Bug: 109771020
Test: yes it is
Change-Id: Ic41afbd01d51faf48d3c0fe090409ebcd257cc1e
2018-06-26 15:44:36 -07:00
Shawn Willden
0804bb0cfc Merge "Fix attestation test." into pi-dev
am: be04f192e9

Change-Id: I276a5f18b35b5923590ab2c5f6d9688bd06d05bd
2018-06-25 16:47:51 -07:00
Shawn Willden
d898d0a422 Fix attestation test.
Bug: 77588764
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: Ibe264d08ae7b3333a6949761a92759f5305b3fcb
2018-06-25 06:36:02 -06:00
Eran Messeri
ae8da1b70a Fixing Keymaster documentation.
Keymaster HAL documentation documents the bootPatchLevel as having
tag 718, while types.hal indicates the tag value for it is actually
719.

Test: N/A
Bug: 78104779
Change-Id: I0dde0b3c863081f2594e20466d8e82866a5f2d2e
2018-06-21 20:35:45 +01:00
Janis Danisevskis
fdaab3d2a7 Merge "Relax HMAC computation check" into pi-dev
am: b6093dccf0

Change-Id: I205cf45af3e58028c120c2a118dd9dd6509e0bad
2018-06-20 15:36:46 -07:00
Janis Danisevskis
b6093dccf0 Merge "Relax HMAC computation check" into pi-dev 2018-06-20 22:32:13 +00:00
Janis Danisevskis
a1c4e0ec5d Relax HMAC computation check
This KM4 key agreement check is causing some pain on early units
that aren't completely provisioned in both locked and non-Green
(unlocked) states.

This doesn't impact KM3 devices (Pixel 2016/2017 etc.)

Bug: 110301629
Change-Id: I5a737ac8a335863b1099c29cf3c0496adeb41e15
2018-06-20 05:25:22 +00:00
nagendra modadugu
69242ea30b Merge "Respect limited requirements for Strongbox KM implementations" into pi-dev
am: 17be71d397

Change-Id: I16bde9c0defeb971cba8684c021a331a59b7937f
2018-06-18 10:32:22 -07:00
nagendra modadugu
3a7e2cade3 Respect limited requirements for Strongbox KM implementations
With this patch the KM VTS test apply the restricted requirements on
supported key sizes, EC curves, and Digests to Strongbox keymaster
implementations.

Also amend tests to use Update().

Test: Yes it is
Bug: 74519020
Change-Id: Ibec9c3398671f81dbc0ecf78e554726276160579
2018-06-18 09:20:56 -07:00
Hung-ying Tyan
e874dd7741 Fix free() in keymaster VTS
am: 79db3ec849

Change-Id: Ib555c571fb5aede39c7f1f9418a91f24b193c5a8
2018-06-10 21:58:19 -07:00
Xin Li
27353e7065 Merge pi-dev-plus-aosp-without-vendor into stage-aosp-master
Bug: 79597307
Change-Id: Ifa37597ef6090bfbf1b41307a60cf65cfa1f563d
2018-06-08 11:07:51 -07:00
Shawn Willden
fddc15e1ec Merge "Fix bug in VTS attestation cert verification." am: 636650bd84
am: 03a2fcd89f

Change-Id: I1270383112047ab90d87bee4a483a91bb9093090
2018-06-08 06:11:43 -07:00
Treehugger Robot
636650bd84 Merge "Fix bug in VTS attestation cert verification." 2018-06-08 13:00:19 +00:00
Hung-ying Tyan
79db3ec849 Fix free() in keymaster VTS
The buffer is allocated by OPENSSL_malloc() in X509_NAME_oneline(name, nullptr, 0).
Should be reclaimed by OPENSSL_free() instead of free().

The patch is provided by vink.shen@mediatek.corp-partner.google.com

Bug: 109708231
Test: build pass
Change-Id: I66a864e3e28905eebac2e7d3a4517d4d5aaa39df
2018-06-08 17:53:48 +08:00
TreeHugger Robot
8bac8dcba5 Merge "Minor corrections to the Keymaster4 documentation." into pi-dev 2018-05-31 16:49:10 +00:00
Shawn Willden
5b60a1b72e Minor corrections to the Keymaster4 documentation.
Gramatical and punctuation corrections; addition of missing
userSecureId to AuthorizationList schema and removal of extraneous
rollbackResistant from same; correction of OS_PATCHLEVEL source
property; and addition of missing TAG_UNLOCKED_DEVICE_REQUIRED
documentation.

Bug: 69550260
Test: N/A
Change-Id: I04092b7df3af69201ba1467cddc09f6f44e861a8
2018-05-30 16:20:48 -06:00
Shawn Willden
8d815f659d Fix default keymaster so it doesn't start an extra thread.
Bug: 80102279
Bug: 80251973
Test: N/A; this keymaster exists only for policy compliance. It's never used.
Change-Id: I45f0eefd9abdd02f6774aa52f238040510c5d62c
2018-05-24 20:52:11 +00:00
TreeHugger Robot
1f74538cdb Merge "Move Keymaster docs into HAL" into pi-dev 2018-05-24 02:11:43 +00:00
Shawn Willden
b20a5dd5d9 Move Keymaster docs into HAL
Bug: 69550260
Test: N/A
Change-Id: Ib135e4e4060f3a89480f6784b30e9008126b3b76
2018-05-23 18:26:42 -06:00
Shawn Willden
6dad2b3a4b Activate HMAC sharing check.
This had to be disabled because Qualcomm's keymaster4 returned a bad
value.

Bug: 77588764
Bug: 79698245
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: Ieb150d7f17c36f01acf2eeb665792594251b51ae
2018-05-23 05:44:42 -06:00
Steven Moreland
913c071391 Update comments for doc comments.
Doc comments look like "/** ... */" and they
can only be in certain places.

Bug: 79865343
Test: m
Change-Id: Ic15c08ff7dc6e4f9827c1dbe7f7236c11a572ec1
Merged-In: Ic15c08ff7dc6e4f9827c1dbe7f7236c11a572ec1
2018-05-21 14:36:29 -07:00
Steven Moreland
4ee4582230 Update comments for doc comments.
Doc comments look like "/** ... */" and they
can only be in certain places.

Bug: 79865343
Test: m
Change-Id: Ic15c08ff7dc6e4f9827c1dbe7f7236c11a572ec1
2018-05-18 10:10:32 -07:00
Shawn Willden
f0f05d4052 Add utility method to perform HMAC agreement
To make it easier for clients (vold & keystore) to perform key
agreement, this CL adds a service method that does it.  To make key
agreement consistent, this method sorts the HMAC sharing parameters
lexicographically.  The requirement for sorting is documented in the
HAL.

Test: Boot device
Bug: 79307225
Bug: 78766190
Change-Id: Idb224f27f8e4426281d9a0105605ba22bf7c7e95
2018-05-10 18:28:51 -06:00
Shawn Willden
44dc86edf8 Fix bug in VTS attestation cert verification.
Keymaster VTS is failing to verify that the last certificate in the
chain is self-signed.  CTS and GTS tests verify this, but it should be
validated at this level as well.

Bug: 79123157
Test: VtsHalKeymasterV3_0TargetTest
Change-Id: I5ff33fc8186182c2cf8d43d90cd59f89ce45d416
2018-05-04 16:15:06 +00:00
Brian C. Young
9fca9719a3 Remove superfluous test
This test was added on a bad assumption about the behavior of the
keymaster spec, and is now being removed.

Test: VTS
Bug: 77307569
Change-Id: Iac2f6f45ea1816505ff3b47bbdc548ff1161c96b
2018-04-11 12:38:52 -07:00
Shawn Willden
86a33acfce Correct bug in HmacKeySharingTest
The key sharing test modified the seed in an invalid way.

Bug: 77588764
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I0b2ac90397a3f23258ebd4dddc5f6043af7b1600
2018-04-09 14:16:38 -06:00
Shawn Willden
44f8b71874 Correct import wrapped key golden keys.
The golden test keys didn't include TAG_NO_AUTH_REQUIRED, which causes
them to be rejected by strictly compliant implementations.

Bug: 77588764
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I5157537e5407618ddc37debf00486977abb00f99
2018-04-04 21:35:11 +00:00
TreeHugger Robot
a71ab794a6 Merge "Correct TripleDes tests." into pi-dev 2018-04-04 21:31:25 +00:00
Shawn Willden
08839105dc Correct TripleDes tests.
The TripleDes tests failed to set TAG_NO_AUTH_REQUIRED, which causes
operations to be rejected by strictly compliant implementations.

Bug: 77588764
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I25cd5ec0ccede2b148f5da4566b8e1e20e8edbde
2018-04-04 21:31:22 +00:00
nagendra modadugu
9c36c91945 keymaster: provide instance name to getService()
Bug: 38430282
Test: VtsHalKeymasterV3_0TargetTest pass with exception
  of (AesEcbWithUserId, RsaAttestation, EcAttestation)
  which are expected failures.

Change-Id: I48e7195f512190deb608f1a69783c92254eef1aa
2018-03-30 18:31:35 -07:00
Brian Young
3f48322658 Add "Unlocked device required" key API
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed

Bug: 67752510

Merged-In: Id19d19b19532ac8d4c52aad46a954faa4515289d
Change-Id: Id19d19b19532ac8d4c52aad46a954faa4515289d
(cherry picked from commit 1840be6d35)
2018-03-28 08:38:56 -07:00
nagendra modadugu
a63596436b Remove DES 112 tests, and speed up RSA keygen
Only DES3 is supported (168-bit), so remove
tests for 112-bit DES.

Also replace the RSA public exponent 3, with
65537 in most tests so that RSA key generation
is faster.

Change-Id: I9958df81fe46d752d82072dc6c7effa34b2921a8
2018-03-01 17:26:12 -08:00
Brian Young
f67e953919 Revert "Restore "Add "Unlocked device required" parameter to keys""
This reverts commit 97e02689d9.

Reason for revert: Regression in creating auth-bound keys

Bug: 73773914

Bug: 67752510

Change-Id: I8ccba28580099c4c533f53b0be92f1d607ce63c6
2018-02-23 01:31:40 +00:00
Brian C. Young
97e02689d9 Restore "Add "Unlocked device required" parameter to keys"
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

This reverts commit 95b60a0f41.

Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed

Bug: 67752510

Change-Id: I2893c23ab173ff5c39085d56b555e54770900cbc
2018-02-15 11:19:40 -08:00
Zhuoyao Zhang
bc02ee16e4 Merge "Convert keymaster hal test to use VtsHalHidlTargetTestEnvBase" am: eeeaaf5589 am: 6e4263fa6b
am: 75cfb6b035

Change-Id: I5a2b49315d74cc53b6205346e39d953826a15dab
2018-02-12 17:51:39 +00:00
Zhuoyao Zhang
14ab40b9e7 Convert keymaster hal test to use VtsHalHidlTargetTestEnvBase
Bug: 64203181
Test: make vts
      vts-tradefed run vts -m VtsHalKeymasterV3_0Target

Change-Id: I6f245996749a53418b71f516ba782fe9d4321501
2018-02-10 12:40:25 -08:00
Jorim Jaggi
62df80180b Merge "Revert "Add "Unlocked device required" parameter to keys"" 2018-01-30 15:36:28 +00:00
Brian Young
95b60a0f41 Revert "Add "Unlocked device required" parameter to keys"
This reverts commit 5fe872413b.

Reason for revert: Build breakages on elfin, gce_x86_phone.

Bug: 72679761
Bug: 67752510
Change-Id: I2857b2a9b6ff26735bd4989a36c5e5deb4953904
2018-01-30 15:31:19 +00:00
TreeHugger Robot
ea52a4d3b8 Merge "Add "Unlocked device required" parameter to keys" 2018-01-29 23:16:02 +00:00
Shawn Willden
98b998b59a Support library enhancements, to ease transition of vold to KM4
Keymaster clients need to see all the available devices and figure out
which they want to use.  This method finds them all and returns them
in a vector sorted from most secure to least, according to a heuristic
defined in Keymaster::VersionResult::operator<

This CL also makes a few other minor improvements to the support
library, providing more information in VersionResult and adding some
more convenience methods in AuthorizationSetBuilder.

Test: Build & boot
Change-Id: I876238ee9ff72573c30d60e1cec665dd610bcde6
2018-01-25 22:38:56 -07:00