Commit graph

55 commits

Author SHA1 Message Date
Shawn Willden
66b1cfaac0 Update to support keymaster's configurable version.
Test: VtsHalIdentityTargetTest
Bug: b/173577355
Change-Id: Ia7c1a46edec12047c51ed4888788386dcfe11ca9
2020-11-23 23:11:52 -07:00
Selene Huang
06614b3e15 identity: Change Identitial Credential to pass in subject by
attestation params instead of making another function in attestation_utils.

Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: I67f5f584875a1baefc5a3d1a1fc46d605febbf33
2020-11-20 08:41:34 -08:00
David Zeuthen
34abaaefcb identity: Fix attestation and documentation problems.
- The docs said that IdentityCredential.createEphemeralKey() returned
  data encoded PKCS#8 which is wrong. It's supposed to be in DER format
  which is also what the VTS tests and credstore expects.

- Clarify that createEphemeralKeyPair(), setReaderEphemeralPublicKey(),
  and createAuthChallenge() are all optional.

- Avoid passing an invalid profile ID in the IdentityCredentialTests.
  verifyOneProfileAndEntryPass test.

- Update requirements for which tags must be present in the attestation
  for CredentialKey as well as the requirements on expiration date and
  the issuer name.  Update default implementation to satisfy these
  requirements. Update VTS tests to carefully verify these requrements
  are met.

- Clarify requirements for X.509 cert for AuthenticationKey. Add VTS
  test to verify.

- Mandate that TAG_IDENTITY_CREDENTIAL_KEY must not be set for test
  credentials. Add VTS test to verify this.

- Make default implementation pretend to be implemented in a trusted
  environment and streamline VTS tests to not special-case for the
  default implementation.

- Switch to using the attestation extension parser from the KM 4.1
  support library instead of the one from system/keymaster. The latter
  one did not support the latest attestation extension and thus would
  fail for pretty much anything that wasn't the default HAL impl.

- Fix a couple of bugs in keymaster::V4_1::parse_attestation_record():
  - Report root_of_trust.security_level
  - Add support for Tag::IDENTITY_CREDENTIAL_KEY

- Fix how EMacKey is calculated.

- Add test vectors to verify how EMacKey and DeviceMac is calculated.

Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Bug: 171745570
Change-Id: I2f8bd772de078556733f769cec2021918d1d7de6
2020-11-17 13:44:00 -05:00
Xin Li
36dcf1a404 Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)
Bug: 166295507
Merged-In: I6502829205ede2de914b27e6c2c5c42916af2b39
Change-Id: I7cb06511e43bd1fffd5f80a11dbdf5b1314cfe8e
2020-08-28 13:05:04 -07:00
David Benjamin
45ff9aa8ff Avoid unnecessary access of BoringSSL structs.
Checking cert_info->key->algor->algorithm is redundant with the checks
following it. If the public key is an EC key, that was the OID. Remove
the check so this code does not break when BoringSSL makes the X509
structures opaque in the future.

While we're not particularly aiming to make ECDSA_SIG opaque, getters
exist, so go ahead and use them.

Test: mm, treehugger
Change-Id: I1b37fef2290b7697a6e821f20ba702b3da5ef18d
2020-08-26 15:38:47 -04:00
Dan Shi
ba4d532fee Suppress gtest error for tests without any instance
Bug: 162052785
Test: m -j vts
Change-Id: I8c1a48e6fbd7c8161137902b5332911fa0d7b8b3
2020-07-28 15:12:32 -07:00
Treehugger Robot
347694c3cf Merge "Identity: Add VTS test to check empty and semi-empty requests work properly." am: 75e326e17d am: 925757c2eb
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1360918

Change-Id: Ibdbb8583c23370a27ed1d7f900383b80594f26ff
2020-07-13 17:01:35 +00:00
David Zeuthen
7067a73ed2 Identity: Add VTS test to check empty and semi-empty requests work properly.
Some IC applications may perform two requests - one to get data
elements and a second empty request. The latter is to e.g. get an
empty DeviceSignedItems and corresponding MAC.

Extend VTS tests to check that the HAL does this correctly both for
the completely empty request and also for a request with an empty
namespace.

Bug: 160966911
Test: atest VtsHalIdentityTargetTest
Change-Id: I3205f2c0ded2ea315857438a3114ddcf8ef557f9
2020-07-10 14:38:53 -04:00
Treehugger Robot
6544b9f52c Merge "Identity: Update for changes to ISO 18013-5." am: 84a6118710 am: 6223c5fbf3
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1344923

Change-Id: I803cc05da5a1fe22e27db8683632114a322c9b99
2020-06-24 16:18:03 +00:00
David Zeuthen
2e4533e5c1 Identity: Update for changes to ISO 18013-5.
Key derivation for session encryption and MACing now involves mixing
in SessionTranscriptBytes. Update docs, default implementation, and
VTS tests to reflect this.

Also, the standard changed such that instead of DeviceAuthentication
being MACed or signed, it's instead DeviceAuthenticationBytes which is
defined as #6.24(bstr .cbor DeviceAuthentication). The same also for
ReaderAuthentication, now ReaderAuthenticationBytes is the CBOR which
is signed by the reader.

Also update the URL for CDDL since it's now a published RFC.

Bug: 159482543
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: I73fc7eb48ffb71e00a8b54849266ed814295fa39
2020-06-24 09:27:02 -04:00
David Zeuthen
c098dafed8 Identity: More static linking of VTS test binary. am: 780f8c860d am: 7fb435ce16
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1342874

Change-Id: Ib3eecb15864e67834d0bf935d39ca089ef14e4ab
2020-06-18 15:52:03 +00:00
David Zeuthen
780f8c860d Identity: More static linking of VTS test binary.
The VTS test was dynamically linking some libraries not normally
present on an Android system. Statically link these libraries instead.

Bug: 158150767
Test: atest VtsHalIdentityTargetTest
Change-Id: Ib93620c36b0ff7f5c9f239ff8861a11196605881
2020-06-18 09:44:51 -04:00
Jing-yan, Jang
7015c0ef67 Merge "Identity Credential: Add some support functions for mDL oem Hal." into rvc-dev am: 4200c3b5d3
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/11716799

Change-Id: I5f64791e4381f8952c388c5f9c72083c4269112a
2020-06-18 06:54:01 +00:00
josephjang
4821cee9a3 Identity Credential: Add some support functions for mDL oem Hal.
Add following crypto APIs to for mDL oem Hal.
ecPrivateKeyToKeyPair()
signEcDsaDigest()
certificateSignedByPublicKey()
coseSignEcDsaWithSignature()
ecdsaSignatureDerToCose()
ecdsaSignatureCoseToDer()
coseSignGetSignature()
coseSignGetAlg()
coseMacWithDigest()
certificateFindPublicKey()
certificateTbsCertificate()
certificateFindSignature()
createAttestationForEcPublicKey()

Bug: 136506289
Test: atest VtsHalIdentityTargetTest
Change-Id: Ib40de4a3ad7e791ff4d82f77292c621653c1a3f3
2020-06-16 14:04:43 +00:00
TreeHugger Robot
ec14eb63af Merge "Identity: Statically link VTS test binary." into rvc-dev am: bde68f5a1d
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/11853101

Change-Id: Ie30d34ce47e6aaf98cdaaa7d9d2d523923a0a158
2020-06-12 20:29:11 +00:00
David Zeuthen
45eb940d74 Identity: Statically link VTS test binary.
The VTS test was dynamically linking some libraries not normally
present on an Android system. Statically link these libraries instead.

Bug: 158150767
Test: atest VtsHalIdentityTargetTest
Merged-In: Ida85ca8835d0243c47f451ccdfa0d11d29ec1bdb
Change-Id: If11fe0812bf367400f5c8e894e636937ee191d3f
2020-06-12 14:56:49 -04:00
David Zeuthen
baa41d7945 Identity: Statically link VTS test binary.
The VTS test was dynamically linking some libraries not normally
present on an Android system. Statically link these libraries instead.

Bug: 158150767
Test: atest VtsHalIdentityTargetTest
Change-Id: Ida85ca8835d0243c47f451ccdfa0d11d29ec1bdb
2020-06-12 14:52:37 -04:00
David Zeuthen
d16d0fa609 Update Identity Credential VTS tests.
These updates are based on input/experiences implementing this
HAL. There are no API changes.

 - Specify that the validity for credentialKey certificate shall be
   from current time and expire at the same time as the attestation
   batch certificate.

 - Require challenge passed to getAttestationCertificate() is
   non-empty.

 - Fix bug in VTS tests where the startPersonlization() result was not
   checked.

 - Remove verifyStartPersonalizationZero test since it cannot be
   completed.

 - Ensure secureUserId is non-zero if user authentication is needed.

 - Specify format for signingKeyBlob in generateSigningKeyPair() same
   way we do for credentialData in finishAddingEntries().

 - Modify EndToEndTest to decrypt/unpack credentialData to obtain
   credentialPrivKey and storageKey and do cross-checks on these.

 - Modify EndToEndTest to decrypt/unpack signingKeyBlob to obtain
   signingKeyPriv and check it matches the public key in the returned
   certificate.

 - Add new VTS tests for user and reader authentication.

 - Relax unnecessary requirements about SessionTranscript structure -
   just require it has X and Y of the ephemeral key created earlier.

 - Allow calls in VTS tests to v2 HAL to fail - this should allow
   these VTS tests to pass on a compliant v1 HAL.

Bug: 156911917
Bug: 158107945
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Merged-In: I11b79dbd57b1830609c70301fea9c99f9e5080cb
Change-Id: I93003389012e69c6df23e1bcebeafde8281caf9c
2020-06-05 09:59:01 -04:00
David Zeuthen
ef7395127f Update Identity Credential VTS tests.
These updates are based on input/experiences implementing this
HAL. There are no API changes.

 - Specify that the validity for credentialKey certificate shall be
   from current time and expire at the same time as the attestation
   batch certificate.

 - Require challenge passed to getAttestationCertificate() is
   non-empty.

 - Fix bug in VTS tests where the startPersonlization() result was not
   checked.

 - Remove verifyStartPersonalizationZero test since it cannot be
   completed.

 - Ensure secureUserId is non-zero if user authentication is needed.

 - Specify format for signingKeyBlob in generateSigningKeyPair() same
   way we do for credentialData in finishAddingEntries().

 - Modify EndToEndTest to decrypt/unpack credentialData to obtain
   credentialPrivKey and storageKey and do cross-checks on these.

 - Modify EndToEndTest to decrypt/unpack signingKeyBlob to obtain
   signingKeyPriv and check it matches the public key in the returned
   certificate.

 - Add new VTS tests for user and reader authentication.

 - Relax unnecessary requirements about SessionTranscript structure -
   just require it has X and Y of the ephemeral key created earlier.

 - Allow calls in VTS tests to v2 HAL to fail - this should allow
   these VTS tests to pass on a compliant v1 HAL.

Bug: 156911917
Bug: 158107945
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: I11b79dbd57b1830609c70301fea9c99f9e5080cb
2020-06-04 16:46:54 -04:00
Selene Huang
57b3479394 Add attestation certificate parsing and validate for IC vts.
- Added attestation certificate parsing support.
 - Added various certificate conversion support.
 - Added certification verification support.
 - Added tests for the attestation certificate verification.
 - Updated the old tests to use the new attestation validation
   implementation.
 - Updated GenerateReaderCertificate to use pointer reader private key.

Bug: 154909726
Test: VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Merged-In: Ibe770e6eaf0b0018d60876926d824204e4eaf732
Change-Id: I07c2eaf92ed60fa31761816c4b45684806c3305e
2020-05-29 15:50:55 -04:00
Selene Huang
38ca6961e3 Add attestation certificate parsing and validate for IC vts.
- Added attestation certificate parsing support.
 - Added various certificate conversion support.
 - Added certification verification support.
 - Added tests for the attestation certificate verification.
 - Updated the old tests to use the new attestation validation
   implementation.
 - Updated GenerateReaderCertificate to use pointer reader private key.

Bug: 154909726
Test: VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Merged-In: Ibe770e6eaf0b0018d60876926d824204e4eaf732
Change-Id: I5d87622cc43241d1e2de59cd1c0f33630e4fcbab
2020-05-29 12:10:57 -04:00
David Zeuthen
b1e8ff545a Identity Credential: Add method to accept verification token.
This is to facilitate HAL implementations using a TA existing in a
different environment than where auth tokens are minted. This method
will be used by credstore in a companion CL.

This modifies version 2 of the Identity Credential API (which was
never been released) to add a new method and creates version 2 of the
Keymaster types-only AIDL API to include the new VerificationToken
parcelable and SecurityLevel enum.

Bug: 156076333
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Merged-In: I7d05413a9ec70225ce419079f3cc9daf026cf744
Change-Id: Idd7ab041d87617556ed840403033b642f8c2ab86
2020-05-18 15:55:21 -04:00
David Zeuthen
7036816f91 Identity Credential: Pass additional information to HAL.
Without this extra information passed upfront it's not practical to
implement a HAL which incrementally builds up cryptographically
authenticated data.

Two new methods are added to facilitate this and the HAL version
number is bumped to 2.

Bug: 154631410
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Merged-In: Iff63dfa2c4485c8768e06e7f6d70e940cfc8f68e
Change-Id: Ia8afcfb211c8d3614be6b382819538347cda0454
2020-05-18 15:47:47 -04:00
Selene Huang
2ea80dc83f Merge "Add attestation certificate parsing and validate for IC vts." 2020-05-12 05:41:49 +00:00
David Zeuthen
a8ed82cbb4 Identity Credential: Add method to accept verification token.
This is to facilitate HAL implementations using a TA existing in a
different environment than where auth tokens are minted. This method
will be used by credstore in a companion CL.

This modifies version 2 of the Identity Credential API (which was
never been released) to add a new method and creates version 2 of the
Keymaster types-only AIDL API to include the new VerificationToken
parcelable and SecurityLevel enum.

Bug: 156076333
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts

Change-Id: I7d05413a9ec70225ce419079f3cc9daf026cf744
2020-05-08 11:33:23 -04:00
Selene Huang
cab019aae5 Add attestation certificate parsing and validate for IC vts.
- Added attestation certificate parsing support.
- Added various certificate conversion support.
- Added certification verification support.
- Added tests for the attestation certificate verification.
- Updated the old tests to use the new attestation validation
  implementation.
- Updated GenerateReaderCertificate to use pointer reader private key.

Bug: 154909726

Test: VtsHalIdentityTargetTest
Test: atest android.security.identity.cts

Change-Id: Ibe770e6eaf0b0018d60876926d824204e4eaf732
2020-04-30 21:33:48 -07:00
David Zeuthen
28edb10334 Identity Credential: Pass additional information to HAL.
Without this extra information passed upfront it's not practical to
implement a HAL which incrementally builds up cryptographically
authenticated data.

Two new methods are added to facilitate this and the HAL version
number is bumped to 2.

Bug: 154631410
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: Iff63dfa2c4485c8768e06e7f6d70e940cfc8f68e
2020-04-29 14:27:18 -04:00
David Zeuthen
602753593e Identity Credential: Restrict AccessControlProfile identifiers to 32.
In order to implement Identity Credential on resource-restricted
secure hardware, we need to limit the number of possible
AccessControlProfile in a credential. A limit of 32 means that such
hardware only need to devote four bytes of RAM for a bitmask with
information about which profiles are authorized.

Document this, add new VTS test, and update the default
implementation.

Bug: 155100967
Test: atest android.security.identity.cts
Test: atest VtsHalIdentityTargetTest
Merged-In: Ia4f2ee0013b330561df744e0595f298a0d156122
Change-Id: I2dd672447bedfa9407bf1044e6261af26fd137f9
2020-04-27 16:03:36 -04:00
David Zeuthen
a0796e98c2 Identity Credential: Restrict AccessControlProfile identifiers to 32.
In order to implement Identity Credential on resource-restricted
secure hardware, we need to limit the number of possible
AccessControlProfile in a credential. A limit of 32 means that such
hardware only need to devote four bytes of RAM for a bitmask with
information about which profiles are authorized.

Document this, add new VTS test, and update the default
implementation.

Bug: 155100967
Test: atest android.security.identity.cts
Test: atest VtsHalIdentityTargetTest
Change-Id: Ia4f2ee0013b330561df744e0595f298a0d156122
2020-04-27 15:28:27 -04:00
Selene Huang
d39b9fb604 Fix IC vts bugs and add tests for IC IWritableIdentityCredential.aidl interface.
Fixed following bugs in WritableIdentityCredential.cpp
  - Do not allow startPersonalization to be called more than once per
  aidl.
  - Do not preceed with beginAddEntry if addAccessControlProfile and
  startPersonalization profile count mismatch.
  - Verify access control profile ids are unique.
  - Do not let empty name space to mess up beginAddEntry.
  - Do not allow beginAddEntry to add entries interleaving namespace
    groupings. Enforce all entries must be added in namespace "groups"
    per aidl.
  - Fix counting error that allowed one entries to be added per name
    space than startPersonalization limit.
  - Do not approve finishAddingEntries if there are more profiles or
    entries to be added than startPersonalization set accounting.
  - Add testing utilities library for identity credential.
  - Refactored end to end tests.

Bug: 154909726
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Merged-In: I51902681776c6230e49589fc75a8145e79d7d1a6

Change-Id: Ib7c108f67c61125edba6177dcac61cfbf58da671
2020-04-27 13:03:20 -04:00
Treehugger Robot
71156e527c Merge "Fix IC vts bugs and add tests for IC IWritableIdentityCredential.aidl interface." 2020-04-24 14:00:54 +00:00
Selene Huang
92b61d650f Fix IC vts bugs and add tests for IC IWritableIdentityCredential.aidl interface.
Fixed following bugs in WritableIdentityCredential.cpp
  - Do not allow startPersonalization to be called more than once per
  aidl.
  - Do not preceed with beginAddEntry if addAccessControlProfile and
  startPersonalization profile count mismatch.
  - Verify access control profile ids are unique.
  - Do not let empty name space to mess up beginAddEntry.
  - Do not allow beginAddEntry to add entries interleaving namespace
    groupings. Enforce all entries must be added in namespace "groups"
    per aidl.
  - Fix counting error that allowed one entries to be added per name
    space than startPersonalization limit.
  - Do not approve finishAddingEntries if there are more profiles or
    entries to be added than startPersonalization set accounting.
  - Add testing utilities library for identity credential.
  - Refactored end to end tests.

Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts

Change-Id: I51902681776c6230e49589fc75a8145e79d7d1a6
2020-04-24 00:04:07 -07:00
David Zeuthen
a7bdc9559a Update Identity Credential HAL docs.
This change contains no actual syntactical or semantic changes, just
clarifications on the inputs and outputs.

Test: N/A
Bug: 151082886
Merged-In: I794b8d0360c1eda37b4dbe757d7a7fadcbdda7bc
Change-Id: I5ad596ec0fa4dac7473d8fd435f538dbb5529846
2020-04-21 16:49:40 -04:00
David Zeuthen
c428692e82 Update Identity Credential HAL docs.
This change contains no actual syntactical or semantic changes, just
clarifications on the inputs and outputs.

Test: N/A
Bug: 151082886

Change-Id: I794b8d0360c1eda37b4dbe757d7a7fadcbdda7bc
2020-04-14 15:14:48 -04:00
Jeongik Cha
a73d6bc97e Freeze vintf aidl interfaces
AIDL interfaces which are vintf-stable have to be frozen in release.
But these interfaces have been never frozen, so freeze them.

- android.hardware.power
- android.hardware.identity
- android.hardware.keymaster
- android.hardware.vibrator
- android.hardware.light
- android.hardware.tests.extension.vibrator

Bug: 153500421
Bug: 153500550
Bug: 153511407
Bug: 153500549
Bug: 153501107
Bug: 153501202
Test: m
Change-Id: I643c25fc695f9d1e874dcceb327d465c49e9cab6
Merged-In: I643c25fc695f9d1e874dcceb327d465c49e9cab6
2020-04-09 08:27:34 +00:00
Treehugger Robot
15664d3f58 Merge "Freeze vintf aidl interfaces" 2020-04-09 07:49:49 +00:00
Jeongik Cha
cfb374895d Freeze vintf aidl interfaces
AIDL interfaces which are vintf-stable have to be frozen in release.
But these interfaces have been never frozen, so freeze them.

- android.hardware.power
- android.hardware.identity
- android.hardware.keymaster
- android.hardware.vibrator
- android.hardware.light
- android.hardware.tests.extension.vibrator

Bug: 153500421
Bug: 153500550
Bug: 153511407
Bug: 153500549
Bug: 153501107
Bug: 153501202
Test: m
Change-Id: I643c25fc695f9d1e874dcceb327d465c49e9cab6
2020-04-08 20:28:40 +09:00
Jiyong Park
d7fcbb00d7 Update the current API dump
All aidl_interface modules should by default considered as stable, in
case it is used across system and vendor partitions, or across modules.
Like other API surfaces, we need to have a dump for the current
(yet-to-be-released) version and update it when there is an API change.
This is done via .

Then the owner of the interface can freeze the current version as a
numbered version via .

This change shal be rejected only when the owner is certain that the
interface is not used across the updatable boundaries.

Bug: 152655547
Test: m
Change-Id: Ia633e3a143b35626c59b2447c38c1710ee270f0c
Merged-In: Ia633e3a143b35626c59b2447c38c1710ee270f0c
2020-04-08 18:27:11 +09:00
Dan Shi
aad51fa000 Rename vts-core to vts
Bug: 151896491
Test: local build
Exempt-From-Owner-Approval: This CL update suite name vts-core to vts as
the suite name is updated. This CL won't change test logic or behavior.

Change-Id: I562b4dc50765e953800a814a8fd84a01c1b9352b
Merged-In: I562b4dc50765e953800a814a8fd84a01c1b9352b
2020-04-07 16:37:40 -07:00
Dan Shi
ba894f81db Rename vts-core to vts
Bug: 151896491
Test: local build
Exempt-From-Owner-Approval: This CL update suite name vts-core to vts as
the suite name is updated. This CL won't change test logic or behavior.

Change-Id: I562b4dc50765e953800a814a8fd84a01c1b9352b
Merged-In: I562b4dc50765e953800a814a8fd84a01c1b9352b
2020-04-07 15:17:02 -07:00
Jiyong Park
cde2dfddc2 Update the current API dump
All aidl_interface modules should by default considered as stable, in
case it is used across system and vendor partitions, or across modules.
Like other API surfaces, we need to have a dump for the current
(yet-to-be-released) version and update it when there is an API change.
This is done via .

Then the owner of the interface can freeze the current version as a
numbered version via .

This change shal be rejected only when the owner is certain that the
interface is not used across the updatable boundaries.

Bug: 152655547
Test: m
Change-Id: Ia633e3a143b35626c59b2447c38c1710ee270f0c
2020-03-30 14:58:46 +09:00
Jooyung Han
17be89b21b use vector<uint8_t> for byte[] in AIDL
In native world, byte stream is typically represented in uint8_t[]
or vector<uint8_t>. C++ backend already generates that way. This
change involves NDK backend.

Now NDK backend also uses vector<uint8_t> just like C++ backend.

Bug: 144957764
Test: atest CtsNdkBinderTestCases
Merged-In: I8de348b57cf92dd99b3ee16252f56300ce5f4683
Change-Id: I8de348b57cf92dd99b3ee16252f56300ce5f4683
(cherry picked from commit 9070318462)

Exempt-From-Owner-Approval: cp from internal
2020-03-24 06:37:11 +00:00
TreeHugger Robot
2cc31a6f4a Merge "Identity: Statically link additional libraries in VtsHalIdentityTargetTest." into rvc-dev 2020-03-10 00:10:39 +00:00
TreeHugger Robot
81e68c71d7 Merge "Identity: Move signingKeyBlob from finishRetrieval() to startRetrieval()." into rvc-dev 2020-03-09 22:07:45 +00:00
David Zeuthen
18be965c7e Identity: Statically link additional libraries in VtsHalIdentityTargetTest.
The problem was that VtsHalIdentityTargetTest was dynamically linking
libraries that (currently) only are pulled in by the default IC HAL
implementaiton. This caused linking problems when copying
VtsHalIdentityTargetTest onto a device a running it.

Fix this by only dynamically linking libbinder and libcrypto.

Bug: 150475275
Test: VtsHalIdentityTargetTest runs on a device without Identity Credential.
Merged-In: I4162cc81ade0373c31c96008f3a2bc95684fd2c2
Change-Id: I7a55a6e602b9902bd725190aa5631644f7639b95
2020-03-09 15:47:01 -04:00
David Zeuthen
b790d97f45 Identity: Move signingKeyBlob from finishRetrieval() to startRetrieval().
The implementation of the Identity Credential TA in constrained
environments may need to incrementally update the HMAC-SHA256 of
DeviceAuthencation CBOR to avoid keeping the entire CBOR structure in
memory. To do this they need to calculate the derived key before
starting to build the CBOR so they need access to the signingKey
earlier on.

Bug: 150390415
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Merged-In: I72ad30ec3ccec0b8161cbea360ef8c9212f8cbbc
Change-Id: I95e28dd46b35bc31dec8d77ee14b5a1b3b5c0391
2020-03-09 15:45:21 -04:00
Selene Huang
ee37ee9252 Add attestation certificate generation and identity credential tags.
Bug: 149908474
Test: atest android.security.identity.cts.AttestationTest
Test: atest VtsHalIdentityCredentialTargetTest
Test: atest android.hardware.identity-support-lib-test
Merged-In: I18c5d05d806d4157c9dce42a398cc89421e26907
Change-Id: Ifaffef3606a6398613e33982ff5db81ade1af0b2
2020-03-09 12:30:11 -04:00
David Zeuthen
27cb4eb4da Identity: Statically link additional libraries in VtsHalIdentityTargetTest.
The problem was that VtsHalIdentityTargetTest was dynamically linking
libraries that (currently) only are pulled in by the default IC HAL
implementaiton. This caused linking problems when copying
VtsHalIdentityTargetTest onto a device a running it.

Fix this by only dynamically linking libbinder and libcrypto.

Bug: 150475275
Test: VtsHalIdentityTargetTest runs on a device without Identity Credential.
Change-Id: I4162cc81ade0373c31c96008f3a2bc95684fd2c2
2020-03-02 10:29:08 -05:00
David Zeuthen
e35797ffca Identity: Move signingKeyBlob from finishRetrieval() to startRetrieval().
The implementation of the Identity Credential TA in constrained
environments may need to incrementally update the HMAC-SHA256 of
DeviceAuthencation CBOR to avoid keeping the entire CBOR structure in
memory. To do this they need to calculate the derived key before
starting to build the CBOR so they need access to the signingKey
earlier on.

Bug: 150390415
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Change-Id: I72ad30ec3ccec0b8161cbea360ef8c9212f8cbbc
2020-02-27 14:31:57 -05:00
Selene Huang
459cb80866 Add attestation certificate generation and identity credential tags.
Bug: 149908474
Test: atest android.security.identity.cts.AttestationTest
Test: atest VtsHalIdentityCredentialTargetTest
Test: atest android.hardware.identity-support-lib-test

Change-Id: I18c5d05d806d4157c9dce42a398cc89421e26907
2020-02-21 16:02:26 -08:00