Commit graph

57 commits

Author SHA1 Message Date
nagendra modadugu
8414fb8556 keymaster: spec does not require that update produce output
Remove out of spec enforcement on the amount of data returned
by update, as this is not specified in the HAL.

Bug: 109771020
Test: yes it is
Merged-In: Ic41afbd01d51faf48d3c0fe090409ebcd257cc1e
Change-Id: Ic41afbd01d51faf48d3c0fe090409ebcd257cc1e
(cherry picked from commit 7b75f015a7)
2018-08-28 15:17:31 -07:00
Shawn Willden
e1e08f8dde Fix attestation test.
Bug: 77588764
Test: VtsHalKeymasterV4_0TargetTest
Merged-In: Ibe264d08ae7b3333a6949761a92759f5305b3fcb
Change-Id: Ibe264d08ae7b3333a6949761a92759f5305b3fcb
(cherry picked from commit d898d0a422)
2018-08-28 15:16:58 -07:00
Eran Messeri
ff29edcc71 Fixing Keymaster documentation.
Keymaster HAL documentation documents the bootPatchLevel as having
tag 718, while types.hal indicates the tag value for it is actually
719.

Test: N/A
Bug: 78104779
Merged-In: I0dde0b3c863081f2594e20466d8e82866a5f2d2e
Change-Id: I0dde0b3c863081f2594e20466d8e82866a5f2d2e
(cherry picked from commit ae8da1b70a)
2018-08-28 15:08:39 -07:00
Hung-ying Tyan
555cb5e13b Fix free() in keymaster VTS
The buffer is allocated by OPENSSL_malloc() in X509_NAME_oneline(name, nullptr, 0).
Should be reclaimed by OPENSSL_free() instead of free().

The patch is provided by vink.shen@mediatek.corp-partner.google.com

Bug: 109708231
Test: build pass
Merged-In: I66a864e3e28905eebac2e7d3a4517d4d5aaa39df
Change-Id: I66a864e3e28905eebac2e7d3a4517d4d5aaa39df
(cherry picked from commit 79db3ec849)
2018-08-10 00:48:32 +00:00
nagendra modadugu
bbe9263f85 Respect limited requirements for Strongbox KM implementations
With this patch the KM VTS test apply the restricted requirements on
supported key sizes, EC curves, and Digests to Strongbox keymaster
implementations.

Also amend tests to use Update().

Test: Yes it is
Bug: 74519020
Merged-In: Ibec9c3398671f81dbc0ecf78e554726276160579
Change-Id: Ibec9c3398671f81dbc0ecf78e554726276160579
(cherry picked from commit 3a7e2cade3)
2018-08-10 00:48:11 +00:00
TreeHugger Robot
8bac8dcba5 Merge "Minor corrections to the Keymaster4 documentation." into pi-dev 2018-05-31 16:49:10 +00:00
Shawn Willden
5b60a1b72e Minor corrections to the Keymaster4 documentation.
Gramatical and punctuation corrections; addition of missing
userSecureId to AuthorizationList schema and removal of extraneous
rollbackResistant from same; correction of OS_PATCHLEVEL source
property; and addition of missing TAG_UNLOCKED_DEVICE_REQUIRED
documentation.

Bug: 69550260
Test: N/A
Change-Id: I04092b7df3af69201ba1467cddc09f6f44e861a8
2018-05-30 16:20:48 -06:00
Shawn Willden
8d815f659d Fix default keymaster so it doesn't start an extra thread.
Bug: 80102279
Bug: 80251973
Test: N/A; this keymaster exists only for policy compliance. It's never used.
Change-Id: I45f0eefd9abdd02f6774aa52f238040510c5d62c
2018-05-24 20:52:11 +00:00
TreeHugger Robot
1f74538cdb Merge "Move Keymaster docs into HAL" into pi-dev 2018-05-24 02:11:43 +00:00
Shawn Willden
b20a5dd5d9 Move Keymaster docs into HAL
Bug: 69550260
Test: N/A
Change-Id: Ib135e4e4060f3a89480f6784b30e9008126b3b76
2018-05-23 18:26:42 -06:00
Shawn Willden
6dad2b3a4b Activate HMAC sharing check.
This had to be disabled because Qualcomm's keymaster4 returned a bad
value.

Bug: 77588764
Bug: 79698245
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: Ieb150d7f17c36f01acf2eeb665792594251b51ae
2018-05-23 05:44:42 -06:00
Shawn Willden
f0f05d4052 Add utility method to perform HMAC agreement
To make it easier for clients (vold & keystore) to perform key
agreement, this CL adds a service method that does it.  To make key
agreement consistent, this method sorts the HMAC sharing parameters
lexicographically.  The requirement for sorting is documented in the
HAL.

Test: Boot device
Bug: 79307225
Bug: 78766190
Change-Id: Idb224f27f8e4426281d9a0105605ba22bf7c7e95
2018-05-10 18:28:51 -06:00
Shawn Willden
86a33acfce Correct bug in HmacKeySharingTest
The key sharing test modified the seed in an invalid way.

Bug: 77588764
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I0b2ac90397a3f23258ebd4dddc5f6043af7b1600
2018-04-09 14:16:38 -06:00
Shawn Willden
44f8b71874 Correct import wrapped key golden keys.
The golden test keys didn't include TAG_NO_AUTH_REQUIRED, which causes
them to be rejected by strictly compliant implementations.

Bug: 77588764
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I5157537e5407618ddc37debf00486977abb00f99
2018-04-04 21:35:11 +00:00
TreeHugger Robot
a71ab794a6 Merge "Correct TripleDes tests." into pi-dev 2018-04-04 21:31:25 +00:00
Shawn Willden
08839105dc Correct TripleDes tests.
The TripleDes tests failed to set TAG_NO_AUTH_REQUIRED, which causes
operations to be rejected by strictly compliant implementations.

Bug: 77588764
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I25cd5ec0ccede2b148f5da4566b8e1e20e8edbde
2018-04-04 21:31:22 +00:00
nagendra modadugu
9c36c91945 keymaster: provide instance name to getService()
Bug: 38430282
Test: VtsHalKeymasterV3_0TargetTest pass with exception
  of (AesEcbWithUserId, RsaAttestation, EcAttestation)
  which are expected failures.

Change-Id: I48e7195f512190deb608f1a69783c92254eef1aa
2018-03-30 18:31:35 -07:00
Brian Young
3f48322658 Add "Unlocked device required" key API
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed

Bug: 67752510

Merged-In: Id19d19b19532ac8d4c52aad46a954faa4515289d
Change-Id: Id19d19b19532ac8d4c52aad46a954faa4515289d
(cherry picked from commit 1840be6d35)
2018-03-28 08:38:56 -07:00
nagendra modadugu
a63596436b Remove DES 112 tests, and speed up RSA keygen
Only DES3 is supported (168-bit), so remove
tests for 112-bit DES.

Also replace the RSA public exponent 3, with
65537 in most tests so that RSA key generation
is faster.

Change-Id: I9958df81fe46d752d82072dc6c7effa34b2921a8
2018-03-01 17:26:12 -08:00
Brian Young
f67e953919 Revert "Restore "Add "Unlocked device required" parameter to keys""
This reverts commit 97e02689d9.

Reason for revert: Regression in creating auth-bound keys

Bug: 73773914

Bug: 67752510

Change-Id: I8ccba28580099c4c533f53b0be92f1d607ce63c6
2018-02-23 01:31:40 +00:00
Brian C. Young
97e02689d9 Restore "Add "Unlocked device required" parameter to keys"
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

This reverts commit 95b60a0f41.

Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed

Bug: 67752510

Change-Id: I2893c23ab173ff5c39085d56b555e54770900cbc
2018-02-15 11:19:40 -08:00
Jorim Jaggi
62df80180b Merge "Revert "Add "Unlocked device required" parameter to keys"" 2018-01-30 15:36:28 +00:00
Brian Young
95b60a0f41 Revert "Add "Unlocked device required" parameter to keys"
This reverts commit 5fe872413b.

Reason for revert: Build breakages on elfin, gce_x86_phone.

Bug: 72679761
Bug: 67752510
Change-Id: I2857b2a9b6ff26735bd4989a36c5e5deb4953904
2018-01-30 15:31:19 +00:00
TreeHugger Robot
ea52a4d3b8 Merge "Add "Unlocked device required" parameter to keys" 2018-01-29 23:16:02 +00:00
Shawn Willden
98b998b59a Support library enhancements, to ease transition of vold to KM4
Keymaster clients need to see all the available devices and figure out
which they want to use.  This method finds them all and returns them
in a vector sorted from most secure to least, according to a heuristic
defined in Keymaster::VersionResult::operator<

This CL also makes a few other minor improvements to the support
library, providing more information in VersionResult and adding some
more convenience methods in AuthorizationSetBuilder.

Test: Build & boot
Change-Id: I876238ee9ff72573c30d60e1cec665dd610bcde6
2018-01-25 22:38:56 -07:00
Brian C. Young
5fe872413b Add "Unlocked device required" parameter to keys
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

Test: go/asym-write-test-plan

Bug: 67752510

Change-Id: I466dfad3e2e515c43e68f08e0ec6163e0e86b933
2018-01-25 10:18:21 -08:00
TreeHugger Robot
406406fb90 Merge changes from topic "tui_keystore"
* changes:
  Add Trusted Confirmation support to Keymaster HAL.
  Sort tags in keymaster_tags.h alphabetically
2018-01-25 17:31:38 +00:00
Shawn Willden
129629bde4 Add Trusted Confirmation support to Keymaster HAL.
Bug: 63928580
Test: VtsHalKeymasterV4_0TargetTest

Change-Id: I402be6f182f7f375493334d5e000fec23f3551f6
2018-01-24 10:19:10 -08:00
Janis Danisevskis
83509cd758 Sort tags in keymaster_tags.h alphabetically
Test: No functional changes
Change-Id: I49c5632b5dae1f24634e99eb71a9471e91275fbd
2018-01-24 10:19:10 -08:00
Steven Moreland
12372db498 Merge "Update makefiles." 2018-01-23 22:37:32 +00:00
Steven Moreland
5d1e41a8fd Update makefiles.
Bug: N/A
Test: N/A
Change-Id: Idb1d74aeed9b82ca6568c76f35552f3fcc894239
2018-01-23 19:44:19 +00:00
Shawn Willden
b9be9ded26 Add support for BOOT and VENDOR patch levels to keymaster.
Bug: 68250869
Test: Manual.  VTS testing is not possible.
Change-Id: Ifa2025ce31592dbeb274ee3a2c300a7de416ae1f
2018-01-23 10:21:06 -07:00
TreeHugger Robot
af4d761cf5 Merge "Add additional parameters to importWrappedKey" 2018-01-22 20:18:17 +00:00
TreeHugger Robot
e541981ac2 Merge "Add VerificationToken tests." 2018-01-20 03:25:18 +00:00
Shawn Willden
8d28efa9b8 Add additional parameters to importWrappedKey
Bug: 31675676
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I31166d0c562d92bbdcf3357782ac2a076a1bc2d9
2018-01-19 20:09:05 -07:00
Shawn Willden
4fbc1d574b Add VerificationToken tests.
Bug: 70409878
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I5458729ef8c3494f45fe8274b391133b997d43f2
2018-01-20 02:54:23 +00:00
TreeHugger Robot
dec9b4480d Merge "Specify SecurityLevel::SOFTWARE in default keymaster 4.0 service." 2018-01-19 22:49:27 +00:00
Shawn Willden
256929827a Move KeyParameter operator== to support lib.
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I4b71a9fbd986c1bd1001e3ab49de5d360b303b27
2018-01-19 09:44:11 -07:00
Shawn Willden
3d9433268f Add HMAC key sharing tests
Bug: 70409878
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: I9da12a70ce04f606980b5c8bec8deaeaa318bf81
2018-01-18 21:35:54 -07:00
Shawn Willden
252233df69 Refactor VTS tests a bit, to enable adding tests in separate files.
Bug: 70409878
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: Idd147d20761e7123005b468841a2ddb46cc19576
2018-01-18 21:35:49 -07:00
Shawn Willden
163063e15b Merge "Fix build breakage" 2018-01-19 02:20:37 +00:00
TreeHugger Robot
a7c5a47d64 Merge "ImportWrappedKey: preliminary VTS tests" 2018-01-19 02:14:56 +00:00
Shawn Willden
0555ddd6ba Fix build breakage
Previous CLs to move keymaster wrappers broke the build (but somehow
not in my tree, nor in TreeHugger's build).

Test: Build
Change-Id: I0494e1e38ee7e8806f3758d533b6b1e3a6c576d1
2018-01-18 19:12:53 -07:00
Frank Salim
ad57fa93fb ImportWrappedKey: preliminary VTS tests
• Happy-path import
• Masked
• Wrong mask
• Wrong Purpose

Bug: 63931634

Test: data/nativetest/VtsHalKeymasterV4_0TargetTest/VtsHalKeymasterV4_0TargetTest --hal_service_instance=android.hardware.keymaster@4.0::IKeymasterDevice/strongbox
Change-Id: Ie7948bca25ee4840d179fb879b054755199c96d9
2018-01-18 17:32:35 -07:00
Frank Salim
16350c9efc Specify SecurityLevel::SOFTWARE in default keymaster 4.0 service.
Test: it compiles

Change-Id: I0ae85000c802dd375f0c7d66c7c9c71b143107aa
2018-01-18 14:41:20 -08:00
Shawn Willden
7d339812c9 Move Keymaster wrapper into support library.
This wrapper was used to manage KM3/KM4 compatibility in keystore.
It's also needed in vold, so this CL moves it here, to make it usable
for vold.

Test: keystore CTS tests
Change-Id: I8079b8577f7d4a8fd67f47fbe1f48861e4a0734b
2018-01-18 15:39:50 -07:00
Shawn Willden
8823a4415c Add support for 3DES algorithm to Keymaster.
Test: VtsHalKeymasterV4_0TargetTest
Bug: 31675676
Change-Id: I68a67b78979002a38e92454f79715ed516026889
2018-01-17 14:15:38 -07:00
Shawn Willden
2d6b39d034 Add Trusted User Presence support to Keymaster HAL.
Test: not yet
Change-Id: I99451cb6e21b577281bd7a889e1a44db7b26525f
2018-01-10 22:52:12 -07:00
Shawn Willden
a6eb3faeb5 Remove references to Keymaster::3.0 from Keymaster::4.0
Test: VtsHalKeymasterV4_0TargetTest
Change-Id: Idf627a3d7a51d2a464bd1723a32e88f43969bf45
2018-01-04 15:05:36 -07:00
Janis Danisevskis
c0af94ad84 Merge "Fix typos in KM4 interface definition documentation" 2018-01-02 17:36:26 +00:00