KeyMint.generateKey requires a challenge to be passed when a key
blob is also passed. The test missed this, and was thus failing on
compliant HALs.
Bug: 301223273
Test: keystore2_test
Change-Id: Icf7a32683c85d87fddd7d05ba07a110bb4e38c79
Define SerializedError wire type for convenience and type safety. It
does not change the rules of how errors are downcast to an i32.
Change operation outcome errors from Keymint ErrorCode to
SerializedError. This has an intended effect of binder errors being
reported to metrics as ResponseCode::SYSTEM_ERROR instead of
ErrorCode::UNKNOWN_ERROR.
Also update comments.
Bug: 298194325
Test: m
Change-Id: Ieff70245b776c38845c4f5142ab13d438ff79104
Removed `libkeymint_vts_test_utils` and its dependent libs from static
libs list and added only `libkeymint_vts_test_utils` in shared libs
list.
Test: m libkeystore2_test_utils; atest keystore2_client_tests; atest keystore2_test_utils_test;
atest keystore2_test
Bug: 194359114
Change-Id: Iab4b8c174af81a8c64a9f44fcd634d54f78773da
New devices will no longer have hwservicemanager installed as part of
HIDL deprecation. So this service must not crash when it's not found.
From keystore2's perspective, this is the same as not having the HIDL
Keymaster HALs installed.
Test: remove hwservicemanager from
device/google/cuttlefish/shared/device.mk && launch_cvd
Bug: 298454031
Change-Id: I4c7cefd388936aff821cff572a8af1b6f69f82d1
Also remove benign logging when there are multiple strong
biometrics.
Test: adb logcat on CF while adding/removing user/pwd
Change-Id: I777404d566990a4a604554133c0d87abba2200bc
These will soon be required by a lint.
Some functions were incorrectly marked as safe which were not actually
safe, so I've fixed those too.
Bug: 290018030
Test: m rust
Change-Id: I38df6a8162d430617f123ab1aace38b741458fce
Changes made in keystore2-client-tests to verify the key characteristics
of generated and imported keys.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I30c1fb2bdb1d69d321d356453d895db73347acde
KeyMint spec requires unique ID rotation to happen every 30 days (or
more precisely 2592000000 milliseconds) starting at UNIX epoch time.
Keystore is also supposed to set the RESET_SINCE_ID_ROTATION to indicate
"whether the device has been factory reset since the last unique ID
rotation".
However, instead Keystore sets RESET_SINCE_ID_ROTATION if there has been
a factory reset in the last 30 days counting back from now, which is
different and will give one extra UNIQUE_ID value in a subsequent
period:
For example, if there's a factory reset (marked as :) in the 3rd period
(periods delimited by |), the first half of the 4th period will have
RESET_SINCE_ID_ROTATION set and get a different UNIQUE_ID value than it
should:
Want = | A | B | C : C2 | D | ...
Get = | A | B | C : C2 | D2 : D | ...
Bug: 289774200
Test: keystore2_test
Change-Id: I156de902931915cd1ae7ad2eba63fd0276f15ae0
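The following is an added example, not keystore2 code, that models the two readings of RESET_SINCE_ID_ROTATION described in the commit above: "a factory reset within the last 30 days" (sliding window) versus "a factory reset since the last rotation boundary" (boundary aligned to the UNIX epoch). The function names, the `R` suffix used for the flagged bucket, and the sample timeline (one reset halfway through the third period) are my own; only the 2592000000 ms period comes from the text.

```rust
//! Added example: sliding-window vs. epoch-aligned RESET_SINCE_ID_ROTATION.

/// Rotation period from the KeyMint spec: 30 days in milliseconds.
pub const ID_ROTATION_PERIOD_MS: u64 = 2_592_000_000;

/// Index of the rotation period, counted from the UNIX epoch, that `now_ms` falls in.
pub fn rotation_period(now_ms: u64) -> u64 {
    now_ms / ID_ROTATION_PERIOD_MS
}

/// Start of the current rotation period, i.e. the most recent rotation boundary.
pub fn last_rotation_ms(now_ms: u64) -> u64 {
    rotation_period(now_ms) * ID_ROTATION_PERIOD_MS
}

/// The behaviour the commit calls wrong: "was there a factory reset in the last
/// 30 days counting back from now".
pub fn reset_since_rotation_sliding(reset_ms: Option<u64>, now_ms: u64) -> bool {
    match reset_ms {
        Some(r) => r <= now_ms && now_ms - r < ID_ROTATION_PERIOD_MS,
        None => false,
    }
}

/// The behaviour the spec wants: "was there a factory reset since the last
/// unique ID rotation", i.e. at or after the current period's start.
pub fn reset_since_rotation_aligned(reset_ms: Option<u64>, now_ms: u64) -> bool {
    match reset_ms {
        Some(r) => r <= now_ms && r >= last_rotation_ms(now_ms),
        None => false,
    }
}

/// Label for the unique-ID bucket a device lands in, mirroring the C / C2 / D / D2
/// notation in the commit: the period index, with an assumed `R` suffix when the
/// reset flag is set (a different flag value yields a different UNIQUE_ID).
pub fn unique_id_bucket(reset_ms: Option<u64>, now_ms: u64, aligned: bool) -> String {
    let flagged = if aligned {
        reset_since_rotation_aligned(reset_ms, now_ms)
    } else {
        reset_since_rotation_sliding(reset_ms, now_ms)
    };
    let period = rotation_period(now_ms);
    if flagged { format!("{}R", period) } else { period.to_string() }
}

/// Walks a constructed timeline: a reset halfway through period 2 (the third
/// period), sampled at five points. Returns (sliding, aligned) bucket sequences.
pub fn timeline() -> (Vec<String>, Vec<String>) {
    let p = ID_ROTATION_PERIOD_MS;
    let reset = Some(2 * p + p / 2);
    let samples = [
        2 * p + p / 4,     // period 2, before the reset
        2 * p + 3 * p / 4, // period 2, after the reset
        3 * p + p / 4,     // period 3, within 30 days of the reset
        3 * p + 3 * p / 4, // period 3, more than 30 days after the reset
        4 * p + p / 4,     // period 4
    ];
    let sliding = samples.iter().map(|&t| unique_id_bucket(reset, t, false)).collect();
    let aligned = samples.iter().map(|&t| unique_id_bucket(reset, t, true)).collect();
    (sliding, aligned)
}

fn main() {
    let (sliding, aligned) = timeline();
    println!("sliding (old behaviour): {:?}", sliding);
    println!("aligned (spec):          {:?}", aligned);
}
```

The sliding sequence reproduces the commit's "Get" line (period 3 is split into a flagged and an unflagged half, D2 then D), while the aligned sequence reproduces "Want" (period 3 is a single bucket D).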
Sync was incorrectly implemented for AuthRequest, allowing simultaneous
access to a Receiver from multiple threads despite it not being
threadsafe. Use a Mutex instead to do this safely.
Bug: 290018030
Test: m rust
Change-Id: I6f43f13d5f36bdbafc9bd910a1ebadbb1366009d
Remove get_declared_instances API as it is not a part of the target module - libkeystore2
Bug: 287588482
Test: ./keystore2_unsafe_fuzzer clusterfuzz-testcase-minimized-keystore2_unsafe_fuzzer-5127790852636672
Change-Id: I7513955783f4877496f721f52b92970887bbad41
This is just a copy of the OWNERS file in the parent directory with
only the members of the AHWS team filtered in, in the same order as the
parent file, except that eranm@ is added at the top of the list as
per go/atos-user-guide which says: First Owner in the OWNERS file should
be the person to triage the issues.
Bug: 288143537
Test: N/A
Change-Id: Ia9bb4773cb494e793ae3b4f0b18ebd90641051e2
The flag has been a default, and now is not accepted.
Test: Treehugger, m rust
Bug: 279198502
Bug: 276464273
Change-Id: I71ebcdbd3606c5dc55bf3454acfba9cc55ad85dd
- Generate RSA/EC attested keys with attestation of the device's
identifiers. Test should succeed in generating an attested key with
attestation of device identifiers. Test might fail on devices which
don't support device id attestation with error response code
`CANNOT_ATTEST_IDS or INVALID_TAG`.
- Try to generate an attested key with attestation of invalid device
identifiers. Test should fail with error response `CANNOT_ATTEST_IDS`.
- Test to make sure `CANNOT_ATTEST_IDS` error code is returned while
trying to generate a key on a device which doesn't support
`FEATURE_DEVICE_ID_ATTESTATION`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ib57c58d3ea89279eb69db342c3343b8d99ddc639
Various recent bugs would have been easier to investigate if the auth
tokens received by keystore were logged.
Test: adb logcat while lock/unlock
Bug: 285328437
Bug: 284802403
Change-Id: Ia955d344a2bb47820c0616cc1b9784f5fcbecb0a
The Rust liblog_event_list API used to silently ignore any errors
reported by liblog. aosp/2617613 attempts to make the operations
propagate the failure instead.
Note that this introduces a subtle behavior change: when *creating the
log record* fails, the API with Results does not allow submitting a
partially constructed log. Otherwise, the result of the write operation
is ignored as it was before.
Bug: 282691103
Test: m
Test: atest keystore2_test
Change-Id: I7c43100149b4ca831050af0a9229b95d2f7f8392
* changes:
Add tests for super_key.rs
Simplify control flow for user unlocking.
Remove unlock_user_key function
Separate logic for user reset, remove, and init
Separate hybrid key logic into a helper function.
Make super_encrypt_on_key_init inline
https://r.android.com/1971319 changed the return type of
rustutils::system_properties::read() from Result<String> to
Result<Option<String>>. But, read_keystore_crash_count() was not
correctly updated to handle the Ok(None) case. Consequently, the case
of "property doesn't exist" started being considered an error, and the
code intended to handle this case stopped being executed. Fix this by
correctly handling the return value.
Bug: 284163087
Test: Verified that the read_keystore_crash_count() error message is no
longer present in logcat at boot time, and
'getprop keystore.crash_count' shows 0.
Change-Id: I4b9ff16cba9e7500623dab7c3bc888cba0daf997
The new tests are focused on unlocking, resetting and removing a user.
The tests verify that keys are deleted when necessary and that the user
state transitions properly.
Bug: 280502317
Test: atest keystore2_test on cuttlefish
Change-Id: Idae5d99fb289045bb277ba6c93ab62cfd9aed6fb
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
Currently, super_key.rs exposes two functions to authorization.rs for
key unlocking:
- unlock_screen_lock_bound_key
- unlock_and_get_user_state
This change simplifies the key_unlocking logic to a single function,
unlock_user. This new function handles all of the unlocking logic and
functions more like a state machine than the previous code.
This change mainly improves readability. It tries not to change
functionality.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: Ib9a3e907cd40d34c5ecf2a869a65e403deda0254
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
This function is dead code. It has no callers.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: I4c7791f6944afb621afb2d67f4b7b7d4690ddd78
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
This does not change the behavior of keystore2. It is a readability
change.
Currently, super_key.rs exposes one function for resetting, removing,
and initializing users:
- reset_or_init_user_and_get_user_state
This change breaks this function into smaller parts:
- reset_user
- init_user
- remove_user
- get_user_state
This simplifies the code in super_key.rs and allows it to act more like
a state machine.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: I4e27b41a76a8b45ca2bae6daabe51f2a985c2efe
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
This code is complicated and should be moved to its own function.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: I0602a8229cdd149d4f9b42a96f446d2a17df1321
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
There's no reason to separate this function. It doesn't handle any
complicated logic and makes control flow more difficult to understand.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: Iafd31ae79a722910effaba98ac216d5b912dd348
1. Generate RSA key and grant it to a user. In user context load the
key using `EVP_PKEY_from_keystore` and perform sign and verify
operations.
[keystore2_perofrm_crypto_op_using_keystore2_engine_rsa_key_success]
2. Generate EC key and grant it to a user. In user context load the
key using `EVP_PKEY_from_keystore` and perform sign and verify
operations.
[keystore2_perofrm_crypto_op_using_keystore2_engine_ec_key_success]
3. Generate RSA key and grant it to a user. Re-encode the certificate
as PEM and update the certificate using `updateSubcomponents`.
In user context load the key using `EVP_PKEY_from_keystore` and
perform sign and verify operations.
Bug: 201343811
Test: atest keystore2_client_tests
Change-Id: I7dafd598f4198e11103cd11695b2f67636f24755
Attestation keys are now managed by RKPD. Remove support for attestation
keys in keystore DB.
Test: keystore2_test
Change-Id: Iad7d9297701364eba44bcc60b564c7c7e12b9aea
1. Try to list large number of aliases such that aliases list would
exceed the binder transaction size limit. Test should successfully
list the aliases using `listEntriesBatched` API.
2. Import keys from multiple processes having the same user context. Try to
list the aliases in all the processes with and without providing
`startingPastAlias`. Test should list aliases using
`listEntriesBatched` in all the processes using any of the alias as
`startingPastAlias` and match with expected list of aliases. Test
should also list all the aliases without providing
`startingPastAlias`.
3. Try to list aliases with empty keystore using `listEntriesBatched`
API. Test should successfully query the Keystore for aliases and
verify that keystore is empty.
4. Test to list aliases using domain as SELINUX using
`listEntriesBatched` API.
5. Import multiple keys in an app context and try to list the
aliases using imported keys' aliases as `startingPastAlias` and verify
that the retrieved list of aliases matches the expected list of aliases
in all the cases.
6. Try to list the key entries with domain SELINUX from user context
where user doesn't possess `GET_INFO` permission for specified
namespace. Test should fail to list key entries with error response
code `PERMISSION_DENIED`.
7. Try to list key entries with domain BLOB. Test should fail with error
response code `INVALID_ARGUMENT`.
8. Try to get the total number of keystore entries with domain SELINUX
from user context where user doesn't possess `GET_INFO` permission
for specified namespace. Test should fail to get the count with
error response code `PERMISSION_DENIED`.
9. Try to get the count of total number of entries in keystore with
domain BLOB. Test should fail with error response code
`INVALID_ARGUMENT`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I7dd52230cd602a1ae33e3f9f2a22d2dd2c447df7
Using the binder object we can directly get names of interfaces
rather than hardcoding the strings. This allows for lookup to be easier.
Test: atest keystore2_test and atest CtsKeystoreTestCases
Bug: 249096262
Change-Id: I74bc696b860e2c08286b1d5175378e8d44728858
This uses the getAllHalInstanceNames method to replace calls
to vintf and return the hal names to the code. Other callers
to this function will not need to change their inputs.
Test: atest keystore2_test && atest CtsKeystoreTestCases
Bug: 249096262
Change-Id: If23cf8ca4b9d1c8cb3675964475066728bfe789f
Fix for regression in aosp/2453685, this gets the
version of keymint that is on the device.
Test: atest keystore2_test
Bug: 275589241 276396649
Change-Id: I2afe1472a0a4e3c4f81379c589833285bb228811
The RkpPoolStats atom has been moved from keystore2 into rkpd, so
we no longer need to query it from keystore2.
Bug: 268247931
Test: presubmit
Change-Id: I285011ed29183e3008310be248ddeb8b9668ac01
Support for listing key entries in batches, so that a large number of
key entries, or entries with long key aliases, could be listed.
The list of key descriptors (which contain the key alias) is returned
to JCA from Keystore2 service via the Binder interface.
The size of a single Binder transaction is limited. Thus, we have run
into http://b/222287335 , where an app can create more Keystore2
keys than can be returned in a single Binder transaction. Effectively,
this prevents the app from listing the keys it generated at all.
This is solved by adding a method to the Keystore2 interface for
obtaining all the key descriptors whose alias is past a given value
(with the intention that this value is the last key alias from the
previous batch). Keystore2 already limits the number of entries
returned to a number estimated to fit under the Binder transaction size
limit. Together, this enables callers to receive the list of key
descriptors in batches.
Additionally, add a method to Keystore2 to return the total number of
key entries by querying the DB for the number of rows, rather than count
the number of entries returned (which may be truncated).
Bug: 222287335
Test: atest KeystoreTests
Test: atest CtsKeystoreTestCases:android.keystore.cts.AndroidKeyStoreTest
Test: atest keystore2_test
Change-Id: I4a8efef2303beadd2cf6db992833d87bf58d7aec
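Added example, not keystore2's implementation: a model of the batched listing contract described in the commit above, with a sorted in-memory set standing in for the DB, an assumed per-batch byte budget (`BATCH_BUDGET_BYTES`) standing in for the Binder transaction size estimate, and a constructed set of aliases. It shows the caller-side loop that feeds the last alias of one batch back as `startingPastAlias` for the next, a separate count that is not derived from the (possibly truncated) listing, and one caveat a caller depends on: a batch must always make progress, so an alias that alone exceeds the budget is still returned rather than stalling the loop. All function names are my own.

```rust
//! Added example: paginated alias listing keyed on "past this alias".
use std::collections::BTreeSet;
use std::ops::Bound::{Excluded, Unbounded};

/// Assumed per-batch byte budget (stand-in for the Binder size estimate).
pub const BATCH_BUDGET_BYTES: usize = 64;

/// Returns aliases strictly after `starting_past_alias` in byte order (the order a
/// sorted DB query would give), stopping before the alias that would exceed `budget`.
/// The first alias of a batch is always included so an over-long alias cannot stall
/// the caller's loop; an empty result therefore means "no more entries".
pub fn list_entries_batched(
    store: &BTreeSet<String>,
    starting_past_alias: Option<&str>,
    budget: usize,
) -> Vec<String> {
    let iter: Box<dyn Iterator<Item = &String>> = match starting_past_alias {
        Some(s) => Box::new(store.range::<str, _>((Excluded(s), Unbounded))),
        None => Box::new(store.iter()),
    };
    let mut out = Vec::new();
    let mut used = 0usize;
    for alias in iter {
        let cost = alias.len();
        if !out.is_empty() && used + cost > budget {
            break;
        }
        used += cost;
        out.push(alias.clone());
    }
    out
}

/// Total number of entries, taken from the store itself rather than by counting
/// what a (truncated) listing returned.
pub fn count_entries(store: &BTreeSet<String>) -> usize {
    store.len()
}

/// Caller-side loop: keeps asking for the batch past the last alias seen.
/// Returns all aliases in order plus the number of round trips it took.
pub fn list_all_aliases(store: &BTreeSet<String>, budget: usize) -> (Vec<String>, usize) {
    let mut all = Vec::new();
    let mut batches = 0;
    let mut past: Option<String> = None;
    loop {
        let batch = list_entries_batched(store, past.as_deref(), budget);
        if batch.is_empty() {
            break;
        }
        batches += 1;
        past = batch.last().cloned();
        all.extend(batch);
    }
    (all, batches)
}

/// Constructed sample: eleven short aliases plus one alias longer than the budget.
pub fn sample_store() -> BTreeSet<String> {
    let mut s = BTreeSet::new();
    for i in 0..10 {
        s.insert(format!("key{:02}", i)); // "key00".."key09", 5 bytes each
    }
    s.insert("app-signing".to_string());
    s.insert("x".repeat(100)); // exceeds BATCH_BUDGET_BYTES on its own
    s
}

fn main() {
    let store = sample_store();
    let (all, batches) = list_all_aliases(&store, BATCH_BUDGET_BYTES);
    println!("{} entries (count_entries = {}) in {} batches", all.len(), count_entries(&store), batches);
}
```

With the constructed store the first batch carries "app-signing" and key00..key09 (61 bytes), the second carries only the 100-byte alias, and the third is empty; `count_entries` reports 12 regardless of how the listing was truncated.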
These interfaces are deprecated and replaced by
android.security.rkp_aidl ones.
Bug: 273325840
Change-Id: I6f561d7c332fc3cc5921453b5bd5938154b700d0
Test: m
These interfaces are deprecated and replaced by
android.security.rkp_aidl ones.
Bug: 273325840
Test: m
Change-Id: I888ded721341ab6e6e89fe236c8fb0f7e6122b74
This CL replaces the usage of the core::slice::memchr function with
calls to std::iter::position.
Test: m keystore2_unsafe_fuzzer
Test: TH
Bug: 267698452
Change-Id: I33cab09176d0ff02ce092e240e887ece98728915
Aidl Instances can be gotten from the binder with
get_declared_instances.
Test: m keystore2 && m keystore2_unsafe_fuzzer
Change-Id: I36b4bdb8de6dd8abedf50d2026d1d841ce27c55d
The methods get_hal_names and get_hal_names_and_versions were not used.
Remove them.
Bug: 249096262
Test: m keystore2
Change-Id: I9967286cfad86071a914d959385519890d1adb30
keystore entry using `updateSubcomponent` API.
1. Try to update only the certificate-chain of the non existing
asymmetric key, test should succeed in creating a new keystore
entry with the given certificate-chain only.
2. Try to update only the public key of the non existing asymmetric
key, test should fail to update non-existing key certificate with
error response `KEY_NOT_FOUND`.
Bug: 267183713
Test: atest keystore2_client_tests
Change-Id: Iaf5c9b0e29eb59873493b330c0f1d36ec8337f88
long aliases.
Create 100 keystore entries with aliases of length 6000 chars and
list the aliases using `listEntries` API. Test should be able to
list all the Keystore entries aliases and match them with aliases
of the entries created by test. Test should successfully verify all
the aliases of Keystore entries it created.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I16d35dc1f053f8b60745e62185009397b987dfe7
In earlier revisions of the code, the RKPD client would wait indefinitely.
This model had an invariant guaranteeing that the receiver end of the
oneshot channel is always present when the sender is invoked.
With the introduction of timeouts, this invariant no longer holds. The
receiver can time out and be cleaned up. This patch makes SafeSender
tolerate this scenario.
Also, attempt to cancelGetKey() if corresponding request for a key times
out.
Bug: 269460851
Test: keystore2_test
Change-Id: I33d80af52b5ab15c2113a140a8bd2beedfe2ff4f
This catches bugs that could happen after main test thread completes.
Bug: 269460851
Test: keystore2_test
Change-Id: I0d723b04a95e83da8aaceb0748f5af0a9eab90e2
Test: Run and tested using `atest keystore2_test` for Rust test and CTS test with `atest CtsKeystoreTestCases`
Change-Id: Id53c870260e9757227f6cb5d57787796f60fe9d5
1. Verify that key agreement works with curves `P_224, P_256, P_384 and
P_521`. Test should generate KeyMint EC key with purpose `AGREE_KEY`
and OpenSSL EC key with same curve as KeyMint key. Perform local ECDH
between these two keys and verify that derived secrets are the same.
2. Verify that key agreement works with CURVE_25519 curve.
Test should generate KeyMint EC-CURVE_25519 key with purpose
`AGREE_KEY` and OpenSSL EC key with same curve as KeyMint key.
Perform local ECDH between these two keys and verify that derived
secrets are the same.
3. Verify that key agreement doesn't work when EC keys are using
different curves. Generate a KeyMint EC key using P_256 curve and
OpenSSL EC key using CURVE_25519. Try to perform a local ECDH between
these keys and operation should fail with `INVALID_ARGUMENT` error
code.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I3da7af09908d6828ad617c833469bbd786b09e8f
Now we'll get error codes bubbled up from rkpd (via the remote
provisioning system service). Convert those errors into meaningful
keystore errors so clients can act on them.
Test: keystore2_tests
Test: RkpdAppIntegrationTests
Test: CtsKeystoreTestCases:android.keystore.cts.KeyStoreExceptionTest
Bug: 264888027
Change-Id: Ib574fe4da0443f32f95f8579c4a308d36fe4b46f
- updateSubcomponent
- getSecurityLevel
1. Generate asymmetric key and update its public certificate and
certificate chain. Test should load the updated key and verify
whether its certificate and cert-chain are updated successfully.
2. Try to update non-existing key's public cert and cert-chain. Test
should fail to update with error response code `KEY_NOT_FOUND`.
3. Try to update the certificate in a grantee context which doesn't
possess UPDATE access permission for the specified key. Test should
fail to update with error response code `PERMISSION_DENIED`. Test
should also verify that the grantee context which possesses the `UPDATE`
access permission should be able to update the certificate
successfully.
4. Try to get `TRUSTED_ENVIRONMENT` security level instance. Test should
successfully get the instance.
5. Try to get `SOFTWARE` security level instance. Test should fail with
error response code `HARDWARE_TYPE_UNAVAILABLE`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I92635c6c1fafde4e1cd4f5654f0164e45c145961
- Grant a key to the user with DELETE access. Verify that grantee can
delete the granted key successfully.
- Grant a key to the user. In grantee context try to grant this key to
another user. Test should fail with `PERMISSION_DENIED` error
response to grant a key to another user from grantee context for
designated key.
- Try to grant a key to the user with `GRANT` access. Test should fail with
`PERMISSION_DENIED` error response code. Keystore2 system must
not allow `GRANT` permission to be granted.
- Try to grant a non-existing key to the user. Test should fail to grant
a key with `KEY_NOT_FOUND` error response.
- Grant a key to the user and ungrant it before the grantee can use the
granted key. In grantee context while trying to use the granted key
`KEY_NOT_FOUND` error response is expected.
- Try to ungrant a non-existing key. Test should fail with
`KEY_NOT_FOUND` error response.
- Grant a key to multiple users. All grantees should be able to access
the key and use it for crypto operation.
- Grant a key to two users with GET_INFO|DELETE permissions. In one of
the grantee contexts delete the key. In another grantee context when
it tries to access the granted key, it should fail with
`KEY_NOT_FOUND` error response.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I0bd6faeeaff2fa436413604dfbad67ea65dc8597