Also replace libfutures with libtokio, as the former doesn't have
support for timeouts.
Bug: 264921138
Test: keystore2_test
Change-Id: I97c9749e93b2d001afe5d17bda8c665f884b0e05
Add a second, read-only build flag indicating that rkpd is enabled.
This flag is not server controlled, and thus cannot be disabled.
Platforms, such as cuttlefish, are RKP only, and are using a new
version of keymint that is not compatible with the old
RemoteProvisioner. Therefore, we must ensure that the configuration
is fixed and cannot be turned off.
Bug: 266482839
Test: RemoteProvisionerUnitTests
Test: keystore2_client_tests
Test: RkpdAppUnitTests
Change-Id: Id61c704a8beca2ad7b5b9bee9433cc4e11964299
More OUT_OF_KEYS errors are coming, and the old "OUT_OF_KEYS" is a
bucket for all transient errors. Rename the enum to better indicate
this.
Also rename OUT_OF_KEYS_REQUIRES_UPGRADE to
OUT_OF_KEYS_REQUIRES_SECURITY_PATCH. This better indicates that
system is potentially vulnerable (rather than simply running old code).
Test: keystore2_test
Change-Id: I1f2d803529c3e43592536016a9261e2294b42bb5
In case the number of key descriptors and their content exceeds the
binder transaction size limit, only return a subset that does fit.
This is a temporary fix - long-term fix is to introduce new API that
lets the caller specify the range of aliases to be fetched.
Bug: 222287335
Test: Manual: Generate 100 keys with a 6k characters name each.
Change-Id: I5e8543a25dd9f1bb504fbc23f35779da0a0153b0
`extern crate` makes it harder to keep track of dependencies, so we
prefer to import macros explicitly instead.
Bug: 261037227
Test: m keystore2_unsafe_fuzzer
Change-Id: I0ec95e9343a05c8f61c2cdca3ba601bae97c9187
- Generate a key and delete it using keystore2 service `deleteKey` API.
Test should delete the key successfully.
- Try to delete a non-existing key with keystore2 service `deleteKey`
API. Test should fail to delete a key with an error response code
`KEY_NOT_FOUND`.
- Try to delete a key with domain `BLOB` using keystore2 service
`deleteKey` API. Test should fail to delete a key with an error code
`INVALID_ARGUMENT`.
- Generate a key with domain `BLOB`. Delete the generated key using
underlying security level `deleteKey` API. Test should successfully
delete key blob.
- Try to delete a key with domain `BLOB` without providing key-blob.
Test should fail to delete a key with an error code
`INVALID_ARGUMENT`.
- Try to delete a key with domain `APP` using underlying security level
`deleteKey` API. Test should fail to delete with an error code
`INVALID_ARGUMENT`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I8233ef79b33daff868ad9767903169dc21f4906e
1. Remove helper functions for binders. Just do the work in the binder
function (reducing layers).
2. Stop returning Result from new_native_binder. Those functions have
no failure paths.
3. Add some debug logs
Test: keytore2_test
Change-Id: I99aeeefec1e39891a124e1eb02f5a19f7188ca76
- Don't specify a BlockMode for RSA operations.
- Don't set ATTESTATION_APPLICATION_ID from the client; keystore will
fill this in itself whenever an ATTESTATION_CHALLENGE is present.
- Rename `has_trusty_keymint` to `has_default_keymint`, as it has
nothing to do with Trusty.
- Allow wider ranges of error codes.
Bug: 197891150
Test: keystore2_client_tests
Change-Id: I17d4eff724c554cbd89dfcc0a4e3ec7beb4e08db
Since these tests perform actual binder interactions with rkpd, we
need to spin up the binder thread pool so that the callbacks have
a thread to run on.
Test: keystore2_test
Change-Id: If0f67661f915798722d2bf7f9c5072887048cae8
Update keystore2 to pass a callback for receiving success/failure from
the storeUpgradedKeyAsync API.
Test: keystore2_test
Bug: 262748535
Change-Id: Ifbae48b697267d05baa83d7d1e42569c7db694b5
Move boilerplate for the sender code into a helper type. This moves
all the mutex unwrapping and optional checking into one spot, cleaning
up the call sites.
Test: keystore2_test
Change-Id: I517e091047d11d4ecca73026e5ee288878658fa3
- Build ASN.1 DER-encoded wrapped key material `SecureKeyWrapper`.
Import the wrapped key material. Test should create DER-encoded
wrapped key material and import the secure key successfully.
Imported key should be used perform crypto operation successfully.
- Build ASN.1 DER-encoded wrapped key material `SecureKeyWrapper` with
invalid AAD. Try to import the wrapped key material. Test should
create DER-encoded wrapped key material. Test should fail to import
the secure key with error code `VERIFICATION_FAILED`.
- Import wrapped AES key and use it for crypto operations. Test should
import wrapped key and user it for performing crypto operations
successfully.
- Import a key wihtout WRAP_KEY purpose and try to use it as wrapping
key while importing wrapped key. Test should fail to import wrapped
key with an error code `INCOMPATIBLE_PURPOSE`.
- Try to import wrapped key using non-existing wrapping key in Android
keystore. Test should fail to import wrapped key with an error code
`KEY_NOT_FOUND`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ic9ed03b6f945bd41c4873f97a84c1658c284e918
Needed to upgrade bindgen from 0.59.0 to 0.63.0. Resolves the
following errors:
//#[path = "../../../src/options.rs"]
//mod options;
error[E0432]: unresolved import `keystore2_apc_compat_bindgen::size_t`
--> system/security/keystore2/apc_compat/apc_compat.rs:22:82
|
22 | abortUserConfirmation, closeUserConfirmationService, promptUserConfirmation, size_t,
|
^^^^^^ no `size_t` in the root
error[E0412]: cannot find type `size_t` in this scope
--> system/security/keystore2/apc_compat/apc_compat.rs:79:23
|
79 | tbs_message_size: size_t,
| ^^^^^^ not found in this scope
error[E0412]: cannot find type `size_t` in this scope
--> system/security/keystore2/apc_compat/apc_compat.rs:81:30
|
81 | confirmation_token_size: size_t,
| ^^^^^^ not found in this scope
error[E0412]: cannot find type `size_t` in this scope
--> system/security/keystore2/apc_compat/apc_compat.rs:181:37
|
181 | extra_data.len() as size_t,
| ^^^^^^ not found in this scope
Test: Treehugger
Change-Id: I848f481627f3c14caa6252eee6b5dd40d2f58eed
This makes a java defaults and catches a few
places where the files were not updated
to use the default latest library version
Test: Run and tested using `atest keystore2_test` for Rust test and CTS test with `atest CtsKeystoreTestCases`
Change-Id: I2b67e482f341405e2aa23d53535e8b3d0b41cfab
On older devices, keystore will not publish the remoteprovisioning
service. Add a log message so it's obvious when this happens instead
of silently swallowing errors.
Test: local build + logcat
Change-Id: Ic15f4574da86031a56f6d7c8a8339d364d9cc7b9
Test: Run and tested using `atest keystore2_test` for Rust test and CTS test with `atest CtsKeystoreTestCases`
Change-Id: Ic8e62f1c5d19c6203945fefeb18b066bf8a32ed7
This error occurs when there are no attestation keys to give
and is not a true error. In meeting it was decided that the
RKP keys being empty is fine and the only time to warn when
we are on an RKP only device.
Test: Run and tested using `atest keystore2_test` for Rust test and CTS test with `atest CtsKeystoreTestCases`
Bug: 241924261
Change-Id: I234493522ac59babad1a5dd315d7070eab9da3b9
- Test to import a RSA key and validate imported key parameters.
Perform an operation using imported key. Test should be able to
import the key and complete the operation successfully.
- Test to import a RSA key without specifying key size and public
expenent. Determine key-size and public exponent from key material.
Validate imported key parameters. Perform an operation using imported
key. Test should be able to import the key and complete the operation
successfully.
- Test to import a RSA key with incorrect key-size as import key
parameter. Test should fail to import a key with an error code
`IMPORT_PARAMETER_MISMATCH`.
- Test to import a RSA key with incorrect public exponent as import key
parameter. Test should fail to import a key with an error code
`IMPORT_PARAMETER_MISMATCH`.
- Test to import a RSA key with multiple pursposes [SIGN and ATTEST_KEY]
as import key parameters. Test should fail to import a key with an
error code `INCOMPATIBLE_PURPOSE`.
- Test to import a EC key without specifying curve. Determine ec-curve
from key material. Validate imported key parameters. Perform an
operation using imported key. Test should be able to import the key
and complete the operation successfully.
- Test to import a EC key with incorrect ec-curve as import key
parameter. Test should fail to import a key with an error code
`IMPORT_PARAMETER_MISMATCH`.
- Test to import a AES, 3DES and HMAC keys. Validate imported keys
parameters. Perform operations using imported keys. Test should
be able to import the key and complete the operation successfully.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ib90c05b93929b8b0e1d4cb9542f5b8493a116c39
`SYSTEM_ERROR` while loading attest key.
While loading attest-key if it fails to find its blob or cert
then `INVALID_ARGUMENT` error reponse is returned instead of
`SYSTEM_ERROR`.
Bug: 254703846
Test: atest CtsKeystoreTestCases; atest keystore2_client_tests
Change-Id: Ie0d75c3bd99057b4c775e9c8f9dd91385cd6db81
- Generate EC/RSA attestation keys and use it for signing RSA and EC
keys. Test should be able to use the attest keys for signing the
generated keys successfully.
- Generate EC-CURVE_25519 attestation key and use it for signing RSA
key. Test should be able to generate RSA key with EC-CURVE_25519 key
as attestation key.
- Generate an asymmetric key which doesn't possess ATTEST_KEY purpose.
Use this key for attesting asymmetric key. It should fail to generate
key with incompatible purpose error.
- Generate a symmetric key. Try to use this symmetric key as attestation
key while generating asymmetric key. It should fail to generate a key
with system error.
- Try to generate symmetric key with valid attestation key,
attstation-challenge and attestation-app-id. Test should generate a
key without attestation record.
- Try to generate RSA/EC attestation keys with multiple purpose. Test
should fail to generate keys with incompatible purpose error code.
- Generate an attestation key and try to use it for signing a key
without providing attestation challenge. Test should fail with missing
attestation challenge error.
Note: These tests are executed on devices where
`android.hardware.keystore.app_attest_key` feature is enabled, otherwise
tests are skipped.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I4228dc5fe5e207995472c3425d5f2696ef95249f
This changes the error logs to show the file and line number instead of
naming a specific a function where the error originated. In some cases
the function name is kept where it made sense for readibility of the
logs.
Test: Run and tested using `atest keystore2_test` for Rust test and CTS test with `atest CtsKeystoreTestCases`
Bug: 241924261
Change-Id: I2ea970dd83e18033506555f2726c716626697cdf
Debug implementation was changed in https://android-review.googlesource.com/c/platform/frameworks/native/+/2239178.
This changes how enums made with declare_binder_enum are displayed by default. The updated strings print the Debug
implementation for the enum and check the values against that.
Test: Tested using `atest keystore2_test`
Bug: 252968848
Change-Id: I86a124432f83116b87c9b40c023851fac4030fb8
Added macros to generate test code for RSA and EC keys use cases.
Test cases are split to run them in distict test cases to avoid
timeout issues. Limiting RSA and EC each test cases to generate only
one key and perform an operation.
Bug: 242356276
Test: atest keystore2_client_tests
Change-Id: I2841734f329afb0005727da26cc5b9ff532b9e73
apc_compat module updated to support confirmationui AIDL service without
altering the existing behavior with HIDL service. Higher precedence is
given to AIDL service.
Bug: b/205760172
Test: Run confirmation UI test using CTS Verifier
Change-Id: I0fac9b3a7ea0d4d63cb76111ccd95d52b10a047e
Runs the formatting command and adds a directory formatter
to the keystore2 for standardized directory formatting.
Test: Formatting change
Change-Id: I56230f57dcfd3e48c7c9e39e1362bb67ebc7862e
Runs rustfmt on keystore2 to standardize formatting changes.
Test: Formatting change so no test needed
Change-Id: I24208f8fe91e6b15108eef0ff5264a3f086497e4
The test tries to create a race condition: It creates an operation
and starts two threads, each trying to use the operation repeatedly
until it gets `OPERATION_BUSY` or finishes successfully.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ib3549d6bcad4e24bf621960f0f399481bf2da7c7
- Generate HMAC keys with digest modes [SHA1, SHA_2_224, SHA_2_256,
SHA_2_384, SHA_2_512], should be able to create operations using
generated keys successfully.
- Try to generate HAMC keys with key size in the range 0..513. For
invalid key size, key generation should fail with an error code
`UNSUPPORTED_KEY_SIZE`.
- Generate HMAC keys with min-mac-lengths in the range 0..257. For
invalid min-mac-length, key generation should fail with an error
code `UNSUPPORTED_MIN_MAC_LENGTH`.
- Try to generate HMAC key with multiple digest modes, key generation
should fail with an error code `UNSUPPORTED_DIGEST`.
- Try to generate HMAC key without providing digest mode, key
generation should fail with an error code `UNSUPPORTED_DIGEST`.
- Try to generate HMAC key with digest mode `NONE`, key
generation should fail with an error code `UNSUPPORTED_DIGEST`.
- Generate HMAC key with min-mac-length of 128 bits and digests
[SHA1, SHA-2-224], try to create operations with mac-len greater than
digest lengths. Test should fail to create an operation with an error
code `UNSUPPORTED_MAC_LENGTH`.
- Generate HMAC key with min-mac-length of 128 bits and digests
[SHA1, SHA-2-224], try to create operations with mac-len less than
min-mac-length. Test should fail to create an operation with an error
code `INVALID_MAC_LENGTH`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I594c9718b0f6a67f2655faca4bf100abf2ced3a3
Choose the strategy for generating the boot level key from a property,
if present, instead of looking at KM versions.
Bug: 241241178
Test: set property on Cuttlefish, check logs for strategy used.
Change-Id: I2c7a6fb2c6471ab4a7cb7f650791930f41068bfa
- Generate 3DES keys with block modes [ECB, CBC] and padding modes
[NONE, PKCS7]. Should be able to create operations successfully
with these generated keys.
- Try to generate a key and create an operation with invalid inputs, it
should fail with proper error codes
- with unsupported key size
- with unsupported padding mode
- with padding mode NONE and input text whose length isn't a
multiple of the DES block size
- with unsupported blockmode
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ida98fd2e6f9b7ba84b8beba9ea979d5aeb2240ee
Updated to return `INVALID_ARGUMENT` instead of `PERMISSION_DENIED`
response code when domain is other than `APP` or `SELINUX`.
Added tests to validate `listEntries` API with valid domains `APP and
SELINUX` and invalid domains like `BLOB`.
Bug: 239719010
Test: atest CtsKeystoreTestCases; atest keystore2_client_tests;
Change-Id: I7d10c13342ca5719682e371e428fa42f992ba07d
Separated out the tests based on functionalities and created a separate
modules without modifying the existing test cases.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ifc93b3ce69817469d1d5f01844c623f5209e2b62
- Generate AES keys with block modes [ECB, CBC] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with these
generated keys.
- Generate AES keys with block modes [CTR, GCM] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with padding
mode NONE. With PKCS7 padding mode creation of an operation should
fail with incompatible padding mode.
- Try to generate a key and create an operation with invalid inputs, it
should fail with proper error codes.
- with unsupported key size
- with GCM block mode without providing min-mac-length
- with multiple block modes
- with multiple padding modes
- with incompatible padding modes
- with incompatible block modes
- with missing mac-length
- with invalid mac-length
- with unsupported mac-length
- With AES-CBC-PKCS7 key without `CALLER_NONCE` authorization, Try to
set nonce while creating an operation.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ibf1b8460317b4c99d9060d5889c8b3778a80ca5b
- Generate RSA signing keys with combinations of digest modes [NONE,
MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512] and padding
modes [NONE, RSA_PKCS1_1_5_SIGN, RSA_PSS]. Should be able to
create operations using these keys except in below cases.
- when padding mode is RSA_PSS and digest mode is NONE
- when padding mode is NONE and digest is other than NONE.
- Generate RSA encrypt/decrypt keys with OAEP padding mode, combinations
of digests [MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512] and
mgf-digests [MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512].
Should be able to create operations with these generated keys
successfully.
- Generate RSA encrypt/decrypt keys with combinations of padding modes
[NONE, RSA_PKCS1_1_5_ENCRYPT, RSA_OAEP], digests [NONE, MD5, SHA1,
SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512]. Should be able to create
operations with these generated keys successfully except in below case
- with padding mode RSA_OAEP and digest mode NONE an error is
expected.
- Generate RSA encrypt/decrypt keys with padding modes [NONE,
RSA_PKCS1_1_5_ENCRYPT, RSA_OAEP] and without digests. Should be able
to create operations with these generated keys successfully.
- Generate RSA keys without padding modes and digest modes. Creation of
an operation should fail with unsupported padding mode error.
- Tests to validate failure of generating RSA keys with incompatible
purpose, unsupported purpose, unsupported padding mode, unsupported
digest and unsupported key sizes.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I16843932cc170d0e820208f558587aacf13b9272
Currently software-emulated keys do not have any update mechanism. Any
software key that is created in previous versions cannot be used once
the device is upgraded. With this change, keys now can be upgraded and
used by the latest keystore.
Change-Id: Ic791baeedd7775df7eafca405440e645b19ec2bc
Test: TreeHugger
Fixes: 223376764
- Test to verify that Domain::KEY_ID is not allowed for generating
a key. Try to generate a key with domain as KEY_ID and expect an
error.
- Test to find key entry with domain as KEY_ID.
Generate a key and load it with domain as KEY_ID. Test should be
able to create an operation using the key loaded with domain as
KEY_ID.
- Generate a key with an alias. Generate another key and bind it with
same alias. Verify that originally generated key no longer exists
and report an error if we try to use it.
- Generate a key with an alias. Load the generated key with domain
KEY_ID. Generate another key and bind it with same alias. Verify
that originally loaded key no longer exists and report an error
if we try to use it.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ibfe237181311decf5f6f00dc222d5cd124e4ac11
Microdroid payloads use diced to access their secrets and BCCs. The
open_dice_cbor then gives them safe rust bindings to open-dice to
process them. There's a dependency on ZVec which pulls in
libkeystore2_crypto.
Test: build, TH
Change-Id: I402a9a416d7b0e0eed2e268495b148e5669e5c52
This buffer time is how far into the future keystore looks to mark
a key as "old" and needing deletion.
The old buffer time was only 20 seconds, which may not even be enough
for very slow network (where round trips and retries could take
minutes).
Test: keystore2_test
Change-Id: I27869458ec66e546b42fe344bbdffd32881c84e7
Test 1: Should fail to generate a key with domain not listed
in keystore2::Domain.
Test 2: Should fail to generate a EC key without providing curve.
Test 3: Should fail to generate a EC key with 25519 curve having
sign and agree_key purposes.
Test 4: Generate a EC keys with `NONE, MD5, SHA1, SHA-2 224,
SHA-2 256, SHA-2 384 and SHA-2 512` digest modes and P_224,
P_256, P_384, P_521 ec curves combinations. Should be able
to create operations with these keys successfully for all
digest modes except NONE and MD5.
Test 5: Generate a EC key with curve CURVE_25519 and digest mode NONE.
Should be able to create an operation with digest mode NONE.
Test 6: Generate a EC keys with curve CURVE_25519 and digest modes
`MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
combinations. Creation of an operation should fail with
unsupported digest error.
Test 7: Should fail to create an operation with incompatible digest
mode in key authorizations.
Test 8: Test for key owner validation. Generate a key in one user and
try to use it in another user context where it should fail to
load the key as it doesn't own the key generated by prior user.
Test 9: Generate a key with Domain::BLOB. Verify that key descriptor
holds the key blob. Try to use this key to perform an operation
successfully.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I8b923cfdd9dbd50d1ebaab03560e9378ede7cdee
- Test to verify grant API with invalid access vector, it is expected to
fail with proper error code.
- Test to verify grant API with empty access vector, it is expected to
succeed granting a key with empty access vector. In grantee context
while trying to use this key permission denied error is expected.
- Test to verify grant API with valid access vector, it is expected to
successfully grant a key. Grantee should be able access the key and
use it according to granted key permissions.
Bug: 236253306
Test: atest keystore2_client_tests
Change-Id: I20dc31b0e4f888f2bf740f84e3bb7b0e97a1bb52
Keystore2 previously did not process the DEVICE_UNIQUE_ATTESTATION tag.
This was an unnecessary step when there was no ability to select the
attestation key provided to the backing Keymaster instance. Now,
however, Keystore2 does need to process generateKey requests for this
tag. This is because it will pass in an RKP key by default and append
those certificates to the result if RKP is present.
This change alters Keystore2 behavior during attestation key selection.
If the DEVICE_UNIQUE_ATTESTATION tag is present, it will no longer
attempt to select an RKP key and will instead pass nothing in the
attestKey argument for KM.
Bug: 234413909
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Change-Id: Ib81fb65570a4e9eb7e7b051f9791071ee78dc02f
Verify that the clients (for ex: clients with `vold` context) with
`req_forced_op` permission are allowed to create forced (unpruneable)
operations otherwise the creation of forced operation is denied.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I73d85ac127274e623095e233368b0211f6738d6e
The usage of unique device identifiers is enforced via Android system
permission, not SELinux policy.
Mark the USE_DEV_ID SELinux policy as unused.
Bug: 235987410
Test: atest keystore2_test
Change-Id: I89e61eaf5d1f708e3ce10a90cf33d90946009201
For any Domain value other than APP, SELINUX, GRANT and KEY_ID it is
updated to return response code as ResponseCode::INVALID_ARGUMENT
instead of ResponseCode::SYSTEM_ERROR.
Bug: 232022823
Test: atest keystore2_client_test; atest CtsKeystoreTestCases
Change-Id: I48314558fb2e77636fa99f42f8326fa99f719a4f
Creating n number of operations from same owner. Expecting creation
of all operations should be successful without any error. Whenever all
operation slots are full older operations are expected to be pruned.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I9d231658e77cb10f67cfd248072bde0755c1660d
In https://android-review.googlesource.com/c/platform/system/security/+/1698833
we added a check only for client keys. However, this means that on application
deletion only the keystore keys related to the application are unbound and the
attestation keys get orphaned.
Through this change, I am planning to unbind the attestation keys related to
the application as well.
Change-Id: I1c9d1ac6d6943cc53f5d74653e3da72cd4f2adf7
Test: atest keystore2_test
BUG: 232534682
- Forced operation creation with all slots filled with normal operations
- Forced operation creation with all slots filled with forced operations
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I493ea1c25d09597c44add430a20b5ca9c983e8d3
Added SPDX-license-identifier-Apache-2.0 to:
keystore2/tests/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: I816f5ba7db5e359b97f1bd0222ca43eebacfc4d1
Creates multiple child procs and creates opearations in it and
parent proc waits for all child procs operations status, expects
one or more opearations to fail with backeend busy error.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I52f95a7cfd031d80c88bfc2ca478a26572f40150
A rust_defaults "keystore2_use_latest_aidl_rust" that includes the latest
Keystore2 AIDL library. Modules that depend on Keystore2 directly can include
this rust_defaults to avoid managing dependency versions explicitly
Test: Compile
Change-Id: Iabe9af743c4ceb787db42ff7cc619bab97ec55c4
Bug: 230750270
Test: Local testing with statsd TestDrive script
Ignore-AOSP-First: This targets T and will be cherry-picked to AOSP later.
Change-Id: I8490e31df4a111ff6787ea67dd8a170b410566df
(cherry picked from commit d675e225a7)
To allow for testing, read the rkp_only properties every time instead
of caching the value. This allows the RemoteProvisioner tests to alter
the property, moving the device in and out of rkp-only mode.
Test: RemoteProvisionerUnitTests
Bug: 27306369
Change-Id: If9a616fd36095175f4aea07c897c67a11eb04bcf
A value for the salt is present in all code paths:
- All callers of `Password::derive_key` pass a `Some(..)` value for the
salt. Remove this `Some` everywhere and...
- Change the signature of `derive_key` to expect a `&[u8]` for `salt`
rather than an `Option<&[u8]>`.
- `Password::derive_key` is the only caller of `generateKeyFromPassword`
(via bindgen to C++-land), so...
- Make it clear that the C++ `generateKeyFromPassword()` function
expects 16 bytes of `salt`.
Bug: 172121323
Test: compile, TreeHugger
Change-Id: I41966cce96b5371785680c13bacfc5f95969372a
An empty key pool should not allow fallback to the batch key if the
vendor indicates the system is rkp only.
Additionally, if the system is misconfigured (e.g. marked as rkp only
and has no remotely provisioned component hal) then we should insist
on checking RKP keys anyway. This will result in the given system
always returning OUT_OF_KEYS, which will fail various tests.
Test: keystore2_test
Test: RemoteProvisionerUnitTests
Bug: 227306369
Change-Id: I027bc56ff167abf99b18be01dccf05f90dd07f2a
The wrong tag was included in the km_compat layer filter code for
key generation tags. This prevented the INCLUDE_UNIQUE_ID tag from
being passed to keymaster, breaking unique id attestation on platforms
with keymaster (keymint functionality was correct).
Test: KeyAttestationTest
Fixes: 228851969
Change-Id: I81ef55bb92c9869102a741e64375b883c3443224
Added SPDX-license-identifier-Apache-2.0 to:
keystore2/tests/legacy_blobs/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: Ifc2e14a9b60e364323794eaa5a8c181c4f0a78ee
This change leverages the ro.remote_provisioning.rkp_only system
property in order to determine whether or not the system has fallback
keys. If there are no fallback keys, then ks2 will now return
OUT_OF_KEYS as a ResponseCode to the caller over the binder interface.
This will allow the caller to call generateKey() on the
RemoteProvisioner AIDL interface, blocking until the call is returned.
At this point, keys will either have been provisioned, or an actionable
error can be routed back to the developer.
Bug: 227306369
Test: atest RemoteProvisionerUnitTests
Change-Id: I8f5bc5add4ab895ab95c9e4e70e6fc9fa4422da5
Allow an application to either have an selinux permission or a
privileged application permission to request a unique id attestation.
Eventually, we will remove the sepolicy permission. However, until
GMSCore is updated to pick up the new permission, keep the policy
around.
Test: KeyAttestationTest
Bug: 216778747
Change-Id: I2401ca630d1599f0399b47e1fd9dd88d78318b95
- authorizations: helper struct to create set of key authorizations
- key_generations: helper methods to generate various keys.
Test: N/A
Change-Id: I23250838b7b6d8ad59f5ef8682861a07e856299f
Creating a new library "libkeystore2_with_test_utils" where it includes blob utils
apis and sample test vectors based on feature flag keystore2_blob_test_utils.
Bug: 213173772
Bug: 213172664
Bug: 203101472
Test: keystore2_test
Change-Id: I869d27d1d3e8c6d28d8f5e5d6aed4305b5265816
This CL adds run_as_child which starts a child asynchronously and
returns a handle that allows waiting for and communicating with the
child process.
Test: keystore2_test_utils_test
Change-Id: Ibde858f249c94295b5f1c0c0cb29b8a98fb98a3a
- Remove the listEntries API in IKeystoreMaintenance
- Remove the ability to migrate keys across UIDs in the APP domain
Test: m keystore2
Bug: 220015249
Change-Id: I513e5b485b026825b9e7f8c86a1e8fb89247ab3d
CreateKeyMintDevice now creates a shared_ptr with correct ref counts.
Bug: 219791936
Test: atest keystore2_km_compat_test_cpp does not crash any more.
Change-Id: I3b304c0a4d55883b8f917ce0ef4c70d4bd0e9e9b
If we cannot create an IRemotelyProvisionedKeyPool binder, keystore
starts up as normal. However, we were not logging _why_ the operation
failed. This change adds a bit of logging so that we can diagnose when
devices are missing the IRemotelyProvisionedKeyPool service.
Test: keystore2_test
Change-Id: I60a481dc9762d8b156c5bec9e622a7e2192d145d
On some devices it is infeasible to provision the KeyMint RoT bits in
the Android Bootloader. This provides an alternate path to provision
them from the TEE during early boot.
Bug: 219076736
Test: VtsAidlKeyMintTargetTest
Change-Id: I8e19a1096087780f8c979f5a6b37f4100e41a975
Merged-In: I8e19a1096087780f8c979f5a6b37f4100e41a975
Placing a call to delete all expired attestation keys directly in
the function responsible for retrieving them. This guarantees that any
key selected will be fresh. This also modifies
delete_expired_attestation_keys to create a time buffer so that a key
can't be milliseconds away from expiration when this call returns.
Test: atest keystore2_tests
Change-Id: I6f83eb65d02d8583d054c56ef6c572f3ee2e8e24
This change applies a key upgrade path to the RKP keys when they are
used in key generation. Without this, RKP keys will fail after a device
receives an update due to version mismatch in KeyMint.
Test: atest keystore2_test && atest RemoteProvisionerUnitTests
Change-Id: I5dddc8fa1fe7fe9d7dd559b337089d607fcc735a
Virtual operation slots are leaked when sofware emulation is used.
This can lead to TOO_MANY_OPERATIONS errors despite have plenty of spare
operation slots in the backend.
Also fixes not using the reserved operation slot for signing. All
signing operations during key generation are now serialized and use the
reserved operation slot.
The slot test in keystore2_km_compat_test_cpp now tests that sofware
emulated operations don't impact the virtual operation slot accounting.
It also verifies that key generation that requires an operation slot can
commence even if all virtual slots are depleted.
Bug: 219551178
Bug: 219552427
Test: atest keystore2_km_compat_test_cpp
Change-Id: I6665b06a038e4935b4c751228881d8b500a6dcd4
Slot_test
Change-Id: Ice45c9f67f0ac0aa067825c410bf3ba9257e5bee
This CL addresses various gaps in legacy support.
* Encrypted legacy blobs.
* Encrypted key characteristics files (pre Android Q).
* Encrypted certificate and certificate chain entries
(pre Android R).
To support key migration even when the corresponding user is locked,
keys can now be migrated in the legacy database by renaming files.
In order to construct a complete a key characteristics cache from old
characteristics files the information must be augmented with the
characteristics that can be extracted from the key blob by calling
KeyMintDevice::getKeyCharacteristics. For this to work, the blob
may need to be decrypted, upgraded, and reencrypted. The crypto steps
may fail with ResponseCode::LOCKED though if the user is locked.
If the key was upgraded in the process both the old and the new key
blob must be inserted into the database in order for the garbage
collector to reap and invalidate the superseded blob correctly.
At the time APPLICATION_ID and APPLICATION_DATA are usually not
available. This would cause such bound keys to fail with
ErrorCode::INVALID_KEY_BLOB. However, APPLICATION_ID/DATA were
never exposed to applications though, so this should be acceptable
for now.
Bug: 213173772
Bug: 213172664
Bug: 203101472
Test: keystore2_test
Change-Id: Id8561d3f98d53182709d9f4feeeecda3b1535077
- Implement a general back-level KeyMint wrapper, which forwards
requests to either a back-level real device, or an up-level
software device. Keyblobs from the latter are given a marker
prefix and an authentication suffix.
- Add an FFI wrapper function to allow calculation of HMAC-SHA256,
so this can be used to give an authenticated suffix to wrapped
keyblobs.
- Abstract out the decision process for whether emulation is required
to a EmulationDetector trait, and provide implementations for
KeyMint V1 and for a km_compat-wrapped Keymaster.
- Impose the KeyMint V1 wrapper whenever the real device is detected to
be a V1 implementation.
- Add support to the IKeystoreCompatService for returning a device for
SecurityLevel::SOFTWARE. This device will always be the most recent
KeyMint version.
- Clarify what level of IKeyMint implementation gets returned from
the IKeystoreCompatService for the other security levels.
- Add an inner function to the km_compat code to allow unit tests
to still work.
Co-authored-by: Janis Danisevskis <jdanis@google.com>
Bug: 194358913
Test: CtsKeystoreTestCases on oriole/bramble/cuttlefish
Change-Id: I297e8ad1cf00fd15cd5358b2760cd2ca88f53abb
This refactor serves the disambiguation between the import of legacy
blobs into the sqlite3 database and the migration of keys between
namespaces, which becomes more promient in the light of shared uid
migration.
Test: No new test required because no functionality was changed.
Change-Id: I0612d0731083548a196911712f6c0adbbc9a5e9a
Split the IRemotelyProvisionedKeyPool binder implementation to its own
struct, as we cannot have two rust objects backing the same native
binder.
Test: keystore2_test
Test: keystore2_test --ignored
Bug: 194696876
Change-Id: I188bc2e2daf277f4a3543c7ec8320002d57f60ba
This patch makes it a little easier to interpret watch dog records, by
sorting them by the age of the youngest watch point in each thread.
The most likely culprit will thus move to the top of the record.
Test: N/A
Change-Id: I17ef4801ed38313b85468bd14943269f881a8e2b
The noicu build rules were only used by microdroid which no longer has a
special variant of keystore2.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: Iefa4d22beb0074bc95e0ff20c7689ad8b62372f4
keystore2 has been removed from microdroid so the build variant is no
longer needed.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I46395d04535a3084e995324445e6b52bef4d8154
