CLOCK_BOOTTIME is more correct because it includes time spent
while the device is suspended.
This also fixes an issue when comparing the times resulting from the
get_last_auth_time() API in the Java world, because we want to use
SystemClock.elapsedRealtime(), which uses CLOCK_BOOTTIME.
Bug: 309686873
Test: atest keystore2_client_tests
Change-Id: I89d71ccfcfe4f8b3495fede40ae26ad6fa2b0118
This cl moves watchdog calls to keystore2 to make rkpd_client
less dependent on keystore2, this allows us to make rkpd_client
an independent library more easily later.
Test: atest keystore2_test
Bug: 241428146
Change-Id: Ic3040ad65356aa7e25d38f36d453a258caf28403
This simplifies the task of creating an independent library of
rkpd_client later.
Test: atest keystore2_test
Bug: 241428146
Change-Id: Idddf37d14580e691fde5a494e54297465cb693b6
This will facilitate the extraction of rkpd_client as a standalone
library later.
Test: atest keystore2_test
Bug: 241428146
Change-Id: Icff6f88f2c3cc3dc50dd126067ed5f10c8aa7b29
This simplifies the task of creating an independent library of
rkpd_client later.
Test: atest keystore2_test
Bug: 241428146
Change-Id: I2834c9be9f5100d52829e6392f0dd48e7c76beb1
Log an informational message when creating each of a user's super keys,
as these are significant events.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Flag: exempt, just adds a log message
Change-Id: I9d76a0ec06fae208412f4c6cf1b7dd739b023a61
Currently the UnlockedDeviceRequired super keys are created by
get_or_create_super_key(), while the AfterFirstUnlock super key is
created by separate code in init_user(). The super key creation code in
get_or_create_super_key() is generic enough to work for all super keys,
however. This CL factors this code out into a new function
create_super_key(), which a later CL will use for the AfterFirstUnlock
super key. No change in behavior.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Flag: exempt, mechanical refactoring
Change-Id: I88779273efef6cb925152381c07549e1f49daecf
This returns the time (from CLOCK_MONOTONIC_RAW) that the specified user
last authenticated using the given authenticator.
Bug: 303839446
Test: atest keystore2_client_tests
Change-Id: Idd4c477365ffa556b7985d1d926dfa554680ff28
Adding a 'static bound for a binder Interface Implementation.
This is now needed to allow new code used to cast a Binder
Native object back to the original object that implements the
Binder Interface.
Test: CI
Bug: 278780666
Change-Id: Ifa1ec4d4c6692d75ada6c58cb97e6c82b791be04
1. Generate a key with application-data and use the generated key to
create an operation using the same application-data. Test should
create an operation successfully.
2. Generate a key with application-data and use the generated key to
create an operation using different application-data. Test should
fail to create an operation with `INVALID_KEY_BLOB` error code.
3. Generate a key with application-id and use the generated key to
create an operation using the same application-id. Test should
create an operation successfully.
4. Generate a key with application-id and use the generated key to
create an operation using different application-id. Test should
fail to create an operation with `INVALID_KEY_BLOB` error code.
5. Generate an attestation key without app-id and app-data. Test should
generate a new key with specifying app-id, app-data and using
previously generated attestation key. Test should be able to generate
a new key successfully.
6. Generate an attestation key with app-id and app-data. Test should try
to generate an attested key using previously generated attestation
key without specifying same app-id, app-data. Test should fail to
generate a new key with an error code `INVALID_KEY_BLOB`. It is an
oversight of the Keystore API that `APPLICATION_ID` and
`APPLICATION_DATA` tags cannot be provided to generateKey for
an attestation key that was generated with them.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I56fad4806c6d96c5994f4affdd7aa6620b1f1be8
Rename the ScreenLockBound superencryption keys and superencryption type
to UnlockedDeviceRequired. This avoids confusion about what "screen
lock bound" means and makes the terminology consistent with the
UnlockedDeviceRequired key parameter in the API.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Flag: exempt, mechanical refactoring and comment changes
Change-Id: I98f7716d05c06f8c6db0f3eb616fb6e780407c2d
Rename the LskfBound superencryption key and superencryption type (also
known as per-boot) to AfterFirstUnlock.
This makes it much clearer what the protection of this key is. This
includes avoiding the misleading use of "LSKF"; the secret that's
actually relevant is the user's synthetic password, which is most
commonly unlocked with the LSKF but can potentially be unlocked in other
ways. This is also helpful for the planned change to make the user's
super keys exist even while the user doesn't have an LSKF.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Flag: exempt, mechanical refactoring and comment changes
Change-Id: I9b16934f37222fef2bf01830f521928ef2c1853a
Rename UserState::LskfLocked to UserState::BeforeFirstUnlock, and
rename UserState::LskfUnlocked to UserState::AfterFirstUnlock.
This makes it much clearer what these states are. This includes
avoiding the misleading use of "LSKF"; the secret that's actually
relevant is the user's synthetic password, which is most commonly
unlocked with the LSKF but can potentially be unlocked in other ways.
This is also helpful for the planned change to make the user's super
keys exist even while the user doesn't have an LSKF.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Flag: exempt, mechanical refactoring and comment changes
Change-Id: I78f15e2165876951c98e22e577fc4c92a3602b3b
* changes:
Adding tests to check unique id attestation.
Changes are made in keystore-client-tests to verify CREATION_DATETIME, ATTESTATION_CHALLENGE and ATTESTATION_APPLICATION_ID.
Add code (adapted from system/keymint/common/src/keyblob/legacy.rs)
which parses keyblobs in the format produced by the previous C++
reference implementation of KeyMint.
Bug: 283077822
Bug: 296403357
Test: tested with ARC upgrade, see b/296403357
Change-Id: I519eed0ac968d5c2595f95609ffadede5d2d2677
When handling keyblob upgrade required, also watch out for an invalid
keyblob error that might indicate that a key used to be a
km_compat-wrapped Keymaster key.
In this situation, try stripping off the km_compat prefix and
attempt upgrade of the inner keyblob data instead.
Bug: 251426862
Bug: 283077822
Bug: 296403357
Test: tested with ARC upgrade, see b/296403357
Change-Id: I8539455e33ab2e1c97f26174476ee9d616269e74
IKeystoreMaintenance#getState() is no longer called, so remove it along
with the enum value for the GetState permission.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Change-Id: I9ec6cca78cd1eb899ac7adfc99fc5eee41dc7e44
1. Generate a key with `BOOTLOADER_ONLY` tag. Test should successfully
generate a key and verify the key characteristics. Test should fail
with error code `INVALID_KEY_BLOB` during creation of an operation
using this key.
2. Generate a key with `EARLY_BOOT_ONLY` tag. Test should successfully
generate a key and verify the key characteristics. Test should fail
with error code `EARLY_BOOT_ENDED` during creation of an operation
using this key.
3. Generate a key with `MAX_USES_PER_BOOT` tag. Test should successfully
generate a key and verify the key characteristics. Test should be
able to use the key successfully `MAX_USES_COUNT` times. After
exceeding key usage `MAX_USES_COUNT` times subsequent attempts to use
the key in test should fail with error code `MAX_OPS_EXCEEDED`.
4. Generate a key with `USAGE_COUNT_LIMIT` tag. Test should successfully
generate a key and verify the key characteristics. Test should be
able to use the key successfully `MAX_USES_COUNT` times. After
exceeding key usage `MAX_USES_COUNT` times subsequent attempts to use
the key in test should fail with error code `KEY_NOT_FOUND`. Test
should also check attest record for attested keys that
`USAGE_COUNT_LIMIT` is included in attest record.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I205964b571d92dc0fcbd11b1f6d45bc3aea7c050
USAGE_EXPIRE_DATETIME.
1. Tests will generate a key with current date and time set to
active-datetime and verify the key characteristics. Test will use
this key to create a sign operation successfully.
2. Test will generate a key with future date set to active-datetime and
verify the key characteristics. Test will fail with error code
`KEY_NOT_YET_VALID` while creating an operation using generated key.
3. Tests will generate a key with future date and time set to
origination-expire-datetime and verify the key characteristics. Test
will use this key to create a sign operation successfully.
4. Test will generate a key with current date and time set to
origination-expire-datetime and verify the key characteristics. Test
will fail with error code `KEY_EXPIRED` while creating an operation
using generated key.
5. Tests will generate a key with future date and time set to
usage-expire-datetime and verify the key characteristics. Test
will use this key to successfully verify the signature created using
this key.
6. Tests will generate a key with current date and time set to
usage-expire-datetime and verify the key characteristics. Test
will fail with error code `KEY_EXPIRED` while verifying the signature
created using this key.
7. Test will generate a AES key with future date and time set to
usage-expire-datetime and verify the key characteristics. Test
will perform encrypt and decrypt operations using this generated key
successfully.
8. Test will generate a AES key with current date and time set to
usage-expire-datetime and verify the key characteristics. Test
will fail with error code `KEY_EXPIRED` while creating Decrypt
operation using generated key.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I8a0865a6256a6da133e95d0ee8250ba67359a2a2
WAL mode allows db connections to open when the disk
is full. This is done in the current and legacy db and
tested manually by the commandline.
Testing: Filled a file with empty values until it took up all the space on the disk then accessed the database. This was not possible with this mode disabled but was once I enabled it on a new flash
Bug: 191777960
Test: atest keystore2_test and atest CtsKeystoreTestCases, filled real device to full and tested
Change-Id: Ic1a45fd635168061a6c5489a42a67cb59d3ddc6a
Remove improper import and make the flag a constant
with the read only option
Bug: 191777960
Test: m keystore2
Change-Id: I34bd2d0d891686c93a167456e8d50eec75374244
KeyMint.generateKey requires a challenge to be passed when a key
blob is also passed. The test missed this, and was thus failing on
compliant HALs.
Bug: 301223273
Test: keystore2_test
Change-Id: Icf7a32683c85d87fddd7d05ba07a110bb4e38c79
Define SerializedError wire type for convenience and type safety. It
does not change the rules of how errors are downcasted to an i32.
Change operation outcome errors from Keymint ErrorCode to
SerializedError. This has an intended effect of binder errors being
reported to metrics as ResponseCode::SYSTEM_ERROR instead of
ErrorCode::UNKNOWN_ERROR.
Also update comments.
Bug: 298194325
Test: m
Change-Id: Ieff70245b776c38845c4f5142ab13d438ff79104
Removed `libkeymint_vts_test_utils` and its dependent libs from static
libs list and added only `libkeymint_vts_test_utils` in shared libs
list.
Test: m libkeystore2_test_utils; atest keystore2_client_tests; atest keystore2_test_utils_test;
atest keystore2_test
Bug: 194359114
Change-Id: Iab4b8c174af81a8c64a9f44fcd634d54f78773da
New devices will no longer have hwservicemanager installed as part of
HIDL deprecation. So this service must not crash when it's not found.
From keystore2's perspective, this is the same as not having the HIDL
Keymaster HALs installed.
Test: remove hwservicemanager from
device/google/cuttlefish/shared/device.mk && launch_cvd
Bug: 298454031
Change-Id: I4c7cefd388936aff821cff572a8af1b6f69f82d1
Also remove benign logging when there are multiple strong
biometrics.
Test: adb logcat on CF while adding/removing user/pwd
Change-Id: I777404d566990a4a604554133c0d87abba2200bc
These will soon be required by a lint.
Some functions were incorrectly marked as safe which were not actually
safe, so I've fixed those too.
Bug: 290018030
Test: m rust
Change-Id: I38df6a8162d430617f123ab1aace38b741458fce
Changes made in keystore2-client-tests to verify the key characteristics
of generated and imported keys.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I30c1fb2bdb1d69d321d356453d895db73347acde
KeyMint spec requires unique ID rotation to happen every 30 days (or
more precisely 2592000000 milliseconds) starting at UNIX epoch time.
Keystore is also supposed to set the RESET_SINCE_ID_ROTATION to indicate
"whether the device has been factory reset since the last unique ID
rotation".
However, instead Keystore sets RESET_SINCE_ID_ROTATION if there has been
a factory reset in the last 30 days counting back from now, which is
different and will give one extra UNIQUE_ID value in a subsequent
period:
For example, if there's a factory reset (marked as :) in the 3rd period
(periods delimited by |), the first half of the 4th period will have
RESET_SINCE_ID_ROTATION set and get a different UNIQUE_ID value than it
should:
Want = | A | B | C : C2 | D | ...
Get = | A | B | C : C2 | D2 : D | ...
Bug: 289774200
Test: keystore2_test
Change-Id: I156de902931915cd1ae7ad2eba63fd0276f15ae0
Sync was incorrectly implemented for AuthRequest, allowing simultaneous
access to a Receiver from multiple threads despite it not being
threadsafe. Use a Mutex instead to do this safely.
Bug: 290018030
Test: m rust
Change-Id: I6f43f13d5f36bdbafc9bd910a1ebadbb1366009d
Remove get_declared_instances API as it is not a part of the target module - libkeystore2
Bug: 287588482
Test: ./keystore2_unsafe_fuzzer clusterfuzz-testcase-minimized-keystore2_unsafe_fuzzer-5127790852636672
Change-Id: I7513955783f4877496f721f52b92970887bbad41
This is just a copy of the OWNERS file in the parent directory with
only the members of the AHWS team filtered in, in the same order as the
parent file, except that eranm@ is added at the top of the list as
per go/atos-user-guide which says: First Owner in the OWNERS file should
be the person to triage the issues.
Bug: 288143537
Test: N/A
Change-Id: Ia9bb4773cb494e793ae3b4f0b18ebd90641051e2
The flag has been a default, and now is not accepted.
Test: Treehugger, m rust
Bug: 279198502
Bug: 276464273
Change-Id: I71ebcdbd3606c5dc55bf3454acfba9cc55ad85dd
- Generate an RSA/EC attested keys with attestation of the device's
identifiers. Test should succeed in generatating a attested key with
attestation of device identifier. Test might fail on devices which
doesn't support device id attestation with error response code
`CANNOT_ATTEST_IDS or INVALID_TAG`.
- Try to generate an attested key with attestation of invalid device's
identifiers. Test should fail with error response `CANNOT_ATTEST_IDS`
- Test to make sure `CANNOT_ATTEST_IDS` error code is returned while
trying to generate a key on a device which doesn't support
`FEATURE_DEVICE_ID_ATTESTATION`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ib57c58d3ea89279eb69db342c3343b8d99ddc639
Various recent bugs would have been easier to investigate if the auth
tokens received by keystore were logged.
Test: adb logcat while lock/unlock
Bug: 285328437
Bug: 284802403
Change-Id: Ia955d344a2bb47820c0616cc1b9784f5fcbecb0a
The Rust liblog_event_list API used to silently ignore any errors
reported by liblog. aosp/2617613 attempts to make the operations
propagate the failure instead.
Note that this introduces a subtle behavior change: when *creating the
log record* fails, the API with Results does not allow submitting a
partially constructed log. Otherwise, the result of the write operation
is ignored as it was before.
Bug: 282691103
Test: m
Test: atest keystore2_test
Change-Id: I7c43100149b4ca831050af0a9229b95d2f7f8392
* changes:
Add tests for super_key.rs
Simplify control flow for user unlocking.
Remove unlock_user_key function
Separate logic for user reset, remove, and init
Separate hybrid key logic into a helper function.
Make super_encrypt_on_key_init inline
https://r.android.com/1971319 changed the return type of
rustutils::system_properties::read() from Result<String> to
Result<Option<String>>. But, read_keystore_crash_count() was not
correctly updated to handle the Ok(None) case. Consequently, the case
of "property doesn't exist" started being considered an error, and the
code intended to handle this case stopped being executed. Fix this by
correctly handling the return value.
Bug: 284163087
Test: Verified that the read_keystore_crash_count() error message is no
longer present in logcat at boot time, and
'getprop keystore.crash_count' shows 0.
Change-Id: I4b9ff16cba9e7500623dab7c3bc888cba0daf997
The new tests are focused on unlocking, resetting and removing a user.
The tests verify that keys are deleted when necessary and that the user
state transitions properly.
Bug: 280502317
Test: atest keystore2_test on cuttlefish
Change-Id: Idae5d99fb289045bb277ba6c93ab62cfd9aed6fb
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
Currently, super_key.rs exposes two functions to authorization.rs for
key unlocking:
- unlock_screen_lock_bound_key
- unlock_and_get_user_state
This change simplifies the key_unlocking logic to a single function,
unlock_user. This new function handles all of the unlocking logic and
functions more like a state machine than the previous code.
This change mainly improves readability. It tries not to change
functionality.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: Ib9a3e907cd40d34c5ecf2a869a65e403deda0254
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
This function is dead code. It has no callers.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: I4c7791f6944afb621afb2d67f4b7b7d4690ddd78
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
This does not change the behavior of keystore2. It is a readability
change.
Currently, super_key.rs exposes one function for resetting, removing,
and initializing users:
- reset_or_init_user_and_get_user_state
This change breaks this function into smaller parts:
- reset_user
- init_user
- remove_user
- get_user_state
This simplifies the code in super_key.rs and allows it to act more like
a state machine.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: I4e27b41a76a8b45ca2bae6daabe51f2a985c2efe
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
This code is complicated and should be moved to its own function.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: I0602a8229cdd149d4f9b42a96f446d2a17df1321
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
There's no reason to separate this function. It doesn't handle any
complicated logic and makes control flow more difficult to understand.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: Iafd31ae79a722910effaba98ac216d5b912dd348
1. Generate RSA key and grant it to a user. In user context load the
key using `EVP_PKEY_from_keystore` and perform sign and verify
opeearions.
[keystore2_perofrm_crypto_op_using_keystore2_engine_rsa_key_success]
2. Generate EC key and grant it to a user. In user context load the
key using `EVP_PKEY_from_keystore` and perform sign and verify
operations.
[keystore2_perofrm_crypto_op_using_keystore2_engine_ec_key_success]
3. Generate RSA key and grant it to a user. Re-encode the certificate
as PEM and update the certificate using `updateSubcomponents`.
In user context load the key using `EVP_PKEY_from_keystore` and
perform sign and verify operations.
Bug: 201343811
Test: atest keystore2_client_tests
Change-Id: I7dafd598f4198e11103cd11695b2f67636f24755
Attestation keys are now managed by RKPD. Remove support for attestation
keys in keystore DB.
Test: keystore2_test
Change-Id: Iad7d9297701364eba44bcc60b564c7c7e12b9aea
