This change replaces libcppbor with libcppbor_external as part of the
effort to remove the partial libcppbor copy that lives in
hardware/interfaces.
Bug: 182445123
Test: It builds
Change-Id: I9c96cdf807979ecf806c80edd3cec9c443294c22
Currently we're using file-specific tags which makes it hard for
people looking at logcat to infer it's actually from credstore and it
also complicates filtering. Just use "credstore" everywhere.
Also change logging level from ERROR to INFO in the message
"Registered binder service" which is logged on startup.
Bug: None
Test: Compiles + manual inspection via logcat
Test: atest android.security.identity.cts (on goldfish)
Change-Id: I336d1a4e4e10b87fd3f08a5046cf5e13f09c9cb6
This CL adds the fix for the credstore failure reported in b/183253539.
Bug: 183253539
Test: CtsVerifier's Identity Credential Authentication test
Test: atest android.security.identity.cts
Change-Id: I396f36a58d260e3e081ef8a94aaf64431d0ad484
This is a followup CL to address the last code review comment at:
aosp/1612458.
Test: N/A. This is only a change in the text of the error.
Change-Id: I5d5a040ee23ef20836633e296376c6e4bbfc0e47
The root of the problem is that in some cases credstore would
pass auth- and verification-tokens to the Identity Credential
HAL without first having obtained a challenge via
IIdentityCredential.createAuthChallenge(). This makes it
impossible for the TA to validate the verification token for
freshness.
This is easily fixed by simply ensuring createAuthChallenge()
is called (and the returned challenge is used in the requested
verification token) whenever dealing with ACPs using user
authentication.
Additional issues / changes:
- During Android 12 development, an use-after-free bug was
introduced in Credential.cpp L120.
- keystore's getTokensForCredstore() had some bugs in how to
select an auth-token, in particular mixing authTokenAgeMillis
(milliseconds) with time_t values (seconds)
- as a result, keystore would sometimes return tokens older
than what credstore requested. This wasn't actually problem
because the TA would check it anyway.
- we now precisely define semantics in IKeystoreService.aidl
- Another potential use-after-free bug was found in
Credential.cpp L767
None of the fixes for these bugs affect CTS or VTS tests.
Bug: 181893400
Test: atest android.security.identity.cts on emulator
Test: atest android.security.identity.cts on crosshatch (w/ Android 11 era HAL)
Test: CtsVerifier's Identity Credential Authentication test crosshatch (w/ Android 11 era HAL)
Change-Id: I45a3fd16eff3b6a232d8b8c88f2e3dd3619a9c03
- Add Credential.proveOwership()
- Add Credential.deleteWithChallenge()
- Add Credential.updateCredential()
- Add Credential.storeStaticAuthenticationDataWithExpirationDate()
- Store this on disk. For entries stored without this parameter
assume they never expire.
- Add allowUsingExpiredKeys to Credential.selectAuthKey() and
Credential.getEntries()
- Unless set to true, never select an expired key
- Introduce ERROR_NOT_SUPPORTED and return this if HAL does not
support operation
Bug: 170146643
Test: atest android.security.identity.cts
Change-Id: Ic5dafc6498c9c59b82942def9d348d974f008589
This fixes a bug in credstore where it only worked if a credential
used ACP ids starting at zero and upwards (e.g. no holes). This is not
a reasonable requirement, it just happened to be a bug which wasn't
triggered because all CTS tests uses identifiers starting at 0 with
no holes.
This bug-fix is merged along with a new CTS test to check this bug no
longer exists.
Bug: 160966911
Test: atest android.security.identity.cts
Test: New CTS test testProvisionAcpIdNotStartingAtZero
Change-Id: I58595e6bf5f3ca3f82ebe9291fde54b7cf11e0dd
TEMP_FAILURE_RETRY expects an argument that returns -1 on temporary
failure, not a boolean.
Test: TreeHugger
Change-Id: If8cb4a440e909c4ed7cbfdd34454670b0d5ee045
Exempt-From-Owner-Approval: Janitorial fix
This is needed because the Secure Areas backing the Identity
Credential HAL may exist in a different environment from where the
auth token is minted. In this case, the Secure Area needs a
verification token to make sense of the timestamp in the auth token.
Getting a verification token is an asynchronous operation so change
the binder method used by credstore to be asynchronous as well.
Bug: 156076333
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: Id6cb6812a31d968069b7d72bd2b39b512d38d241
Without this extra information passed upfront it's not practical to
implement a HAL which incrementally builds up cryptographically
authenticated data.
This information is conveyed by using two new methods on version 2 of
the Identity Credential HAL. If these methods are not implemented (if
a version 1 HAL is running) the invocation fails and we handle this
gracefully by just ignoring the error.
Bug: 154631410
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: I17d516e41e800f58daa4c11dcca0305c80740d5b
The implementation of the Identity Credential TA in constrained
environments may need to incrementally update the HMAC-SHA256 of
DeviceAuthencation CBOR to avoid keeping the entire CBOR structure in
memory. To do this they need to calculate the derived key before
starting to build the CBOR so they need access to the signingKey
earlier on. Update credstore to pass the signingKey earlier.
Bug: 150390415
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Change-Id: If2479a10f80fba748591c30aa7b8662e1063787e
This was needed because credstore needs to generate and pass the
generated AttestationApplicationId to the Identity Credential HAL.
Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityCredentialTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: Id22b85ca083e23c7e1fbd3459910fba37a5db137
The results of TEMP_FAILURE_RETRY can be negative in an error
case. But we were assigning it to an unsigned size_t, and
thus our check to see if it was negative would always be false.
We switch to storing this result in a signed ssize_t, so we'll
properly handle a negative return value. As long as we're
never writing more than 2GB (ssize_t max on a 32-bit system),
this shouldn't be a problem.
Test: TreeHugger
Change-Id: I3d417fab7c3ee7557221f9757567379d1b8cb6da
The credstore system daemon is sitting below the Identity Credential
Framework APIs and on top of the Identity Credential HALs. Its main
job is to store credential data and provide a way for applications to
communicate with the secure hardware abstracted by the HAL.
This daemon runs as an unprivileged user, credstore.
The auth-tokens needed by credstore are supplied by keystore and this
CL includes the requisite changes to keystore for this to work.
Bug: 111446262
Test: CTS tests for Framework APIs
Change-Id: Ieb4d59852a143482436a1c418c25ed96e25c0047