diff options
author | Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> | 2023-06-13 04:44:45 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-06-13 04:44:45 +0000 |
commit | 869fccddd9db714624446aff2828b2a3e568d617 (patch) | |
tree | 4960324b7440aa81b113a1b9ef597b3ef541960c | |
parent | 78d750f9e6792ea1c9d25749f50aa558d82bc265 (diff) | |
parent | 48b8ca8dca6f27611a21b5bf90de82f45c0317fc (diff) | |
download | libese-869fccddd9db714624446aff2828b2a3e568d617.tar.gz |
Merge "Deprecate IRPC test mode key generation in V3." am: a19382bfaa am: 837bd68238 am: 728d37d6ab am: eabe7413ae am: f4fbd8e0ca am: 48b8ca8dca
Original change: https://android-review.googlesource.com/c/platform/external/libese/+/2615692
Change-Id: Ia6fb0db85dd76354d8c636c689bc9557c527b541
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
4 files changed, 21 insertions, 69 deletions
diff --git a/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMCose.java b/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMCose.java index bcfb5f8..2854a71 100644 --- a/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMCose.java +++ b/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMCose.java @@ -250,11 +250,9 @@ public class KMCose { * Constructs array based on the tag values provided. * * @param tag array of tag values to be constructed. - * @param includeTestMode flag which indicates if TEST_COSE_KEY should be included or not. * @return instance of KMArray. */ - private static short handleCosePairTags( - short[] tag, short[] keyValues, short valueIndex, boolean includeTestMode) { + private static short handleCosePairTags(short[] tag, short[] keyValues, short valueIndex) { short index = 0; // var is used to calculate the length of the array. short var = 0; @@ -268,7 +266,6 @@ public class KMCose { } index++; } - var += includeTestMode ? 1 : 0; short arrPtr = KMArray.instance(var); index = 0; // var is used to index the array. @@ -322,7 +319,7 @@ public class KMCose { for (short i = 4; i < 8; i++) { buff[i] = KMType.INVALID_VALUE; } - short ptr = handleCosePairTags(COSE_HEADER_LABELS, buff, (short) 4, false); + short ptr = handleCosePairTags(COSE_HEADER_LABELS, buff, (short) 4); ptr = KMCoseHeaders.instance(ptr); KMCoseHeaders.cast(ptr).canonicalize(); return ptr; @@ -373,7 +370,6 @@ public class KMCose { * @param pubKeyOff Start offset of the buffer. * @param pubKeyLen Length of the public key. * @param privKeyPtr Instance of the private key. - * @param testMode Represents if key is used in test mode or production mode. * @return Instance of the CoseKey structure. */ public static short constructCoseKey( @@ -385,8 +381,7 @@ public class KMCose { byte[] pubKey, short pubKeyOff, short pubKeyLen, - short privKeyPtr, - boolean testMode) { + short privKeyPtr) { if (pubKey[pubKeyOff] == 0x04) { // uncompressed format pubKeyOff += 1; pubKeyLen -= 1; @@ -394,8 +389,7 @@ public class KMCose { pubKeyLen = (short) (pubKeyLen / 2); short xPtr = KMByteBlob.instance(pubKey, pubKeyOff, pubKeyLen); short yPtr = KMByteBlob.instance(pubKey, (short) (pubKeyOff + pubKeyLen), pubKeyLen); - short coseKey = - constructCoseKey(buff, keyType, keyId, keyAlg, curve, xPtr, yPtr, privKeyPtr, testMode); + short coseKey = constructCoseKey(buff, keyType, keyId, keyAlg, curve, xPtr, yPtr, privKeyPtr); KMCoseKey.cast(coseKey).canonicalize(); return coseKey; } @@ -411,7 +405,6 @@ public class KMCose { * @param pubX instance of KMByteBlob which holds EC public key's x value. * @param pubY instance of KMByteBlob which holds EC public key's y value. * @param priv instance of KMByteBlob which holds EC private value. - * @param includeTestKey flag which identifies whether to construct test key or production key. * @return instance of the KMCoseKey object. */ public static short constructCoseKey( @@ -422,8 +415,7 @@ public class KMCose { short curve, short pubX, short pubY, - short priv, - boolean includeTestKey) { + short priv) { short valueIndex = 7; buff[0] = keyType; buff[1] = keyId; @@ -435,14 +427,7 @@ public class KMCose { for (short i = valueIndex; i < 16; i++) { buff[i] = KMType.INVALID_VALUE; } - short arrPtr = handleCosePairTags(COSE_KEY_LABELS, buff, valueIndex, includeTestKey); - if (includeTestKey) { - short testKey = - KMCosePairSimpleValueTag.instance( - KMNInteger.uint_32(KMCose.COSE_TEST_KEY, (short) 0), - KMSimpleValue.instance(KMSimpleValue.NULL)); - KMArray.cast(arrPtr).add((short) (KMArray.cast(arrPtr).length() - 1), testKey); - } + short arrPtr = handleCosePairTags(COSE_KEY_LABELS, buff, valueIndex); arrPtr = KMCoseKey.instance(arrPtr); KMCoseKey.cast(arrPtr).canonicalize(); return arrPtr; diff --git a/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java b/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java index 4a6acee..04fadea 100644 --- a/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java +++ b/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java @@ -1153,8 +1153,7 @@ public class KMKeymasterApplet extends Applet implements AppletEvent, ExtendedLe scratchPad, (short) 0, temp, - KMType.INVALID_VALUE, - false); + KMType.INVALID_VALUE); temp = KMKeymasterApplet.encodeToApduBuffer( coseKey, scratchPad, (short) 0, KMKeymasterApplet.MAX_COSE_BUF_SIZE); diff --git a/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java b/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java index da6d518..612bfcd 100644 --- a/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java +++ b/ready_se/google/keymint/KM300/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java @@ -300,19 +300,13 @@ public class KMRemotelyProvisionedComponentDevice { * blob. It then generates a COSEMac message which includes the ECDSA public key. */ public void processGenerateRkpKey(APDU apdu) { - short arr = KMArray.instance((short) 1); - KMArray.cast(arr).add((short) 0, KMSimpleValue.exp()); - arr = KMKeymasterApplet.receiveIncoming(apdu, arr); // Re-purpose the apdu buffer as scratch pad. byte[] scratchPad = apdu.getBuffer(); - // test mode flag. - boolean testMode = - (KMSimpleValue.TRUE == KMSimpleValue.cast(KMArray.cast(arr).get((short) 0)).getValue()); KMKeymasterApplet.generateRkpKey(scratchPad, getEcAttestKeyParameters()); short pubKey = KMKeymasterApplet.getPubKey(); - short coseMac0 = constructCoseMacForRkpKey(testMode, scratchPad, pubKey); + short coseMac0 = constructCoseMacForRkpKey(scratchPad, pubKey); // Encode the COSE_MAC0 object - arr = KMArray.instance((short) 3); + short arr = KMArray.instance((short) 3); KMArray.cast(arr).add((short) 0, KMInteger.uint_16(KMError.OK)); KMArray.cast(arr).add((short) 1, coseMac0); KMArray.cast(arr).add((short) 2, KMKeymasterApplet.getPivateKey()); @@ -878,8 +872,7 @@ public class KMRemotelyProvisionedComponentDevice { KMKeymasterApplet.encodeToApduBuffer( macStructure, scratchPad, (short) 0, KMKeymasterApplet.MAX_COSE_BUF_SIZE); - short hmacLen = - rkpHmacSign(testMode, scratchPad, (short) 0, encodedLen, scratchPad, encodedLen); + short hmacLen = rkpHmacSign(scratchPad, (short) 0, encodedLen, scratchPad, encodedLen); if (hmacLen != KMByteBlob.cast(KMArray.cast(coseMacPtr).get(KMCose.COSE_MAC0_TAG_OFFSET)).length()) { @@ -1212,7 +1205,7 @@ public class KMRemotelyProvisionedComponentDevice { return lengthToSend; } - private short constructCoseMacForRkpKey(boolean testMode, byte[] scratchPad, short pubKey) { + private short constructCoseMacForRkpKey(byte[] scratchPad, short pubKey) { // prepare cosekey short coseKey = KMCose.constructCoseKey( @@ -1224,8 +1217,7 @@ public class KMRemotelyProvisionedComponentDevice { KMByteBlob.cast(pubKey).getBuffer(), KMByteBlob.cast(pubKey).getStartOff(), KMByteBlob.cast(pubKey).length(), - KMType.INVALID_VALUE, - testMode); + KMType.INVALID_VALUE); // Encode the cose key and make it as payload. short len = KMKeymasterApplet.encodeToApduBuffer( @@ -1252,7 +1244,7 @@ public class KMRemotelyProvisionedComponentDevice { KMKeymasterApplet.encodeToApduBuffer( macStructure, scratchPad, (short) 0, KMKeymasterApplet.MAX_COSE_BUF_SIZE); // HMAC Sign. - short hmacLen = rkpHmacSign(testMode, scratchPad, (short) 0, len, scratchPad, len); + short hmacLen = rkpHmacSign(scratchPad, (short) 0, len, scratchPad, len); // Create COSE_MAC0 object short coseMac0 = KMCose.constructCoseMac0( @@ -1362,35 +1354,10 @@ public class KMRemotelyProvisionedComponentDevice { } private short rkpHmacSign( - boolean testMode, - byte[] data, - short dataStart, - short dataLength, - byte[] signature, - short signatureStart) { - short result; - if (testMode) { - short macKey = KMByteBlob.instance(EPHEMERAL_MAC_KEY_SIZE); - Util.arrayFillNonAtomic( - KMByteBlob.cast(macKey).getBuffer(), - KMByteBlob.cast(macKey).getStartOff(), - EPHEMERAL_MAC_KEY_SIZE, - (byte) 0); - result = - seProvider.hmacSign( - KMByteBlob.cast(macKey).getBuffer(), - KMByteBlob.cast(macKey).getStartOff(), - EPHEMERAL_MAC_KEY_SIZE, - data, - dataStart, - dataLength, - signature, - signatureStart); - } else { - result = - seProvider.hmacSign( - storeDataInst.getRkpMacKey(), data, dataStart, dataLength, signature, signatureStart); - } + byte[] data, short dataStart, short dataLength, byte[] signature, short signatureStart) { + short result = + seProvider.hmacSign( + storeDataInst.getRkpMacKey(), data, dataStart, dataLength, signature, signatureStart); return result; } } diff --git a/ready_se/google/keymint/KM300/HAL/JavacardRemotelyProvisionedComponentDevice.cpp b/ready_se/google/keymint/KM300/HAL/JavacardRemotelyProvisionedComponentDevice.cpp index c79889f..a6e46bf 100644 --- a/ready_se/google/keymint/KM300/HAL/JavacardRemotelyProvisionedComponentDevice.cpp +++ b/ready_se/google/keymint/KM300/HAL/JavacardRemotelyProvisionedComponentDevice.cpp @@ -115,9 +115,10 @@ ScopedAStatus JavacardRemotelyProvisionedComponentDevice::getHardwareInfo(RpcHar ScopedAStatus JavacardRemotelyProvisionedComponentDevice::generateEcdsaP256KeyPair( bool testMode, MacedPublicKey* macedPublicKey, std::vector<uint8_t>* privateKeyHandle) { - cppbor::Array array; - array.add(testMode); - auto [item, err] = card_->sendRequest(Instruction::INS_GENERATE_RKP_KEY_CMD, array); + if (testMode) { + return km_utils::kmError2ScopedAStatus(static_cast<keymaster_error_t>(STATUS_REMOVED)); + } + auto [item, err] = card_->sendRequest(Instruction::INS_GENERATE_RKP_KEY_CMD); if (err != KM_ERROR_OK) { LOG(ERROR) << "Error in sending generateEcdsaP256KeyPair."; return km_utils::kmError2ScopedAStatus(translateRkpErrorCode(err)); |