diff options
author | Treehugger Robot <treehugger-gerrit@google.com> | 2023-03-07 17:44:54 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2023-03-07 17:44:54 +0000 |
commit | 91e742dfbbadde0b56d40afcfb45e6bfff63e620 (patch) | |
tree | 93d97321655f632a20fc52a48757811b63fba50d | |
parent | 98fa81cbdda8f64d0d77bce20f1a37d2fa139059 (diff) | |
parent | 0b90f56a0ab0c3a8ea8b831221cd7571b367b603 (diff) | |
download | libese-91e742dfbbadde0b56d40afcfb45e6bfff63e620.tar.gz |
Merge "Removed km_ops from CoseKey"
7 files changed, 28 insertions, 45 deletions
diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCose.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCose.java index 1eb8816..0c2244c 100644 --- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCose.java +++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCose.java @@ -71,7 +71,6 @@ public class KMCose { public static final short COSE_KEY_KEY_TYPE = 1; public static final short COSE_KEY_KEY_ID = 2; public static final short COSE_KEY_ALGORITHM = 3; - public static final short COSE_KEY_KEY_OPS = 4; public static final short COSE_KEY_CURVE = -1; public static final short COSE_KEY_PUBKEY_X = -2; public static final short COSE_KEY_PUBKEY_Y = -3; @@ -112,7 +111,6 @@ public class KMCose { KMCose.COSE_KEY_KEY_TYPE, KMCose.COSE_KEY_KEY_ID, KMCose.COSE_KEY_ALGORITHM, - KMCose.COSE_KEY_KEY_OPS, KMCose.COSE_KEY_CURVE, KMCose.COSE_KEY_PUBKEY_X, KMCose.COSE_KEY_PUBKEY_Y, @@ -452,12 +450,13 @@ public class KMCose { } /** - * Constructs a CoseKey with the provided input paramters. + * Constructs a CoseKey with the provided input parameters. Note that construction of the key_ops + * label is not needed to be supported. In the KeyMint2.0 specifications: The CoseKey inside + * MacedPublicKeys and DiceCertChain does not have key_ops label. * * @param keyType Instance of the identification of the key type. * @param keyId Instance of key identification value. * @param keyAlg Instance of the algorithm that is used with this key. - * @param keyOps Instance of the operation that this key is used for. * @param curve Instance of the EC curve that is used with this key. * @param pubKey Buffer containing the public key. * @param pubKeyOff Start offset of the buffer. @@ -471,7 +470,6 @@ public class KMCose { short keyType, short keyId, short keyAlg, - short keyOps, short curve, byte[] pubKey, short pubKeyOff, @@ -486,8 +484,7 @@ public class KMCose { short xPtr = KMByteBlob.instance(pubKey, pubKeyOff, pubKeyLen); short yPtr = KMByteBlob.instance(pubKey, (short) (pubKeyOff + pubKeyLen), pubKeyLen); short coseKey = - constructCoseKey( - buff, keyType, keyId, keyAlg, keyOps, curve, xPtr, yPtr, privKeyPtr, testMode); + constructCoseKey(buff, keyType, keyId, keyAlg, curve, xPtr, yPtr, privKeyPtr, testMode); KMCoseKey.cast(coseKey).canonicalize(); return coseKey; } @@ -499,7 +496,6 @@ public class KMCose { * @param keyType instance of KMInteger/KMNInteger which holds valid COSE key types. * @param keyId instance of KMByteBlob which holds key identifier value. * @param keyAlg instance of KMInteger/KMNInteger which holds valid COSE key algorithm. - * @param keyOps instance of KMInteger/KMNInteger which holds valid COSE key operations. * @param curve instance of KMInteger/KMNInteger which holds valid COSE EC curve. * @param pubX instance of KMByteBlob which holds EC public key's x value. * @param pubY instance of KMByteBlob which holds EC public key's y value. @@ -512,21 +508,19 @@ public class KMCose { short keyType, short keyId, short keyAlg, - short keyOps, short curve, short pubX, short pubY, short priv, boolean includeTestKey) { - short valueIndex = 8; + short valueIndex = 7; buff[0] = keyType; buff[1] = keyId; buff[2] = keyAlg; - buff[3] = keyOps; - buff[4] = curve; - buff[5] = pubX; - buff[6] = pubY; - buff[7] = priv; + buff[3] = curve; + buff[4] = pubX; + buff[5] = pubY; + buff[6] = priv; for (short i = valueIndex; i < 16; i++) { buff[i] = KMType.INVALID_VALUE; } diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCoseKey.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCoseKey.java index d1a9f36..d3edc5f 100644 --- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCoseKey.java +++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCoseKey.java @@ -25,7 +25,9 @@ import javacard.framework.Util; * https://datatracker.ietf.org/doc/html/rfc8152#section-7 The supported key types are KMNInteger, * KMInteger and the supported value types are KMInteger, KMNInteger, KMByteBlob, KMSimpleValue. It * corresponds to a CBOR Map type. struct{byte TAG_TYPE; short length; short arrayPtr } where - * arrayPtr is a pointer to array with any KMTag subtype instances. + * arrayPtr is a pointer to array with any KMTag subtype instances. Note that construction of the + * key_ops label is not needed to be supported. In the KeyMint2.0 specifications: The CoseKey inside + * MacedPublicKeys and DiceCertChain does not have key_ops label. */ public class KMCoseKey extends KMCoseMap { @@ -182,7 +184,9 @@ public class KMCoseKey extends KMCoseMap { } /** - * Verifies the KMCoseKey values against the input values. + * Verifies the KMCoseKey values against the input values. Note that construction of the key_ops + * label is not needed to be supported. In the KeyMint2.0 specifications: The CoseKey inside + * MacedPublicKeys and DiceCertChain does not have key_ops label. * * @param keyType value of the key type * @param keyIdPtr instance of KMByteBlob containing the key id. @@ -192,18 +196,16 @@ public class KMCoseKey extends KMCoseMap { * @return true if valid, otherwise false. */ public boolean isDataValid( - short[] buff, short keyType, short keyIdPtr, short keyAlg, short keyOps, short curve) { - short buffLen = 10; + short[] buff, short keyType, short keyIdPtr, short keyAlg, short curve) { + short buffLen = 8; buff[0] = KMCose.COSE_KEY_KEY_TYPE; buff[1] = keyType; buff[2] = KMCose.COSE_KEY_KEY_ID; buff[3] = keyIdPtr; buff[4] = KMCose.COSE_KEY_ALGORITHM; buff[5] = keyAlg; - buff[6] = KMCose.COSE_KEY_KEY_OPS; - buff[7] = keyOps; - buff[8] = KMCose.COSE_KEY_CURVE; - buff[9] = curve; + buff[6] = KMCose.COSE_KEY_CURVE; + buff[7] = curve; boolean valid = false; short ptr; short tagIndex = 0; diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairCoseKeyTag.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairCoseKeyTag.java index be853de..5290da2 100644 --- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairCoseKeyTag.java +++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairCoseKeyTag.java @@ -6,7 +6,7 @@ import javacard.framework.Util; /** * KMCosePairCoseKeyTag represents a key-value type, where key can be KMInteger or KMNInteger and - * value is KMCOseKey type. struct{byte TAG_TYPE; short length; struct{short COSE_KEY_VALUE_TYPE; + * value is KMCoseKey type. struct{byte TAG_TYPE; short length; struct{short COSE_KEY_VALUE_TYPE; * short key; short value}}. */ public class KMCosePairCoseKeyTag extends KMCosePairTagType { diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairTagType.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairTagType.java index f3fc76e..baa0855 100644 --- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairTagType.java +++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairTagType.java @@ -21,12 +21,11 @@ import javacard.framework.ISOException; import javacard.framework.Util; /** - * This class represents the COSE_Key as defined in - * https://datatracker.ietf.org/doc/html/rfc8152#section-7. This is basically a map containing key - * value pairs. The label for the key can be (uint / int / tstr) and the value can be of any type. - * But this class is confined to support only key and value types which are required for remote key - * provisioning. So keys of type (int / uint) and values of type (int / uint / simple / bstr) only - * are supported. The structure representing all the sub classes of KMCosePairTagType is as follows: + * This class represents the a key-value types. This is basically a map containing key value pairs. + * The label for the key can be (uint / int / tstr) and the value can be of any type. But this class + * is confined to support only key and value types which are required for remote key provisioning. + * So keys of type (int / uint) and values of type (int / uint / simple / bstr) only are supported. + * The structure representing all the sub classes of KMCosePairTagType is as follows: * KM_COSE_PAIR_TAG_TYPE(1byte), Length(2 bytes), COSE_PAIR_*_TAG_TYPE(2 bytes), Key(2 bytes), * Value(2 bytes). Key can be either KMInteger or KMNInteger and Value can be either KMIntger or * KMNinteger or KMSimpleValue or KMByteBlob or KMTextString or KMCoseKey. Each subclass of @@ -57,15 +56,6 @@ public abstract class KMCosePairTagType extends KMType { KMCose.COSE_ALG_ECDH_ES_HKDF_256, KMCose.COSE_ALG_ES256 }, - // Key operations - (Object) new byte[] {0, 0, 0, KMCose.COSE_KEY_KEY_OPS}, - (Object) - new byte[] { - KMCose.COSE_KEY_OP_SIGN, - KMCose.COSE_KEY_OP_VERIFY, - KMCose.COSE_KEY_OP_ENCRYPT, - KMCose.COSE_KEY_OP_DECRYPT - }, // Key Curve (Object) new byte[] {0, 0, 0, KMCose.COSE_KEY_CURVE}, (Object) new byte[] {KMCose.COSE_ECCURVE_256}, diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMDecoder.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMDecoder.java index e7dc21d..dd05b13 100644 --- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMDecoder.java +++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMDecoder.java @@ -240,7 +240,9 @@ public class KMDecoder { private short peekCosePairTagType() { byte[] buffer = (byte[]) bufferRef[0]; short startOff = scratchBuf[START_OFFSET]; - // Cose Key should be always either UINT or Negative int + // This decoder is confined to support only key and value types which are required for remote + // key provisioning. So keys of type (int / uint) and values of type (int / uint / simple / bstr + // / tstr / Cosekey) only are supported. if ((buffer[startOff] & MAJOR_TYPE_MASK) != UINT_TYPE && (buffer[startOff] & MAJOR_TYPE_MASK) != NEG_INT_TYPE) { ISOException.throwIt(ISO7816.SW_DATA_INVALID); diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java index 427634c..eac55a9 100644 --- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java +++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java @@ -1047,7 +1047,6 @@ public class KMKeymasterApplet extends Applet implements AppletEvent, ExtendedLe KMCose.COSE_KEY_TYPE_EC2, KMType.INVALID_VALUE, alg, - KMType.INVALID_VALUE, KMCose.COSE_ECCURVE_256)) { KMException.throwIt(KMError.STATUS_FAILED); } @@ -1127,7 +1126,6 @@ public class KMKeymasterApplet extends Applet implements AppletEvent, ExtendedLe KMInteger.uint_8(KMCose.COSE_KEY_TYPE_EC2), KMType.INVALID_VALUE, KMNInteger.uint_8(KMCose.COSE_ALG_ES256), - KMInteger.uint_8(KMCose.COSE_KEY_OP_VERIFY), KMInteger.uint_8(KMCose.COSE_ECCURVE_256), scratchPad, (short) 0, diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java index ab28cd5..8ba0e2f 100644 --- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java +++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java @@ -806,7 +806,6 @@ public class KMRemotelyProvisionedComponentDevice { KMCose.COSE_KEY_TYPE_EC2, KMType.INVALID_VALUE, KMCose.COSE_ALG_ES256, - KMType.INVALID_VALUE, KMCose.COSE_ECCURVE_256)) { KMException.throwIt(KMError.STATUS_FAILED); } @@ -1423,7 +1422,6 @@ public class KMRemotelyProvisionedComponentDevice { KMInteger.uint_8(KMCose.COSE_KEY_TYPE_EC2), KMType.INVALID_VALUE, KMNInteger.uint_8(KMCose.COSE_ALG_ES256), - KMType.INVALID_VALUE, KMInteger.uint_8(KMCose.COSE_ECCURVE_256), data, pubKeyIndex, @@ -1584,7 +1582,6 @@ public class KMRemotelyProvisionedComponentDevice { KMInteger.uint_8(KMCose.COSE_KEY_TYPE_EC2), KMType.INVALID_VALUE, KMNInteger.uint_8(KMCose.COSE_ALG_ES256), - KMType.INVALID_VALUE, KMInteger.uint_8(KMCose.COSE_ECCURVE_256), KMByteBlob.cast(pubKey).getBuffer(), KMByteBlob.cast(pubKey).getStartOff(), |