Merge "Removed km_ops from CoseKey"

author: Treehugger Robot <treehugger-gerrit@google.com> 2023-03-07 17:44:54 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> 2023-03-07 17:44:54 +0000
commit: 91e742dfbbadde0b56d40afcfb45e6bfff63e620 (patch)
tree: 93d97321655f632a20fc52a48757811b63fba50d
parent: 98fa81cbdda8f64d0d77bce20f1a37d2fa139059 (diff)
parent: 0b90f56a0ab0c3a8ea8b831221cd7571b367b603 (diff)
download: libese-91e742dfbbadde0b56d40afcfb45e6bfff63e620.tar.gz
7 files changed, 28 insertions, 45 deletions
diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCose.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCose.java
index 1eb8816..0c2244c 100644
--- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCose.java
+++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCose.java
@@ -71,7 +71,6 @@ public class KMCose {
   public static final short COSE_KEY_KEY_TYPE = 1;
   public static final short COSE_KEY_KEY_ID = 2;
   public static final short COSE_KEY_ALGORITHM = 3;
-  public static final short COSE_KEY_KEY_OPS = 4;
   public static final short COSE_KEY_CURVE = -1;
   public static final short COSE_KEY_PUBKEY_X = -2;
   public static final short COSE_KEY_PUBKEY_Y = -3;
@@ -112,7 +111,6 @@ public class KMCose {
     KMCose.COSE_KEY_KEY_TYPE,
     KMCose.COSE_KEY_KEY_ID,
     KMCose.COSE_KEY_ALGORITHM,
-    KMCose.COSE_KEY_KEY_OPS,
     KMCose.COSE_KEY_CURVE,
     KMCose.COSE_KEY_PUBKEY_X,
     KMCose.COSE_KEY_PUBKEY_Y,
@@ -452,12 +450,13 @@ public class KMCose {
   }
 
   /**
-   * Constructs a CoseKey with the provided input paramters.
+   * Constructs a CoseKey with the provided input parameters. Note that construction of the key_ops
+   * label is not needed to be supported. In the KeyMint2.0 specifications: The CoseKey inside
+   * MacedPublicKeys and DiceCertChain does not have key_ops label.
    *
    * @param keyType Instance of the identification of the key type.
    * @param keyId Instance of key identification value.
    * @param keyAlg Instance of the algorithm that is used with this key.
-   * @param keyOps Instance of the operation that this key is used for.
    * @param curve Instance of the EC curve that is used with this key.
    * @param pubKey Buffer containing the public key.
    * @param pubKeyOff Start offset of the buffer.
@@ -471,7 +470,6 @@ public class KMCose {
       short keyType,
       short keyId,
       short keyAlg,
-      short keyOps,
       short curve,
       byte[] pubKey,
       short pubKeyOff,
@@ -486,8 +484,7 @@ public class KMCose {
     short xPtr = KMByteBlob.instance(pubKey, pubKeyOff, pubKeyLen);
     short yPtr = KMByteBlob.instance(pubKey, (short) (pubKeyOff + pubKeyLen), pubKeyLen);
     short coseKey =
-        constructCoseKey(
-            buff, keyType, keyId, keyAlg, keyOps, curve, xPtr, yPtr, privKeyPtr, testMode);
+        constructCoseKey(buff, keyType, keyId, keyAlg, curve, xPtr, yPtr, privKeyPtr, testMode);
     KMCoseKey.cast(coseKey).canonicalize();
     return coseKey;
   }
@@ -499,7 +496,6 @@ public class KMCose {
    * @param keyType instance of KMInteger/KMNInteger which holds valid COSE key types.
    * @param keyId instance of KMByteBlob which holds key identifier value.
    * @param keyAlg instance of KMInteger/KMNInteger which holds valid COSE key algorithm.
-   * @param keyOps instance of KMInteger/KMNInteger which holds valid COSE key operations.
    * @param curve instance of KMInteger/KMNInteger which holds valid COSE EC curve.
    * @param pubX instance of KMByteBlob which holds EC public key's x value.
    * @param pubY instance of KMByteBlob which holds EC public key's y value.
@@ -512,21 +508,19 @@ public class KMCose {
       short keyType,
       short keyId,
       short keyAlg,
-      short keyOps,
       short curve,
       short pubX,
       short pubY,
       short priv,
       boolean includeTestKey) {
-    short valueIndex = 8;
+    short valueIndex = 7;
     buff[0] = keyType;
     buff[1] = keyId;
     buff[2] = keyAlg;
-    buff[3] = keyOps;
-    buff[4] = curve;
-    buff[5] = pubX;
-    buff[6] = pubY;
-    buff[7] = priv;
+    buff[3] = curve;
+    buff[4] = pubX;
+    buff[5] = pubY;
+    buff[6] = priv;
     for (short i = valueIndex; i < 16; i++) {
       buff[i] = KMType.INVALID_VALUE;
     }
diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCoseKey.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCoseKey.java
index d1a9f36..d3edc5f 100644
--- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCoseKey.java
+++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCoseKey.java
@@ -25,7 +25,9 @@ import javacard.framework.Util;
  * https://datatracker.ietf.org/doc/html/rfc8152#section-7 The supported key types are KMNInteger,
  * KMInteger and the supported value types are KMInteger, KMNInteger, KMByteBlob, KMSimpleValue. It
  * corresponds to a CBOR Map type. struct{byte TAG_TYPE; short length; short arrayPtr } where
- * arrayPtr is a pointer to array with any KMTag subtype instances.
+ * arrayPtr is a pointer to array with any KMTag subtype instances. Note that construction of the
+ * key_ops label is not needed to be supported. In the KeyMint2.0 specifications: The CoseKey inside
+ * MacedPublicKeys and DiceCertChain does not have key_ops label.
  */
 public class KMCoseKey extends KMCoseMap {
 
@@ -182,7 +184,9 @@ public class KMCoseKey extends KMCoseMap {
   }
 
   /**
-   * Verifies the KMCoseKey values against the input values.
+   * Verifies the KMCoseKey values against the input values. Note that construction of the key_ops
+   * label is not needed to be supported. In the KeyMint2.0 specifications: The CoseKey inside
+   * MacedPublicKeys and DiceCertChain does not have key_ops label.
    *
    * @param keyType value of the key type
    * @param keyIdPtr instance of KMByteBlob containing the key id.
@@ -192,18 +196,16 @@ public class KMCoseKey extends KMCoseMap {
    * @return true if valid, otherwise false.
    */
   public boolean isDataValid(
-      short[] buff, short keyType, short keyIdPtr, short keyAlg, short keyOps, short curve) {
-    short buffLen = 10;
+      short[] buff, short keyType, short keyIdPtr, short keyAlg, short curve) {
+    short buffLen = 8;
     buff[0] = KMCose.COSE_KEY_KEY_TYPE;
     buff[1] = keyType;
     buff[2] = KMCose.COSE_KEY_KEY_ID;
     buff[3] = keyIdPtr;
     buff[4] = KMCose.COSE_KEY_ALGORITHM;
     buff[5] = keyAlg;
-    buff[6] = KMCose.COSE_KEY_KEY_OPS;
-    buff[7] = keyOps;
-    buff[8] = KMCose.COSE_KEY_CURVE;
-    buff[9] = curve;
+    buff[6] = KMCose.COSE_KEY_CURVE;
+    buff[7] = curve;
     boolean valid = false;
     short ptr;
     short tagIndex = 0;
diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairCoseKeyTag.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairCoseKeyTag.java
index be853de..5290da2 100644
--- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairCoseKeyTag.java
+++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairCoseKeyTag.java
@@ -6,7 +6,7 @@ import javacard.framework.Util;
 
 /**
  * KMCosePairCoseKeyTag represents a key-value type, where key can be KMInteger or KMNInteger and
- * value is KMCOseKey type. struct{byte TAG_TYPE; short length; struct{short COSE_KEY_VALUE_TYPE;
+ * value is KMCoseKey type. struct{byte TAG_TYPE; short length; struct{short COSE_KEY_VALUE_TYPE;
  * short key; short value}}.
  */
 public class KMCosePairCoseKeyTag extends KMCosePairTagType {
diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairTagType.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairTagType.java
index f3fc76e..baa0855 100644
--- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairTagType.java
+++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMCosePairTagType.java
@@ -21,12 +21,11 @@ import javacard.framework.ISOException;
 import javacard.framework.Util;
 
 /**
- * This class represents the COSE_Key as defined in
- * https://datatracker.ietf.org/doc/html/rfc8152#section-7. This is basically a map containing key
- * value pairs. The label for the key can be (uint / int / tstr) and the value can be of any type.
- * But this class is confined to support only key and value types which are required for remote key
- * provisioning. So keys of type (int / uint) and values of type (int / uint / simple / bstr) only
- * are supported. The structure representing all the sub classes of KMCosePairTagType is as follows:
+ * This class represents the a key-value types. This is basically a map containing key value pairs.
+ * The label for the key can be (uint / int / tstr) and the value can be of any type. But this class
+ * is confined to support only key and value types which are required for remote key provisioning.
+ * So keys of type (int / uint) and values of type (int / uint / simple / bstr) only are supported.
+ * The structure representing all the sub classes of KMCosePairTagType is as follows:
  * KM_COSE_PAIR_TAG_TYPE(1byte), Length(2 bytes), COSE_PAIR_*_TAG_TYPE(2 bytes), Key(2 bytes),
  * Value(2 bytes). Key can be either KMInteger or KMNInteger and Value can be either KMIntger or
  * KMNinteger or KMSimpleValue or KMByteBlob or KMTextString or KMCoseKey. Each subclass of
@@ -57,15 +56,6 @@ public abstract class KMCosePairTagType extends KMType {
                   KMCose.COSE_ALG_ECDH_ES_HKDF_256,
                   KMCose.COSE_ALG_ES256
                 },
-            // Key operations
-            (Object) new byte[] {0, 0, 0, KMCose.COSE_KEY_KEY_OPS},
-            (Object)
-                new byte[] {
-                  KMCose.COSE_KEY_OP_SIGN,
-                  KMCose.COSE_KEY_OP_VERIFY,
-                  KMCose.COSE_KEY_OP_ENCRYPT,
-                  KMCose.COSE_KEY_OP_DECRYPT
-                },
             // Key Curve
             (Object) new byte[] {0, 0, 0, KMCose.COSE_KEY_CURVE},
             (Object) new byte[] {KMCose.COSE_ECCURVE_256},
diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMDecoder.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMDecoder.java
index e7dc21d..dd05b13 100644
--- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMDecoder.java
+++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMDecoder.java
@@ -240,7 +240,9 @@ public class KMDecoder {
   private short peekCosePairTagType() {
     byte[] buffer = (byte[]) bufferRef[0];
     short startOff = scratchBuf[START_OFFSET];
-    // Cose Key should be always either UINT or Negative int
+    // This decoder is confined to support only key and value types which are required for remote
+    // key provisioning. So keys of type (int / uint) and values of type (int / uint / simple / bstr
+    // / tstr / Cosekey) only are supported.
     if ((buffer[startOff] & MAJOR_TYPE_MASK) != UINT_TYPE
         && (buffer[startOff] & MAJOR_TYPE_MASK) != NEG_INT_TYPE) {
       ISOException.throwIt(ISO7816.SW_DATA_INVALID);
diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
index 427634c..eac55a9 100644
--- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
+++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
@@ -1047,7 +1047,6 @@ public class KMKeymasterApplet extends Applet implements AppletEvent, ExtendedLe
               KMCose.COSE_KEY_TYPE_EC2,
               KMType.INVALID_VALUE,
               alg,
-              KMType.INVALID_VALUE,
               KMCose.COSE_ECCURVE_256)) {
         KMException.throwIt(KMError.STATUS_FAILED);
       }
@@ -1127,7 +1126,6 @@ public class KMKeymasterApplet extends Applet implements AppletEvent, ExtendedLe
             KMInteger.uint_8(KMCose.COSE_KEY_TYPE_EC2),
             KMType.INVALID_VALUE,
             KMNInteger.uint_8(KMCose.COSE_ALG_ES256),
-            KMInteger.uint_8(KMCose.COSE_KEY_OP_VERIFY),
             KMInteger.uint_8(KMCose.COSE_ECCURVE_256),
             scratchPad,
             (short) 0,
diff --git a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java
index ab28cd5..8ba0e2f 100644
--- a/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java
+++ b/ready_se/google/keymint/KM200/Applet/src/com/android/javacard/keymaster/KMRemotelyProvisionedComponentDevice.java
@@ -806,7 +806,6 @@ public class KMRemotelyProvisionedComponentDevice {
             KMCose.COSE_KEY_TYPE_EC2,
             KMType.INVALID_VALUE,
             KMCose.COSE_ALG_ES256,
-            KMType.INVALID_VALUE,
             KMCose.COSE_ECCURVE_256)) {
       KMException.throwIt(KMError.STATUS_FAILED);
     }
@@ -1423,7 +1422,6 @@ public class KMRemotelyProvisionedComponentDevice {
             KMInteger.uint_8(KMCose.COSE_KEY_TYPE_EC2),
             KMType.INVALID_VALUE,
             KMNInteger.uint_8(KMCose.COSE_ALG_ES256),
-            KMType.INVALID_VALUE,
             KMInteger.uint_8(KMCose.COSE_ECCURVE_256),
             data,
             pubKeyIndex,
@@ -1584,7 +1582,6 @@ public class KMRemotelyProvisionedComponentDevice {
             KMInteger.uint_8(KMCose.COSE_KEY_TYPE_EC2),
             KMType.INVALID_VALUE,
             KMNInteger.uint_8(KMCose.COSE_ALG_ES256),
-            KMType.INVALID_VALUE,
             KMInteger.uint_8(KMCose.COSE_ECCURVE_256),
             KMByteBlob.cast(pubKey).getBuffer(),
             KMByteBlob.cast(pubKey).getStartOff(),
author	Treehugger Robot <treehugger-gerrit@google.com>	2023-03-07 17:44:54 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	2023-03-07 17:44:54 +0000
commit	91e742dfbbadde0b56d40afcfb45e6bfff63e620 (patch)
tree	93d97321655f632a20fc52a48757811b63fba50d
parent	98fa81cbdda8f64d0d77bce20f1a37d2fa139059 (diff)
parent	0b90f56a0ab0c3a8ea8b831221cd7571b367b603 (diff)
download	libese-91e742dfbbadde0b56d40afcfb45e6bfff63e620.tar.gz