diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2021-05-27 01:10:33 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2021-05-27 01:10:33 +0000 |
| commit | 076b1850006d3ca383fe07fec46efc3dfac362df (patch) | |
| tree | d4f8862690c9b71e22730df462e4522f4e3a7a9f | |
| parent | 09a3712fc32dc52dcd6e3dd09039dcf483bcd936 (diff) | |
| parent | 0faf82f20f1e7a1d7ee85f1a9a7c89d57c59a0c5 (diff) | |
| download | keymaster-076b1850006d3ca383fe07fec46efc3dfac362df.tar.gz | |
Snap for 7402811 from 0faf82f20f1e7a1d7ee85f1a9a7c89d57c59a0c5 to sc-release
Change-Id: Ib0c6208212fc0a50a0be3b824554a5ad81e1471a
| -rw-r--r-- | Android.bp | 32 | ||||
| -rw-r--r-- | include/keymaster/android_keymaster_utils.h | 2 | ||||
| -rw-r--r-- | include/keymaster/attestation_context.h | 4 | ||||
| -rw-r--r-- | include/keymaster/km_openssl/certificate_utils.h | 4 | ||||
| -rw-r--r-- | km_openssl/certificate_utils.cpp | 46 | ||||
| -rw-r--r-- | ng/include/KeyMintUtils.h | 2 |
6 files changed, 64 insertions, 26 deletions
@@ -369,6 +369,24 @@ cc_library_shared { } cc_library { + name: "lib_android_keymaster_keymint_utils", + vendor_available: true, + srcs: [ + "ng/KeyMintUtils.cpp", + ], + defaults: ["keymaster_defaults"], + shared_libs: [ + "android.hardware.security.keymint-V1-ndk_platform", + "libbase", + "libhardware", + ], + export_include_dirs: [ + "ng/include", + "include", + ], +} + +cc_library { name: "libkeymint", vendor_available: true, srcs: [ @@ -381,21 +399,20 @@ cc_library { "ng/AndroidRemotelyProvisionedComponentDevice.cpp", "ng/AndroidSharedSecret.cpp", "ng/AndroidSecureClock.cpp", - "ng/KeyMintUtils.cpp", ], defaults: ["keymaster_defaults"], shared_libs: [ "libhidlbase", "android.hardware.security.keymint-V1-ndk_platform", - "android.hardware.security.sharedsecret-V1-ndk_platform", "android.hardware.security.secureclock-V1-ndk_platform", + "android.hardware.security.sharedsecret-V1-ndk_platform", + "lib_android_keymaster_keymint_utils", "libbase", "libbinder_ndk", "libcppbor_external", "libcrypto", "libcutils", "libkeymaster_messages", - "libkeymaster_messages", "libkeymaster_portable", "liblog", "libpuresoftkeymasterdevice", @@ -421,15 +438,6 @@ cc_library { ], } -// libkeymasterfiles is an empty library that exports all of the files in keymaster as includes. -cc_library_static { - name: "libkeymasterfiles", - export_include_dirs: [ - ".", - "include", - ], -} - cc_defaults { name: "keymaster_fuzz_defaults", header_libs: ["libhardware_headers"], diff --git a/include/keymaster/android_keymaster_utils.h b/include/keymaster/android_keymaster_utils.h index e96e2a0..b0a4052 100644 --- a/include/keymaster/android_keymaster_utils.h +++ b/include/keymaster/android_keymaster_utils.h @@ -350,7 +350,7 @@ struct CertificateChain : public keymaster_cert_chain_t { // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to GeneralizedTime // 999912312359559, which is 253402300799000 ms from Jan 1, 1970. -constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000; +constexpr int64_t kUndefinedExpirationDateTime = 253402300799000; // A confirmation token is the output of HMAC-SHA256. */ constexpr size_t kConfirmationTokenSize = 32; diff --git a/include/keymaster/attestation_context.h b/include/keymaster/attestation_context.h index 707fbac..6d2887d 100644 --- a/include/keymaster/attestation_context.h +++ b/include/keymaster/attestation_context.h @@ -98,8 +98,8 @@ class AttestationContext { virtual CertificateChain GetAttestationChain(keymaster_algorithm_t algorithm, keymaster_error_t* error) const = 0; - private: - const KmVersion version_; + protected: + KmVersion version_; }; } // namespace keymaster diff --git a/include/keymaster/km_openssl/certificate_utils.h b/include/keymaster/km_openssl/certificate_utils.h index e18a78d..03b9c59 100644 --- a/include/keymaster/km_openssl/certificate_utils.h +++ b/include/keymaster/km_openssl/certificate_utils.h @@ -39,8 +39,8 @@ keymaster_error_t get_common_name(X509_NAME* name, UniquePtr<const char[]>* name struct CertificateCallerParams { BIGNUM_Ptr serial; X509_NAME_Ptr subject_name; - uint64_t active_date_time; - uint64_t expire_date_time; + int64_t active_date_time; // Time since epoch in ms + int64_t expire_date_time; // Time since epoch in ms bool is_signing_key = false; bool is_encryption_key = false; bool is_agreement_key = false; diff --git a/km_openssl/certificate_utils.cpp b/km_openssl/certificate_utils.cpp index 15e2737..d9419c8 100644 --- a/km_openssl/certificate_utils.cpp +++ b/km_openssl/certificate_utils.cpp @@ -24,6 +24,7 @@ #include <keymaster/km_openssl/asymmetric_key.h> #include <keymaster/km_openssl/certificate_utils.h> #include <keymaster/km_openssl/openssl_err.h> +#include <keymaster/logger.h> namespace keymaster { @@ -125,20 +126,49 @@ keymaster_error_t get_certificate_params(const AuthorizationSet& caller_params, } cert_params->serial = move(serial); - if (!caller_params.GetTagValue(TAG_CERTIFICATE_NOT_BEFORE, &cert_params->active_date_time)) { - if (kmVersion >= KmVersion::KEYMINT_1) return KM_ERROR_MISSING_NOT_BEFORE; - cert_params->active_date_time = 0; - } + cert_params->active_date_time = 0; + cert_params->expire_date_time = kUndefinedExpirationDateTime; + + uint64_t tmp; + switch (kmVersion) { + case KmVersion::KEYMASTER_1: + case KmVersion::KEYMASTER_1_1: + case KmVersion::KEYMASTER_2: + case KmVersion::KEYMASTER_3: + case KmVersion::KEYMASTER_4: + case KmVersion::KEYMASTER_4_1: + if (caller_params.GetTagValue(TAG_ACTIVE_DATETIME, &tmp)) { + LOG_D("Using TAG_ACTIVE_DATETIME: %lu", tmp); + cert_params->active_date_time = static_cast<int64_t>(tmp); + } + if (caller_params.GetTagValue(TAG_ORIGINATION_EXPIRE_DATETIME, &tmp)) { + LOG_D("Using TAG_ORIGINATION_EXPIRE_DATETIME: %lu", tmp); + cert_params->expire_date_time = static_cast<int64_t>(tmp); + } + break; + + case KmVersion::KEYMINT_1: + if (!caller_params.GetTagValue(TAG_CERTIFICATE_NOT_BEFORE, &tmp)) { + return KM_ERROR_MISSING_NOT_BEFORE; + } + LOG_D("Using TAG_CERTIFICATE_NOT_BEFORE: %lu", tmp); + cert_params->active_date_time = static_cast<int64_t>(tmp); - if (!caller_params.GetTagValue(TAG_CERTIFICATE_NOT_AFTER, &cert_params->expire_date_time)) { - if (kmVersion >= KmVersion::KEYMINT_1) return KM_ERROR_MISSING_NOT_AFTER; - cert_params->expire_date_time = kUndefinedExpirationDateTime; + if (!caller_params.GetTagValue(TAG_CERTIFICATE_NOT_AFTER, &tmp)) { + return KM_ERROR_MISSING_NOT_AFTER; + } + LOG_D("Using TAG_CERTIFICATE_NOT_AFTER: %lu", tmp); + cert_params->expire_date_time = static_cast<int64_t>(tmp); } + LOG_D("Got certificate date params: NotBefore = %ld, NotAfter = %ld", + cert_params->active_date_time, cert_params->expire_date_time); + keymaster_blob_t subject{}; if (caller_params.GetTagValue(TAG_CERTIFICATE_SUBJECT, &subject) && subject.data_length) { return make_name_from_der(subject, &cert_params->subject_name); } + return make_name_from_str(kDefaultSubject, &cert_params->subject_name); } @@ -246,6 +276,7 @@ keymaster_error_t make_cert_rump(const X509_NAME* issuer, // Set activation date. ASN1_TIME_Ptr notBefore(ASN1_TIME_new()); + LOG_D("Setting notBefore to %ld: ", cert_params.active_date_time / 1000); time_t notBeforeTime = static_cast<time_t>(cert_params.active_date_time / 1000); if (!notBefore.get() || !ASN1_TIME_set(notBefore.get(), notBeforeTime) || !X509_set_notBefore(certificate.get(), notBefore.get() /* Don't release; copied */)) { @@ -254,6 +285,7 @@ keymaster_error_t make_cert_rump(const X509_NAME* issuer, // Set expiration date. ASN1_TIME_Ptr notAfter(ASN1_TIME_new()); + LOG_D("Setting notAfter to %ld: ", cert_params.expire_date_time / 1000); time_t notAfterTime = static_cast<time_t>(cert_params.expire_date_time / 1000); if (!notAfter.get() || !ASN1_TIME_set(notAfter.get(), notAfterTime) || diff --git a/ng/include/KeyMintUtils.h b/ng/include/KeyMintUtils.h index 3699d73..6e232e1 100644 --- a/ng/include/KeyMintUtils.h +++ b/ng/include/KeyMintUtils.h @@ -16,8 +16,6 @@ #pragma once -#include <log/log.h> - #include <aidl/android/hardware/security/keymint/Certificate.h> #include <aidl/android/hardware/security/keymint/HardwareAuthToken.h> #include <aidl/android/hardware/security/keymint/HardwareAuthenticatorType.h> |