Key{Master,Mint}: stricter parameter checking
- reject more than 2KiB of entropy (both KeyMaster and KeyMint AIDL specs
require >2KiB to be rejected; the KeyMint VTS test now checks this)
- check that HMAC length is a multiple of 8
- check that an attestation challenge is provided whenever an attestation
key is included
- in KeyMint mode, strip out any locally-generated CREATION_DATETIME
tag (but return any value that came from the request)
- allow EARLY_BOOT key creation but not import
Bug: 188672564
Test: VtsAidlKeyMintTargetTest
Merged-In: I77bcc13cbf096a531d13f85a94d19a16cb812a43
Change-Id: I77bcc13cbf096a531d13f85a94d19a16cb812a43
diff --git a/ng/AndroidKeyMintDevice.cpp b/ng/AndroidKeyMintDevice.cpp
index 5d1d4e9..3d349bc 100644
--- a/ng/AndroidKeyMintDevice.cpp
+++ b/ng/AndroidKeyMintDevice.cpp
@@ -44,6 +44,7 @@
namespace {
vector<KeyCharacteristics> convertKeyCharacteristics(SecurityLevel keyMintSecurityLevel,
+ const AuthorizationSet& requestParams,
const AuthorizationSet& sw_enforced,
const AuthorizationSet& hw_enforced) {
KeyCharacteristics keyMintEnforced{keyMintSecurityLevel, {}};
@@ -83,8 +84,14 @@
case KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED:
break;
- /* Unenforceable */
+ /* Keystore-enforced if not locally generated. */
case KM_TAG_CREATION_DATETIME:
+ // A KeyMaster implementation is required to add this tag to generated/imported keys.
+ // A KeyMint implementation is not required to create this tag, only to echo it back if
+ // it was included in the key generation/import request.
+ if (requestParams.Contains(KM_TAG_CREATION_DATETIME)) {
+ keystoreEnforced.authorizations.push_back(kmParam2Aidl(entry));
+ }
break;
/* Disallowed in KeyCharacteristics */
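Review bot: The guard at `if (requestParams.Contains(KM_TAG_CREATION_DATETIME))` only checks that the request carried the tag, but the value it then pushes, `kmParam2Aidl(entry)`, comes from the enforced set being iterated — the response, not the request, as far as the hunk shows — so if the underlying KeyMaster core ever rewrites that value the returned characteristics would not echo what the caller supplied, contrary to the comment added just above. Presumably the core copies the request's value through unchanged; if so, a one-line comment beside the push stating that assumption would do, otherwise look the tag up in `requestParams` and push that entry rather than `entry`. It is also worth confirming that the third call site at the bottom of the page passes `request.additional_params` on purpose, since a CREATION_DATETIME carried inside a wrapped key's own description would not be visible to this guard. The enclosing switch and convertKeyCharacteristics continue outside the hunk.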
@@ -254,8 +261,8 @@
}
creationResult->keyBlob = kmBlob2vector(response.key_blob);
- creationResult->keyCharacteristics =
- convertKeyCharacteristics(securityLevel_, response.unenforced, response.enforced);
+ creationResult->keyCharacteristics = convertKeyCharacteristics(
+ securityLevel_, request.key_description, response.unenforced, response.enforced);
creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
return ScopedAStatus::ok();
}
@@ -285,8 +292,8 @@
}
creationResult->keyBlob = kmBlob2vector(response.key_blob);
- creationResult->keyCharacteristics =
- convertKeyCharacteristics(securityLevel_, response.unenforced, response.enforced);
+ creationResult->keyCharacteristics = convertKeyCharacteristics(
+ securityLevel_, request.key_description, response.unenforced, response.enforced);
creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
return ScopedAStatus::ok();
@@ -316,8 +323,8 @@
}
creationResult->keyBlob = kmBlob2vector(response.key_blob);
- creationResult->keyCharacteristics =
- convertKeyCharacteristics(securityLevel_, response.unenforced, response.enforced);
+ creationResult->keyCharacteristics = convertKeyCharacteristics(
+ securityLevel_, request.additional_params, response.unenforced, response.enforced);
creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
return ScopedAStatus::ok();