From 7ea97a310a4b95cbd92d001a330a65fc69c96ff6 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Fri, 2 Sep 2022 10:08:40 +0100 Subject: [PATCH] KeyMint HAL: reinstate tags in extension schema Commit 93c72cef924e ("KeyMint: sync all attestation tags", http://aosp/1719302) removed various tags from the attestation that are only applicable to symmetric keys, on the assumption that these are irrelevant for the attestation extension that is generated for the certificate holding asymmetric public keys. However, that change did not take into account the fact that the AuthorizationList ASN.1 schema is re-used elsewhere in the KeyMint API, specifically as a way of describing the characteristics associated with a key that is being securely imported via IKeyMintDevice::importWrappedKey. That import process may be used for symmetrics keys, and so the tags that are specific to symmetric keys still need to be included in AuthorizationList. Similarly, USER_SECURE_ID values are never included in attestation extensions because they have no meaning off-device, but they may be needed as part of the import of a wrapped key. Test: TreeHugger, comment change only Bug: 244693617 Change-Id: Iaa941e120e3641a6e6c369b7c6a51f10b44df78a --- .../hardware/security/keymint/KeyCreationResult.aidl | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl index ae755791f6..4c2be89195 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl @@ -158,12 +158,23 @@ parcelable KeyCreationResult { * Failed (3), * } * + * -- Note that the AuthorizationList SEQUENCE is also used in IKeyMintDevice::importWrappedKey + * -- as a way of describing the authorizations associated with a key that is being securely + * -- imported. As such, it includes the ability to describe tags that are only relevant for + * -- symmetric keys, and which will never appear in the attestation extension of an X.509 + * -- certificate that holds the public key part of an asymmetric keypair. Importing a wrapped + * -- key also allows the use of Tag::USER_SECURE_ID, which is never included in an attestation + * -- extension because it has no meaning off-device. + * * AuthorizationList ::= SEQUENCE { * purpose [1] EXPLICIT SET OF INTEGER OPTIONAL, * algorithm [2] EXPLICIT INTEGER OPTIONAL, * keySize [3] EXPLICIT INTEGER OPTIONAL, + * blockMode [4] EXPLICIT SET OF INTEGER OPTIONAL, -- symmetric only * digest [5] EXPLICIT SET OF INTEGER OPTIONAL, * padding [6] EXPLICIT SET OF INTEGER OPTIONAL, + * callerNonce [7] EXPLICIT NULL OPTIONAL, -- symmetric only + * minMacLength [8] EXPLICIT INTEGER OPTIONAL, -- symmetric only * ecCurve [10] EXPLICIT INTEGER OPTIONAL, * rsaPublicExponent [200] EXPLICIT INTEGER OPTIONAL, * mgfDigest [203] EXPLICIT SET OF INTEGER OPTIONAL, @@ -173,6 +184,7 @@ parcelable KeyCreationResult { * originationExpireDateTime [401] EXPLICIT INTEGER OPTIONAL, * usageExpireDateTime [402] EXPLICIT INTEGER OPTIONAL, * usageCountLimit [405] EXPLICIT INTEGER OPTIONAL, + * userSecureId [502] EXPLICIT INTEGER OPTIONAL, -- only used on import * noAuthRequired [503] EXPLICIT NULL OPTIONAL, * userAuthType [504] EXPLICIT INTEGER OPTIONAL, * authTimeout [505] EXPLICIT INTEGER OPTIONAL,