- Make clear that CERTIFICATE_NOT_{BEFORE,AFTER} must be specified for
generating/importing asymmetric keys.
- Fix enforcement level of Tag::UNLOCKED_DEVICE_REQUIRED.
- Fix reference to exportKey() for Tag::STORAGE_KEY to mention
convertStorageKeyToEphemeral instead.
- Mark Tag::CONFIRMATION_TOKEN as deprecated.
Test: none, comment change
Bug: 188672564
Change-Id: I68727b024f6b6743403941763aefca64e3eb091a
Include a unit test to verify the GEEK cert chain is valid.
Test: libkeymint_remote_prov_support_test
Bug: 191301285
Change-Id: Icf9cfa165fbccb24b36b03ff3ce729a7e9c44cfd
Merged-In: Icf9cfa165fbccb24b36b03ff3ce729a7e9c44cfd
This functionality will be used for the factory tooling, so we should
test it. Additionally, some new functionality will soon be added, and
it also needs to be tested.
Test: libkeymint_remote_prov_support_test
Bug: 191301285
Change-Id: I6a8798fc4b09fff1e829185a4b9e471921e5d2a9
Merged-In: I6a8798fc4b09fff1e829185a4b9e471921e5d2a9
It's possible that corrupted ciphertext decrypts just fine. e.g. the
output ends with "0x01".
However, the chances of this happening are relatively low
(roughly 1/256). Corrupt the ciphertext up to 8 times, ensuring that
the likelihood of multiple successful decryptions is so miniscule that
it's effectively impossible.
Test: Ran *PaddingCorrupted tests 50000 times
Change-Id: If40ecd7817819921c020ea9b86ada18c4c77ea55
Include a unit test to verify the GEEK cert chain is valid.
Test: libkeymint_remote_prov_support_test
Ignore-AOSP-First: No merge path to aosp, will manually merge
Bug: 191301285
Change-Id: Icf9cfa165fbccb24b36b03ff3ce729a7e9c44cfd
This flag is never used anywhere, so just remove it. When used, it would
bypass signature checks. This is something we generally don't want to
do, even in testing. So remove the flag so there's no temptation to use
it.
Bug: 190942528
Test: VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I0433c1eedc08e9a5a5ad71347154867dba61689e
Merged-In: I0433c1eedc08e9a5a5ad71347154867dba61689e
This functionality will be used for the factory tooling, so we should
test it. Additionally, some new functionality will soon be added, and
it also needs to be tested.
Ignore-AOSP-First: No merge path to aosp, will manually merge
Test: libkeymint_remote_prov_support_test
Bug: 191301285
Change-Id: I6a8798fc4b09fff1e829185a4b9e471921e5d2a9
The KeyMint AIDL spec requires that "Tag::EC_CURVE must be provided to
generate an ECDSA key". Move the VTS tests to always create ECDSA keys
by curve not key size.
Bug: 188672564
Test: VtsAidlKeyMintTargetTest
Merged-In: I33036387c243b21ab0ecd49221b7e7757598913e
Change-Id: I33036387c243b21ab0ecd49221b7e7757598913e
Ignore-AOSP-First: already merged in aosp/master
Try all tags in attestion extension one by one
Test: VtsAidlKeyMintTargetTest on CF
Bug: 186735514
Merged-In: I63ca8d298d2d16f707f2437ab48aaa69c1d7563d
Change-Id: I63ca8d298d2d16f707f2437ab48aaa69c1d7563d
Ignore-AOSP-First: already merged in aosp/master
The KeyMint AIDL spec requires that "Tag::EC_CURVE must be provided to
generate an ECDSA key". Move the VTS tests to always create ECDSA keys
by curve not key size.
Bug: 188672564
Test: VtsAidlKeyMintTargetTest
Change-Id: I33036387c243b21ab0ecd49221b7e7757598913e
Remove TODOs from the KeyMint specification that were not concrete
enough or did not have enough context to act upon.
Bug: 183737811
Test: That it compiles.
Change-Id: I01899be5e65e9943053aa796a2ab23f1a783a1aa
Makes the AIDL (and its dependencies) available to allow client code
to build against it.
Fixes: 190995136
Test: Client code (in progress) builds.
Change-Id: I06e7486463bca93ed25377c0dca30484a6bbf656
Try all tags in attestion extension one by one
Test: VtsAidlKeyMintTargetTest on CF
Bug: 186735514
Change-Id: I63ca8d298d2d16f707f2437ab48aaa69c1d7563d
This flag is never used anywhere, so just remove it. When used, it would
bypass signature checks. This is something we generally don't want to
do, even in testing. So remove the flag so there's no temptation to use
it.
Ignore-AOSP-First: Will cherry-pick to AOSP
Bug: 190942528
Test: VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I0433c1eedc08e9a5a5ad71347154867dba61689e
Check that the various ATTESTATION_ID_* tags are included if they
have the correct value, and that keygen fails if they have an invalid
value.
Also update attestation tags to include vendor/boot patchlevel if
they're available. (They always should be, but fixing that is a
separate task.)
Bug: 190757200
Test: VtsAidlKeyMintTargetTest
Merged-In: Ibaed7364c6d08c0982e2a9fb6cb864ae42cf39fe
Change-Id: Ibaed7364c6d08c0982e2a9fb6cb864ae42cf39fe
Check that the various ATTESTATION_ID_* tags are included if they
have the correct value, and that keygen fails if they have an invalid
value.
Also update attestation tags to include vendor/boot patchlevel if
they're available. (They always should be, but fixing that is a
separate task.)
Bug: 190757200
Test: VtsAidlKeyMintTargetTest
Change-Id: Ibaed7364c6d08c0982e2a9fb6cb864ae42cf39fe
Improve the documentation and tests related to device-unique
attestation on StrongBox KeyMint devices:
* Test that the chain produced is exactly of length 2.
* Document how the chain needs to be structured.
* Explain the trust properties of the key used for the
self-signed root.
Test: atest VtsAidlKeyMintTargetTest
Bug: 187803288
Ignore-AOSP-First: Already merged in AOSP
Merged-In: I09bb16d6938b567c114485d2df00bde9d3e1ccf9
Change-Id: Ib7efdd428ce5a2e14c281077e3a77048c9721702
Now that the aidl compiler supports it, use constants from TagType to
indicate the type of each tag, rather than duplicating the values of
the constants.
Test: atest VtsAidlKeyMintTargetTest
Bug: 183737811
Change-Id: Ie8af1f00d04fa05c59cfc72692caecbcf2fae483
The vendor patchlevel is YYYYMMDD not YYYYMM
Bug: 188672564
Bug: 186735514
Test: VtsAidlKeyMintTargetTest
Change-Id: Ia641f8eef84a85aec8f2a0551c192b6874301126
