Applet fixes

Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEProvider.java

@@ -100,7 +100,7 @@ public class KMAndroidSEProvider implements KMSEProvider {
           (byte) 0x25, (byte) 0x51 };
   static final short secp256r1_H = 1;
   // --------------------------------------------------------------
-  public static final short AES_GCM_TAG_LENGTH = 12;
+  public static final short AES_GCM_TAG_LENGTH = 16;
   public static final short AES_GCM_NONCE_LENGTH = 12;
   public static final byte KEYSIZE_128_OFFSET = 0x00;
   public static final byte KEYSIZE_256_OFFSET = 0x01;
@@ -608,7 +608,7 @@ public short aesGCMEncrypt(byte[] aesKey, short aesKeyStart, short aesKeyLen,
       short authTagStart, short authTagLen) {
 
     if (authTagLen != AES_GCM_TAG_LENGTH) {
-      KMException.throwIt(KMError.UNKNOWN_ERROR);
+      CryptoException.throwIt(CryptoException.ILLEGAL_VALUE);
     }
     if (nonceLen != AES_GCM_NONCE_LENGTH) {
       CryptoException.throwIt(CryptoException.ILLEGAL_VALUE);
@@ -1115,18 +1115,6 @@ public KMAttestationCert getAttestationCert(boolean rsaCert) {
     return KMAttestationCertImpl.instance(rsaCert);
   }
 
-  @Override
-  public short aesCCMSign(byte[] bufIn, short bufInStart, short buffInLength,
-      byte[] masterKeySecret, short masterKeyStart, short masterKeyLen,
-      byte[] bufOut, short bufStart) {
-    if (masterKeyLen > 16) {
-      return -1;
-    }
-    aesKeys[KEYSIZE_128_OFFSET].setKey(masterKeySecret, (short) masterKeyStart);
-    kdf.init(aesKeys[KEYSIZE_128_OFFSET], Signature.MODE_SIGN);
-    return kdf.sign(bufIn, bufInStart, buffInLength, bufOut, bufStart);
-  }
-
   @Override
   public short cmacKdf(byte[] keyMaterial, short keyMaterialStart,
       short keyMaterialLen, byte[] label, short labelStart, short labelLen,
@@ -1155,6 +1143,9 @@ public void persistPartialCertificateChain(byte[] buf, short offset, short len,
     // Next single byte holds the array header.
     // Next 3 bytes holds the Byte array header with the cert1 length.
     // Next 3 bytes holds the Byte array header with the cert2 length.
+    if (totalLen > CERT_CHAIN_MAX_SIZE) {
+      KMException.throwIt(KMError.INVALID_INPUT_LENGTH);
+    }
     short persistedLen = Util.getShort(certificateChain, (short) 0);
     if (persistedLen > totalLen) {
       KMException.throwIt(KMError.INVALID_INPUT_LENGTH);

Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java

@@ -30,8 +30,6 @@ public class KMAttestationCertImpl implements KMAttestationCert {
   private static final byte[] androidExtn = {
     0x06, 0x0A, 0X2B, 0X06, 0X01, 0X04, 0X01, (byte) 0XD6, 0X79, 0X02, 0X01, 0X11
   };
-  // Authority Key Identifier Extn - 2.5.29.35
-  private static final byte[] authKeyIdExtn = {0x06, 0x03, 0X55, 0X1D, 0X23};
 
   private static final short ECDSA_MAX_SIG_LEN = 72;
   //Signature algorithm identifier - always ecdsaWithSha256 - 1.2.840.10045.4.3.2
@@ -95,7 +93,6 @@ public class KMAttestationCertImpl implements KMAttestationCert {
   private static short verifiedBootKey;
   private static byte verifiedState;
   private static short verifiedHash;
-  private static short authKey;
   private static short issuer;
   private static short signPriv;
 
@@ -138,7 +135,6 @@ private static void init() {
     verifiedState = 0;
     rsaCert = true;
     deviceLocked = 0;
-    authKey = 0;
     signPriv = 0;
   }
 
@@ -148,12 +144,6 @@ public KMAttestationCert verifiedBootHash(short obj) {
     return this;
   }
 
-  @Override
-  public KMAttestationCert authKey(short obj) {
-    authKey = obj;
-    return this;
-  }
-
   @Override
   public KMAttestationCert verifiedBootKey(short obj) {
     verifiedBootKey = obj;
@@ -259,46 +249,6 @@ private void createKeyUsage(short tag) {
     }
   }
 
-  private static void encodeCert(
-      short buf,
-      short keyChar,
-      short uniqueId,
-      short notBefore,
-      short notAfter,
-      short pubKey,
-      short attChallenge,
-      short attAppId,
-      boolean rsaCert) {
-    init();
-    stack = KMByteBlob.cast(buf).getBuffer();
-    start = KMByteBlob.cast(buf).getStartOff();
-    length = KMByteBlob.cast(buf).length();
-    stackPtr = (short) (start + length);
-    /*    KMAttestationCertImpl.attChallenge = attChallenge;
-       KMAttestationCertImpl.attAppId = attAppId;
-       KMAttestationCertImpl.hwParams = KMKeyCharacteristics.cast(keyChar).getHardwareEnforced();
-       KMAttestationCertImpl.swParams = KMKeyCharacteristics.cast(keyChar).getSoftwareEnforced();
-       KMAttestationCertImpl.notBefore = notBefore;
-       KMAttestationCertImpl.notAfter = notAfter;
-       KMAttestationCertImpl.pubKey = pubKey;
-       KMAttestationCertImpl.uniqueId = uniqueId;
-
-    */
-    short last = stackPtr;
-    decrementStackPtr((short) 256);
-    signatureOffset = stackPtr;
-    pushBitStringHeader((byte) 0, (short) (last - stackPtr));
-    // signatureOffset = pushSignature(null, (short) 0, (short) 256);
-    pushAlgorithmId(X509SignAlgIdentifier);
-    tbsLength = stackPtr;
-    pushTbsCert(rsaCert);
-    tbsOffset = stackPtr;
-    tbsLength = (short) (tbsLength - tbsOffset);
-    pushSequenceHeader((short) (last - stackPtr));
-    // print(stack, stackPtr, (short)(last - stackPtr));
-    certStart = stackPtr;
-  }
-
   private static void pushTbsCert(boolean rsaCert) {
     short last = stackPtr;
     pushExtensions();
@@ -335,7 +285,6 @@ private static void pushExtensions() {
     short last = stackPtr;
     //    byte keyusage = 0;
     //    byte unusedBits = 8;
-    pushAuthKeyId();
     /*
     if (KMEnumArrayTag.contains(KMType.PURPOSE, KMType.SIGN, hwParams)) {
       keyusage = (byte) (keyusage | keyUsageSign);
@@ -480,27 +429,21 @@ private static void pushKeyDescription() {
 
   private static void pushSWParams() {
     short last = stackPtr;
-    // ATTESTATION_APPLICATION_ID 709 is softwareEnforced.
+    // Below are the allowed softwareEnforced Authorization tags inside the attestation certificate's extension.
     short[] tagIds = {
             KMType.ATTESTATION_APPLICATION_ID, KMType.CREATION_DATETIME,
             KMType.USAGE_EXPIRE_DATETIME, KMType.ORIGINATION_EXPIRE_DATETIME,
             KMType.ACTIVE_DATETIME, KMType.UNLOCKED_DEVICE_REQUIRED };
     byte index = 0;
     do {
-      /*
-       if(tagIds[index] == KMType.ATTESTATION_APPLICATION_ID) {
-      pushAttIds(tagIds[index]);
-      continue;
-       }
-        */
       pushParams(swParams, swParamsIndex, tagIds[index]);
     } while (++index < tagIds.length);
     pushSequenceHeader((short) (last - stackPtr));
   }
 
   private static void pushHWParams() {
     short last = stackPtr;
-    // Attestation ids are not included. As per VTS attestation ids are not supported currenlty.
+    // Below are the allowed hardwareEnforced Authorization tags inside the attestation certificate's extension.
     short[] tagIds = {
             KMType.BOOT_PATCH_LEVEL, KMType.VENDOR_PATCH_LEVEL,
             KMType.OS_PATCH_LEVEL, KMType.OS_VERSION, KMType.ROOT_OF_TRUST,
@@ -511,9 +454,9 @@ private static void pushHWParams() {
             KMType.ROLLBACK_RESISTANCE, KMType.RSA_PUBLIC_EXPONENT,
             KMType.ECCURVE, KMType.PADDING, KMType.DIGEST, KMType.KEYSIZE,
             KMType.ALGORITHM, KMType.PURPOSE };
+
     byte index = 0;
     do {
-      // if(pushAttIds(tagIds[index])) continue;
       if (tagIds[index] == KMType.ROOT_OF_TRUST) {
         pushRoT();
         continue;
@@ -600,7 +543,6 @@ private static void pushTag(short tag) {
   //      }
   private static void pushRoT() {
     short last = stackPtr;
-    byte val = 0x00;
     // verified boot hash
     // pushOctetString(repo.verifiedBootHash, (short) 0, (short) repo.verifiedBootHash.length);
     pushOctetString(
@@ -764,39 +706,10 @@ private static void pushKeyUsage(byte keyUsage, byte unusedBits) {
     pushSequenceHeader((short) (last - stackPtr));
   }
 
-  // SEQUENCE {ObjId, OCTET STRING{SEQUENCE{[0]keyIdentifier}}}
-  private static void pushAuthKeyId() {
-    short last = stackPtr;
-    // if (repo.getAuthKeyId() == 0) return;
-    if (authKey == 0) return;
-
-    pushKeyIdentifier(
-        KMByteBlob.cast(authKey).getBuffer(),
-        KMByteBlob.cast(authKey).getStartOff(),
-        KMByteBlob.cast(authKey).length());
-    pushSequenceHeader((short) (last - stackPtr));
-    pushOctetStringHeader((short) (last - stackPtr));
-    pushBytes(authKeyIdExtn, (short) 0, (short) authKeyIdExtn.length); // ObjId
-    pushSequenceHeader((short) (last - stackPtr));
-  }
-
-  private static void pushKeyIdentifier(byte[] buf, short start, short len) {
-    pushBytes(buf, start, len); // keyIdentifier
-    pushLength(len); // len
-    pushByte((byte) 0x80); // Context specific tag [0]
-  }
-
   private static void pushAlgorithmId(byte[] algId) {
     pushBytes(algId, (short) 0, (short) algId.length);
   }
 
-  private static short pushSignature(byte[] buf, short start, short len) {
-    pushBytes(buf, start, len);
-    short signatureOff = stackPtr;
-    pushBitStringHeader((byte) 0, len);
-    return signatureOff;
-  }
-
   private static void pushIntegerHeader(short len) {
     pushLength(len);
     pushByte((byte) 0x02);

Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMOperationImpl.java

@@ -161,6 +161,12 @@ public short finish(byte[] inputDataBuf, short inputDataStart,
           // padding byte always should be <= block size
           if ((short) paddingByte > blkSize || (short) paddingByte <= 0)
             KMException.throwIt(KMError.INVALID_ARGUMENT);
+
+          for(short j = 1; j <= paddingByte; ++j) {
+            if (outputDataBuf[(short) (outputDataStart + len - j)] != paddingByte) {
+              KMException.throwIt(KMError.INVALID_ARGUMENT);
+            }
+          }          
           len = (short) (len - (short) paddingByte);// remove the padding bytes
         }
       } else if (cipherAlg == KMType.AES && blockMode == KMType.GCM) {

Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMUtils.java

@@ -13,23 +13,23 @@ public class KMUtils {
   public static final byte[] oneDayMsec = {
           0, 0, 0, 0, 0x05, 0x26, 0x5C, 0x00 }; // 86400000 msec
   public static final byte[] oneMonthMsec = {
-          0, 0, 0, 0, (byte) 0x9A, 0x7E, (byte) 0xC8, 0x00 }; // 2592000000 msec
+          0, 0, 0, 0, (byte) 0x9C,(byte) 0xBE, (byte) 0xBD, 0x50}; // 2629746000 msec
   public static final byte[] oneYearMsec = {
-          0, 0, 0, 0x07, 0x57, (byte) 0xB1, 0x2C, 0x00 }; // 31536000000 msec
+          0, 0, 0, 0x75, (byte) 0x8F, 0x0D, (byte) 0xFC, 0x00 }; // 31556952000 msec
   // Leap year + 3 yrs
   public static final byte[] fourYrsMsec = {
-          0, 0, 0, 0x1D, 0x63, (byte) 0xEB, 0x0C, 0x00 }; // 126230400000 msec
+          0, 0, 0, 0x1D, 0x63, (byte) 0xC3, 0x7F, 0x00 }; // 126227808000 msec
   public static final byte[] firstJan2020 = {
-          0, 0, 0x01, 0x6F, 0x60, 0x1E, 0x5C, 0x00 }; // 1577865600000 msec
+    0, 0, 0x01, 0x6F, 0x5E, 0x66, (byte)0xE8, 0x00 }; // 1577836800000 msec
   public static final byte[] firstJan2051 = {
-          0, 0, 0x02, 0x53, 0x27, (byte) 0xC5, (byte) 0x90, 0x00 }; // 2556172800000
+          0, 0, 0x02, 0x53, 0x26, (byte) 0x0E, (byte) 0x1C, 0x00 }; // 2556144000000
                                                                     // msec
 
   // --------------------------------------
   public static short convertToDate(short time, byte[] scratchPad,
           boolean utcFlag) {
     short yrsCount = 0;
-    short monthCount = 0;
+    short monthCount = 1;
     short dayCount = 0;
     short hhCount = 0;
     short mmCount = 0;
@@ -102,6 +102,7 @@ public static short convertToDate(short time, byte[] scratchPad,
       Util.arrayCopyNonAtomic(oneMonthMsec, (short) 0, scratchPad, (short) 8,
               (short) 8);
       monthCount = divide(scratchPad, (short) 0, (short) 8, (short) 16);
+      monthCount++;
       Util.arrayCopyNonAtomic(scratchPad, (short) 16, scratchPad, (short) 0,
               (short) 8);
     }