From 8b5f05177d5132e44ed1f4f28c9e885cde8da3dc Mon Sep 17 00:00:00 2001
From: bvenkatswarlu <venki.manikanta@gmail.com>
Date: Fri, 25 Jun 2021 21:34:37 +0530
Subject: [PATCH 1/7] Fix for attestation failures in VTS.

---
 .../keymaster/KMAttestationCertImpl.java      | 17 ++++----
 .../keymaster/KMAttestationCertImpl.java      | 17 ++++----
 .../javacard/keymaster/KMKeymasterApplet.java | 39 +++++++++++++++++--
 3 files changed, 56 insertions(+), 17 deletions(-)

diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
index 1e3eae79..9eb24246 100644
--- a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
+++ b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
@@ -463,13 +463,16 @@ private static void pushHWParams() {
     short[] tagIds = {
         KMType.BOOT_PATCH_LEVEL, KMType.VENDOR_PATCH_LEVEL,
         KMType.OS_PATCH_LEVEL, KMType.OS_VERSION, KMType.ROOT_OF_TRUST,
-        KMType.ORIGIN, KMType.APPLICATION_ID,
-        KMType.TRUSTED_CONFIRMATION_REQUIRED,
-        KMType.TRUSTED_USER_PRESENCE_REQUIRED, KMType.ALLOW_WHILE_ON_BODY,
-        KMType.AUTH_TIMEOUT, KMType.USER_AUTH_TYPE, KMType.NO_AUTH_REQUIRED,
-        KMType.ROLLBACK_RESISTANCE, KMType.RSA_PUBLIC_EXPONENT,
-        KMType.ECCURVE, KMType.PADDING, KMType.DIGEST, KMType.KEYSIZE,
-        KMType.ALGORITHM, KMType.PURPOSE};
+        KMType.ORIGIN, KMType.AUTH_TIMEOUT, KMType.USER_AUTH_TYPE,
+        KMType.NO_AUTH_REQUIRED, KMType.ROLLBACK_RESISTANCE,
+        KMType.RSA_PUBLIC_EXPONENT, KMType.ECCURVE, KMType.PADDING,
+        KMType.DIGEST, KMType.KEYSIZE, KMType.ALGORITHM, KMType.PURPOSE,
+        KMType.BLOCK_MODE, KMType.CALLER_NONCE, KMType.MIN_MAC_LENGTH,
+        KMType.USER_SECURE_ID, KMType.ATTESTATION_ID_BRAND,
+        KMType.ATTESTATION_ID_DEVICE, KMType.ATTESTATION_ID_IMEI,
+        KMType.ATTESTATION_ID_MANUFACTURER, KMType.ATTESTATION_ID_MEID,
+        KMType.ATTESTATION_ID_MODEL, KMType.ATTESTATION_ID_PRODUCT,
+        KMType.ATTESTATION_ID_SERIAL};
 
     byte index = 0;
     do {
diff --git a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
index 37e67d1c..ca8f86b8 100644
--- a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
+++ b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
@@ -457,13 +457,16 @@ private static void pushHWParams() {
     short[] tagIds = {
         KMType.BOOT_PATCH_LEVEL, KMType.VENDOR_PATCH_LEVEL,
         KMType.OS_PATCH_LEVEL, KMType.OS_VERSION, KMType.ROOT_OF_TRUST,
-        KMType.ORIGIN, KMType.APPLICATION_ID,
-        KMType.TRUSTED_CONFIRMATION_REQUIRED,
-        KMType.TRUSTED_USER_PRESENCE_REQUIRED, KMType.ALLOW_WHILE_ON_BODY,
-        KMType.AUTH_TIMEOUT, KMType.USER_AUTH_TYPE, KMType.NO_AUTH_REQUIRED,
-        KMType.ROLLBACK_RESISTANCE, KMType.RSA_PUBLIC_EXPONENT,
-        KMType.ECCURVE, KMType.PADDING, KMType.DIGEST, KMType.KEYSIZE,
-        KMType.ALGORITHM, KMType.PURPOSE};
+        KMType.ORIGIN, KMType.AUTH_TIMEOUT, KMType.USER_AUTH_TYPE,
+        KMType.NO_AUTH_REQUIRED, KMType.ROLLBACK_RESISTANCE,
+        KMType.RSA_PUBLIC_EXPONENT, KMType.ECCURVE, KMType.PADDING,
+        KMType.DIGEST, KMType.KEYSIZE, KMType.ALGORITHM, KMType.PURPOSE,
+        KMType.BLOCK_MODE, KMType.CALLER_NONCE, KMType.MIN_MAC_LENGTH,
+        KMType.USER_SECURE_ID, KMType.ATTESTATION_ID_BRAND,
+        KMType.ATTESTATION_ID_DEVICE, KMType.ATTESTATION_ID_IMEI,
+        KMType.ATTESTATION_ID_MANUFACTURER, KMType.ATTESTATION_ID_MEID,
+        KMType.ATTESTATION_ID_MODEL, KMType.ATTESTATION_ID_PRODUCT,
+        KMType.ATTESTATION_ID_SERIAL};
 
     byte index = 0;
     do {
diff --git a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
index 6566dd55..101ae9f9 100644
--- a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
+++ b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
@@ -1512,6 +1512,19 @@ private void processAttestKeyCmd(APDU apdu) {
     sendOutgoing(apdu);
   }
 
+  private boolean isEmpty(byte[] buf, short offset, short len) {
+    boolean empty = true;
+    short index = 0;
+    while (index < len) {
+      if (buf[index] != 0) {
+        empty = false;
+        break;
+      }
+      index++;
+    }
+    return empty;
+  }
+
   // --------------------------------
   private void addAttestationIds(KMAttestationCert cert) {
     final short[] attTags =
@@ -1527,10 +1540,30 @@ private void addAttestationIds(KMAttestationCert cert) {
         };
     byte index = 0;
     short attIdTag;
+    short attIdTagValue;
+    short storedAttId;
     while (index < (short) attTags.length) {
-      attIdTag = repository.getAttId(mapToAttId(attTags[index]));
-      if (attIdTag != 0) {
-        attIdTag = KMByteTag.instance(attTags[index], attIdTag);
+      attIdTag = KMKeyParameters.findTag(KMType.BYTES_TAG, attTags[index], data[KEY_PARAMETERS]);
+      if (attIdTag != KMType.INVALID_VALUE) {
+        attIdTagValue = KMByteTag.cast(attIdTag).getValue();
+        storedAttId = repository.getAttId(mapToAttId(attTags[index]));
+        // Return CANNOT_ATTEST_IDS if Attestation IDs are not provisioned or
+        // Attestation IDs are deleted.
+        if (storedAttId == 0 ||
+            isEmpty(KMByteBlob.cast(storedAttId).getBuffer(),
+                    KMByteBlob.cast(storedAttId).getStartOff(),
+                    KMByteBlob.cast(storedAttId).length())) {
+          KMException.throwIt(KMError.CANNOT_ATTEST_IDS);
+        }
+        // Return INVALID_TAG if Attestation IDs does not match.
+        if ((KMByteBlob.cast(storedAttId).length() != KMByteBlob.cast(attIdTagValue).length()) ||
+            (0 != Util.arrayCompare(KMByteBlob.cast(storedAttId).getBuffer(),
+                                    KMByteBlob.cast(storedAttId).getStartOff(),
+                                    KMByteBlob.cast(attIdTagValue).getBuffer(),
+                                    KMByteBlob.cast(attIdTagValue).getStartOff(),
+                                    KMByteBlob.cast(storedAttId).length()))) {
+          KMException.throwIt(KMError.INVALID_TAG);
+        }
         cert.extensionTag(attIdTag, true);
       }
       index++;

From b26840632fd31fd01eea60f4af6c59eb4d9c43d7 Mon Sep 17 00:00:00 2001
From: bvenkatswarlu <venki.manikanta@gmail.com>
Date: Sat, 26 Jun 2021 22:18:53 +0530
Subject: [PATCH 2/7] Fix for attestation failures in VTS.

---
 .../keymaster/KMAttestationCertImpl.java        | 17 ++++++++---------
 .../keymaster/KMAttestationCertImpl.java        | 17 ++++++++---------
 .../javacard/keymaster/KMKeymasterApplet.java   |  5 +++--
 3 files changed, 19 insertions(+), 20 deletions(-)

diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
index 9eb24246..0aed6458 100644
--- a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
+++ b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
@@ -462,17 +462,16 @@ private static void pushHWParams() {
     // Below are the allowed hardwareEnforced Authorization tags inside the attestation certificate's extension.
     short[] tagIds = {
         KMType.BOOT_PATCH_LEVEL, KMType.VENDOR_PATCH_LEVEL,
+        KMType.ATTESTATION_ID_MODEL, KMType.ATTESTATION_ID_MANUFACTURER,
+        KMType.ATTESTATION_ID_MEID, KMType.ATTESTATION_ID_IMEI,
+        KMType.ATTESTATION_ID_SERIAL, KMType.ATTESTATION_ID_PRODUCT,
+        KMType.ATTESTATION_ID_DEVICE, KMType.ATTESTATION_ID_BRAND,
         KMType.OS_PATCH_LEVEL, KMType.OS_VERSION, KMType.ROOT_OF_TRUST,
         KMType.ORIGIN, KMType.AUTH_TIMEOUT, KMType.USER_AUTH_TYPE,
-        KMType.NO_AUTH_REQUIRED, KMType.ROLLBACK_RESISTANCE,
-        KMType.RSA_PUBLIC_EXPONENT, KMType.ECCURVE, KMType.PADDING,
-        KMType.DIGEST, KMType.KEYSIZE, KMType.ALGORITHM, KMType.PURPOSE,
-        KMType.BLOCK_MODE, KMType.CALLER_NONCE, KMType.MIN_MAC_LENGTH,
-        KMType.USER_SECURE_ID, KMType.ATTESTATION_ID_BRAND,
-        KMType.ATTESTATION_ID_DEVICE, KMType.ATTESTATION_ID_IMEI,
-        KMType.ATTESTATION_ID_MANUFACTURER, KMType.ATTESTATION_ID_MEID,
-        KMType.ATTESTATION_ID_MODEL, KMType.ATTESTATION_ID_PRODUCT,
-        KMType.ATTESTATION_ID_SERIAL};
+        KMType.NO_AUTH_REQUIRED, KMType.USER_SECURE_ID, KMType.ROLLBACK_RESISTANCE,
+        KMType.RSA_PUBLIC_EXPONENT, KMType.ECCURVE, KMType.MIN_MAC_LENGTH,
+        KMType.CALLER_NONCE, KMType.PADDING, KMType.DIGEST, KMType.BLOCK_MODE,
+        KMType.KEYSIZE, KMType.ALGORITHM, KMType.PURPOSE};
 
     byte index = 0;
     do {
diff --git a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
index ca8f86b8..a1ddbd27 100644
--- a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
+++ b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
@@ -456,17 +456,16 @@ private static void pushHWParams() {
     // Below are the allowed hardwareEnforced Authorization tags inside the attestation certificate's extension.
     short[] tagIds = {
         KMType.BOOT_PATCH_LEVEL, KMType.VENDOR_PATCH_LEVEL,
+        KMType.ATTESTATION_ID_MODEL, KMType.ATTESTATION_ID_MANUFACTURER,
+        KMType.ATTESTATION_ID_MEID, KMType.ATTESTATION_ID_IMEI,
+        KMType.ATTESTATION_ID_SERIAL, KMType.ATTESTATION_ID_PRODUCT,
+        KMType.ATTESTATION_ID_DEVICE, KMType.ATTESTATION_ID_BRAND,
         KMType.OS_PATCH_LEVEL, KMType.OS_VERSION, KMType.ROOT_OF_TRUST,
         KMType.ORIGIN, KMType.AUTH_TIMEOUT, KMType.USER_AUTH_TYPE,
-        KMType.NO_AUTH_REQUIRED, KMType.ROLLBACK_RESISTANCE,
-        KMType.RSA_PUBLIC_EXPONENT, KMType.ECCURVE, KMType.PADDING,
-        KMType.DIGEST, KMType.KEYSIZE, KMType.ALGORITHM, KMType.PURPOSE,
-        KMType.BLOCK_MODE, KMType.CALLER_NONCE, KMType.MIN_MAC_LENGTH,
-        KMType.USER_SECURE_ID, KMType.ATTESTATION_ID_BRAND,
-        KMType.ATTESTATION_ID_DEVICE, KMType.ATTESTATION_ID_IMEI,
-        KMType.ATTESTATION_ID_MANUFACTURER, KMType.ATTESTATION_ID_MEID,
-        KMType.ATTESTATION_ID_MODEL, KMType.ATTESTATION_ID_PRODUCT,
-        KMType.ATTESTATION_ID_SERIAL};
+        KMType.NO_AUTH_REQUIRED, KMType.USER_SECURE_ID, KMType.ROLLBACK_RESISTANCE,
+        KMType.RSA_PUBLIC_EXPONENT, KMType.ECCURVE, KMType.MIN_MAC_LENGTH,
+        KMType.CALLER_NONCE, KMType.PADDING, KMType.DIGEST, KMType.BLOCK_MODE,
+        KMType.KEYSIZE, KMType.ALGORITHM, KMType.PURPOSE};
 
     byte index = 0;
     do {
diff --git a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
index 101ae9f9..1051cc0d 100644
--- a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
+++ b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
@@ -1442,6 +1442,8 @@ private void processAttestKeyCmd(APDU apdu) {
       rsaCert = false;
     }
     KMAttestationCert cert = seProvider.getAttestationCert(rsaCert);
+    // Validate and add attestation ids.
+    validateAndaddAttestationIds(cert);
     // Save attestation application id - must be present.
     tmpVariables[0] =
         KMKeyParameters.findTag(
@@ -1485,7 +1487,6 @@ private void processAttestKeyCmd(APDU apdu) {
         KMKeyParameters.findTag(KMType.DATE_TAG, KMType.USAGE_EXPIRE_DATETIME, data[SW_PARAMETERS]);
     cert.notAfter(tmpVariables[2], repository.getCertExpiryTime(), scratchPad, (short) 0);
 
-    addAttestationIds(cert);
     addTags(KMKeyCharacteristics.cast(data[KEY_CHARACTERISTICS]).getHardwareEnforced(), true, cert);
     addTags(
         KMKeyCharacteristics.cast(data[KEY_CHARACTERISTICS]).getSoftwareEnforced(), false, cert);
@@ -1526,7 +1527,7 @@ private boolean isEmpty(byte[] buf, short offset, short len) {
   }
 
   // --------------------------------
-  private void addAttestationIds(KMAttestationCert cert) {
+  private void validateAndaddAttestationIds(KMAttestationCert cert) {
     final short[] attTags =
         new short[]{
             KMType.ATTESTATION_ID_BRAND,

From 73fb489f92e1536b92c2a79a16342a1bb8172be9 Mon Sep 17 00:00:00 2001
From: bvenkateswarlu <venki.manikanta@gmail.com>
Date: Sat, 26 Jun 2021 18:29:23 +0100
Subject: [PATCH 3/7] Updated the README and sample json files

---
 ProvisioningTool/README.md                    | 11 ++++----
 ProvisioningTool/sample_json_cf.txt           | 26 +++++++++++++++++++
 .../{sample_json.txt => sample_json_gf.txt}   | 18 ++++++-------
 3 files changed, 41 insertions(+), 14 deletions(-)
 create mode 100644 ProvisioningTool/sample_json_cf.txt
 rename ProvisioningTool/{sample_json.txt => sample_json_gf.txt} (71%)

diff --git a/ProvisioningTool/README.md b/ProvisioningTool/README.md
index 0eeb4f8d..bb24c82a 100644
--- a/ProvisioningTool/README.md
+++ b/ProvisioningTool/README.md
@@ -9,11 +9,12 @@ This tool can be built along with aosp build. It has dependency on
 [libjc_provision](Android.bp).
 
 #### Sample resources for quick testing
-A sample json file is located in this directory with name [sample_json.txt](sample_json.txt)
-for your reference. Also the required certificates and keys can be found
-in [test_resources](test_resources) directory. Copy the certificates and the key into the 
-emulator/device filesystem in their respective paths mentioned in the 
-sample_json.txt.
+Two sample json files are located in this directory with names sample_json_cf.txt
+and sample_json_gf.txt for your reference. Use sample_json_cf.txt for cuttlefish
+target and use sample_json_gf.txt for goldfish target. Also the required certificates
+and keys can be found in [test_resources](test_resources) directory. Copy the
+certificates and the key into the emulator/device filesystem in their respective
+paths mentioned in the sample json file.
 
 #### Usage
 <pre>
diff --git a/ProvisioningTool/sample_json_cf.txt b/ProvisioningTool/sample_json_cf.txt
new file mode 100644
index 00000000..5a28a4b3
--- /dev/null
+++ b/ProvisioningTool/sample_json_cf.txt
@@ -0,0 +1,26 @@
+{
+   "attest_ids": {
+      "brand": "generic",
+      "device": "vsoc_x86_64",
+      "product": "aosp_cf_x86_64_phone",
+      "serial": "",
+      "imei": "000000000000000",
+      "meid": "000000000000000",
+      "manufacturer": "Google",
+      "model": "Cuttlefish x86_64 phone"
+   },
+   "shared_secret": "0000000000000000000000000000000000000000000000000000000000000000",
+   "set_boot_params": {
+      "boot_patch_level": 0,
+      "verified_boot_key": "0000000000000000000000000000000000000000000000000000000000000000",
+      "verified_boot_key_hash": "0000000000000000000000000000000000000000000000000000000000000000",
+      "boot_state": 2,
+      "device_locked": 0
+   },
+   "attest_key": "/data/vendor/batch_key.der",
+   "attest_cert_chain": [
+   "/data/vendor/batch_cert.der",
+   "/data/vendor/intermediate_cert.der",
+   "/data/vendor/ca_cert.der"
+   ]
+}
\ No newline at end of file
diff --git a/ProvisioningTool/sample_json.txt b/ProvisioningTool/sample_json_gf.txt
similarity index 71%
rename from ProvisioningTool/sample_json.txt
rename to ProvisioningTool/sample_json_gf.txt
index 7885b2aa..41c9a708 100644
--- a/ProvisioningTool/sample_json.txt
+++ b/ProvisioningTool/sample_json_gf.txt
@@ -1,13 +1,13 @@
 {
    "attest_ids": {
-      "brand": "Google",
-      "device": "Pixel 3A",
-      "product": "Pixel",
-      "serial": "UGYJFDjFeRuBEH",
-      "imei": "987080543071019",
-      "meid": "27863510227963",
-      "manufacturer": "Foxconn",
-      "model": "HD1121"
+      "brand": "Android",
+      "device": "generic_x86_64",
+      "product": "aosp_x86_64",
+      "serial": "",
+      "imei": "000000000000000",
+      "meid": "000000000000000",
+      "manufacturer": "unknown",
+      "model": "AOSP on x86_64"
    },
    "shared_secret": "0000000000000000000000000000000000000000000000000000000000000000",
    "set_boot_params": {
@@ -23,4 +23,4 @@
    "/data/vendor/intermediate_cert.der",
    "/data/vendor/ca_cert.der"
    ]
-}
+}
\ No newline at end of file

From cd78032dcc3b9b6ba0dba1609e93714215df462a Mon Sep 17 00:00:00 2001
From: BKSSMVenkateswarlu
 <40534495+BKSSMVenkateswarlu@users.noreply.github.com>
Date: Sat, 26 Jun 2021 18:33:27 +0100
Subject: [PATCH 4/7] Update README.md

---
 ProvisioningTool/README.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ProvisioningTool/README.md b/ProvisioningTool/README.md
index bb24c82a..9d65e5d1 100644
--- a/ProvisioningTool/README.md
+++ b/ProvisioningTool/README.md
@@ -9,10 +9,11 @@ This tool can be built along with aosp build. It has dependency on
 [libjc_provision](Android.bp).
 
 #### Sample resources for quick testing
-Two sample json files are located in this directory with names sample_json_cf.txt
-and sample_json_gf.txt for your reference. Use sample_json_cf.txt for cuttlefish
-target and use sample_json_gf.txt for goldfish target. Also the required certificates
-and keys can be found in [test_resources](test_resources) directory. Copy the
+Two sample json files are located in this directory with names
+[sample_json_cf.txt](sample_json_cf.txt) and and [sample_json_gf.txt](sample_json_gf.txt)
+for your reference. Use sample_json_cf.txt for cuttlefish target and use
+sample_json_gf.txt for goldfish target. Also the required certificates and
+keys can be found in [test_resources](test_resources) directory. Copy the
 certificates and the key into the emulator/device filesystem in their respective
 paths mentioned in the sample json file.
 

From ea0d31f4de2dd3ee20c274f128241b9d76f44eb9 Mon Sep 17 00:00:00 2001
From: bvenkatswarlu <venki.manikanta@gmail.com>
Date: Sun, 27 Jun 2021 01:17:05 +0530
Subject: [PATCH 5/7] added comments

---
 .../android/javacard/keymaster/KMKeymasterApplet.java    | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
index 1051cc0d..0949177f 100644
--- a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
+++ b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
@@ -1443,7 +1443,7 @@ private void processAttestKeyCmd(APDU apdu) {
     }
     KMAttestationCert cert = seProvider.getAttestationCert(rsaCert);
     // Validate and add attestation ids.
-    validateAndaddAttestationIds(cert);
+    addAttestationIds(cert);
     // Save attestation application id - must be present.
     tmpVariables[0] =
         KMKeyParameters.findTag(
@@ -1527,7 +1527,12 @@ private boolean isEmpty(byte[] buf, short offset, short len) {
   }
 
   // --------------------------------
-  private void validateAndaddAttestationIds(KMAttestationCert cert) {
+  // Only add the Attestation ids which are requested in the attestation parameters.
+  // If the requested attestation ids are not provisioned or deleted then
+  // throw CANNOT_ATTEST_IDS error. If there is mismatch in the attestation
+  // id values of both the requested parameters and the provisioned parameters
+  // then throw INVALID_TAG error.
+  private void addAttestationIds(KMAttestationCert cert) {
     final short[] attTags =
         new short[]{
             KMType.ATTESTATION_ID_BRAND,

From 81e292223964d3c3ed2a99c58cbe7e61b55d646b Mon Sep 17 00:00:00 2001
From: bvenkatswarlu <venki.manikanta@gmail.com>
Date: Sun, 27 Jun 2021 01:50:55 +0530
Subject: [PATCH 6/7] Changed the version of keymaster in attestation

---
 .../com/android/javacard/keymaster/KMAttestationCertImpl.java | 4 ++--
 .../com/android/javacard/keymaster/KMAttestationCertImpl.java | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
index 0aed6458..9558041b 100644
--- a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
+++ b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
@@ -84,8 +84,8 @@ public class KMAttestationCertImpl implements KMAttestationCert {
   private static final byte keyUsageKeyEncipher = (byte) 0x20; // 2nd- bit
   private static final byte keyUsageDataEncipher = (byte) 0x10; // 3rd- bit
 
-  private static final byte KEYMASTER_VERSION = 4;
-  private static final byte ATTESTATION_VERSION = 3;
+  private static final byte KEYMASTER_VERSION = 41;
+  private static final byte ATTESTATION_VERSION = 4;
   private static final byte[] pubExponent = {0x01, 0x00, 0x01};
   private static final byte SERIAL_NUM = (byte) 0x01;
   private static final byte X509_VERSION = (byte) 0x02;
diff --git a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
index a1ddbd27..3bc941d4 100644
--- a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
+++ b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
@@ -78,8 +78,8 @@ public class KMAttestationCertImpl implements KMAttestationCert {
   private static final byte keyUsageKeyEncipher = (byte) 0x20; // 2nd- bit
   private static final byte keyUsageDataEncipher = (byte) 0x10; // 3rd- bit
 
-  private static final byte KEYMASTER_VERSION = 4;
-  private static final byte ATTESTATION_VERSION = 3;
+  private static final byte KEYMASTER_VERSION = 41;
+  private static final byte ATTESTATION_VERSION = 4;
   private static final byte[] pubExponent = {0x01, 0x00, 0x01};
   private static final byte SERIAL_NUM = (byte) 0x01;
   private static final byte X509_VERSION = (byte) 0x02;

From 85895446e72ada22fce6da674fadf6edaecacab2 Mon Sep 17 00:00:00 2001
From: BKSSM Venkateswarlu
 <kameswarasrisubrahmanya.bhamidipati@quest-global.com>
Date: Tue, 29 Jun 2021 20:37:33 +0100
Subject: [PATCH 7/7] 1. Removed rollback_resistance from attest tags 2.
 updated device_locked in sample json test file.

---
 .../com/android/javacard/keymaster/KMAttestationCertImpl.java | 2 +-
 .../com/android/javacard/keymaster/KMAttestationCertImpl.java | 2 +-
 ProvisioningTool/sample_json_cf.txt                           | 4 ++--
 ProvisioningTool/sample_json_gf.txt                           | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
index 9558041b..8abbd04e 100644
--- a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
+++ b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
@@ -468,7 +468,7 @@ private static void pushHWParams() {
         KMType.ATTESTATION_ID_DEVICE, KMType.ATTESTATION_ID_BRAND,
         KMType.OS_PATCH_LEVEL, KMType.OS_VERSION, KMType.ROOT_OF_TRUST,
         KMType.ORIGIN, KMType.AUTH_TIMEOUT, KMType.USER_AUTH_TYPE,
-        KMType.NO_AUTH_REQUIRED, KMType.USER_SECURE_ID, KMType.ROLLBACK_RESISTANCE,
+        KMType.NO_AUTH_REQUIRED, KMType.USER_SECURE_ID,
         KMType.RSA_PUBLIC_EXPONENT, KMType.ECCURVE, KMType.MIN_MAC_LENGTH,
         KMType.CALLER_NONCE, KMType.PADDING, KMType.DIGEST, KMType.BLOCK_MODE,
         KMType.KEYSIZE, KMType.ALGORITHM, KMType.PURPOSE};
diff --git a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
index 3bc941d4..1f242f38 100644
--- a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
+++ b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMAttestationCertImpl.java
@@ -462,7 +462,7 @@ private static void pushHWParams() {
         KMType.ATTESTATION_ID_DEVICE, KMType.ATTESTATION_ID_BRAND,
         KMType.OS_PATCH_LEVEL, KMType.OS_VERSION, KMType.ROOT_OF_TRUST,
         KMType.ORIGIN, KMType.AUTH_TIMEOUT, KMType.USER_AUTH_TYPE,
-        KMType.NO_AUTH_REQUIRED, KMType.USER_SECURE_ID, KMType.ROLLBACK_RESISTANCE,
+        KMType.NO_AUTH_REQUIRED, KMType.USER_SECURE_ID,
         KMType.RSA_PUBLIC_EXPONENT, KMType.ECCURVE, KMType.MIN_MAC_LENGTH,
         KMType.CALLER_NONCE, KMType.PADDING, KMType.DIGEST, KMType.BLOCK_MODE,
         KMType.KEYSIZE, KMType.ALGORITHM, KMType.PURPOSE};
diff --git a/ProvisioningTool/sample_json_cf.txt b/ProvisioningTool/sample_json_cf.txt
index 5a28a4b3..fd79e227 100644
--- a/ProvisioningTool/sample_json_cf.txt
+++ b/ProvisioningTool/sample_json_cf.txt
@@ -15,7 +15,7 @@
       "verified_boot_key": "0000000000000000000000000000000000000000000000000000000000000000",
       "verified_boot_key_hash": "0000000000000000000000000000000000000000000000000000000000000000",
       "boot_state": 2,
-      "device_locked": 0
+      "device_locked": 1
    },
    "attest_key": "/data/vendor/batch_key.der",
    "attest_cert_chain": [
@@ -23,4 +23,4 @@
    "/data/vendor/intermediate_cert.der",
    "/data/vendor/ca_cert.der"
    ]
-}
\ No newline at end of file
+}
diff --git a/ProvisioningTool/sample_json_gf.txt b/ProvisioningTool/sample_json_gf.txt
index 41c9a708..7825e693 100644
--- a/ProvisioningTool/sample_json_gf.txt
+++ b/ProvisioningTool/sample_json_gf.txt
@@ -15,7 +15,7 @@
       "verified_boot_key": "0000000000000000000000000000000000000000000000000000000000000000",
       "verified_boot_key_hash": "0000000000000000000000000000000000000000000000000000000000000000",
       "boot_state": 2,
-      "device_locked": 0
+      "device_locked": 1
    },
    "attest_key": "/data/vendor/batch_key.der",
    "attest_cert_chain": [
@@ -23,4 +23,4 @@
    "/data/vendor/intermediate_cert.der",
    "/data/vendor/ca_cert.der"
    ]
-}
\ No newline at end of file
+}