From 80aea6495b27fce4942aea6b0c864d713b8b35c3 Mon Sep 17 00:00:00 2001
From: subrahmanyaman
Date: Thu, 24 Mar 2022 05:30:24 +0000
Subject: [PATCH 1/3] Renamed DeviceUnique Key
---
 .../javacard/keymaster/KMAndroidSEApplet.java | 22 +++++++++----------
 .../seprovider/KMAndroidSEProvider.java | 2 +-
 .../javacard/seprovider/KMSEProvider.java | 2 +-
 .../javacard/keymaster/KMKeymasterApplet.java | 2 +-
 .../keymaster/KMKeymintDataStore.java | 14 ++++++------
 5 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
index c50065ee..3a3d4983 100644
--- a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
+++ b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
@@ -49,7 +49,7 @@ public class KMAndroidSEApplet extends KMKeymasterApplet implements OnUpgradeLis
 private static final byte INS_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
 private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 4;
 private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5;
- private static final byte INS_PROVISION_RKP_UNIQUE_DEVICE_KEYPAIR_CMD =
+ private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
 INS_KEYMINT_PROVIDER_APDU_START + 6;
 private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD = INS_KEYMINT_PROVIDER_APDU_START + 7;
@@ -68,7 +68,7 @@ public class KMAndroidSEApplet extends KMKeymasterApplet implements OnUpgradeLis
 private static final byte PROVISION_STATUS_ATTEST_IDS = 0x08;
 private static final byte PROVISION_STATUS_PRESHARED_SECRET = 0x10;
 private static final byte PROVISION_STATUS_PROVISIONING_LOCKED = 0x20;
- private static final byte PROVISION_STATUS_UNIQUE_DEVICE_KEYPAIR = 0x40;
+ private static final byte PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR = 0x40;
 private static final byte PROVISION_STATUS_ADDITIONAL_CERT_CHAIN = (byte) 0x80;
 public static final short SHARED_SECRET_KEY_SIZE = 32;
@@ -159,12 +159,12 @@ public void process(APDU apdu) {
 processSetBootParamsCmd(apdu);
 break;
- case INS_PROVISION_RKP_UNIQUE_DEVICE_KEYPAIR_CMD:
- processProvisionDeviceUniqueKeyPair(apdu);
+ case INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD:
+ processProvisionRkpDeviceUniqueKeyPair(apdu);
 break;
 case INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD:
- processProvisionAdditionalCertChain(apdu);
+ processProvisionRkpAdditionalCertChain(apdu);
 break;
 default:
@@ -189,7 +189,7 @@ public void process(APDU apdu) {
 }
 }
- private static void processProvisionDeviceUniqueKeyPair(APDU apdu) {
+ private static void processProvisionRkpDeviceUniqueKeyPair(APDU apdu) {
 // Re-purpose the apdu buffer as scratch pad.
 byte[] scratchPad = apdu.getBuffer();
 short arr = KMArray.instance((short) 1);
@@ -201,17 +201,17 @@ private static void processProvisionDeviceUniqueKeyPair(APDU apdu) {
 short pubKeyLen = KMCoseKey.cast(coseKey).getEcdsa256PublicKey(scratchPad, (short) 0);
 short privKeyLen = KMCoseKey.cast(coseKey).getPrivateKey(scratchPad, pubKeyLen);
 //Store the Device unique Key.
- kmDataStore.createDeviceUniqueKeyPair(scratchPad, (short) 0, pubKeyLen, scratchPad,
+ kmDataStore.createRkpDeviceUniqueKeyPair(scratchPad, (short) 0, pubKeyLen, scratchPad,
 pubKeyLen, privKeyLen);
 short bcc = generateBcc(false, scratchPad);
 short len = KMKeymasterApplet.encodeToApduBuffer(bcc, scratchPad, (short) 0, MAX_COSE_BUF_SIZE);
 kmDataStore.persistBootCertificateChain(scratchPad, (short) 0, len);
- kmDataStore.setProvisionStatus(PROVISION_STATUS_UNIQUE_DEVICE_KEYPAIR);
+ kmDataStore.setProvisionStatus(PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR);
 sendError(apdu, KMError.OK);
 }
- private static void processProvisionAdditionalCertChain(APDU apdu) {
+ private static void processProvisionRkpAdditionalCertChain(APDU apdu) {
 // Prepare the expression to decode
 short headers = KMCoseHeaders.exp();
 short arrInst = KMArray.instance((short) 4);
@@ -244,7 +244,7 @@ private static void processProvisionAdditionalCertChain(APDU apdu) {
 srcBuffer, null);
 // Compare the DK_Pub.
 short pubKeyLen = KMCoseKey.cast(leafCoseKey).getEcdsa256PublicKey(srcBuffer, (short) 0);
- KMDeviceUniqueKeyPair uniqueKey = kmDataStore.getDeviceUniqueKeyPair(false);
+ KMDeviceUniqueKeyPair uniqueKey = kmDataStore.getRkpDeviceUniqueKeyPair(false);
 if (uniqueKey == null) {
 KMException.throwIt(KMError.STATUS_FAILED);
 }
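Review bot: In processProvisionRkpDeviceUniqueKeyPair the private key bytes that `getPrivateKey(scratchPad, pubKeyLen)` writes into the scratch pad are not cleared once `kmDataStore.createRkpDeviceUniqueKeyPair(...)` has stored them, and the preceding hunk shows that the scratch pad is the APDU buffer (`byte[] scratchPad = apdu.getBuffer();`). Whether `generateBcc` and `encodeToApduBuffer` overwrite that whole range is not visible in this hunk, so I would zero it explicitly right after the store call, for example `Util.arrayFillNonAtomic(scratchPad, pubKeyLen, privKeyLen, (byte) 0);`. The method begins above the hunk, so the step that decodes `coseKey` is not shown here.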
@@ -408,7 +408,7 @@ private boolean isProvisioningComplete() {
 byte data[] = repository.getHeap();
 kmDataStore.getProvisionStatus(data, dInex);
 boolean result = false;
- if ((0 != (data[dInex] & PROVISION_STATUS_UNIQUE_DEVICE_KEYPAIR))
+ if ((0 != (data[dInex] & PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR))
 && (0 != (data[dInex] & PROVISION_STATUS_ADDITIONAL_CERT_CHAIN)) && (0 != (data[dInex] & PROVISION_STATUS_PRESHARED_SECRET))) {
 result = true;
diff --git a/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMAndroidSEProvider.java b/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMAndroidSEProvider.java
index 12a6cbc2..ddaece5c 100644
--- a/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMAndroidSEProvider.java
+++ b/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMAndroidSEProvider.java
@@ -1108,7 +1108,7 @@ public short ecSign256(KMDeviceUniqueKeyPair ecPrivKey, byte[] inputDataBuf,
 }
 @Override
- public KMDeviceUniqueKeyPair createDeviceUniqueKeyPair(KMDeviceUniqueKeyPair key,
+ public KMDeviceUniqueKeyPair createRkpDeviceUniqueKeyPair(KMDeviceUniqueKeyPair key,
 byte[] pubKey, short pubKeyOff, short pubKeyLen, byte[] privKey, short privKeyOff, short privKeyLen) {
 if (key == null) {
diff --git a/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMSEProvider.java b/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMSEProvider.java
index 1fe1467a..c4445114 100644
--- a/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMSEProvider.java
+++ b/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMSEProvider.java
@@ -626,7 +626,7 @@ KMOperation initAsymmetricOperation(
 * @param privKeyLen private key buffer length.
 * @return instance of KMDeviceUniqueKey.
 */
- KMDeviceUniqueKeyPair createDeviceUniqueKeyPair(KMDeviceUniqueKeyPair key,
+ KMDeviceUniqueKeyPair createRkpDeviceUniqueKeyPair(KMDeviceUniqueKeyPair key,
 byte[] pubKey, short pubKeyOff, short pubKeyLen, byte[] privKey, short privKeyOff, short privKeyLen);
diff --git a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
index c335bca0..49418f90 100644
--- a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
+++ b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
@@ -4055,7 +4055,7 @@ public static short generateBcc(boolean testMode, byte[] scratchPad) {
 if (!testMode && kmDataStore.isProvisionLocked()) {
 KMException.throwIt(KMError.STATUS_FAILED);
 }
- KMDeviceUniqueKeyPair deviceUniqueKey = kmDataStore.getDeviceUniqueKeyPair(testMode);
+ KMDeviceUniqueKeyPair deviceUniqueKey = kmDataStore.getRkpDeviceUniqueKeyPair(testMode);
 short temp = deviceUniqueKey.getPublicKey(scratchPad, (short) 0);
 short coseKey = KMCose.constructCoseKey(
diff --git a/Applet/src/com/android/javacard/keymaster/KMKeymintDataStore.java b/Applet/src/com/android/javacard/keymaster/KMKeymintDataStore.java
index 5f643ba5..2a1f24e8 100644
--- a/Applet/src/com/android/javacard/keymaster/KMKeymintDataStore.java
+++ b/Applet/src/com/android/javacard/keymaster/KMKeymintDataStore.java
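Review bot: The Javadoc directly above the renamed `createRkpDeviceUniqueKeyPair` in KMSEProvider still reads `@return instance of KMDeviceUniqueKey.`, while the declared return type is `KMDeviceUniqueKeyPair`. I would change it to `@return instance of KMDeviceUniqueKeyPair.` as part of this rename. The comment block starts above the hunk, so its summary and `@param key` text may need the same pass.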
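Review bot: In generateBcc, `deviceUniqueKey` is dereferenced on the line right after `kmDataStore.getRkpDeviceUniqueKeyPair(testMode)` with no null check. The getter in KMKeymintDataStore returns a field that the create methods treat as possibly null, and processProvisionRkpAdditionalCertChain already guards the same call with `if (uniqueKey == null) { KMException.throwIt(KMError.STATUS_FAILED); }`. I would add the same guard here so a call before provisioning, or in test mode before a test key exists, fails with a defined status instead of an uncaught NullPointerException. generateBcc continues past the end of the hunk, so callers that already guarantee a key are not visible here.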
@@ -530,35 +530,35 @@ public KMComputedHmacKey getComputedHmacKey() {
 return computedHmacKey;
 }
- public KMDeviceUniqueKeyPair createTestDeviceUniqueKeyPair(byte[] pubKey, short pubKeyOff, short pubKeyLen,
+ public KMDeviceUniqueKeyPair createRkpTestDeviceUniqueKeyPair(byte[] pubKey, short pubKeyOff, short pubKeyLen,
 byte[] privKey, short privKeyOff, short privKeyLen) {
 if (testDeviceUniqueKeyPair == null) {
- testDeviceUniqueKeyPair = seProvider.createDeviceUniqueKeyPair(testDeviceUniqueKeyPair, pubKey, pubKeyOff,
+ testDeviceUniqueKeyPair = seProvider.createRkpDeviceUniqueKeyPair(testDeviceUniqueKeyPair, pubKey, pubKeyOff,
 pubKeyLen, privKey, privKeyOff, privKeyLen);
 } else {
- seProvider.createDeviceUniqueKeyPair(testDeviceUniqueKeyPair, pubKey, pubKeyOff, pubKeyLen, privKey,
+ seProvider.createRkpDeviceUniqueKeyPair(testDeviceUniqueKeyPair, pubKey, pubKeyOff, pubKeyLen, privKey,
 privKeyOff, privKeyLen);
 }
 return testDeviceUniqueKeyPair;
 }
- public KMDeviceUniqueKeyPair createDeviceUniqueKeyPair(byte[] pubKey, short pubKeyOff, short pubKeyLen,
+ public KMDeviceUniqueKeyPair createRkpDeviceUniqueKeyPair(byte[] pubKey, short pubKeyOff, short pubKeyLen,
 byte[] privKey, short privKeyOff, short privKeyLen) {
 if (deviceUniqueKeyPair == null) {
- deviceUniqueKeyPair = seProvider.createDeviceUniqueKeyPair(deviceUniqueKeyPair, pubKey, pubKeyOff,
+ deviceUniqueKeyPair = seProvider.createRkpDeviceUniqueKeyPair(deviceUniqueKeyPair, pubKey, pubKeyOff,
 pubKeyLen, privKey, privKeyOff, privKeyLen);
 } else {
- seProvider.createDeviceUniqueKeyPair(deviceUniqueKeyPair, pubKey, pubKeyOff, pubKeyLen, privKey,
+ seProvider.createRkpDeviceUniqueKeyPair(deviceUniqueKeyPair, pubKey, pubKeyOff, pubKeyLen, privKey,
 privKeyOff, privKeyLen);
 }
 return deviceUniqueKeyPair;
 }
- public KMDeviceUniqueKeyPair getDeviceUniqueKeyPair(boolean testMode) {
+ public KMDeviceUniqueKeyPair getRkpDeviceUniqueKeyPair(boolean testMode) {
 return ((KMDeviceUniqueKeyPair) (testMode ?
testDeviceUniqueKeyPair : deviceUniqueKeyPair));
 }
From ccc5f98372088961287f1a35de37e9a6a3a32893 Mon Sep 17 00:00:00 2001
From: subrahmanyaman
Date: Fri, 25 Mar 2022 06:09:58 +0000
Subject: [PATCH 2/3] Refactored deviceUniqueKey
---
 .../{KMDeviceUniqueKey.java => KMDeviceUniqueKeyPair.java} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/{KMDeviceUniqueKey.java => KMDeviceUniqueKeyPair.java} (94%)
diff --git a/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMDeviceUniqueKey.java b/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMDeviceUniqueKeyPair.java
similarity index 94%
rename from Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMDeviceUniqueKey.java
rename to Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMDeviceUniqueKeyPair.java
index 08e60a3f..9bbccd8f 100644
--- a/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMDeviceUniqueKey.java
+++ b/Applet/AndroidSEProviderLib/src/com/android/javacard/seprovider/KMDeviceUniqueKeyPair.java
@@ -15,7 +15,7 @@
 */
 package com.android.javacard.seprovider;
-public interface KMDeviceUniqueKey {
+public interface KMDeviceUniqueKeyPair {
 short getPublicKey(byte[] buf, short offset);
 }
From fee81ccc7a7d2a86dd4a8f44073edf1e190706ee Mon Sep 17 00:00:00 2001
From: subrahmanyaman
Date: Fri, 25 Mar 2022 06:16:12 +0000
Subject: [PATCH 3/3] Updated the function name deviceUniqueKeyPair
---
 .../keymaster/RemotelyProvisionedComponentDevice.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Applet/src/com/android/javacard/keymaster/RemotelyProvisionedComponentDevice.java b/Applet/src/com/android/javacard/keymaster/RemotelyProvisionedComponentDevice.java
index bb62d0ec..19ac6a82 100644
--- a/Applet/src/com/android/javacard/keymaster/RemotelyProvisionedComponentDevice.java
+++ b/Applet/src/com/android/javacard/keymaster/RemotelyProvisionedComponentDevice.java
@@ -813,10 +813,10 @@ private KMDeviceUniqueKeyPair createDeviceUniqueKeyPair(boolean testMode, byte[]
 (short) 128, lengths);
 deviceUniqueKeyPair =
- storeDataInst.createTestDeviceUniqueKeyPair(scratchPad, (short) 128, lengths[1],
+ storeDataInst.createRkpTestDeviceUniqueKeyPair(scratchPad, (short) 128, lengths[1],
 scratchPad, (short) 0, lengths[0]);
 } else {
- deviceUniqueKeyPair = storeDataInst.getDeviceUniqueKeyPair(false);
+ deviceUniqueKeyPair = storeDataInst.getRkpDeviceUniqueKeyPair(false);
 }
 return deviceUniqueKeyPair;
 }