updated provision status condition check for INS_OEM_LOCK_PROVISIONIN…

Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java

@@ -43,22 +43,22 @@ public class KMAndroidSEApplet extends KMKeymasterApplet implements OnUpgradeLis
 
   // Provider specific Commands
   private static final byte INS_KEYMINT_PROVIDER_APDU_START = 0x00;
-  private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 1;
+  private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
   private static final byte INS_PROVISION_PRESHARED_SECRET_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 2;
-  private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
-  private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 4;
+      INS_KEYMINT_PROVIDER_APDU_START + 4;
   private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5; // Unused
+  private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 6;
+  private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 7;
+  //0x08 was reserved for INS_INIT_STRONGBOX_CMD
+  //0x09 was reserved for INS_SET_BOOT_ENDED_CMD earlier. it is unused now.
+  private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
+  private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
+  private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 12;
   private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 6;
+      INS_KEYMINT_PROVIDER_APDU_START + 13;
   private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 7;
-  private static final byte INS_SET_BOOT_ENDED_CMD = 
-		  INS_KEYMINT_PROVIDER_APDU_START + 8; //unused
-  private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 9;
-  private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
-  private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
-
+      INS_KEYMINT_PROVIDER_APDU_START + 14;
+
   private static final byte INS_KEYMINT_PROVIDER_APDU_END = 0x1F;
   public static final byte BOOT_KEY_MAX_SIZE = 32;
   public static final byte BOOT_HASH_MAX_SIZE = 32;
@@ -505,7 +505,7 @@ private void processGetProvisionStatusCmd(APDU apdu) {
   private boolean isProvisioningComplete() {
     short pStatus = kmDataStore.getProvisionStatus();
     short pCompleteStatus = PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR | PROVISION_STATUS_ADDITIONAL_CERT_CHAIN | 
-    		     PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS;
+		     PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS | PROVISION_STATUS_OEM_PUBLIC_KEY;
     if (kmDataStore.isProvisionLocked() || (pCompleteStatus == (pStatus & pCompleteStatus))) {
       return true;
     }

Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java

@@ -30,24 +30,24 @@ public class KMJCardSimApplet extends KMKeymasterApplet {
   private static final byte ILLEGAL_STATE = KM_BEGIN_STATE + 1;
   private static final short POWER_RESET_MASK_FLAG = (short) 0x4000;
 
-  // Provider specific Commands
-  private static final byte INS_KEYMINT_PROVIDER_APDU_START = 0x00;
-  private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 1;
-  private static final byte INS_PROVISION_PRESHARED_SECRET_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 2;
-  private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
-  private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 4;
-  private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5;
-  private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 6;
-  private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 7;
-  private static final byte INS_SET_BOOT_ENDED_CMD = 
-		  INS_KEYMINT_PROVIDER_APDU_START + 8; //unused
-  private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 9;
-  private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
-  private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
-  
+//Provider specific Commands
+ private static final byte INS_KEYMINT_PROVIDER_APDU_START = 0x00;
+ private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
+ private static final byte INS_PROVISION_PRESHARED_SECRET_CMD =
+     INS_KEYMINT_PROVIDER_APDU_START + 4;
+ private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5; // Unused
+ private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 6;
+ private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 7;
+ //0x08 was reserved for INS_INIT_STRONGBOX_CMD
+ //0x09 was reserved for INS_SET_BOOT_ENDED_CMD earlier. it is unused now.
+ private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
+ private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
+ private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 12;
+ private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
+     INS_KEYMINT_PROVIDER_APDU_START + 13;
+ private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
+     INS_KEYMINT_PROVIDER_APDU_START + 14;
+
   private static final byte INS_KEYMINT_PROVIDER_APDU_END = 0x1F;
   public static final byte BOOT_KEY_MAX_SIZE = 32;
   public static final byte BOOT_HASH_MAX_SIZE = 32;
@@ -561,7 +561,7 @@ private void processSetBootParamsCmd(APDU apdu) {
   private boolean isProvisioningComplete() {
     short pStatus = kmDataStore.getProvisionStatus();
     short pCompleteStatus = PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR | PROVISION_STATUS_ADDITIONAL_CERT_CHAIN | 
-    		     PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS;
+		     PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS | PROVISION_STATUS_OEM_PUBLIC_KEY;
     if (kmDataStore.isProvisionLocked() || (pCompleteStatus == (pStatus & pCompleteStatus))) {
       return true;
     }

ProvisioningTool/include/constants.h

@@ -101,14 +101,16 @@ constexpr char kSeFactoryProvisionLock[] = "se_factory_lock";
 constexpr char kUnLockProvision[] = "unlock_provision";
 
 // Instruction constatnts
-// TODO Modify according to keymint
-constexpr int kAttestationIdsCmd = INS_BEGIN_KM_CMD + 1;
-constexpr int kPresharedSecretCmd = INS_BEGIN_KM_CMD + 2;
-constexpr int kOemLockProvisionCmd = INS_BEGIN_KM_CMD + 3;
-constexpr int kGetProvisionStatusCmd = INS_BEGIN_KM_CMD + 4;
+constexpr int kAttestationIdsCmd = INS_BEGIN_KM_CMD + 3;
+constexpr int kPresharedSecretCmd = INS_BEGIN_KM_CMD + 4;
 constexpr int kBootParamsCmd = INS_BEGIN_KM_CMD + 5;
-constexpr int kDeviceUniqueKeyCmd = INS_BEGIN_KM_CMD + 6;
-constexpr int kAdditionalCertChainCmd = INS_BEGIN_KM_CMD + 7;
-constexpr int kSeFactoryLockCmd = INS_BEGIN_KM_CMD + 9;
-constexpr int kOemRootPublicKeyCmd = INS_BEGIN_KM_CMD + 10;
-constexpr int kOemUnLockProvisionCmd = INS_BEGIN_KM_CMD + 11;
+constexpr int kOemLockProvisionCmd = INS_BEGIN_KM_CMD + 6;
+constexpr int kGetProvisionStatusCmd = INS_BEGIN_KM_CMD + 7;
+constexpr int kSeFactoryLockCmd = INS_BEGIN_KM_CMD + 10;
+constexpr int kOemRootPublicKeyCmd = INS_BEGIN_KM_CMD + 11;
+constexpr int kOemUnLockProvisionCmd = INS_BEGIN_KM_CMD + 12;
+constexpr int kDeviceUniqueKeyCmd = INS_BEGIN_KM_CMD + 13;
+constexpr int kAdditionalCertChainCmd = INS_BEGIN_KM_CMD + 14;
+
+
+