Revert "KeyMint HAL: add curve 25519, bump version"
Revert "Bump keystore2 AIDL API version 1->2"
Revert "Advertise support of KeyMint V2"
Revert submission 1900930-version-bump
Reason for revert: Broken build on sc-qpr1-dev-plus-aosp, b/210450339
Reverted Changes:
I42a9b854f:keystore2: cope with new curve25519 enum
I167d568d6:Bump keystore2 AIDL API version 1->2
I3a16d072e:Advertise support of KeyMint V2
Ibf2325329:KeyMint HAL: add curve 25519, bump version
Change-Id: I78d4b07c41aa6bfeb367b56a58deeac6adb6ec46
diff --git a/compatibility_matrices/compatibility_matrix.current.xml b/compatibility_matrices/compatibility_matrix.current.xml
index 416ac07..c39db36 100644
--- a/compatibility_matrices/compatibility_matrix.current.xml
+++ b/compatibility_matrices/compatibility_matrix.current.xml
@@ -343,7 +343,7 @@
</hal>
<hal format="aidl" optional="true">
<name>android.hardware.security.keymint</name>
- <version>1-2</version>
+ <version>1</version>
<interface>
<name>IKeyMintDevice</name>
<instance>default</instance>
@@ -352,7 +352,6 @@
</hal>
<hal format="aidl" optional="true">
<name>android.hardware.security.keymint</name>
- <version>1-2</version>
<interface>
<name>IRemotelyProvisionedComponent</name>
<instance>default</instance>
diff --git a/security/keymint/aidl/Android.bp b/security/keymint/aidl/Android.bp
index dcbe9c1..3cf6ff2 100644
--- a/security/keymint/aidl/Android.bp
+++ b/security/keymint/aidl/Android.bp
@@ -45,14 +45,14 @@
cc_defaults {
name: "keymint_use_latest_hal_aidl_ndk_static",
static_libs: [
- "android.hardware.security.keymint-V2-ndk",
+ "android.hardware.security.keymint-V1-ndk",
],
}
cc_defaults {
name: "keymint_use_latest_hal_aidl_ndk_shared",
shared_libs: [
- "android.hardware.security.keymint-V2-ndk",
+ "android.hardware.security.keymint-V1-ndk",
],
}
@@ -62,6 +62,6 @@
rust_defaults {
name: "keymint_use_latest_hal_aidl_rust",
rustlibs: [
- "android.hardware.security.keymint-V2-rust",
+ "android.hardware.security.keymint-V1-rust",
],
}
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl
index ffc7efe..6b4a9ae 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl
@@ -39,5 +39,4 @@
P_256 = 1,
P_384 = 2,
P_521 = 3,
- CURVE_25519 = 4,
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl b/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl
index e9f81d8..5b1c10c 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl
@@ -27,5 +27,4 @@
P_256 = 1,
P_384 = 2,
P_521 = 3,
- CURVE_25519 = 4,
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index 9846ee9..cd8cfc5 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -93,11 +93,6 @@
* P-521. STRONGBOX IKeyMintDevices must support NIST curve P-256.
* - TRUSTED_ENVIRONMENT IKeyMintDevices must support SHA1, SHA-2 224, SHA-2 256, SHA-2
* 384 and SHA-2 512 digest modes. STRONGBOX IKeyMintDevices must support SHA-2 256.
- * - TRUSTED_ENVRIONMENT IKeyMintDevices must support curve 25519 for Purpose::SIGN (Ed25519,
- * as specified in RFC 8032), Purpose::ATTEST_KEY (Ed25519) or for KeyPurpose::AGREE_KEY
- * (X25519, as specified in RFC 7748). However, a key must have exactly one of these
- * purpose values; the same key cannot be used for multiple purposes.
- * STRONGBOX IKeyMintDevices do not support curve 25519.
*
* o AES
*
@@ -292,7 +287,7 @@
* except AGREE_KEY must be supported for RSA keys.
*
* o Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE
- * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for RSA
+ * IKeyMintDevice implementations must support all Digest values (see digest.aidl) for RSA
* keys. StrongBox IKeyMintDevice implementations must support SHA_2_256.
*
* o Tag::PADDING specifies the padding modes that may be used with the new
@@ -303,24 +298,13 @@
* == ECDSA Keys ==
*
* Tag::EC_CURVE must be provided to generate an ECDSA key. If it is not provided, generateKey
- * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE. TEE
- * IKeyMintDevice implementations must support all required curves. StrongBox implementations
- * must support P_256 and no other curves.
- *
+ * must return ErrorCode::UNSUPPORTED_KEY_SIZE. TEE IKeyMintDevice implementations must support
+ * all curves. StrongBox implementations must support P_256.
+
* Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER must be provided to specify the
* valid date range for the returned X.509 certificate holding the public key. If omitted,
* generateKey must return ErrorCode::MISSING_NOT_BEFORE or ErrorCode::MISSING_NOT_AFTER.
*
- * Keys with EC_CURVE of EcCurve::CURVE_25519 must have exactly one purpose in the set
- * {KeyPurpose::SIGN, KeyPurpose::ATTEST_KEY, KeyPurpose::AGREE_KEY}. Key generation with more
- * than one purpose should be rejected with ErrorCode::INCOMPATIBLE_PURPOSE.
- * StrongBox implementation do not support CURVE_25519.
- *
- * Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE
- * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for ECDSA
- * keys; Ed25519 keys only support Digest::NONE. StrongBox IKeyMintDevice implementations must
- * support SHA_2_256.
- *
* == AES Keys ==
*
* Only Tag::KEY_SIZE is required to generate an AES key. If omitted, generateKey must return
diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl
index 3faef38..da3d521 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl
@@ -25,10 +25,8 @@
enum KeyFormat {
/** X.509 certificate format, for public key export. */
X509 = 0,
- /** PKCS#8 format, asymmetric key pair import. */
+ /** PCKS#8 format, asymmetric key pair import. */
PKCS8 = 1,
- /**
- * Raw bytes, for symmetric key import, and for import of raw asymmetric keys for curve 25519.
- */
+ /** Raw bytes, for symmetric key import. */
RAW = 3,
}
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index fb9afe4..2a7911c 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -6566,7 +6566,7 @@
typedef KeyMintAidlTestBase KeyAgreementTest;
-static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
+int CurveToOpenSslCurveName(EcCurve curve) {
switch (curve) {
case EcCurve::P_224:
return NID_secp224r1;
@@ -6576,8 +6576,6 @@
return NID_secp384r1;
case EcCurve::P_521:
return NID_secp521r1;
- case EcCurve::CURVE_25519:
- return NID_X25519;
}
}
@@ -6599,7 +6597,7 @@
for (auto localCurve : ValidCurves()) {
// Generate EC key locally (with access to private key material)
auto ecKey = EC_KEY_Ptr(EC_KEY_new());
- int curveName = EcdhCurveToOpenSslCurveName(localCurve);
+ int curveName = CurveToOpenSslCurveName(localCurve);
auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
ASSERT_NE(group, nullptr);
ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);