Merge pi-platform-release to stage-aosp-master - DO NOT MERGE
Change-Id: I2e34c0250a62fbd417f620e72504682f7bd9f577
diff --git a/keystore-engine/android_engine.cpp b/keystore-engine/android_engine.cpp
index bb0356b..fba2583 100644
--- a/keystore-engine/android_engine.cpp
+++ b/keystore-engine/android_engine.cpp
@@ -28,7 +28,7 @@
#include <string.h>
#include <unistd.h>
-#include <cutils/log.h>
+#include <log/log.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
@@ -59,7 +59,7 @@
long /* argl */,
void* /* argp */) {
char *key_id = reinterpret_cast<char *>(*from_d);
- if (key_id != NULL) {
+ if (key_id != nullptr) {
*from_d = strdup(key_id);
}
return 1;
@@ -95,12 +95,12 @@
ensure_keystore_engine();
const char *key_id = rsa_get_key_id(rsa);
- if (key_id == NULL) {
+ if (key_id == nullptr) {
ALOGE("key had no key_id!");
return 0;
}
- uint8_t* reply = NULL;
+ uint8_t* reply = nullptr;
size_t reply_len;
int32_t ret = g_keystore_backend->sign(key_id, in, len, &reply, &reply_len);
if (ret < 0) {
@@ -109,7 +109,7 @@
} else if (ret != 0) {
ALOGW("Error during sign from keystore: %d", ret);
return 0;
- } else if (reply_len == 0 || reply == NULL) {
+ } else if (reply_len == 0 || reply == nullptr) {
ALOGW("No valid signature returned");
return 0;
}
@@ -149,21 +149,21 @@
ensure_keystore_engine();
const char *key_id = ecdsa_get_key_id(ec_key);
- if (key_id == NULL) {
+ if (key_id == nullptr) {
ALOGE("key had no key_id!");
return 0;
}
size_t ecdsa_size = ECDSA_size(ec_key);
- uint8_t* reply = NULL;
+ uint8_t* reply = nullptr;
size_t reply_len;
int32_t ret = g_keystore_backend->sign(
key_id, digest, digest_len, &reply, &reply_len);
if (ret < 0) {
ALOGW("There was an error during ecdsa_sign: could not connect");
return 0;
- } else if (reply_len == 0 || reply == NULL) {
+ } else if (reply_len == 0 || reply == nullptr) {
ALOGW("No valid signature returned");
return 0;
} else if (reply_len > ecdsa_size) {
@@ -186,13 +186,13 @@
public:
KeystoreEngine()
: rsa_index_(RSA_get_ex_new_index(0 /* argl */,
- NULL /* argp */,
- NULL /* new_func */,
+ nullptr /* argp */,
+ nullptr /* new_func */,
key_id_dup,
key_id_free)),
ec_key_index_(EC_KEY_get_ex_new_index(0 /* argl */,
- NULL /* argp */,
- NULL /* new_func */,
+ nullptr /* argp */,
+ nullptr /* new_func */,
key_id_dup,
key_id_free)),
engine_(ENGINE_new()) {
@@ -278,31 +278,31 @@
* KeyStore and operate on the key named |key_id|. */
static EVP_PKEY *wrap_rsa(const char *key_id, const RSA *public_rsa) {
Unique_RSA rsa(RSA_new_method(g_keystore_engine->engine()));
- if (rsa.get() == NULL) {
- return NULL;
+ if (rsa.get() == nullptr) {
+ return nullptr;
}
char *key_id_copy = strdup(key_id);
- if (key_id_copy == NULL) {
- return NULL;
+ if (key_id_copy == nullptr) {
+ return nullptr;
}
if (!RSA_set_ex_data(rsa.get(), g_keystore_engine->rsa_ex_index(),
key_id_copy)) {
free(key_id_copy);
- return NULL;
+ return nullptr;
}
rsa->n = BN_dup(public_rsa->n);
rsa->e = BN_dup(public_rsa->e);
- if (rsa->n == NULL || rsa->e == NULL) {
- return NULL;
+ if (rsa->n == nullptr || rsa->e == nullptr) {
+ return nullptr;
}
Unique_EVP_PKEY result(EVP_PKEY_new());
- if (result.get() == NULL ||
+ if (result.get() == nullptr ||
!EVP_PKEY_assign_RSA(result.get(), rsa.get())) {
- return NULL;
+ return nullptr;
}
OWNERSHIP_TRANSFERRED(rsa);
@@ -314,30 +314,30 @@
* KeyStore and operate on the key named |key_id|. */
static EVP_PKEY *wrap_ecdsa(const char *key_id, const EC_KEY *public_ecdsa) {
Unique_EC_KEY ec(EC_KEY_new_method(g_keystore_engine->engine()));
- if (ec.get() == NULL) {
- return NULL;
+ if (ec.get() == nullptr) {
+ return nullptr;
}
if (!EC_KEY_set_group(ec.get(), EC_KEY_get0_group(public_ecdsa)) ||
!EC_KEY_set_public_key(ec.get(), EC_KEY_get0_public_key(public_ecdsa))) {
- return NULL;
+ return nullptr;
}
char *key_id_copy = strdup(key_id);
- if (key_id_copy == NULL) {
- return NULL;
+ if (key_id_copy == nullptr) {
+ return nullptr;
}
if (!EC_KEY_set_ex_data(ec.get(), g_keystore_engine->ec_key_ex_index(),
key_id_copy)) {
free(key_id_copy);
- return NULL;
+ return nullptr;
}
Unique_EVP_PKEY result(EVP_PKEY_new());
- if (result.get() == NULL ||
+ if (result.get() == nullptr ||
!EVP_PKEY_assign_EC_KEY(result.get(), ec.get())) {
- return NULL;
+ return nullptr;
}
OWNERSHIP_TRANSFERRED(ec);
@@ -359,22 +359,22 @@
ensure_keystore_engine();
- uint8_t *pubkey = NULL;
+ uint8_t *pubkey = nullptr;
size_t pubkey_len;
int32_t ret = g_keystore_backend->get_pubkey(key_id, &pubkey, &pubkey_len);
if (ret < 0) {
ALOGW("could not contact keystore");
- return NULL;
- } else if (ret != 0 || pubkey == NULL) {
+ return nullptr;
+ } else if (ret != 0 || pubkey == nullptr) {
ALOGW("keystore reports error: %d", ret);
- return NULL;
+ return nullptr;
}
const uint8_t *inp = pubkey;
- Unique_EVP_PKEY pkey(d2i_PUBKEY(NULL, &inp, pubkey_len));
- if (pkey.get() == NULL) {
+ Unique_EVP_PKEY pkey(d2i_PUBKEY(nullptr, &inp, pubkey_len));
+ if (pkey.get() == nullptr) {
ALOGW("Cannot convert pubkey");
- return NULL;
+ return nullptr;
}
EVP_PKEY *result;
@@ -391,7 +391,7 @@
}
default:
ALOGE("Unsupported key type %d", EVP_PKEY_type(pkey->type));
- result = NULL;
+ result = nullptr;
}
return result;
diff --git a/keystore-engine/keystore_backend_binder.cpp b/keystore-engine/keystore_backend_binder.cpp
index f9e7be0..79b0ec3 100644
--- a/keystore-engine/keystore_backend_binder.cpp
+++ b/keystore-engine/keystore_backend_binder.cpp
@@ -42,7 +42,7 @@
sp<IBinder> binder = sm->getService(String16(keystore_service_name));
sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
- if (service == NULL) {
+ if (service == nullptr) {
ALOGE("could not contact keystore");
return -1;
}
@@ -66,7 +66,7 @@
sp<IBinder> binder = sm->getService(String16(keystore_service_name));
sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
- if (service == NULL) {
+ if (service == nullptr) {
ALOGE("could not contact keystore");
return -1;
}
diff --git a/keystore-engine/keystore_backend_hidl.cpp b/keystore-engine/keystore_backend_hidl.cpp
index 9a84e67..30cf890 100644
--- a/keystore-engine/keystore_backend_hidl.cpp
+++ b/keystore-engine/keystore_backend_hidl.cpp
@@ -33,13 +33,13 @@
int32_t KeystoreBackendHidl::sign(
const char *key_id, const uint8_t* in, size_t len, uint8_t** reply,
size_t* reply_len) {
- if (key_id == NULL || in == NULL || reply == NULL || reply_len == NULL) {
+ if (key_id == nullptr || in == nullptr || reply == nullptr || reply_len == nullptr) {
ALOGE("Null pointer argument passed");
return -1;
}
sp<IKeystore> service = IKeystore::tryGetService();
- if (service == NULL) {
+ if (service == nullptr) {
ALOGE("could not contact keystore HAL");
return -1;
}
@@ -63,13 +63,13 @@
int32_t KeystoreBackendHidl::get_pubkey(
const char *key_id, uint8_t** pubkey, size_t* pubkey_len) {
- if (key_id == NULL || pubkey == NULL || pubkey_len == NULL) {
+ if (key_id == nullptr || pubkey == nullptr || pubkey_len == nullptr) {
ALOGE("Null pointer argument passed");
return -1;
}
sp<IKeystore> service = IKeystore::tryGetService();
- if (service == NULL) {
+ if (service == nullptr) {
ALOGE("could not contact keystore HAL");
return -1;
}
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 8af8717..210b8b5 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -50,6 +50,7 @@
"libbase",
"libbinder",
"libcrypto",
+ "libcutils",
"libhardware",
"libhidlbase",
"libhidltransport",
@@ -85,7 +86,6 @@
cc_binary {
name: "keystore_cli",
defaults: ["keystore_defaults"],
- tags: ["debug"],
srcs: ["keystore_cli.cpp"],
shared_libs: [
@@ -106,7 +106,6 @@
cc_binary {
name: "keystore_cli_v2",
defaults: ["keystore_defaults"],
- tags: ["debug"],
cflags: [
"-DKEYMASTER_NAME_TAGS",
@@ -231,16 +230,25 @@
defaults: ["keystore_defaults"],
srcs: [
+ ":IKeyAttestationApplicationIdProvider.aidl",
"auth_token_table.cpp",
+ "keystore_attestation_id.cpp",
+ "KeyAttestationApplicationId.cpp",
+ "KeyAttestationPackageInfo.cpp",
+ "Signature.cpp",
],
cflags: [ "-O0", ],
static_libs: ["libgtest_main"],
shared_libs: [
"android.hardware.keymaster@4.0",
+ "libbinder",
+ "libcrypto",
"libhidlbase",
"libhwbinder",
"libkeymaster4support",
"libutils",
+ "libkeystore_aidl",
+ "libkeystore_parcelables",
],
export_shared_lib_headers: [
"android.hardware.keymaster@4.0",
@@ -249,6 +257,9 @@
"libkeymaster4support",
],
+ aidl: {
+ include_dirs: ["frameworks/base/core/java/"],
+ },
export_include_dirs: ["include"],
}
@@ -258,6 +269,7 @@
"binder/android/security/IConfirmationPromptCallback.aidl",
"binder/android/security/IKeystoreService.aidl",
],
+ path: "binder",
}
cc_library_shared {
@@ -286,5 +298,3 @@
"libkeystore_parcelables",
],
}
-
-subdirs = ["tests"]
diff --git a/keystore/KeyAttestationApplicationId.cpp b/keystore/KeyAttestationApplicationId.cpp
index 4bc939d..c62571f 100644
--- a/keystore/KeyAttestationApplicationId.cpp
+++ b/keystore/KeyAttestationApplicationId.cpp
@@ -31,6 +31,9 @@
packageInfos_->push_back(std::move(package));
}
+KeyAttestationApplicationId::KeyAttestationApplicationId(PackageInfoVector packages)
+ : packageInfos_(std::make_shared<PackageInfoVector>(std::move(packages))) {}
+
status_t KeyAttestationApplicationId::writeToParcel(Parcel* parcel) const {
return parcel->writeParcelableVector(packageInfos_);
}
diff --git a/keystore/KeyStore.cpp b/keystore/KeyStore.cpp
index f197d91..3a8861e 100644
--- a/keystore/KeyStore.cpp
+++ b/keystore/KeyStore.cpp
@@ -263,7 +263,7 @@
bool KeyStore::isEmpty(uid_t userId) const {
const UserState* userState = getUserState(userId);
- if (userState == NULL) {
+ if (userState == nullptr) {
return true;
}
@@ -274,7 +274,7 @@
bool result = true;
struct dirent* file;
- while ((file = readdir(dir)) != NULL) {
+ while ((file = readdir(dir)) != nullptr) {
// We only care about files.
if (file->d_type != DT_REG) {
continue;
@@ -487,7 +487,7 @@
}
struct dirent* file;
- while ((file = readdir(dir)) != NULL) {
+ while ((file = readdir(dir)) != nullptr) {
// We only care about files.
if (file->d_type != DT_REG) {
continue;
@@ -504,7 +504,7 @@
size_t extra = decode_key_length(p, plen);
char* match = (char*)malloc(extra + 1);
- if (match != NULL) {
+ if (match != nullptr) {
decode_key(match, p, plen);
matches->push(android::String16(match, extra));
free(match);
@@ -531,7 +531,7 @@
ResponseCode KeyStore::importKey(const uint8_t* key, size_t keyLen, const char* filename,
uid_t userId, int32_t flags) {
- Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(NULL, &key, keyLen));
+ Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(nullptr, &key, keyLen));
if (!pkcs8.get()) {
return ResponseCode::SYSTEM_ERROR;
}
@@ -584,7 +584,7 @@
return ResponseCode::SYSTEM_ERROR;
}
- Blob keyBlob(&blob[0], blob.size(), NULL, 0, TYPE_KEYMASTER_10);
+ Blob keyBlob(&blob[0], blob.size(), nullptr, 0, TYPE_KEYMASTER_10);
keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
keyBlob.setSecurityLevel(securityLevel);
@@ -651,7 +651,7 @@
}
}
- return NULL;
+ return nullptr;
}
const UserState* KeyStore::getUserStateByUid(uid_t uid) const {
@@ -705,19 +705,19 @@
ResponseCode KeyStore::importBlobAsKey(Blob* blob, const char* filename, uid_t userId) {
// We won't even write to the blob directly with this BIO, so const_cast is okay.
Unique_BIO b(BIO_new_mem_buf(const_cast<uint8_t*>(blob->getValue()), blob->getLength()));
- if (b.get() == NULL) {
+ if (b.get() == nullptr) {
ALOGE("Problem instantiating BIO");
return ResponseCode::SYSTEM_ERROR;
}
- Unique_EVP_PKEY pkey(PEM_read_bio_PrivateKey(b.get(), NULL, NULL, NULL));
- if (pkey.get() == NULL) {
+ Unique_EVP_PKEY pkey(PEM_read_bio_PrivateKey(b.get(), nullptr, nullptr, nullptr));
+ if (pkey.get() == nullptr) {
ALOGE("Couldn't read old PEM file");
return ResponseCode::SYSTEM_ERROR;
}
Unique_PKCS8_PRIV_KEY_INFO pkcs8(EVP_PKEY2PKCS8(pkey.get()));
- int len = i2d_PKCS8_PRIV_KEY_INFO(pkcs8.get(), NULL);
+ int len = i2d_PKCS8_PRIV_KEY_INFO(pkcs8.get(), nullptr);
if (len < 0) {
ALOGE("Couldn't measure PKCS#8 length");
return ResponseCode::SYSTEM_ERROR;
@@ -797,7 +797,7 @@
}
struct dirent* file;
- while ((file = readdir(dir)) != NULL) {
+ while ((file = readdir(dir)) != nullptr) {
// We only care about files.
if (file->d_type != DT_REG) {
continue;
@@ -821,7 +821,7 @@
// Rename the file into user directory.
DIR* otherdir = opendir(otherUser->getUserDirName());
- if (otherdir == NULL) {
+ if (otherdir == nullptr) {
ALOGW("couldn't open user directory for rename");
continue;
}
diff --git a/keystore/KeystoreArguments.cpp b/keystore/KeystoreArguments.cpp
index fe53c29..6b29e78 100644
--- a/keystore/KeystoreArguments.cpp
+++ b/keystore/KeystoreArguments.cpp
@@ -39,7 +39,7 @@
sp<KeystoreArg> arg = new KeystoreArg(in->readInplace(inSize), inSize);
args.push_back(arg);
} else {
- args.push_back(NULL);
+ args.push_back(nullptr);
}
}
}
diff --git a/keystore/Signature.cpp b/keystore/Signature.cpp
index 1566df9..284f358 100644
--- a/keystore/Signature.cpp
+++ b/keystore/Signature.cpp
@@ -31,6 +31,8 @@
return parcel->readByteVector(&sig_data_);
}
+Signature::Signature(std::vector<uint8_t> signature_data) : sig_data_(std::move(signature_data)) {}
+
} // namespace pm
} // namespace content
} // namespace android
diff --git a/keystore/auth_token_table.cpp b/keystore/auth_token_table.cpp
index 3c51c70..63282e6 100644
--- a/keystore/auth_token_table.cpp
+++ b/keystore/auth_token_table.cpp
@@ -23,7 +23,7 @@
#include <algorithm>
-#include <cutils/log.h>
+#include <log/log.h>
namespace keystore {
@@ -148,7 +148,7 @@
HardwareAuthenticatorType auth_type,
const AuthorizationSet& key_info,
const HardwareAuthToken** found) {
- Entry* newest_match = NULL;
+ Entry* newest_match = nullptr;
for (auto& entry : entries_)
if (entry.SatisfiesAuth(sids, auth_type) && entry.is_newer_than(newest_match))
newest_match = &entry;
diff --git a/keystore/auth_token_table.h b/keystore/auth_token_table.h
index db60003..4110370 100644
--- a/keystore/auth_token_table.h
+++ b/keystore/auth_token_table.h
@@ -97,9 +97,9 @@
class Entry {
public:
Entry(HardwareAuthToken&& token, time_t current_time);
- Entry(Entry&& entry) { *this = std::move(entry); }
+ Entry(Entry&& entry) noexcept { *this = std::move(entry); }
- void operator=(Entry&& rhs) {
+ void operator=(Entry&& rhs) noexcept {
token_ = std::move(rhs.token_);
time_received_ = rhs.time_received_;
last_use_ = rhs.last_use_;
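Review bot: `void operator=(Entry&& rhs) noexcept` still returns `void`; a move-assignment operator conventionally returns `Entry&` (`Entry& operator=(Entry&& rhs) noexcept { … return *this; }`), and since the hunk already touches the signature this is the place to fix it. The added `noexcept` on both the move constructor and the assignment is only sound if `HardwareAuthToken`'s move assignment cannot throw — otherwise a throw that used to propagate now ends in `std::terminate`; worth confirming against the hidl type before relying on it. The body of `operator=` continues past the end of the hunk.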
diff --git a/keystore/blob.cpp b/keystore/blob.cpp
index d21c691..b901553 100644
--- a/keystore/blob.cpp
+++ b/keystore/blob.cpp
@@ -21,7 +21,7 @@
#include <fcntl.h>
#include <string.h>
-#include <cutils/log.h>
+#include <log/log.h>
#include "blob.h"
#include "entropy.h"
@@ -231,11 +231,10 @@
size_t fileLength = offsetof(blobv3, value) + dataLength + mBlob.info;
- const char* tmpFileName = ".tmp";
- int out =
- TEMP_FAILURE_RETRY(open(tmpFileName, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR));
+ char tmpFileName[] = ".tmpXXXXXX";
+ int out = TEMP_FAILURE_RETRY(mkstemp(tmpFileName));
if (out < 0) {
- ALOGW("could not open file: %s: %s", tmpFileName, strerror(errno));
+ ALOGW("could not open temporary file: %s: %s", tmpFileName, strerror(errno));
return ResponseCode::SYSTEM_ERROR;
}
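Review bot: With `mkstemp` every write now gets a distinct file name, so each later failure path in this function (the write and rename that follow outside the hunk) must `unlink(tmpFileName)` before returning; the old fixed `.tmp` was simply reused by the next `O_TRUNC` open, whereas an aborted write now leaves an orphan `.tmpXXXXXX` in the key directory on each attempt — please confirm those paths clean up. The template is still a relative path, so the file is created in the process's current directory exactly as before; a one-line comment such as `// Relative path: relies on keystore having chdir()'d into its data directory.` would make that assumption explicit. `TEMP_FAILURE_RETRY` around `mkstemp` is harmless, but mkstemp does not report EINTR, so plain `int out = mkstemp(tmpFileName);` reads clearer.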
diff --git a/keystore/entropy.cpp b/keystore/entropy.cpp
index 1bfe9a1..8d4d305 100644
--- a/keystore/entropy.cpp
+++ b/keystore/entropy.cpp
@@ -24,7 +24,7 @@
#include <string.h>
#include <unistd.h>
-#include <cutils/log.h>
+#include <log/log.h>
#include "keystore_utils.h"
diff --git a/keystore/include/keystore/KeyAttestationApplicationId.h b/keystore/include/keystore/KeyAttestationApplicationId.h
index c612929..dc914c1 100644
--- a/keystore/include/keystore/KeyAttestationApplicationId.h
+++ b/keystore/include/keystore/KeyAttestationApplicationId.h
@@ -30,8 +30,11 @@
public:
typedef SharedNullableIterator<const KeyAttestationPackageInfo, std::vector>
ConstKeyAttestationPackageInfoIterator;
+ typedef std::vector<std::unique_ptr<KeyAttestationPackageInfo>> PackageInfoVector;
KeyAttestationApplicationId();
+ // Following c'tors are for initializing instances containing test data.
KeyAttestationApplicationId(std::unique_ptr<KeyAttestationPackageInfo> package);
+ KeyAttestationApplicationId(PackageInfoVector packages);
status_t writeToParcel(Parcel*) const override;
status_t readFromParcel(const Parcel* parcel) override;
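Review bot: `KeyAttestationApplicationId(PackageInfoVector packages)` is a single-argument constructor without `explicit`, so a `std::vector<std::unique_ptr<KeyAttestationPackageInfo>>` now converts to a `KeyAttestationApplicationId` implicitly; `Signature(std::vector<uint8_t> signature_data)` added in Signature.h by this same commit has the same issue. Both are documented as test-data helpers, so `explicit KeyAttestationApplicationId(PackageInfoVector packages);` and `explicit Signature(std::vector<uint8_t> signature_data);` keep them out of implicit conversions at call sites that accept the Parcelable. The new `typedef` could also be written as `using PackageInfoVector = std::vector<std::unique_ptr<KeyAttestationPackageInfo>>;`, which reads more naturally next to the `unique_ptr` it wraps.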
diff --git a/keystore/include/keystore/Signature.h b/keystore/include/keystore/Signature.h
index 3c996bb..31ecdef 100644
--- a/keystore/include/keystore/Signature.h
+++ b/keystore/include/keystore/Signature.h
@@ -25,6 +25,10 @@
class Signature : public Parcelable {
public:
+ Signature() = default;
+ // Intended for initializing instances containing test data.
+ Signature(std::vector<uint8_t> signature_data);
+
status_t writeToParcel(Parcel*) const override;
status_t readFromParcel(const Parcel* parcel) override;
diff --git a/keystore/include/keystore/utils.h b/keystore/include/keystore/utils.h
index f95ae71..1d8208a 100644
--- a/keystore/include/keystore/utils.h
+++ b/keystore/include/keystore/utils.h
@@ -34,7 +34,7 @@
SharedNullableIterator(const SharedNullableIterator& other)
: coll_(other.coll_), cur_(other.cur_) {}
- SharedNullableIterator(SharedNullableIterator&& other)
+ SharedNullableIterator(SharedNullableIterator&& other) noexcept
: coll_(std::move(other.coll_)), cur_(std::move(other.cur_)) {}
SharedNullableIterator& operator++() {
@@ -56,7 +56,7 @@
bool operator!=(const SharedNullableIterator& other) const { return !(*this == other); }
SharedNullableIterator& operator=(const SharedNullableIterator&) = default;
- SharedNullableIterator& operator=(SharedNullableIterator&&) = default;
+ SharedNullableIterator& operator=(SharedNullableIterator&&) noexcept = default;
private:
inline bool is_end() const { return !coll_ || cur_ == coll_->end(); }
diff --git a/keystore/key_proto_handler.cpp b/keystore/key_proto_handler.cpp
index 3bf8c06..a106213 100644
--- a/keystore/key_proto_handler.cpp
+++ b/keystore/key_proto_handler.cpp
@@ -22,6 +22,7 @@
#include <keymasterV4_0/Keymaster.h>
#include <keystore/keymaster_types.h>
#include <utils/String16.h>
+#include <utils/StrongPointer.h>
#include "key_config.pb.h"
@@ -74,7 +75,7 @@
bool wasCreationSuccessful) {
KeyConfig keyConfig;
checkEnforcedCharacteristics(keyParams, &keyConfig);
- auto dropbox = std::make_unique<android::os::DropBoxManager>();
+ android::sp<android::os::DropBoxManager> dropbox(new android::os::DropBoxManager());
keyConfig.set_was_creation_successful(wasCreationSuccessful);
size_t size = keyConfig.ByteSize();
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 9d035c8..2aaa625 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -30,6 +30,7 @@
#include <binder/IPCThreadState.h>
#include <binder/IPermissionController.h>
#include <binder/IServiceManager.h>
+#include <cutils/multiuser.h>
#include <log/log_event_list.h>
#include <private/android_filesystem_config.h>
@@ -84,7 +85,7 @@
std::pair<KeyStoreServiceReturnCode, bool> hadFactoryResetSinceIdRotation() {
struct stat sbuf;
if (stat(kTimestampFilePath, &sbuf) == 0) {
- double diff_secs = difftime(time(NULL), sbuf.st_ctime);
+ double diff_secs = difftime(time(nullptr), sbuf.st_ctime);
return {ResponseCode::NO_ERROR, diff_secs < kIdRotationPeriod};
}
@@ -107,7 +108,7 @@
return {ResponseCode::NO_ERROR, true};
}
-constexpr size_t KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE = 1024;
+using ::android::security::KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE;
KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, AuthorizationSet* params) {
KeyStoreServiceReturnCode responseCode;
@@ -125,11 +126,14 @@
std::vector<uint8_t>& asn1_attestation_id = asn1_attestation_id_result;
/*
- * The attestation application ID cannot be longer than
- * KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE, so we truncate if too long.
+ * The attestation application ID must not be longer than
+ * KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE, error out if gather_attestation_application_id
+ * returned such an invalid vector.
*/
if (asn1_attestation_id.size() > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) {
- asn1_attestation_id.resize(KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE);
+ ALOGE("BUG: Gathered Attestation Application ID is too big (%d)",
+ static_cast<int32_t>(asn1_attestation_id.size()));
+ return ErrorCode::CANNOT_ATTEST_IDS;
}
params->push_back(TAG_ATTESTATION_APPLICATION_ID, asn1_attestation_id);
@@ -194,7 +198,7 @@
String8 name8(name);
String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, targetUid, ::TYPE_GENERIC));
- Blob keyBlob(&item[0], item.size(), NULL, 0, ::TYPE_GENERIC);
+ Blob keyBlob(&item[0], item.size(), nullptr, 0, ::TYPE_GENERIC);
keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
*aidl_return =
@@ -462,10 +466,10 @@
return Status::ok();
} else if (args->size() == 1) {
const sp<KeystoreArg>& expArg = args->itemAt(0);
- if (expArg != NULL) {
+ if (expArg != nullptr) {
Unique_BIGNUM pubExpBn(BN_bin2bn(
- reinterpret_cast<const unsigned char*>(expArg->data()), expArg->size(), NULL));
- if (pubExpBn.get() == NULL) {
+ reinterpret_cast<const unsigned char*>(expArg->data()), expArg->size(), nullptr));
+ if (pubExpBn.get() == nullptr) {
ALOGI("Could not convert public exponent to BN");
*aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
return Status::ok();
@@ -508,7 +512,7 @@
const uint8_t* ptr = &data[0];
- Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(NULL, &ptr, data.size()));
+ Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(nullptr, &ptr, data.size()));
if (!pkcs8.get()) {
*aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
return Status::ok();
@@ -537,7 +541,7 @@
int import_result;
auto rc = importKey(name, KeymasterArguments(params.hidl_data()),
static_cast<int32_t>(KeyFormat::PKCS8), data, targetUid, flags,
- /*outCharacteristics*/ NULL, &import_result);
+ /*outCharacteristics*/ nullptr, &import_result);
if (!KeyStoreServiceReturnCode(import_result).isOk()) {
ALOGW("importKey failed: %d", int32_t(import_result));
@@ -806,7 +810,7 @@
String8 name8(name);
String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, uid, ::TYPE_KEYMASTER_10));
- Blob keyBlob(&hidlKeyBlob[0], hidlKeyBlob.size(), NULL, 0, ::TYPE_KEYMASTER_10);
+ Blob keyBlob(&hidlKeyBlob[0], hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10);
keyBlob.setSecurityLevel(securityLevel);
keyBlob.setCriticalToDeviceEncryption(flags & KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION);
if (isAuthenticationBound(params.getParameters()) &&
@@ -859,7 +863,7 @@
// Most Java processes don't have access to this tag
KeyParameter user_id;
user_id.tag = Tag::USER_ID;
- user_id.f.integer = mActiveUserId;
+ user_id.f.integer = multiuser_get_user_id(uid);
keyCharacteristics.push_back(user_id);
}
@@ -874,7 +878,7 @@
return Status::ok();
}
auto kc_buf = kc_stream.str();
- Blob charBlob(reinterpret_cast<const uint8_t*>(kc_buf.data()), kc_buf.size(), NULL, 0,
+ Blob charBlob(reinterpret_cast<const uint8_t*>(kc_buf.data()), kc_buf.size(), nullptr, 0,
::TYPE_KEY_CHARACTERISTICS);
charBlob.setSecurityLevel(securityLevel);
charBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
@@ -992,7 +996,6 @@
const ::std::vector<uint8_t>& keyData, int uid, int flags,
::android::security::keymaster::KeyCharacteristics* outCharacteristics,
int32_t* aidl_return) {
-
uid = getEffectiveUid(uid);
auto logOnScopeExit = android::base::make_scope_guard([&] {
if (__android_log_security()) {
@@ -1037,7 +1040,7 @@
// Write the key:
String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, uid, ::TYPE_KEYMASTER_10));
- Blob ksBlob(&keyBlob[0], keyBlob.size(), NULL, 0, ::TYPE_KEYMASTER_10);
+ Blob ksBlob(&keyBlob[0], keyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10);
ksBlob.setSecurityLevel(securityLevel);
ksBlob.setCriticalToDeviceEncryption(flags & KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION);
if (isAuthenticationBound(params.getParameters()) &&
@@ -1100,7 +1103,7 @@
// Most Java processes don't have access to this tag
KeyParameter user_id;
user_id.tag = Tag::USER_ID;
- user_id.f.integer = mActiveUserId;
+ user_id.f.integer = multiuser_get_user_id(uid);
opParams.push_back(user_id);
}
@@ -1112,7 +1115,7 @@
}
auto kcBuf = kcStream.str();
- Blob charBlob(reinterpret_cast<const uint8_t*>(kcBuf.data()), kcBuf.size(), NULL, 0,
+ Blob charBlob(reinterpret_cast<const uint8_t*>(kcBuf.data()), kcBuf.size(), nullptr, 0,
::TYPE_KEY_CHARACTERISTICS);
charBlob.setSecurityLevel(securityLevel);
charBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
@@ -1324,23 +1327,34 @@
result->outParams = outParams;
};
- ErrorCode rc =
+ KeyStoreServiceReturnCode rc =
KS_HANDLE_HIDL_ERROR(dev->begin(keyPurpose, key, opParams.hidl_data(), authToken, hidlCb));
- if (rc != ErrorCode::OK) {
- ALOGW("Got error %d from begin()", rc);
+ if (!rc.isOk()) {
+ LOG(ERROR) << "Got error " << rc << " from begin()";
+ result->resultCode = ResponseCode::SYSTEM_ERROR;
+ return Status::ok();
}
+ rc = result->resultCode;
+
// If there are too many operations abort the oldest operation that was
// started as pruneable and try again.
+ LOG(INFO) << rc << " " << mOperationMap.hasPruneableOperation();
while (rc == ErrorCode::TOO_MANY_OPERATIONS && mOperationMap.hasPruneableOperation()) {
- ALOGW("Ran out of operation handles");
+ LOG(INFO) << "Ran out of operation handles";
if (!pruneOperation()) {
break;
}
rc = KS_HANDLE_HIDL_ERROR(
dev->begin(keyPurpose, key, opParams.hidl_data(), authToken, hidlCb));
+ if (!rc.isOk()) {
+ LOG(ERROR) << "Got error " << rc << " from begin()";
+ result->resultCode = ResponseCode::SYSTEM_ERROR;
+ return Status::ok();
+ }
+ rc = result->resultCode;
}
- if (rc != ErrorCode::OK) {
+ if (!rc.isOk()) {
result->resultCode = rc;
return Status::ok();
}
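Review bot: `LOG(INFO) << rc << " " << mOperationMap.hasPruneableOperation();` just above the prune loop looks like leftover debug output: it logs on every successful begin() call, not only when handles run out, and carries no context for whoever reads the log. It should be dropped or folded into the existing message inside the loop, e.g. `LOG(INFO) << "Ran out of operation handles (" << rc << "), pruning";`. The transport-error handling after `dev->begin` is now duplicated verbatim before and inside the loop; a small local lambda that performs the call, maps a failed HIDL transaction to `ResponseCode::SYSTEM_ERROR` and otherwise copies `result->resultCode` into `rc` would leave one copy to maintain. The enclosing method starts and ends outside the hunk.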
@@ -1359,8 +1373,15 @@
verificationToken = token;
}));
- if (rc != ErrorCode::OK) result->resultCode = rc;
- if (result->resultCode != ErrorCode::OK) return Status::ok();
+ if (!rc.isOk()) result->resultCode = rc;
+ if (!result->resultCode.isOk()) {
+ LOG(ERROR) << "Failed to verify authorization " << rc << " from begin()";
+ rc = KS_HANDLE_HIDL_ERROR(dev->abort(result->handle));
+ if (!rc.isOk()) {
+ LOG(ERROR) << "Failed to abort operation " << rc << " from begin()";
+ }
+ return Status::ok();
+ }
}
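Review bot: The log on the `!result->resultCode.isOk()` path prints `rc`, but `rc` can still be OK there — the callback sets `result->resultCode` on its own and `rc` only overrides it when the HIDL call failed — so the message may read as a success code; log the value that actually failed: `LOG(ERROR) << "Failed to verify authorization " << result->resultCode << " from begin()";`. Aborting the half-started operation on this path is the right fix, since a verification failure previously left an operation handle open on the device. The second message would read better as `"Failed to abort operation " << rc << " after authorization failure"` rather than "from begin()". The enclosing method continues outside the hunk.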
// Note: The operation map takes possession of the contents of "characteristics".
@@ -1451,7 +1472,12 @@
// just a reminder: on success result->resultCode was set in the callback. So we only overwrite
// it if there was a communication error indicated by the ErrorCode.
- if (!rc.isOk()) result->resultCode = rc;
+ if (!rc.isOk()) {
+ result->resultCode = rc;
+ // removeOperation() will free the memory 'op' used, so the order is important
+ mAuthTokenTable.MarkCompleted(op.handle);
+ mOperationMap.removeOperation(token, /* wasOpSuccessful */ false);
+ }
return Status::ok();
}
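Review bot: The cleanup added on the `!rc.isOk()` branch only covers a failed HIDL transaction; when the transaction succeeds but keymaster reports an error through the callback, `result->resultCode` is non-OK and — per the comment above, that code comes from the callback — the operation map and auth-token table are left untouched, even though the device will have discarded the operation. If that path is handled elsewhere in the function (outside the hunk) a comment pointing to it would help; otherwise the same `MarkCompleted`/`removeOperation` pair appears to be needed there too. The ordering comment is useful but could name what is at stake, e.g. `// op refers into the entry removeOperation() destroys, so it must be used first.` — assuming `op` is a reference into the map entry, which the hunk does not show.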
@@ -1573,7 +1599,7 @@
}
int isDeviceIdAttestationRequested(const KeymasterArguments& params) {
- const hardware::hidl_vec<KeyParameter> paramsVec = params.getParameters();
+ const hardware::hidl_vec<KeyParameter>& paramsVec = params.getParameters();
int result = 0;
for (size_t i = 0; i < paramsVec.size(); ++i) {
switch (paramsVec[i].tag) {
@@ -1676,7 +1702,7 @@
uid_t callingUid = IPCThreadState::self()->getCallingUid();
sp<IBinder> binder = defaultServiceManager()->getService(String16("permission"));
- if (binder == 0) {
+ if (binder == nullptr) {
*aidl_return =
static_cast<int32_t>(KeyStoreServiceReturnCode(ErrorCode::CANNOT_ATTEST_IDS));
return Status::ok();
@@ -1697,11 +1723,9 @@
}
// Generate temporary key.
- sp<Keymaster> dev;
- SecurityLevel securityLevel;
- std::tie(dev, securityLevel) = mKeyStore->getMostSecureDevice();
+ sp<Keymaster> dev = mKeyStore->getDevice(SecurityLevel::TRUSTED_ENVIRONMENT);
- if (securityLevel == SecurityLevel::SOFTWARE) {
+ if (!dev) {
*aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);
return Status::ok();
}
@@ -1816,7 +1840,7 @@
String8 filename(
mKeyStore->getKeyNameForUidWithDir(wrappedKeyAlias8, callingUid, ::TYPE_KEYMASTER_10));
- Blob ksBlob(&keyBlob[0], keyBlob.size(), NULL, 0, ::TYPE_KEYMASTER_10);
+ Blob ksBlob(&keyBlob[0], keyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10);
ksBlob.setSecurityLevel(securityLevel);
if (containsTag(keyCharacteristics.hardwareEnforced, Tag::USER_SECURE_ID)) {
@@ -1851,7 +1875,7 @@
}
auto kcBuf = kcStream.str();
- Blob charBlob(reinterpret_cast<const uint8_t*>(kcBuf.data()), kcBuf.size(), NULL, 0,
+ Blob charBlob(reinterpret_cast<const uint8_t*>(kcBuf.data()), kcBuf.size(), nullptr, 0,
::TYPE_KEY_CHARACTERISTICS);
charBlob.setSecurityLevel(securityLevel);
@@ -2291,9 +2315,6 @@
Status KeyStoreService::onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
int32_t* aidl_return) {
enforcement_policy.set_device_locked(isShowing, userId);
- if (!isShowing) {
- mActiveUserId = userId;
- }
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
return Status::ok();
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 0056342..8d3f1f2 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -39,7 +39,7 @@
public:
explicit KeyStoreService(KeyStore* keyStore)
: mKeyStore(keyStore), mOperationMap(this),
- mConfirmationManager(new ConfirmationManager(this)), mActiveUserId(0) {}
+ mConfirmationManager(new ConfirmationManager(this)) {}
virtual ~KeyStoreService() = default;
void binderDied(const android::wp<android::IBinder>& who);
@@ -300,7 +300,6 @@
android::sp<ConfirmationManager> mConfirmationManager;
keystore::AuthTokenTable mAuthTokenTable;
KeystoreKeymasterEnforcement enforcement_policy;
- int32_t mActiveUserId;
};
}; // namespace keystore
diff --git a/keystore/keyblob_utils.cpp b/keystore/keyblob_utils.cpp
index 3616822..6c2fac9 100644
--- a/keystore/keyblob_utils.cpp
+++ b/keystore/keyblob_utils.cpp
@@ -48,7 +48,7 @@
uint8_t* add_softkey_header(uint8_t* key_blob, size_t key_blob_length) {
if (key_blob_length < sizeof(SOFT_KEY_MAGIC)) {
- return NULL;
+ return nullptr;
}
memcpy(key_blob, SOFT_KEY_MAGIC, sizeof(SOFT_KEY_MAGIC));
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index 5a6e591..1a7fa80 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -25,8 +25,9 @@
#include <openssl/evp.h>
-#include <cutils/log.h>
#include <hardware/hw_auth_token.h>
+#include <log/log.h>
+
#include <list>
#include <keystore/keystore_hidl_support.h>
diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp
index 3d34ac5..b48639f 100644
--- a/keystore/keystore_attestation_id.cpp
+++ b/keystore/keystore_attestation_id.cpp
@@ -17,7 +17,7 @@
#define LOG_TAG "keystore_att_id"
-#include <cutils/log.h>
+#include <log/log.h>
#include <memory>
#include <string>
@@ -47,6 +47,7 @@
namespace {
constexpr const char* kAttestationSystemPackageName = "AndroidSystem";
+constexpr const char* kUnknownPackageName = "UnknownPackage";
std::vector<uint8_t> signature2SHA256(const content::pm::Signature& sig) {
std::vector<uint8_t> digest_buffer(SHA256_DIGEST_LENGTH);
@@ -82,6 +83,10 @@
ASN1_INTEGER* version;
} KM_ATTESTATION_PACKAGE_INFO;
+// Estimated size:
+// 4 bytes for the package name + package_name length
+// 11 bytes for the version (2 bytes header and up to 9 bytes of data).
+constexpr size_t AAID_PKG_INFO_OVERHEAD = 15;
ASN1_SEQUENCE(KM_ATTESTATION_PACKAGE_INFO) = {
ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, package_name, ASN1_OCTET_STRING),
ASN1_SIMPLE(KM_ATTESTATION_PACKAGE_INFO, version, ASN1_INTEGER),
@@ -90,11 +95,21 @@
DECLARE_STACK_OF(KM_ATTESTATION_PACKAGE_INFO);
+// Estimated size:
+// See estimate above for the stack of package infos.
+// 34 (32 + 2) bytes for each signature digest.
+constexpr size_t AAID_SIGNATURE_SIZE = 34;
typedef struct km_attestation_application_id {
STACK_OF(KM_ATTESTATION_PACKAGE_INFO) * package_infos;
STACK_OF(ASN1_OCTET_STRING) * signature_digests;
} KM_ATTESTATION_APPLICATION_ID;
+// Estimated overhead:
+// 4 for the header of the octet string containing the fully-encoded data.
+// 4 for the sequence header.
+// 4 for the header of the package info set.
+// 4 for the header of the signature set.
+constexpr size_t AAID_GENERAL_OVERHEAD = 16;
ASN1_SEQUENCE(KM_ATTESTATION_APPLICATION_ID) = {
ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, package_infos, KM_ATTESTATION_PACKAGE_INFO),
ASN1_SET_OF(KM_ATTESTATION_APPLICATION_ID, signature_digests, ASN1_OCTET_STRING),
@@ -165,10 +180,23 @@
return retval;
}
+/* The following function are not used. They are mentioned here to silence
+ * warnings about them not being used.
+ */
+void unused_functions_silencer() __attribute__((unused));
+void unused_functions_silencer() {
+ i2d_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr);
+ d2i_KM_ATTESTATION_APPLICATION_ID(nullptr, nullptr, 0);
+ d2i_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr, 0);
+}
+
+} // namespace
+
StatusOr<std::vector<uint8_t>>
build_attestation_application_id(const KeyAttestationApplicationId& key_attestation_id) {
auto attestation_id =
std::unique_ptr<KM_ATTESTATION_APPLICATION_ID>(KM_ATTESTATION_APPLICATION_ID_new());
+ size_t estimated_encoded_size = AAID_GENERAL_OVERHEAD;
auto attestation_pinfo_stack = reinterpret_cast<_STACK*>(attestation_id->package_infos);
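Review bot: Now that the anonymous namespace is closed before `build_attestation_application_id`, the function is an exported entry point (the new unit test calls it directly), yet the line after the new `estimated_encoded_size` initialisation still dereferences `attestation_id->package_infos` without checking that `KM_ATTESTATION_APPLICATION_ID_new()` returned non-null; OpenSSL `*_new()` functions return NULL on allocation failure. A one-line guard keeps that from being a null dereference: `if (!attestation_id) return NO_MEMORY;` placed before the `estimated_encoded_size` line. The function body continues past the end of this hunk.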
@@ -187,6 +215,10 @@
ALOGE("Building DER attestation package info failed %d", rc);
return rc;
}
+ estimated_encoded_size += AAID_PKG_INFO_OVERHEAD + package_name.size();
+ if (estimated_encoded_size > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) {
+ break;
+ }
if (!sk_push(attestation_pinfo_stack, attestation_package_info.get())) {
return NO_MEMORY;
}
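Review bot: When the check `if (estimated_encoded_size > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) break;` fires, `estimated_encoded_size` has already been increased for the package that is then not pushed, so the running estimate overstates what was actually encoded and the signature loop later in this function, which tests the same counter, will drop every digest as soon as one package does not fit. Test the candidate before committing it: `if (estimated_encoded_size + AAID_PKG_INFO_OVERHEAD + package_name.size() > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) break;` followed by `estimated_encoded_size += AAID_PKG_INFO_OVERHEAD + package_name.size();`. The truncation is silent; an `ALOGW` naming the dropped package would make it visible in the device log, since the relying party cannot tell a truncated list from a complete one. The loop this hunk sits in starts and ends outside the hunk.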
@@ -207,6 +239,10 @@
auto signature_digest_stack = reinterpret_cast<_STACK*>(attestation_id->signature_digests);
for (auto si : signature_digests) {
+ estimated_encoded_size += AAID_SIGNATURE_SIZE;
+ if (estimated_encoded_size > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) {
+ break;
+ }
auto asn1_item = std::unique_ptr<ASN1_OCTET_STRING>(ASN1_OCTET_STRING_new());
if (!asn1_item) return NO_MEMORY;
if (!ASN1_OCTET_STRING_set(asn1_item.get(), si.data(), si.size())) {
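Review bot: The same add-then-check pattern as in the package loop applies here: `estimated_encoded_size += AAID_SIGNATURE_SIZE;` runs before the limit test, so on `break` the counter includes a digest that was never pushed, and the loop exits on the first digest whenever the package loop already overshot. Since the signer digests are arguably the most identity-bearing part of the attestation application ID, dropping them silently deserves at least `ALOGW("attestation application id truncated: %zu signature digests omitted", ...)`, and the check should be `if (estimated_encoded_size + AAID_SIGNATURE_SIZE > KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE) break;` with the increment after it. The enclosing loop ends outside the hunk.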
@@ -229,18 +265,6 @@
return result;
}
-/* The following function are not used. They are mentioned here to silence
- * warnings about them not being used.
- */
-void unused_functions_silencer() __attribute__((unused));
-void unused_functions_silencer() {
- i2d_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr);
- d2i_KM_ATTESTATION_APPLICATION_ID(nullptr, nullptr, 0);
- d2i_KM_ATTESTATION_PACKAGE_INFO(nullptr, nullptr, 0);
-}
-
-} // namespace
-
StatusOr<std::vector<uint8_t>> gather_attestation_application_id(uid_t uid) {
KeyAttestationApplicationId key_attestation_id;
@@ -254,10 +278,15 @@
/* Get the attestation application ID from package manager */
auto& pm = KeyAttestationApplicationIdProvider::get();
auto status = pm.getKeyAttestationApplicationId(uid, &key_attestation_id);
+ // Package Manager call has failed, perform attestation but indicate that the
+ // caller is unknown.
if (!status.isOk()) {
- ALOGE("package manager request for key attestation ID failed with: %s %d",
+ ALOGW("package manager request for key attestation ID failed with: %s %d",
status.exceptionMessage().string(), status.exceptionCode());
- return FAILED_TRANSACTION;
+ auto pinfo = std::make_unique<KeyAttestationPackageInfo>(
+ String16(kUnknownPackageName), 1 /* version code */,
+ std::make_shared<KeyAttestationPackageInfo::SignaturesVector>());
+ key_attestation_id = KeyAttestationApplicationId(std::move(pinfo));
}
}
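Review bot: Downgrading a failed `getKeyAttestationApplicationId` from `FAILED_TRANSACTION` to a synthetic `UnknownPackage` entry (version 1, empty signature vector) means a caller whose identity could not be established still obtains a signed attestation, and the certificate will carry a package entry that looks like a real one. That is a deliberate availability trade-off, but it is a security-relevant contract change that neither the header nor this function documents: relying parties must treat this name as "identity unknown", not as a package. Record it where the API is declared, e.g. in the `gather_attestation_application_id` doc comment: `If the package manager cannot be queried, the returned ID contains a single package named "UnknownPackage" with version 1 and no signature digests.` Also consider logging the `uid` in the `ALOGW`, since it is the only handle an investigator has when this path is hit. Whether any condition under which the call fails is attacker-influenceable (e.g. early boot) cannot be judged from this hunk.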
diff --git a/keystore/keystore_attestation_id.h b/keystore/keystore_attestation_id.h
index 8d20550..f45d5be 100644
--- a/keystore/keystore_attestation_id.h
+++ b/keystore/keystore_attestation_id.h
@@ -23,6 +23,14 @@
namespace android {
namespace security {
+constexpr size_t KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE = 1024;
+
+namespace keymaster {
+
+class KeyAttestationApplicationId;
+
+} // namespace keymaster
+
template <typename T> class StatusOr {
public:
StatusOr(const status_t error) : _status(error), _value() {}
@@ -57,6 +65,14 @@
*/
StatusOr<std::vector<uint8_t>> gather_attestation_application_id(uid_t uid);
+/**
+ * Generates a DER-encoded vector containing information from KeyAttestationApplicationId.
+ * The size of the returned vector will not exceed KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE.
+ */
+
+StatusOr<std::vector<uint8_t>> build_attestation_application_id(
+ const ::android::security::keymaster::KeyAttestationApplicationId& key_attestation_id);
+
} // namespace security
} // namespace android
#endif // KEYSTORE_KEYSTORE_ATTESTATION_ID_H_
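Review bot: The new doc comment promises a size bound but not what happens when the input does not fit, which is the behaviour a caller building attestation certificates actually needs to know; the implementation drops trailing package infos and then trailing signature digests, so the result can be a smaller, still-valid DER structure that identifies fewer packages and signers than the caller has. Extend the comment along the lines of `Entries are encoded in input order; package infos and then signature digests that would push the encoding past the limit are omitted rather than reported as an error.` The blank line between the closing `*/` and the declaration (the empty `+` line) should also go, so documentation tools attach the comment to `build_attestation_application_id`.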
diff --git a/keystore/keystore_cli.cpp b/keystore/keystore_cli.cpp
index 1e100fc..d5a8afa 100644
--- a/keystore/keystore_cli.cpp
+++ b/keystore/keystore_cli.cpp
@@ -31,7 +31,7 @@
using android::security::IKeystoreService;
static const char* responses[] = {
- NULL,
+ nullptr,
/* [NO_ERROR] = */ "No error",
/* [LOCKED] = */ "Locked",
/* [UNINITIALIZED] = */ "Uninitialized",
@@ -218,7 +218,7 @@
sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
- if (service == NULL) {
+ if (service == nullptr) {
fprintf(stderr, "%s: error: could not connect to keystore service\n", argv[0]);
return 1;
}
diff --git a/keystore/keystore_cli_v2.cpp b/keystore/keystore_cli_v2.cpp
index 6377ec1..157417f 100644
--- a/keystore/keystore_cli_v2.cpp
+++ b/keystore/keystore_cli_v2.cpp
@@ -144,7 +144,7 @@
if (!sha256_only) {
parameters.Digest(Digest::SHA_2_224).Digest(Digest::SHA_2_384).Digest(Digest::SHA_2_512);
}
- return parameters;
+ return std::move(parameters);
}
AuthorizationSet GetRSAEncryptParameters(uint32_t key_size) {
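Review bot: `return std::move(parameters);` is only an improvement if `parameters`, declared above this hunk, has a different type from the `AuthorizationSet` return type (presumably an `AuthorizationSetBuilder`), because before C++20 the implicit move on return does not apply to a converting constructor and the builder was being copied; if it is already an `AuthorizationSet`, the explicit move instead blocks NRVO and clang will warn with `-Wpessimizing-move`. Since the same change is repeated in five functions here and in auth_token_table_test.cpp, a one-line comment at the first occurrence would stop the next reader from "fixing" it back: `// explicit move: builder -> AuthorizationSet conversion is not implicitly moved before C++20`.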
@@ -153,7 +153,7 @@
.Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
.Padding(PaddingMode::RSA_OAEP)
.Authorization(TAG_NO_AUTH_REQUIRED);
- return parameters;
+ return std::move(parameters);
}
AuthorizationSet GetECDSAParameters(uint32_t key_size, bool sha256_only) {
@@ -164,7 +164,7 @@
if (!sha256_only) {
parameters.Digest(Digest::SHA_2_224).Digest(Digest::SHA_2_384).Digest(Digest::SHA_2_512);
}
- return parameters;
+ return std::move(parameters);
}
AuthorizationSet GetAESParameters(uint32_t key_size, bool with_gcm_mode) {
@@ -179,7 +179,7 @@
parameters.Authorization(TAG_BLOCK_MODE, BlockMode::CTR);
parameters.Padding(PaddingMode::NONE);
}
- return parameters;
+ return std::move(parameters);
}
AuthorizationSet GetHMACParameters(uint32_t key_size, Digest digest) {
@@ -188,7 +188,7 @@
.Digest(digest)
.Authorization(TAG_MIN_MAC_LENGTH, 224)
.Authorization(TAG_NO_AUTH_REQUIRED);
- return parameters;
+ return std::move(parameters);
}
std::vector<TestCase> GetTestCases() {
@@ -496,7 +496,7 @@
sp<android::IServiceManager> sm = android::defaultServiceManager();
sp<android::IBinder> binder = sm->getService(String16("android.security.keystore"));
sp<IKeystoreService> service = android::interface_cast<IKeystoreService>(binder);
- if (service == NULL) {
+ if (service == nullptr) {
printf("error: could not connect to keystore service.\n");
return 1;
}
diff --git a/keystore/keystore_get.cpp b/keystore/keystore_get.cpp
index cf67fa4..fec36c4 100644
--- a/keystore/keystore_get.cpp
+++ b/keystore/keystore_get.cpp
@@ -29,7 +29,7 @@
sp<android::security::IKeystoreService> service =
interface_cast<android::security::IKeystoreService>(binder);
- if (service == NULL) {
+ if (service == nullptr) {
return -1;
}
diff --git a/keystore/keystore_get_wifi_hidl.cpp b/keystore/keystore_get_wifi_hidl.cpp
index 79639b6..155201f 100644
--- a/keystore/keystore_get_wifi_hidl.cpp
+++ b/keystore/keystore_get_wifi_hidl.cpp
@@ -34,13 +34,13 @@
using android::system::wifi::keystore::V1_0::IKeystore;
ssize_t keystore_get(const char *key, size_t keyLength, uint8_t** value) {
- if (key == NULL || keyLength == 0 || value == NULL) {
+ if (key == nullptr || keyLength == 0 || value == nullptr) {
ALOGE("Null pointer argument passed");
return -1;
}
sp<IKeystore> service = IKeystore::tryGetService();
- if (service == NULL) {
+ if (service == nullptr) {
ALOGE("could not contact keystore HAL");
return -1;
}
diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h
index e114ea9..e7515a1 100644
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@@ -39,7 +39,7 @@
}
bool activation_date_valid(uint64_t activation_date) const override {
- time_t now = time(NULL);
+ time_t now = time(nullptr);
if (now == static_cast<time_t>(-1)) {
// Failed to obtain current time -- fail safe: activation_date hasn't yet occurred.
return false;
@@ -57,7 +57,7 @@
}
bool expiration_date_passed(uint64_t expiration_date) const override {
- time_t now = time(NULL);
+ time_t now = time(nullptr);
if (now == static_cast<time_t>(-1)) {
// Failed to obtain current time -- fail safe: expiration_date has passed.
return true;
diff --git a/keystore/keystore_utils.cpp b/keystore/keystore_utils.cpp
index e5ae29a..71e8ed2 100644
--- a/keystore/keystore_utils.cpp
+++ b/keystore/keystore_utils.cpp
@@ -22,7 +22,7 @@
#include <string.h>
#include <unistd.h>
-#include <cutils/log.h>
+#include <log/log.h>
#include <private/android_filesystem_config.h>
#include <private/android_logger.h>
diff --git a/keystore/legacy_keymaster_device_wrapper.cpp b/keystore/legacy_keymaster_device_wrapper.cpp
index 187252e..1f1aa96 100644
--- a/keystore/legacy_keymaster_device_wrapper.cpp
+++ b/keystore/legacy_keymaster_device_wrapper.cpp
@@ -19,7 +19,7 @@
#include "legacy_keymaster_device_wrapper.h"
-#include <cutils/log.h>
+#include <log/log.h>
#include <hardware/keymaster2.h>
#include <hardware/keymaster_defs.h>
@@ -106,7 +106,8 @@
}
}
}
- KmParamSet(KmParamSet&& other) : keymaster_key_param_set_t{other.params, other.length} {
+ KmParamSet(KmParamSet&& other) noexcept
+ : keymaster_key_param_set_t{other.params, other.length} {
other.length = 0;
other.params = nullptr;
}
diff --git a/keystore/operation_proto_handler.cpp b/keystore/operation_proto_handler.cpp
index 77e1b73..992232d 100644
--- a/keystore/operation_proto_handler.cpp
+++ b/keystore/operation_proto_handler.cpp
@@ -23,6 +23,7 @@
#include <keystore/keymaster_types.h>
#include <keystore/keystore_hidl_support.h>
#include <utils/String16.h>
+#include <utils/StrongPointer.h>
#include "operation_config.pb.h"
@@ -108,7 +109,7 @@
checkKeyCharacteristics(op.characteristics.softwareEnforced, &operationConfig);
checkKeyCharacteristics(op.characteristics.hardwareEnforced, &operationConfig);
checkOpCharacteristics(op.params, &operationConfig);
- auto dropbox = std::make_unique<android::os::DropBoxManager>();
+ android::sp<android::os::DropBoxManager> dropbox(new android::os::DropBoxManager);
operationConfig.set_was_op_successful(wasOpSuccessful);
size_t size = operationConfig.ByteSize();
diff --git a/keystore/permissions.cpp b/keystore/permissions.cpp
index 1ba91d9..cd79539 100644
--- a/keystore/permissions.cpp
+++ b/keystore/permissions.cpp
@@ -18,8 +18,8 @@
#include "permissions.h"
-#include <cutils/log.h>
#include <cutils/sockets.h>
+#include <log/log.h>
#include <private/android_filesystem_config.h>
#include <selinux/android.h>
@@ -119,7 +119,7 @@
static bool keystore_selinux_check_access(uid_t uid, perm_t perm, pid_t spid) {
audit_data ad;
- char* sctx = NULL;
+ char* sctx = nullptr;
const char* selinux_class = "keystore_key";
const char* str_perm = get_perm_label(perm);
diff --git a/keystore/tests/Android.bp b/keystore/tests/Android.bp
index c3f5177..103fa0e 100644
--- a/keystore/tests/Android.bp
+++ b/keystore/tests/Android.bp
@@ -8,23 +8,30 @@
"-O0",
],
srcs: [
+ "aaid_truncation_test.cpp",
"auth_token_table_test.cpp",
"auth_token_formatting_test.cpp",
"confirmationui_rate_limiting_test.cpp",
"gtest_main.cpp",
],
name: "keystore_unit_tests",
- tags: ["test"],
static_libs: [
"android.hardware.confirmationui@1.0",
"libbase",
+ "libcrypto",
+ "libcutils",
"libgtest_main",
"libhidlbase",
"libkeymaster4support",
"libkeystore_test",
"liblog",
+ "libutils",
+ "libvndksupport",
],
- shared_libs: ["libkeymaster_messages"],
+ shared_libs: [
+ "libbinder",
+ "libkeymaster_messages",
+ ],
sanitize: {
cfi: false,
}
diff --git a/keystore/tests/aaid_truncation_test.cpp b/keystore/tests/aaid_truncation_test.cpp
new file mode 100644
index 0000000..e5d5e9f
--- /dev/null
+++ b/keystore/tests/aaid_truncation_test.cpp
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <gtest/gtest.h>
+
+#include <string>
+#include <utils/String16.h>
+
+#include "../keystore_attestation_id.h"
+#include <keymaster/logger.h>
+
+#include <keystore/KeyAttestationApplicationId.h>
+#include <keystore/KeyAttestationPackageInfo.h>
+#include <keystore/Signature.h>
+
+using ::android::String16;
+using ::android::security::KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE;
+using ::android::security::keymaster::KeyAttestationApplicationId;
+using ::android::security::keymaster::KeyAttestationPackageInfo;
+using std::vector;
+
+namespace keystore {
+
+namespace test {
+
+namespace {
+
+constexpr const char* kDummyPackageName = "DummyPackage";
+
+constexpr const char* kLongPackageName =
+ "a.long.package.name"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+
+constexpr const char* kReasonablePackageName =
+ "a.reasonable.length.package.name"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+
+constexpr const size_t kTooManyPackages = 4;
+
+// Signatures should be 32 bytes
+constexpr const uint8_t kDummySignature[32] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f};
+constexpr const size_t kTooManySignatures = 35;
+
+} // namespace
+
+using ::android::content::pm::Signature;
+using ::android::security::build_attestation_application_id;
+
+std::unique_ptr<KeyAttestationPackageInfo>
+make_package_info_with_signatures(const char* package_name,
+ KeyAttestationPackageInfo::SignaturesVector signatures) {
+ return std::make_unique<KeyAttestationPackageInfo>(
+ String16(package_name), 1 /* version code */,
+ std::make_shared<KeyAttestationPackageInfo::SignaturesVector>(std::move(signatures)));
+}
+
+std::unique_ptr<KeyAttestationPackageInfo> make_package_info(const char* package_name) {
+ return make_package_info_with_signatures(package_name,
+ KeyAttestationPackageInfo::SignaturesVector());
+}
+
+TEST(AaidTruncationTest, shortPackageInfoTest) {
+ KeyAttestationApplicationId app_id(make_package_info(kDummyPackageName));
+
+ auto result = build_attestation_application_id(app_id);
+ ASSERT_TRUE(result.isOk());
+ std::vector<uint8_t>& encoded_app_id = result;
+ ASSERT_LT(encoded_app_id.size(), KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE);
+}
+
+TEST(AaidTruncationTest, tooLongPackageNameTest) {
+ KeyAttestationApplicationId app_id(make_package_info(kLongPackageName));
+
+ auto result = build_attestation_application_id(app_id);
+ ASSERT_TRUE(result.isOk());
+ std::vector<uint8_t>& encoded_app_id = result;
+ ASSERT_LT(encoded_app_id.size(), KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE);
+}
+
+TEST(AaidTruncationTest, tooManySignaturesTest) {
+ std::vector<uint8_t> dummy_sig_data(kDummySignature, kDummySignature + 32);
+ KeyAttestationPackageInfo::SignaturesVector signatures;
+ // Add 35 signatures which will surely exceed the 1K limit.
+ for (size_t i = 0; i < kTooManySignatures; ++i) {
+ signatures.push_back(std::make_unique<Signature>(dummy_sig_data));
+ }
+
+ KeyAttestationApplicationId app_id(
+ make_package_info_with_signatures(kDummyPackageName, std::move(signatures)));
+
+ auto result = build_attestation_application_id(app_id);
+ ASSERT_TRUE(result.isOk());
+ std::vector<uint8_t>& encoded_app_id = result;
+ ASSERT_LT(encoded_app_id.size(), KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE);
+}
+
+TEST(AaidTruncationTest, combinedPackagesAndSignaturesTest) {
+ std::vector<uint8_t> dummy_sig_data(kDummySignature, kDummySignature + 32);
+ KeyAttestationApplicationId::PackageInfoVector packages;
+
+ for (size_t i = 0; i < kTooManyPackages; ++i) {
+ KeyAttestationPackageInfo::SignaturesVector signatures;
+ // Add a few signatures for each package
+ for (int j = 0; j < 3; ++j) {
+ signatures.push_back(std::make_unique<Signature>(dummy_sig_data));
+ }
+ packages.push_back(
+ make_package_info_with_signatures(kReasonablePackageName, std::move(signatures)));
+ }
+
+ KeyAttestationApplicationId app_id(std::move(packages));
+ auto result = build_attestation_application_id(app_id);
+ ASSERT_TRUE(result.isOk());
+ std::vector<uint8_t>& encoded_app_id = result;
+ ASSERT_LT(encoded_app_id.size(), KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE);
+}
+
+} // namespace test
+} // namespace keystore
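Review bot: Every test asserts only `ASSERT_LT(encoded_app_id.size(), KEY_ATTESTATION_APPLICATION_ID_MAX_SIZE)`, which an implementation that dropped every package and digest would satisfy too, so the suite does not show that truncation keeps anything; `tooLongPackageNameTest` passes whether the oversized package is kept, shortened or omitted entirely. A case sized so the estimate lands just under the limit, and a decode of the output (the `d2i_*` functions are file-local in keystore_attestation_id.cpp, so they would need exposing) would pin which entries survive. The header says the size "will not exceed" the limit, so `ASSERT_LE` is the matching bound; `ASSERT_LT` fails spuriously on an encoding of exactly 1024 bytes. The comment `// Signatures should be 32 bytes` is misleading if, as `signature2SHA256` in the implementation suggests, the raw signature is hashed before encoding; the fixture length is then arbitrary. `using std::vector;` is unused, as the tests spell out `std::vector`.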
diff --git a/keystore/tests/auth_token_table_test.cpp b/keystore/tests/auth_token_table_test.cpp
index 511a78d..29aa71e 100644
--- a/keystore/tests/auth_token_table_test.cpp
+++ b/keystore/tests/auth_token_table_test.cpp
@@ -79,7 +79,7 @@
.Authorization(TAG_USER_SECURE_ID, rsid);
// Use timeout == 0 to indicate tags that require auth per operation.
if (timeout != 0) builder.Authorization(TAG_AUTH_TIMEOUT, timeout);
- return builder;
+ return std::move(builder);
}
// Tests obviously run so fast that a real-time clock with a one-second granularity rarely changes
diff --git a/keystore/user_state.cpp b/keystore/user_state.cpp
index 5f9cd5f..af3336b 100644
--- a/keystore/user_state.cpp
+++ b/keystore/user_state.cpp
@@ -26,7 +26,7 @@
#include <openssl/evp.h>
-#include <cutils/log.h>
+#include <log/log.h>
#include "blob.h"
#include "keystore_utils.h"
@@ -155,7 +155,7 @@
if (length > SALT_SIZE && rawBlob.info == SALT_SIZE) {
salt = (uint8_t*)&rawBlob + length - SALT_SIZE;
} else {
- salt = NULL;
+ salt = nullptr;
}
uint8_t passwordKey[MASTER_KEY_SIZE_BYTES];
generateKeyFromPassword(passwordKey, MASTER_KEY_SIZE_BYTES, pw, salt);
@@ -166,7 +166,7 @@
}
if (response == ResponseCode::NO_ERROR && masterKeyBlob.getLength() == MASTER_KEY_SIZE_BYTES) {
// If salt was missing, generate one and write a new master key file with the salt.
- if (salt == NULL) {
+ if (salt == nullptr) {
if (!generateSalt(entropy)) {
return ResponseCode::SYSTEM_ERROR;
}
@@ -209,7 +209,7 @@
}
struct dirent* file;
- while ((file = readdir(dir)) != NULL) {
+ while ((file = readdir(dir)) != nullptr) {
// skip . and ..
if (!strcmp(".", file->d_name) || !strcmp("..", file->d_name)) {
continue;
@@ -224,7 +224,7 @@
void UserState::generateKeyFromPassword(uint8_t* key, ssize_t keySize, const android::String8& pw,
uint8_t* salt) {
size_t saltSize;
- if (salt != NULL) {
+ if (salt != nullptr) {
saltSize = SALT_SIZE;
} else {
// Pre-gingerbread used this hardwired salt, readMasterKey will rewrite these when found