NIAP: Log key integrity failure to audit log.
Logs key integrity violation in two cases:
1. software-detected corruption of key blob.
2. keymaster operation returning INVALID_KEY_BLOB
Changed AES_gcm_decrypt to return VALUE_CORRUPTED on decryption errors
to be consistent with digest check for older version blob.
Bug: 70886042
Test: manual, by patching some bytes in the blob.
Test: cts-tradefed run cts -m CtsKeystoreTestCases
Change-Id: Ic8f6b7a2a49aee01253b429644af409e568d7deb
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 89c31a5..d59966f 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -64,11 +64,6 @@
constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
const char* kTimestampFilePath = "timestamp";
-// Tags for audit logging. Be careful and don't log sensitive data.
-// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
-constexpr int SEC_TAG_AUTH_KEY_GENERATED = 210024;
-constexpr int SEC_TAG_KEY_IMPORTED = 210025;
-
struct BIGNUM_Delete {
void operator()(BIGNUM* p) const { BN_free(p); }
};
@@ -916,6 +911,9 @@
auto hidlCb = [&](ErrorCode ret, const KeyCharacteristics& keyCharacteristics) {
error = ret;
if (!error.isOk()) {
+ if (error == ErrorCode::INVALID_KEY_BLOB) {
+ log_key_integrity_violation(name8, targetUid);
+ }
return;
}
*outCharacteristics =
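Review bot: The same three-line `INVALID_KEY_BLOB` check and `log_key_integrity_violation(...)` call is pasted into this callback and again in the hunks at -1100, -1262 and -2151, so a later change to what counts as an integrity violation has to be made in four places. A small file-local helper that takes the return code, alias and uid would keep the audit rule in one spot; each callback would then read `audit_if_invalid_blob(error, name8, targetUid);` before `return;` (the helper name is only a suggestion). The enclosing function starts and ends outside this hunk, so the lifetime of the by-reference captures `name8` and `targetUid` cannot be checked from here.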
@@ -1100,6 +1098,9 @@
auto hidlCb = [&](ErrorCode ret, const ::android::hardware::hidl_vec<uint8_t>& keyMaterial) {
result->resultCode = ret;
if (!result->resultCode.isOk()) {
+ if (result->resultCode == ErrorCode::INVALID_KEY_BLOB) {
+ log_key_integrity_violation(name8, targetUid);
+ }
return;
}
result->exportData = keyMaterial;
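Review bot: `name8` is passed to the audit log unchanged, and it appears to come from the caller-supplied key alias (its definition is outside this hunk), so a client may be able to influence the content and size of a security-log record. It is worth confirming that `log_key_integrity_violation` bounds the alias length and treats it as opaque data. If it does not, that function is the right place to add the bound, with a comment there such as `// alias is caller-controlled; log it as opaque data only`. The same applies to the calls in the hunks at -916, -1262 and -2151.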
@@ -1262,6 +1263,9 @@
uint64_t operationHandle) {
result->resultCode = ret;
if (!result->resultCode.isOk()) {
+ if (result->resultCode == ErrorCode::INVALID_KEY_BLOB) {
+ log_key_integrity_violation(name8, targetUid);
+ }
return;
}
result->handle = operationHandle;
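Review bot: The audit event fires on every failed call and nothing in this hunk de-duplicates it, so a client that keeps retrying an operation on a damaged blob would emit one record per attempt. If `log_key_integrity_violation` does not already coalesce repeats, consider recording the violation once per alias/uid pair. Otherwise, document the behaviour at the call site, e.g. `// one audit record per failed attempt; log consumers must tolerate repeats`. The callback's enclosing function extends beyond the hunk, so any retry logic around it is not visible here.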
@@ -2151,6 +2155,9 @@
auto hidlCb = [&](ErrorCode ret, const ::std::vector<uint8_t>& upgradedKeyBlob) {
error = ret;
if (!error.isOk()) {
+ if (error == ErrorCode::INVALID_KEY_BLOB) {
+ log_key_integrity_violation(name8, uid);
+ }
return;
}