From 1fa4dc85b9b5bcf97c446be734302e9b2566f7ff Mon Sep 17 00:00:00 2001
From: Subrahmanyaman
Date: Fri, 17 Jun 2022 00:36:23 +0000
Subject: [PATCH] Support Version jump
---
 .../javacard/keymaster/KMAndroidSEApplet.java | 52 ++++++++-----------
 .../keymaster/KMAndroidSEProvider.java | 8 ++-
 .../javacard/keymaster/KMKeymasterApplet.java | 1 +
 3 files changed, 30 insertions(+), 31 deletions(-)
diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
index d5d5674a..91430d8b 100644
--- a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
+++ b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
@@ -71,7 +71,7 @@ public void onRestore(Element element) {
 keymasterState = element.readByte();
 repository.onRestore(element, oldPackageVersion, KM_APPLET_PACKAGE_VERSION);
 seProvider.onRestore(element, oldPackageVersion, KM_APPLET_PACKAGE_VERSION);
- handleDataUpgrade();
+ handleDataUpgrade(oldPackageVersion);
 }
 @Override
@@ -99,38 +99,32 @@ public Element onSave() {
 }
 public boolean isUpgradeAllowed(short oldVersion) {
- boolean upgradeAllowed = false;
- short oldMajorVersion = (short) ((oldVersion >> 8) & 0x00FF);
- short oldMinorVersion = (short) (oldVersion & 0x00FF);
- short currentMajorVersion = (short) (KM_APPLET_PACKAGE_VERSION >> 8 & 0x00FF);
- short currentMinorVersion = (short) (KM_APPLET_PACKAGE_VERSION & 0x00FF);
 // Downgrade of the Applet is not allowed.
- // Upgrade is not allowed to a next version which is not immediate.
- if ((short) (currentMajorVersion - oldMajorVersion) == 1) {
- if (currentMinorVersion == 0) {
- upgradeAllowed = true;
- }
- } else if ((short) (currentMajorVersion - oldMajorVersion) == 0) {
- if (currentMinorVersion >= oldMinorVersion) {
- upgradeAllowed = true;
- }
+ if (oldVersion > KM_APPLET_PACKAGE_VERSION) {
+ return false;
 }
- return upgradeAllowed;
+ return true;
 }
- public void handleDataUpgrade() {
- // In version 3.0, two new provisionStatus states are introduced
- // 1. PROVISION_STATUS_SE_LOCKED - bit 6 of provisionStatus
- // 2. PROVISION_STATUS_OEM_PUBLIC_KEY - bit 7 of provisionStatus
- // In the process of upgrade from 2.0 to 3.0 OEM PUBLIC Key is provisioned
- // in SEProvider.so update the state of the provision status by making
- // 7th bit HIGH.
- provisionStatus |= PROVISION_STATUS_OEM_ROOT_PUBLIC_KEY;
- // Check if the provisioning is already locked. If so update
- // the state of the provisionStatus by making 6th bit HIGH.
- // Lock the SE Factory provisioning as well.
- if ( 0 != (provisionStatus & PROVISION_STATUS_OEM_PROVISIONING_LOCKED)) {
- provisionStatus |= PROVISION_STATUS_SE_FACTORY_PROVISIONING_LOCKED;
+ public void handleDataUpgrade(short oldVersion) {
+ switch (oldVersion) {
+ case KM_APPLET_PACKAGE_VERSION_2_0:
+ // In version 3.0, two new provisionStatus states are introduced
+ // 1. PROVISION_STATUS_SE_LOCKED - bit 6 of provisionStatus
+ // 2. PROVISION_STATUS_OEM_PUBLIC_KEY - bit 7 of provisionStatus
+ // In the process of upgrade from 2.0 to 3.0 OEM PUBLIC Key is provisioned
+ // in SEProvider.so update the state of the provision status by making
+ // 7th bit HIGH.
+ provisionStatus |= PROVISION_STATUS_OEM_ROOT_PUBLIC_KEY;
+ // Check if the provisioning is already locked. If so update
+ // the state of the provisionStatus by making 6th bit HIGH.
+ // Lock the SE Factory provisioning as well.
+ if (0 != (provisionStatus & PROVISION_STATUS_OEM_PROVISIONING_LOCKED)) {
+ provisionStatus |= PROVISION_STATUS_SE_FACTORY_PROVISIONING_LOCKED;
+ }
+ break;
+ default:
+ break;
 }
 }
 }
diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEProvider.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEProvider.java
index 2e1da9d0..5d5a80b4 100644
--- a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEProvider.java
+++ b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEProvider.java
@@ -112,6 +112,7 @@ public class KMAndroidSEProvider implements KMSEProvider {
 private static final short HMAC_MAX_OPERATIONS = 8;
 private static final short COMPUTED_HMAC_KEY_SIZE = 32;
 public static final short INVALID_DATA_VERSION = 0x7FFF;
+ public static final short KM_APPLET_PACKAGE_VERSION_2_0 = 0x0200; // 2.0
 private static final short CERT_CHAIN_OFFSET = 0;
 private static final short CERT_ISSUER_OFFSET = KMConfigurations.CERT_CHAIN_MAX_SIZE;
@@ -1305,10 +1306,13 @@ public void onRestore(Element element, short oldVersion, short currentVersion) {
 attestationKey = KMECPrivateKey.onRestore(element);
 preSharedKey = KMHmacKey.onRestore(element);
 computedHmacKey = KMHmacKey.onRestore(element);
- if (oldVersion == 0x200) {
+ switch(oldVersion) {
+ case KM_APPLET_PACKAGE_VERSION_2_0:
 createOemRootPublicKey();
- } else {
+ break;
+ default:
 oemRootPublicKey = (byte[]) element.readObject();
+ break;
 }
 }
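Review bot: In KMAndroidSEApplet.java (@@ -99), isUpgradeAllowed now accepts every oldVersion that is not above KM_APPLET_PACKAGE_VERSION, yet handleDataUpgrade migrates only KM_APPLET_PACKAGE_VERSION_2_0 and its `default: break;` silently does nothing for any other value. The same pattern is in the KMAndroidSEProvider.onRestore hunk (@@ -1305, body starts outside the hunk), where `default:` calls `element.readObject()` as if the saved data already had the 3.0 layout. If any package other than 2.0 and 3.0 was ever released (not visible here), it would be restored without the provisionStatus lock bits being migrated and with a read of a field the old data may not contain. Consider admitting only the versions the migration code knows, e.g. `return oldVersion == KM_APPLET_PACKAGE_VERSION_2_0 || oldVersion == KM_APPLET_PACKAGE_VERSION;`, or adding an explicit `case KM_APPLET_PACKAGE_VERSION:` in both switches and treating `default` as a failed restore.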
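Review bot: KM_APPLET_PACKAGE_VERSION_2_0 is declared twice, in KMAndroidSEProvider (@@ -112) and again in KMKeymasterApplet (@@ -46), and the two restore switches only agree while both declarations stay at 0x0200. If the provider cannot reference the applet class, put a cross-reference on each declaration, e.g. `// Must match KMKeymasterApplet.KM_APPLET_PACKAGE_VERSION_2_0`; otherwise keep a single definition and use it from both switches. Both class bodies extend beyond these hunks, so an existing shared constants holder may already be available.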
diff --git a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
index 3ff962ab..f98104c2 100644
--- a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
+++ b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
@@ -46,6 +46,7 @@ public class KMKeymasterApplet extends Applet implements AppletEvent, ExtendedLe
 // MSB byte is for Major version and LSB byte is for Minor version.
 // Whenever there is an applet upgrade change the version.
 public static final short KM_APPLET_PACKAGE_VERSION = 0x0300; // 3.0
+ public static final short KM_APPLET_PACKAGE_VERSION_2_0 = 0x0200; // 2.0
 // "Keymaster HMAC Verification" - used for HMAC key verification.
 public static final byte[] sharingCheck = {