Merge pull request #102 from divegeek/Javacard_KeyMint_200_master

subrahmanyaman · web-flow · commit ba353ed81b48 · 2022-08-05T20:09:31.000Z
Javacard key mint 200 master
diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
@@ -43,22 +43,22 @@ public class KMAndroidSEApplet extends KMKeymasterApplet implements OnUpgradeLis
 
   // Provider specific Commands
   private static final byte INS_KEYMINT_PROVIDER_APDU_START = 0x00;
-  private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 1;
+  private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
   private static final byte INS_PROVISION_PRESHARED_SECRET_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 2;
-  private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
-  private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 4;
+      INS_KEYMINT_PROVIDER_APDU_START + 4;
   private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5; // Unused
+  private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 6;
+  private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 7;
+  //0x08 was reserved for INS_INIT_STRONGBOX_CMD
+  //0x09 was reserved for INS_SET_BOOT_ENDED_CMD earlier. it is unused now.
+  private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
+  private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
+  private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 12;
   private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 6;
+      INS_KEYMINT_PROVIDER_APDU_START + 13;
   private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 7;
-  private static final byte INS_SET_BOOT_ENDED_CMD = 
-		  INS_KEYMINT_PROVIDER_APDU_START + 8; //unused
-  private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 9;
-  private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
-  private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
-  
+      INS_KEYMINT_PROVIDER_APDU_START + 14;
+
   private static final byte INS_KEYMINT_PROVIDER_APDU_END = 0x1F;
   public static final byte BOOT_KEY_MAX_SIZE = 32;
   public static final byte BOOT_HASH_MAX_SIZE = 32;
@@ -505,7 +505,7 @@ private void processGetProvisionStatusCmd(APDU apdu) {
   private boolean isProvisioningComplete() {
     short pStatus = kmDataStore.getProvisionStatus();
     short pCompleteStatus = PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR | PROVISION_STATUS_ADDITIONAL_CERT_CHAIN | 
-    		     PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS;
+		     PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS | PROVISION_STATUS_OEM_PUBLIC_KEY;
     if (kmDataStore.isProvisionLocked() || (pCompleteStatus == (pStatus & pCompleteStatus))) {
       return true;
     }
diff --git a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java
@@ -30,24 +30,24 @@ public class KMJCardSimApplet extends KMKeymasterApplet {
   private static final byte ILLEGAL_STATE = KM_BEGIN_STATE + 1;
   private static final short POWER_RESET_MASK_FLAG = (short) 0x4000;
 
-  // Provider specific Commands
-  private static final byte INS_KEYMINT_PROVIDER_APDU_START = 0x00;
-  private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 1;
-  private static final byte INS_PROVISION_PRESHARED_SECRET_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 2;
-  private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
-  private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 4;
-  private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5;
-  private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 6;
-  private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
-      INS_KEYMINT_PROVIDER_APDU_START + 7;
-  private static final byte INS_SET_BOOT_ENDED_CMD = 
-		  INS_KEYMINT_PROVIDER_APDU_START + 8; //unused
-  private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 9;
-  private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
-  private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
-  
+//Provider specific Commands
+ private static final byte INS_KEYMINT_PROVIDER_APDU_START = 0x00;
+ private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
+ private static final byte INS_PROVISION_PRESHARED_SECRET_CMD =
+     INS_KEYMINT_PROVIDER_APDU_START + 4;
+ private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5; // Unused
+ private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 6;
+ private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 7;
+ //0x08 was reserved for INS_INIT_STRONGBOX_CMD
+ //0x09 was reserved for INS_SET_BOOT_ENDED_CMD earlier. it is unused now.
+ private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
+ private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
+ private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 12;
+ private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
+     INS_KEYMINT_PROVIDER_APDU_START + 13;
+ private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
+     INS_KEYMINT_PROVIDER_APDU_START + 14;
+
   private static final byte INS_KEYMINT_PROVIDER_APDU_END = 0x1F;
   public static final byte BOOT_KEY_MAX_SIZE = 32;
   public static final byte BOOT_HASH_MAX_SIZE = 32;
@@ -561,7 +561,7 @@ private void processSetBootParamsCmd(APDU apdu) {
   private boolean isProvisioningComplete() {
     short pStatus = kmDataStore.getProvisionStatus();
     short pCompleteStatus = PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR | PROVISION_STATUS_ADDITIONAL_CERT_CHAIN | 
-    		     PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS;
+		     PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS | PROVISION_STATUS_OEM_PUBLIC_KEY;
     if (kmDataStore.isProvisionLocked() || (pCompleteStatus == (pStatus & pCompleteStatus))) {
       return true;
     }
diff --git a/Applet/src/com/android/javacard/keymaster/KMAsn1Parser.java b/Applet/src/com/android/javacard/keymaster/KMAsn1Parser.java
@@ -168,20 +168,21 @@ public short decodeRsaPrivateKey(short version){
     len = header(ASN1_INTEGER);
     short modulus = KMByteBlob.instance(len);
     getBytes(modulus);
-    updateModulus(modulus);
+    updateRsaKeyBuffer(modulus);
     len = header(ASN1_INTEGER);
     short pubKey = KMByteBlob.instance(len);
     getBytes(pubKey);
     len = header(ASN1_INTEGER);
     short privKey = KMByteBlob.instance(len);
     getBytes(privKey);
+    updateRsaKeyBuffer(privKey);
     KMArray.cast(resp).add((short)0, modulus);
     KMArray.cast(resp).add((short)1, pubKey);
     KMArray.cast(resp).add((short)2, privKey);
     return resp;
   }
   
-  private void updateModulus(short blob) {
+  private void updateRsaKeyBuffer(short blob) {
 	  byte[] buffer = KMByteBlob.cast(blob).getBuffer();
 	  short startOff = KMByteBlob.cast(blob).getStartOff();
 	  short len = KMByteBlob.cast(blob).length();
diff --git a/ProvisioningTool/include/constants.h b/ProvisioningTool/include/constants.h
@@ -101,14 +101,16 @@ constexpr char kSeFactoryProvisionLock[] = "se_factory_lock";
 constexpr char kUnLockProvision[] = "unlock_provision";
 
 // Instruction constatnts
-// TODO Modify according to keymint
-constexpr int kAttestationIdsCmd = INS_BEGIN_KM_CMD + 1;
-constexpr int kPresharedSecretCmd = INS_BEGIN_KM_CMD + 2;
-constexpr int kOemLockProvisionCmd = INS_BEGIN_KM_CMD + 3;
-constexpr int kGetProvisionStatusCmd = INS_BEGIN_KM_CMD + 4;
+constexpr int kAttestationIdsCmd = INS_BEGIN_KM_CMD + 3;
+constexpr int kPresharedSecretCmd = INS_BEGIN_KM_CMD + 4;
 constexpr int kBootParamsCmd = INS_BEGIN_KM_CMD + 5;
-constexpr int kDeviceUniqueKeyCmd = INS_BEGIN_KM_CMD + 6;
-constexpr int kAdditionalCertChainCmd = INS_BEGIN_KM_CMD + 7;
-constexpr int kSeFactoryLockCmd = INS_BEGIN_KM_CMD + 9;
-constexpr int kOemRootPublicKeyCmd = INS_BEGIN_KM_CMD + 10;
-constexpr int kOemUnLockProvisionCmd = INS_BEGIN_KM_CMD + 11;
+constexpr int kOemLockProvisionCmd = INS_BEGIN_KM_CMD + 6;
+constexpr int kGetProvisionStatusCmd = INS_BEGIN_KM_CMD + 7;
+constexpr int kSeFactoryLockCmd = INS_BEGIN_KM_CMD + 10;
+constexpr int kOemRootPublicKeyCmd = INS_BEGIN_KM_CMD + 11;
+constexpr int kOemUnLockProvisionCmd = INS_BEGIN_KM_CMD + 12;
+constexpr int kDeviceUniqueKeyCmd = INS_BEGIN_KM_CMD + 13;
+constexpr int kAdditionalCertChainCmd = INS_BEGIN_KM_CMD + 14;
+
+
+
