Keymaster 4.1 Release V2.0

This is the Version 2.0 release for Javacard 4.1 Keymaster. Please refer to the following release notes for details.

Relese Tag : JC_KM_41_V20
Branch: master
Keymaster Version: 4.1

Detailed Release Notes: https://drive.google.com/file/d/1NDDO66zcFAjHeT6oDOdqLF3Z47B1GKRK/view?usp=sharing

Release Documents: https://drive.google.com/corp/drive/folders/1NtkHdL2jvXU1bdZRUu5BuDA_cjIxFPQM
Folder Contains :

• Detailed Release Notes
• VTS Setup Guide
• Intermediate Signing Document
• Integration Guide
• Provisiong Command and Document
• OMAPI Integration document
• Applet State Machine

Highlights of the changes as below: - Please refer to detailed release notes for complete list.

Javacard Keymaster HAL changes

• Fix for the CTS failures relating to Symmetric block ciphers and stream ciphers (buffering modes).
• Cache earlyBootEnded flag and send to the applet when OMAPI/Socket is initialized
• Fix for the issue that the operation handle(i.e Challenge), inside the HardwareAuthToken and VerificationToken is mismatching with the operation handle generated by Strongbox.

Keymaster Applet

• USER_SECURE_ID tag implementation with and without AUTH_TIMEOUT tag.
• Corrected the response error codes for a few tags as per specification.
• Reduced the writes in pool implementation.
• Reset HMac signer instance for failed operations (Issue with few simulators).
• Computed shared HMAC is stored in KeyObject rather than as a byte array.
• Added Configuration class - specifies configuration for TEE implementations, endianness etc.
• Added Support for few tags
• The AUTH_TAG, which is used as auth data while encrypting the secret in the key blob, is digested with SHA256 digest to restrict the length to 32 bytes.
• Support for PKCS8 decoding in the Keymaster Applet.
• Applet upgrade with versioning.
• Keymaster Provisioning data changes.