- Sep 14, 2023
-
-
Tri Vo authored
Test: m Change-Id: I9a0c7b5e912b882a1815afb1eddc02f7cb7872c5
-
- Aug 22, 2023
-
-
Chan Kim authored
See https://source.android.com/setup/contribute/respectful-code for reference

For this round, the fixes are only applied to the following to minimize breaking dependencies:
* comments (excluding javaDoc annotations)
* private constants
* private functions
* parameters within functions

BYPASS_INCLUSIVE_LANGUAGE_REASON=Just updating a few select inclusive language violations.
No-Typo-Check: Changes focused on inclusive language violations.
BUG: 295342157
Change-Id: I70dcadc67c13c34edda553897847249e92c26239
-
- Aug 15, 2023
-
-
Eric Biggers authored
Deduplicate the addition of the SIDs and USER_AUTH_TYPE, and consolidate the handling of isUserAuthenticationValidWhileOnBody() into one place. No change in behavior. Test: atest KeystoreTests Change-Id: Ic57e3506a62d90ee0fd7b5860d4cda44aa1b5acf
-
- Aug 11, 2023
-
-
Eric Biggers authored
- Make core/java/android/security/keystore/OWNERS include keystore/OWNERS instead of duplicating it
- Make core/tests/coretests/src/android/security/keystore/ owned by keystore/OWNERS instead of no one
- Make core/java/android/security/Confirmation*.java owned by keystore/OWNERS instead of an individual person
- Remove core/java/android/security/keystore/recovery/OWNERS, as it was redundant with OWNERS of its parent directory
- Remove Xoogler jdanis@

Change-Id: I64c1c624dcc92fbf20a6d4fb667cf47240edf4d5
-
- Aug 09, 2023
-
-
Jaeyoon Lee authored
SecureKeyImport is failed because of MGF_DIGEST tag mismatch. wrapping key has MGF_DIGEST tag when generate or import key but importWrappedKey logic does not have MGF_DIGEST tag on WrappedKeyEntry. So MGF_DIGEST tag mismatch error occur when decrypt wrapped key using wrapping key.

Insert SHA-1 value on MGF_DIGEST tag because ImportWrappedKey should have specified format that keymint is compulsorily checking main digest SHA-256 and MGF digest SHA-1. And MGF_DIGEST tag will add only wrappingkey has MGF_DIGEST value in order not to affect keys generated prior to Android14.

Bug: 277853193
Test: android.keystore.cts.ImportWrappedKeyTest#testKeyStore_ImportWrappedKey
Change-Id: Id7229a763e3041ffbe73989a2bb24306b7beb7a5
Signed-off-by: Jaeyoon Lee <joyful.lee@samsung.corp-partner.google.com>
-
- Jul 18, 2023
-
-
Eran Messeri authored
This reverts commit dde5ebaa. Reason for revert: Will re-introduce http://b/278157584 Even though KeyMint v2 supports the MGF_DIGEST tag, it does not include it in the key characteristics. This would not be a problem for keys generated on an Android U device with KeyMint v2 but it will be a problem on a device that was upgraded to Android U where keys were generated before the upgrade (so the MGF_DIGEST tag was not added). Because we have no way of knowing if the MGF_DIGEST tag was specified when the key was created on KeyMint implementations older than v3, we should not add the tag on begin(). Change-Id: I7b34799b95eb2ff054ec4d090ccbd93e6442dcfe
-
- Jul 10, 2023
-
-
Prashant Patil authored
Mixed build of Android T + U GSI misses to add RSA_OAEP_MGF_DIGEST in key begin operation parameters and hence RSA cipher operation fails. This was due to Keymint 200 implementation in Android T supported RSA_OAEP_MGF_DIGEST tag but did not include it into key characteristics and the check in AndroidKeyStoreRSACipherSpi fails on Android T + U GSI builds.

To fix this issue additional condition added to check if key characteristics do not have RSA_OAEP_MGF_DIGEST tag but the KeyMint version is 200 then it has to include in operation parameters.

Bug: 289859292
Bug: 289749312
Bug: 287891167
Bug: 287532460
Test: atest CtsKeystoreWycheproofTestCases:com.google.security.wycheproof.RsaOaepTest
Test: atest CtsKeystoreTestCases:android.keystore.cts.CipherTest#testKatBasicWithDifferentProviders
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d8b18413ade6ba13817caae52abdffc609a92d89)
Merged-In: I13ca50a45e733276d1451d17904780eff86bf296
Change-Id: I13ca50a45e733276d1451d17904780eff86bf296
-
- Jun 21, 2023
-
-
Eran Messeri authored
When a key requires user authentication and one of the authentication methods permitted is the device's screen lock credentials, the root SID is added as an authenticator, and change of biometrics enrollment will not invalidate the key. Bug: 275900161 Test: m docs Change-Id: I180f28883a5ac62e8bfa0b0596396085ff676637
-
- Apr 27, 2023
-
-
Prashant Patil authored
All error codes defined in ErrorCode.aidl file are expected to be mapped in KeymasterDefs.java file, excluding -62 which is handled by Keystore and not required to define on Java layer. So missing error codes from KeymasterDefs are added and also categorized in KeyStoreException class.

Bug: 206432492
Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyStoreExceptionTest
Change-Id: I9df69e03379d0437457037e16de76feb27ea8aaf
-
- Apr 26, 2023
-
-
Eran Messeri authored
If a key does not have the MGF_DIGEST tag in its key characteristics, do not include the MGF_DIGEST tag for it (even if the algorithm string specifies it). This fixes an issue with keys that were generated on Android 13, where the MGF_DIGEST tag was not propagated from the SPI layer. Such keys will not have the MGF_DIGEST tag and so it will not be added by the SPI layer even if the algorithm string specifies it. This maintains Android 13's (incorrect) behaviour of ignoring the MGF Digest specification, but is necessary to use those keys (otherwise KeyMint will error out on begin() due to an incompatible MGF digest specification). Bug: 278157584 Test: atest CtsKeystoreWycheproofTestCases:com.google.security.wycheproof.RsaOaepTest Change-Id: I0f1fa7983f9c771bec3196c6a617eb7044ac2e79
-
- Apr 03, 2023
-
-
Seth Moore authored
With the move to rkpd, we no longer need to make calls from framework into the remote provisioner to tell it that a key was consumed. Bug: 274823784 Test: atest KeystoreTests Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest Change-Id: I510d471a980c62e5798e459729f73c231321d2a9
-
- Mar 20, 2023
-
-
Eran Messeri authored
Change interaction with Keystore2 in the following manner:
* Return an enumerator over the entries in Keystore2 rather than attempting to get all of them into one single data structure.
* Use a new Keystore2 method for getting the count of entries rather than count the size of the array returned.

The enumerator reads a batch of key descriptors from Keystore2. Once the batch has been exhausted, the enumerator added asks Keystore2 for the next batch of keys starting with the last alias it has processed, until it receives an empty array.

Bug: 222287335
Test: atest KeystoreTests
Change-Id: I309b3188df998825557a3c5e6d777b1c0807a924
-
- Mar 14, 2023
-
-
Almaz Mingaleev authored
The latter might be initialized in the Zygote and return the same sequence within app restarts. Bug: 273524418 Fix: 273524418 Test: m Change-Id: Id85082edffb7b769bb5f78d66b561e5e097227c5
-
- Mar 13, 2023
-
-
Prashant Patil authored
Device ID attestation was failing in AOSP and GSI images due to properties mismatch in Build.java and actual device properties. (For example, the value of Build.DEVICE on a Raven device running an AOSP build would be 'aosp_raven', but KeyMint was provisioned with the value 'raven'.) To fix above issue, properties ro.product.*_for_attestation were introduced in AOSP build files (eg. aosp_raven.mk) only. But this was not sufficient for both AOSP and GSI. The same solution does not work for GSI images: GSI images are generic and so we cannot set device-specific properties in them. So, if ro.product.*_for_attestation properties are empty or unknown, they are read from ro.product.vendor because these values are not changed after flashing GSI images also. This fix will work for both AOSP and GSI images. Device ID properties preferences for eg. Build.BRAND_FOR_ATTESTATION = ro.product.brand_for_attestation -> ro.product.vendor.brand -> UNKNOWN. Bug: 268294752 Bug: 110779648 Bug: 259376922 Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/1_android_hardware_security_keymint_IKeyMintDevice_strongbox Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest CtsKeystoreTestCases:DeviceOwnerKeyManagementTest Change-Id: I574eca430cd2022cb9c270ca23ad33f6e5423cd4
-
- Feb 06, 2023
-
-
Prashant Patil authored
After adding attestation properties for AOSP/GSI builds their comparison in Spi layer missed one condition. If these values were not set they were assigned as Build.UNKNOWN. Hence additional check is added in Spi layer. Bug: 267643193 Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest CtsKeystoreTestCases:DeviceOwnerKeyManagementTest Change-Id: I5b3ef0a308bbb12bc4cac2efcf04468f65db1ef8
-
- Jan 27, 2023
-
-
Seth Moore authored
This is the first in a set of changes that get RKP error data directly from keystore. Starting with Android U, we get detailed RKP error information directly in the ResponseCode from keystore. This means mRkpStatus and related logic can be removed after AOSP fully switches over to using rkpd from the old RemoteProvisioner. Test: RkpdAppUnitTests Bug: 264888027 Change-Id: I32e128cca51b2d7dfdd67824ecb100f4e1cd4341
-
- Dec 31, 2022
-
-
Eran Messeri authored
Handle the case where a KeyMint implementation produced an invalid X.509 certificate that is the container for the generated key's public portion. There's not much for the caller to do other than re-generate the key. Bug: 261788762 Test: Not tested yet. Change-Id: Ia883df4f5e29a7d75929d37a68b015e857b90560
-
- Dec 15, 2022
-
-
Prashant Patil authored
Alternate device properties used for attestation on AOSP and GSI builds. Attestation ids were different in AOSP/GSI builds than provisioned ids in keymint. Hence additional properties used to make these ids identical to provisioned ids.

Bug: 110779648
Bug: 259376922
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/1_android_hardware_security_keymint_IKeyMintDevice_strongbox
Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest CtsKeystoreTestCases:DeviceOwnerKeyManagementTest
Change-Id: Idd87314b8e5a95de3daac0ea4ff4dffd4c4c6f63
-
- Dec 05, 2022
-
-
Shaquille Johnson authored
We are adding the error codes ERROR_DEVICE_UNREGISTERED and ERROR_DEVICE_POTENTIALLY_VULNERABLE to reflect the new changes described in go/surface-rkp-status. Test: Unit test and Cts test added to KeystoreExceptionTest and run using atest CtsKeystoreTestCases Change-Id: Ie93814aaa5422e323d5a643e10e9fe4a51c07560
-
- Dec 01, 2022
-
-
Eran Messeri authored
To support attestation of a second IMEI, when ID attestation (with IMEI) is requested, pass in the 2nd IMEI as a SECOND_IMEI KeyMint tag. Bug: 244732345 Test: atest android.keystore.cts.DeviceOwnerKeyManagementTest Change-Id: I19a3733746fa6a35c6225f0c60fd9f4b51a62ab1
-
- Nov 14, 2022
-
-
Prashant Patil authored
Added a KeyAgreement algorithm for X25519(XDH) in KeyProperties. KM_ALGORITHM_EC is used for XDH because Keymint uses KM_ALGORITHM_EC along with Curve25519 to differentiate X25519 and other EC keys. Algorithm name XDH is set for X25519 private key. Consolidated methods of Keymaster specific conversions of EC_CURVE into KeymasterUtil.

Bug: 240682299
Test: run cts -m CtsKeystoreTestCases -t android.keystore.cts.Curve25519Test#x25519KeyImportAndAgreementTest
Change-Id: I3f95738194e62be0f1d821b1eb467ed810a5a175
-
- Sep 22, 2022
-
-
Prashant Patil authored
If EC curves of Public and Private keys are different, an InvalidKeyException is expected. But the current implementation does not throw exception from doPhase method and fails in generateSecret method. The fix is in AndroidKeyStoreECPublicKey to provide correct ECParameterSpec while creating a PrivateKey object. Bug: 215175472 Test: run cts -m CtsKeystoreWycheproofTestCases -t com.google.security.wycheproof.JsonEcdhTest#testSecp224r1 Test: run cts -m CtsKeystoreWycheproofTestCases -t com.google.security.wycheproof.JsonEcdhTest#testSecp256r1 Test: run cts -m CtsKeystoreWycheproofTestCases -t com.google.security.wycheproof.JsonEcdhTest#testSecp384r1 Test: run cts -m CtsKeystoreWycheproofTestCases -t com.google.security.wycheproof.JsonEcdhTest#testSecp521r1 Test: run cts -m CtsKeystoreTestCases -t android.keystore.cts.KeyAgreementTest#testDoPhase_withDifferentCurveKey_fails Change-Id: Ie221926d8a3be3fe6679e723575c5021cafba98e
-
- Sep 21, 2022
-
-
Prashant Patil authored
As per Keymint documentation EC key import has to provide EC_CURVE tag. This is required for Strongbox implementation test using wycheproof test cases. Also added a support to get KEY_SIZE based on EC_CURVE, if it is not included into Authorization list. Bug: 237634216 Test: run cts -m CtsKeystoreWycheproofTestCases Change-Id: Ie981721c38477e74da3cba6613dc0b34e453609c
-
- Sep 14, 2022
-
-
Prashant Patil authored
Included KM_TAG_RSA_OAEP_MGF_DIGEST for RSA keys generation and import if supported padding is defined as OAEP. All supported digest are added as KM_TAG_RSA_OAEP_MGF_DIGEST and also default MGF1-SHA1 digest is added because crypto operations could fail if MGF1ParameterSpec is not provided. Note this includes additional Attestation parameter in returned certificate and need to handle accordingly.

Bug: 203688354
Test: run cts -m CtsKeystoreTestCases -t android.keystore.cts.CipherTest#testKatBasicWithDifferentProviders
Change-Id: I2086f2520667ccac9116e04de39f6328a0d3fc5b
-
- May 16, 2022
-
-
Seth Moore authored
Previously, the key pair generation would error out even if we successfully provisioned attestation keys. Instead, we should retry key generation after the GenerateRkpKeyService reports an OK status. Bug: 231495834 Test: RemoteProvisionerUnitTests Change-Id: I049294cbc7119de55b5de02499bf4609d4c6de5d Merged-In: I049294cbc7119de55b5de02499bf4609d4c6de5d
-
- May 13, 2022
-
-
Seth Moore authored
Previously, the key pair generation would error out even if we successfully provisioned attestation keys. Instead, we should retry key generation after the GenerateRkpKeyService reports an OK status. Bug: 231495834 Test: RemoteProvisionerUnitTests Change-Id: I049294cbc7119de55b5de02499bf4609d4c6de5d
-
- May 12, 2022
-
-
Eran Messeri authored
Implement support for the X25519 key agreement functionality. Similar to Ed25519, two new classes are added:
* AndroidKeyStoreXDHPrivateKey
* AndroidKeyStoreXDHPublicKey

The private key class is simply a handle to the KeyMint key. The public key class implements XECPublicKey, the interface needed for using this key in a platform-backed key agreement. Because of Conscrypt API boundaries, the functionality of Conscrypt's OpenSSLX25519PublicKey is duplicated here - namely, matching the prefix of the encoded key.

Bug: 194359292
Test: atest android.keystore.cts.Curve25519Test
Change-Id: Ifc12be528ab544fd6909bb0dd6224a0a4dd400c6
Merged-In: Ifc12be528ab544fd6909bb0dd6224a0a4dd400c6
-
Eran Messeri authored
Wire Ed25519 signing into Keystore. This consists of registering a provider for Ed25519. Ed25519 has its own digest scheme, so the caller should specify "none" as the digest scheme, and that's the tag that's going to be passed into KeyMint. However, unlike other uses of the "NONE" digest scheme, the input to the signature algorithm should not be truncated. Bug: 194359292 Test: atest android.keystore.cts.Curve25519Test Merged-In: Icce4f7f2f8fa10081a9c6beff4813c2d91756469 Change-Id: Ic59ad0aa8343c6aecf6d5c273166d1f4d10e4f21
-
Eran Messeri authored
Implement support for the X25519 key agreement functionality. Similar to Ed25519, two new classes are added:
* AndroidKeyStoreXDHPrivateKey
* AndroidKeyStoreXDHPublicKey

The private key class is simply a handle to the KeyMint key. The public key class implements XECPublicKey, the interface needed for using this key in a platform-backed key agreement. Because of Conscrypt API boundaries, the functionality of Conscrypt's OpenSSLX25519PublicKey is duplicated here - namely, matching the prefix of the encoded key.

Bug: 194359292
Test: atest android.keystore.cts.Curve25519Test
Change-Id: Ifc12be528ab544fd6909bb0dd6224a0a4dd400c6
-
- May 11, 2022
-
-
Eran Messeri authored
Wire Ed25519 signing into Keystore. This consists of registering a provider for Ed25519. Ed25519 has its own digest scheme, so the caller should specify "none" as the digest scheme, and that's the tag that's going to be passed into KeyMint. However, unlike other uses of the "NONE" digest scheme, the input to the signature algorithm should not be truncated. Bug: 194359292 Test: atest android.keystore.cts.Curve25519Test Change-Id: Icce4f7f2f8fa10081a9c6beff4813c2d91756469
-
- May 10, 2022
-
-
Eran Messeri authored
Implement support for Ed25519 signing keys in Android Keystore. Because Conscrypt does not yet handle those keys, the Keystore classes implement EdECPublicKey directly and parse the keys. Specifically, AndroidKeyStoreEdECPublicKey can take an encoded X.509 key specification, validate the encoding is of an Ed25519 key, then parse the oddity and Y point on the curve. RFC8032 describes EdDSA signature scheme, particularly Ed25519. RFC8410, Section 3, defines the OID for Ed25519 keys (1.3.101.112). RFC8410, Section 4, describes the encoding of the public key. Bug: 195309719 Bug: 194359292 Bug: 214203951 Test: atest android.security.keystore2.AndroidKeyStoreEdECPublicKeyTest Merged-In: I07b793cbd5029630768368ad4a863bbc1c828ced Change-Id: I477e87658b98bc3340da9a062d81508aad041c07
-
- May 05, 2022
-
-
Eran Messeri authored
Implement support for Ed25519 signing keys in Android Keystore. Because Conscrypt does not yet handle those keys, the Keystore classes implement EdECPublicKey directly and parse the keys. Specifically, AndroidKeyStoreEdECPublicKey can take an encoded X.509 key specification, validate the encoding is of an Ed25519 key, then parse the oddity and Y point on the curve. RFC8032 describes EdDSA signature scheme, particularly Ed25519. RFC8410, Section 3, defines the OID for Ed25519 keys (1.3.101.112). RFC8410, Section 4, describes the encoding of the public key. Bug: 195309719 Bug: 194359292 Bug: 214203951 Test: atest android.security.keystore2.AndroidKeyStoreEdECPublicKeyTest Change-Id: I07b793cbd5029630768368ad4a863bbc1c828ced
-
- Apr 20, 2022
-
-
Max Bires authored
This change adds some integers to the AIDL interface in order to convey status back to the caller of generateKey(). This will inform the caller as to whether or not the errors that may occur during provisioning are permanent, and if not, what to do with the transient error. Bug: 227306369 Test: RemoteProvisionerUnitTests Change-Id: I9202358a102b0fb0a104525632a005acb7355840
-
- Apr 12, 2022
-
-
David Drysdale authored
Bug: 187537410 Test: None, comment change only Change-Id: If6085fa6f46a54df0700e2599f4f98e42f33a164
-
- Mar 31, 2022
-
-
Eran Messeri authored
On systems that rely solely on remotely-provisioned keys (RKP), the attestation keys may run out or be unavailable for attesting a newly-generated key. This could happen when:
* the device first connects to the Internet
* The device had all the keys used and:
** It hadn't yet completed obtaining new ones.
** The RKP server declines to issue new keys.

In these cases, the caller must be informed that their key generation request failed (likely temporarily), and that they should retry it. The retry policy returned tells the caller when to re-try.

Bug: 227306369
Test: atest android.keystore.cts.KeyStoreExceptionTest
Merged-In: Ief30a3ab97da95b68d172e725c38acbefab92fa9
Change-Id: I0b2619fcbcb3ac4d94ed85f3ce5934e015c0828c
-
- Mar 30, 2022
-
-
Eran Messeri authored
On systems that rely solely on remotely-provisioned keys (RKP), the attestation keys may run out or be unavailable for attesting a newly-generated key. This could happen when:
* the device first connects to the Internet
* The device had all the keys used and:
** It hadn't yet completed obtaining new ones.
** The RKP server declines to issue new keys.

In these cases, the caller must be informed that their key generation request failed (likely temporarily), and that they should retry it. The retry policy returned tells the caller when to re-try.

Bug: 227306369
Test: atest android.keystore.cts.KeyStoreExceptionTest
Change-Id: Ief30a3ab97da95b68d172e725c38acbefab92fa9
-
- Mar 14, 2022
-
- Mar 09, 2022
-
-
Eran Messeri authored
Ensure that the user gets an accurate error message when they try to generate Curve 25519 keys according to JEP 324 (https://openjdk.java.net/jeps/324). Android Keystore requires every key to have a name, so it is not possible to generate a key using NamedParameterSpec only (with a KeyPairGenerator). Support this and throw an exception to the caller indicating how they _can_ generate keys with this curve. Bug: 222440855 Bug: 195309719 Bug: 194359292 Test: atest android.keystore.cts.KeyFactoryTest android.keystore.cts.Curve25519Test Test: atest CtsLibcoreTestCases:libcore.java.security.ProviderTest Change-Id: I5aa163f177507906c6482d079eb6cb55d93accf7
-
Eran Messeri authored
Do not register Curve 25519 algorithms as key factories, until we fix the registration to be in compliance with JEP 324. Bug: 222440855 Bug: 222194540 Test: atest android.keystore.cts.Curve25519Test android.keystore.cts.KeyFactoryTest#testAlgorithmList CtsLibcoreTestCases:libcore.java.security.ProviderTest#test_Provider_getServices Merged-In: Ibd53070a890955affaff5e4e7213892afd423db7 Change-Id: I11b3574aeff54b3eb8bf496c4c14aa1338629ce5
-
- Mar 07, 2022
-
-
Eran Messeri authored
Do not register Curve 25519 algorithms as key factories, until we fix the registration to be in compliance with JEP 324. Bug: 222440855 Bug: 222194540 Test: atest android.keystore.cts.Curve25519Test android.keystore.cts.KeyFactoryTest#testAlgorithmList CtsLibcoreTestCases:libcore.java.security.ProviderTest#test_Provider_getServices Change-Id: Ibd53070a890955affaff5e4e7213892afd423db7
-