- Oct 06, 2023
-
-
Eric Biggers authored
Test: N/A Change-Id: I1154d866611a744a34631a9bc129419b1e9f99e6
-
- Sep 28, 2023
-
-
Shaquille Johnson authored
Android 13 / T / API 33 introduced a new class in Crypto Object in the Android Framework. This allows auth-per-op for ECDH keys. Bug: 282058146 Test: atest FrameworksCoreTests API-Coverage-Bug: 282058146 Change-Id: I17877fed90ae0b3894b28967c28786a091557dd2
-
- Sep 22, 2023
-
-
Eran Messeri authored
Add a separate setter for the digests used by the MGF1 mask generation function (for RSA OAEP operations). Previously the MGF1 digests were specified according to the primary digests specification, which is not accurate enough. With the new setter: * If the user does not explicitly specify MGF1 digests, then the default (SHA-1) will be specified in the tag passed to Keystore. * If the user does explicitly specify MGF1 digests, only those digests will be specified in the tag passed to Keystore. The SHA-1 digest will not be added. Bug: 284140060 Test: atest android.security.keystore.KeyGenParameterSpecTest android.security.ParcelableKeyGenParameterSpecTest Test: atest CtsKeystoreTestCases:android.keystore.cts.CipherTest#testKatBasicWithDifferentProviders Change-Id: I1521e9b4399ece33c2d17b79133543d490d3b377
-
- Sep 14, 2023
-
-
Tri Vo authored
Test: m Change-Id: I9a0c7b5e912b882a1815afb1eddc02f7cb7872c5
-
- Sep 13, 2023
-
-
Shaquille Johnson authored
This has strictmode annotations for when calls are made into Keystore DB to make reads or writes. Test: atest CtsKeystoreTestCases Bug: 180135124 Change-Id: I819e1c63875a4af16a6fbe991a9f7c9c95ea8e6a
-
- Aug 22, 2023
-
-
Chan Kim authored
See https://source.android.com/setup/contribute/respectful-code for reference For this round, the fixes are only applied to the following to minimize breaking dependencies: * comments (excluding javaDoc annotations) * private constants * private functions * parameters within functions BYPASS_INCLUSIVE_LANGUAGE_REASON=Just updating a few select inclusive language violations. No-Typo-Check: Changes focused on inclusive language violations. BUG: 295342157 Change-Id: I70dcadc67c13c34edda553897847249e92c26239
-
- Aug 15, 2023
-
-
Eric Biggers authored
Deduplicate the addition of the SIDs and USER_AUTH_TYPE, and consolidate the handling of isUserAuthenticationValidWhileOnBody() into one place. No change in behavior. Test: atest KeystoreTests Change-Id: Ic57e3506a62d90ee0fd7b5860d4cda44aa1b5acf
-
- Aug 11, 2023
-
-
Eric Biggers authored
- Make core/java/android/security/keystore/OWNERS include keystore/OWNERS instead of duplicating it - Make core/tests/coretests/src/android/security/keystore/ owned by keystore/OWNERS instead of no one - Make core/java/android/security/Confirmation*.java owned by keystore/OWNERS instead of an individual person - Remove core/java/android/security/keystore/recovery/OWNERS, as it was redundant with OWNERS of its parent directory - Remove Xoogler jdanis@ Change-Id: I64c1c624dcc92fbf20a6d4fb667cf47240edf4d5
-
- Aug 09, 2023
-
-
Jaeyoon Lee authored
SecureKeyImport fails because of an MGF_DIGEST tag mismatch. The wrapping key has the MGF_DIGEST tag when a key is generated or imported, but the importWrappedKey logic does not have the MGF_DIGEST tag on WrappedKeyEntry, so an MGF_DIGEST tag mismatch error occurs when decrypting the wrapped key using the wrapping key. Insert the SHA-1 value in the MGF_DIGEST tag because ImportWrappedKey should have a specified format in which KeyMint compulsorily checks main digest SHA-256 and MGF digest SHA-1. The MGF_DIGEST tag will be added only if the wrapping key has an MGF_DIGEST value, in order not to affect keys generated prior to Android 14. Bug: 277853193 Test: android.keystore.cts.ImportWrappedKeyTest#testKeyStore_ImportWrappedKey Change-Id: Id7229a763e3041ffbe73989a2bb24306b7beb7a5 Signed-off-by: Jaeyoon Lee <joyful.lee@samsung.corp-partner.google.com>
-
- Jul 18, 2023
-
-
Eran Messeri authored
This reverts commit dde5ebaa. Reason for revert: Will re-introduce http://b/278157584 Even though KeyMint v2 supports the MGF_DIGEST tag, it does not include it in the key characteristics. This would not be a problem for keys generated on an Android U device with KeyMint v2 but it will be a problem on a device that was upgraded to Android U where keys were generated before the upgrade (so the MGF_DIGEST tag was not added). Because we have no way of knowing if the MGF_DIGEST tag was specified when the key was created on KeyMint implementations older than v3, we should not add the tag on begin(). Change-Id: I7b34799b95eb2ff054ec4d090ccbd93e6442dcfe
-
- Jul 10, 2023
-
-
Prashant Patil authored
Mixed build of Android T + U GSI fails to add RSA_OAEP_MGF_DIGEST in key begin operation parameters and hence the RSA cipher operation fails. This was because the KeyMint 200 implementation in Android T supported the RSA_OAEP_MGF_DIGEST tag but did not include it in key characteristics, and the check in AndroidKeyStoreRSACipherSpi fails on Android T + U GSI builds. To fix this issue, an additional condition is added to check if key characteristics do not have the RSA_OAEP_MGF_DIGEST tag but the KeyMint version is 200; then it has to be included in operation parameters. Bug: 289859292 Bug: 289749312 Bug: 287891167 Bug: 287532460 Test: atest CtsKeystoreWycheproofTestCases:com.google.security.wycheproof.RsaOaepTest Test: atest CtsKeystoreTestCases:android.keystore.cts.CipherTest#testKatBasicWithDifferentProviders (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d8b18413ade6ba13817caae52abdffc609a92d89) Merged-In: I13ca50a45e733276d1451d17904780eff86bf296 Change-Id: I13ca50a45e733276d1451d17904780eff86bf296
-
- Jun 21, 2023
-
-
Eran Messeri authored
When a key requires user authentication and one of the authentication methods permitted is the device's screen lock credentials, the root SID is added as an authenticator, and change of biometrics enrollment will not invalidate the key. Bug: 275900161 Test: m docs Change-Id: I180f28883a5ac62e8bfa0b0596396085ff676637
-
- Jun 06, 2023
-
-
Eran Messeri authored
If a key does not have the MGF_DIGEST tag in its key characteristics, do not include the MGF_DIGEST tag for it (even if the algorithm string specifies it). This fixes an issue with keys that were generated on Android 13, where the MGF_DIGEST tag was not propagated from the SPI layer. Such keys will not have the MGF_DIGEST tag and so it will not be added by the SPI layer even if the algorithm string specifies it. This maintains Android 13's (incorrect) behaviour of ignoring the MGF Digest specification, but is necessary to use those keys (otherwise KeyMint will error out on begin() due to an incompatible MGF digest specification). Bug: 278157584 Test: atest CtsKeystoreWycheproofTestCases:com.google.security.wycheproof.RsaOaepTest Merged-In: I0f1fa7983f9c771bec3196c6a617eb7044ac2e79 Change-Id: I6a4c15ca04aa78c2191d47394811ba9338ee7f0b
-
- Apr 28, 2023
-
-
Eran Messeri authored
If a key does not have the MGF_DIGEST tag in its key characteristics, do not include the MGF_DIGEST tag for it (even if the algorithm string specifies it). This fixes an issue with keys that were generated on Android 13, where the MGF_DIGEST tag was not propagated from the SPI layer. Such keys will not have the MGF_DIGEST tag and so it will not be added by the SPI layer even if the algorithm string specifies it. This maintains Android 13's (incorrect) behaviour of ignoring the MGF Digest specification, but is necessary to use those keys (otherwise KeyMint will error out on begin() due to an incompatible MGF digest specification). Bug: 278157584 Test: atest CtsKeystoreWycheproofTestCases:com.google.security.wycheproof.RsaOaepTest (cherry picked from https://android-review.googlesource.com/q/commit:05d046390769a8ba6f113ea6b191d9addf183627) Merged-In: I0f1fa7983f9c771bec3196c6a617eb7044ac2e79 Change-Id: I0f1fa7983f9c771bec3196c6a617eb7044ac2e79
-
- Apr 27, 2023
-
-
Prashant Patil authored
All error codes defined in the ErrorCode.aidl file are expected to be mapped in the KeymasterDefs.java file, excluding -62, which is handled by Keystore and is not required to be defined on the Java layer. So missing error codes from KeymasterDefs are added and also categorized in the KeyStoreException class. Bug: 206432492 Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyStoreExceptionTest Change-Id: I9df69e03379d0437457037e16de76feb27ea8aaf
-
- Apr 26, 2023
-
-
Eran Messeri authored
If a key does not have the MGF_DIGEST tag in its key characteristics, do not include the MGF_DIGEST tag for it (even if the algorithm string specifies it). This fixes an issue with keys that were generated on Android 13, where the MGF_DIGEST tag was not propagated from the SPI layer. Such keys will not have the MGF_DIGEST tag and so it will not be added by the SPI layer even if the algorithm string specifies it. This maintains Android 13's (incorrect) behaviour of ignoring the MGF Digest specification, but is necessary to use those keys (otherwise KeyMint will error out on begin() due to an incompatible MGF digest specification). Bug: 278157584 Test: atest CtsKeystoreWycheproofTestCases:com.google.security.wycheproof.RsaOaepTest Change-Id: I0f1fa7983f9c771bec3196c6a617eb7044ac2e79
-
- Apr 14, 2023
-
-
Rubin Xu authored
Bug: 272704160 Test: com.android.server.locksettings com.android.cts.devicepolicy.QuietModeHostsideTest KeyGenParameterSpecTest Manual Change-Id: I620cc4455ca0f7a8508f12b7550039200b42b8e8
-
- Apr 03, 2023
-
-
Seth Moore authored
With the move to rkpd, we no longer need to make calls from framework into the remote provisioner to tell it that a key was consumed. Bug: 274823784 Test: atest KeystoreTests Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest Change-Id: I510d471a980c62e5798e459729f73c231321d2a9
-
- Mar 20, 2023
-
-
Eran Messeri authored
Change interaction with Keystore2 in the following manner: * Return an enumerator over the entries in Keystore2 rather than attempting to get all of them into one single data structure. * Use a new Keystore2 method for getting the count of entries rather than count the size of the array returned. The enumerator reads a batch of key descriptors from Keystore2. Once the batch has been exhausted, the enumerator added asks Keystore2 for the next batch of keys starting with the last alias it has processed, until it receives an empty array. Bug: 222287335 Test: atest KeystoreTests Change-Id: I309b3188df998825557a3c5e6d777b1c0807a924
-
- Mar 14, 2023
-
-
Almaz Mingaleev authored
The latter might be initialized in the Zygote and return the same sequence within app restarts. Bug: 273524418 Fix: 273524418 Test: m Change-Id: Id85082edffb7b769bb5f78d66b561e5e097227c5
-
- Mar 13, 2023
-
-
Prashant Patil authored
Device ID attestation was failing in AOSP and GSI images due to properties mismatch in Build.java and actual device properties. (For example, the value of Build.DEVICE on a Raven device running an AOSP build would be 'aosp_raven', but KeyMint was provisioned with the value 'raven'.) To fix above issue, properties ro.product.*_for_attestation were introduced in AOSP build files (eg. aosp_raven.mk) only. But this was not sufficient for both AOSP and GSI. The same solution does not work for GSI images: GSI images are generic and so we cannot set device-specific properties in them. So, if ro.product.*_for_attestation properties are empty or unknown, they are read from ro.product.vendor because these values are not changed after flashing GSI images also. This fix will work for both AOSP and GSI images. Device ID properties preferences for eg. Build.BRAND_FOR_ATTESTATION = ro.product.brand_for_attestation -> ro.product.vendor.brand -> UNKNOWN. Bug: 268294752 Bug: 110779648 Bug: 259376922 Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/1_android_hardware_security_keymint_IKeyMintDevice_strongbox Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest CtsKeystoreTestCases:DeviceOwnerKeyManagementTest Change-Id: I574eca430cd2022cb9c270ca23ad33f6e5423cd4
-
- Feb 06, 2023
-
-
Prashant Patil authored
After adding attestation properties for AOSP/GSI builds their comparison in Spi layer missed one condition. If these values were not set they were assigned as Build.UNKNOWN. Hence additional check is added in Spi layer. Bug: 267643193 Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest CtsKeystoreTestCases:DeviceOwnerKeyManagementTest Change-Id: I5b3ef0a308bbb12bc4cac2efcf04468f65db1ef8
-
- Jan 27, 2023
-
-
Seth Moore authored
This is the first in a set of changes that get RKP error data directly from keystore. Starting with Android U, we get detailed RKP error information directly in the ResponseCode from keystore. This means mRkpStatus and related logic can be removed after AOSP fully switches over to using rkpd from the old RemoteProvisioner. Test: RkpdAppUnitTests Bug: 264888027 Change-Id: I32e128cca51b2d7dfdd67824ecb100f4e1cd4341
-
- Dec 31, 2022
-
-
Eran Messeri authored
Handle the case where a KeyMint implementation produced an invalid X.509 certificate that is the container for the generated key's public portion. There's not much for the caller to do other than re-generate the key. Bug: 261788762 Test: Not tested yet. Change-Id: Ia883df4f5e29a7d75929d37a68b015e857b90560
-
- Dec 15, 2022
-
-
Prashant Patil authored
Alternate device properties used for attestation on AOSP and GSI builds. Attestation ids were different in AOSP/GSI builds than provisioned ids in KeyMint. Hence additional properties are used to make these ids identical to provisioned ids. Bug: 110779648 Bug: 259376922 Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/1_android_hardware_security_keymint_IKeyMintDevice_strongbox Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest CtsKeystoreTestCases:DeviceOwnerKeyManagementTest Change-Id: Idd87314b8e5a95de3daac0ea4ff4dffd4c4c6f63
-
- Dec 05, 2022
-
-
Shaquille Johnson authored
We are adding the error codes ERROR_DEVICE_UNREGISTERED and ERROR_DEVICE_POTENTIALLY_VULNERABLE to reflect the new changes described in go/surface-rkp-status. Test: Unit test and Cts test added to KeystoreExceptionTest and run using atest CtsKeystoreTestCases Change-Id: Ie93814aaa5422e323d5a643e10e9fe4a51c07560
-
- Dec 01, 2022
-
-
Eran Messeri authored
To support attestation of a second IMEI, when ID attestation (with IMEI) is requested, pass in the 2nd IMEI as a SECOND_IMEI KeyMint tag. Bug: 244732345 Test: atest android.keystore.cts.DeviceOwnerKeyManagementTest Change-Id: I19a3733746fa6a35c6225f0c60fd9f4b51a62ab1
-
- Nov 14, 2022
-
-
Prashant Patil authored
Added a KeyAgreement algorithm for X25519 (XDH) in KeyProperties. KM_ALGORITHM_EC is used for XDH because KeyMint uses KM_ALGORITHM_EC along with Curve25519 to differentiate X25519 and other EC keys. Algorithm name XDH is set for the X25519 private key. Consolidated methods of Keymaster-specific conversions of EC_CURVE into KeymasterUtil. Bug: 240682299 Test: run cts -m CtsKeystoreTestCases -t android.keystore.cts.Curve25519Test#x25519KeyImportAndAgreementTest Change-Id: I3f95738194e62be0f1d821b1eb467ed810a5a175
-
- Sep 23, 2022
-
-
Tomasz Wasilczyk authored
Bug: 245258360 Change-Id: I4d9215486df275012dad495730ce0ff00839b7a6 Test: TH
-
- Sep 22, 2022
-
-
Prashant Patil authored
If EC curves of Public and Private keys are different, an InvalidKeyException is expected. But the current implementation does not throw exception from doPhase method and fails in generateSecret method. The fix is in AndroidKeyStoreECPublicKey to provide correct ECParameterSpec while creating a PrivateKey object. Bug: 215175472 Test: run cts -m CtsKeystoreWycheproofTestCases -t com.google.security.wycheproof.JsonEcdhTest#testSecp224r1 Test: run cts -m CtsKeystoreWycheproofTestCases -t com.google.security.wycheproof.JsonEcdhTest#testSecp256r1 Test: run cts -m CtsKeystoreWycheproofTestCases -t com.google.security.wycheproof.JsonEcdhTest#testSecp384r1 Test: run cts -m CtsKeystoreWycheproofTestCases -t com.google.security.wycheproof.JsonEcdhTest#testSecp521r1 Test: run cts -m CtsKeystoreTestCases -t android.keystore.cts.KeyAgreementTest#testDoPhase_withDifferentCurveKey_fails Change-Id: Ie221926d8a3be3fe6679e723575c5021cafba98e
-
- Sep 21, 2022
-
-
Prashant Patil authored
As per KeyMint documentation, EC key import has to provide the EC_CURVE tag. This is required for the StrongBox implementation test using Wycheproof test cases. Also added support to get KEY_SIZE based on EC_CURVE, if it is not included in the Authorization list. Bug: 237634216 Test: run cts -m CtsKeystoreWycheproofTestCases Change-Id: Ie981721c38477e74da3cba6613dc0b34e453609c
-
- Sep 14, 2022
-
-
Prashant Patil authored
Included KM_TAG_RSA_OAEP_MGF_DIGEST for RSA key generation and import if the supported padding is defined as OAEP. All supported digests are added as KM_TAG_RSA_OAEP_MGF_DIGEST and also the default MGF1-SHA1 digest is added because crypto operations could fail if MGF1ParameterSpec is not provided. Note this includes an additional Attestation parameter in the returned certificate, which needs to be handled accordingly. Bug: 203688354 Test: run cts -m CtsKeystoreTestCases -t android.keystore.cts.CipherTest#testKatBasicWithDifferentProviders Change-Id: I2086f2520667ccac9116e04de39f6328a0d3fc5b
-
- Jul 23, 2022
-
-
Eric Biggers authored
The keystore2 binder API supports rollback resistance when KeyMint supports it, but until now this wasn't exposed to Java code that uses AndroidKeyStore. Add support for rollback-resistant keys to KeyProtection and AndroidKeyStoreSpi.setSecretKeyEntry() so that LockSettingsService can request it for SP protector keys. This CL does *not* do any of the following: - Add any non-hidden APIs. KeyMint implementations only support a limited number of rollback-resistant keys; currently the available space is reserved for platform use only. Note that other examples of "hidden", platform-only key properties are isCriticalToDeviceEncryption() and getBoundToSpecificSecureUserId(). - Support rollback resistance with keys directly generated by Keystore. This isn't currently needed. Note that this would require changes to KeyGenParameterSpec and AndroidKeyStoreKeyGeneratorSpi. - Allow querying the rollback resistance property of keys. This isn't currently needed. Note that this would require changes to KeyInfo and AndroidKeyStoreSecretKeyFactorySpi. Bug: 239632930 Test: see I05f3b7e5c139471febe5c266a39e3dc3bca4831f Change-Id: Ifcfd0b8f1bf440ef1ac80a9ac2b0e9c7f62106dd
-
- May 16, 2022
-
-
Seth Moore authored
Previously, the key pair generation would error out even if we successfully provisioned attestation keys. Instead, we should retry key generation after the GenerateRkpKeyService reports an OK status. Bug: 231495834 Test: RemoteProvisionerUnitTests Change-Id: I049294cbc7119de55b5de02499bf4609d4c6de5d Merged-In: I049294cbc7119de55b5de02499bf4609d4c6de5d
-
- May 13, 2022
-
-
Seth Moore authored
Previously, the key pair generation would error out even if we successfully provisioned attestation keys. Instead, we should retry key generation after the GenerateRkpKeyService reports an OK status. Bug: 231495834 Test: RemoteProvisionerUnitTests Change-Id: I049294cbc7119de55b5de02499bf4609d4c6de5d
-
- May 12, 2022
-
-
Eran Messeri authored
Implement support for the X25519 key agreement functionality. Similar to Ed25519, two new classes are added: * AndroidKeyStoreXDHPrivateKey * AndroidKeyStoreXDHPublicKey The private key class is simply a handle to the KeyMint key. The public key class implements XECPublicKey, the interface needed for using this key in a platform-backed key agreement. Because of Conscrypt API boundaries, the functionality of Conscrypt's OpenSSLX25519PublicKey is duplicated here - namely, matching the prefix of the encoded key. Bug: 194359292 Test: atest android.keystore.cts.Curve25519Test Change-Id: Ifc12be528ab544fd6909bb0dd6224a0a4dd400c6 Merged-In: Ifc12be528ab544fd6909bb0dd6224a0a4dd400c6
-
Eran Messeri authored
Wire Ed25519 signing into Keystore. This consists of registering a provider for Ed25519. Ed25519 has its own digest scheme, so the caller should specify "none" as the digest scheme, and that's the tag that's going to be passed into KeyMint. However, unlike other uses of the "NONE" digest scheme, the input to the signature algorithm should not be truncated. Bug: 194359292 Test: atest android.keystore.cts.Curve25519Test Merged-In: Icce4f7f2f8fa10081a9c6beff4813c2d91756469 Change-Id: Ic59ad0aa8343c6aecf6d5c273166d1f4d10e4f21
-
Eran Messeri authored
Implement support for the X25519 key agreement functionality. Similar to Ed25519, two new classes are added: * AndroidKeyStoreXDHPrivateKey * AndroidKeyStoreXDHPublicKey The private key class is simply a handle to the KeyMint key. The public key class implements XECPublicKey, the interface needed for using this key in a platform-backed key agreement. Because of Conscrypt API boundaries, the functionality of Conscrypt's OpenSSLX25519PublicKey is duplicated here - namely, matching the prefix of the encoded key. Bug: 194359292 Test: atest android.keystore.cts.Curve25519Test Change-Id: Ifc12be528ab544fd6909bb0dd6224a0a4dd400c6
-
- May 11, 2022
-
-
Eran Messeri authored
Wire Ed25519 signing into Keystore. This consists of registering a provider for Ed25519. Ed25519 has its own digest scheme, so the caller should specify "none" as the digest scheme, and that's the tag that's going to be passed into KeyMint. However, unlike other uses of the "NONE" digest scheme, the input to the signature algorithm should not be truncated. Bug: 194359292 Test: atest android.keystore.cts.Curve25519Test Change-Id: Icce4f7f2f8fa10081a9c6beff4813c2d91756469
-
- May 10, 2022
-
-
Eran Messeri authored
Implement support for Ed25519 signing keys in Android Keystore. Because Conscrypt does not yet handle those keys, the Keystore classes implement EdECPublicKey directly and parse the keys. Specifically, AndroidKeyStoreEdECPublicKey can take an encoded X.509 key specification, validate the encoding is of an Ed25519 key, then parse the oddity and Y point on the curve. RFC8032 describes EdDSA signature scheme, particularly Ed25519. RFC8410, Section 3, defines the OID for Ed25519 keys (1.3.101.112). RFC8410, Section 4, describes the encoding of the public key. Bug: 195309719 Bug: 194359292 Bug: 214203951 Test: atest android.security.keystore2.AndroidKeyStoreEdECPublicKeyTest Merged-In: I07b793cbd5029630768368ad4a863bbc1c828ced Change-Id: I477e87658b98bc3340da9a062d81508aad041c07
-