diff --git a/Applet/src/com/android/javacard/keymaster/KMEncoder.java b/Applet/src/com/android/javacard/keymaster/KMEncoder.java
index 0ba1986c..e47d799d 100644
--- a/Applet/src/com/android/javacard/keymaster/KMEncoder.java
+++ b/Applet/src/com/android/javacard/keymaster/KMEncoder.java
@@ -82,8 +82,8 @@ public short encode(short object, byte[] buffer, short startOff) {
 bufferRef[0] = buffer;
 scratchBuf[START_OFFSET] = startOff;
 short len = (short) (buffer.length - startOff);
- if ((len < 0) || len > KMKeymasterApplet.MAX_LENGTH) {
- scratchBuf[LEN_OFFSET] = KMKeymasterApplet.MAX_LENGTH;
+ if ((len < 0) || len > KMRepository.HEAP_SIZE) {
+ scratchBuf[LEN_OFFSET] = KMRepository.HEAP_SIZE;
 } else {
 scratchBuf[LEN_OFFSET] = (short) buffer.length;
 }
diff --git a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
index 5171abde..66423fb9 100644
--- a/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
+++ b/Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
@@ -44,7 +44,6 @@ public class KMKeymasterApplet extends Applet implements AppletEvent, ExtendedLe
 public static final byte[] F4 = {0x01, 0x00, 0x01};
 public static final byte AES_BLOCK_SIZE = 16;
 public static final byte DES_BLOCK_SIZE = 8;
- public static final short MAX_LENGTH = 10000;
 public static final short MASTER_KEY_SIZE = 128;
 public static final short WRAPPING_KEY_SIZE = 32;
 public static final short MAX_OPERATIONS_COUNT = 4;
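Review bot: In `encode`, a negative `len` (a `startOff` beyond `buffer.length`, or a difference that wraps in the `short` cast) takes the same branch as an oversized buffer and sets `scratchBuf[LEN_OFFSET]` to `KMRepository.HEAP_SIZE`, a bound unrelated to the size of the buffer that was actually passed in. The other branch stores `buffer.length` although the test was made on `buffer.length - startOff`, so the comparison and the stored bound measure different things. I would test `len < 0` on its own and fail before any byte is written, and document the clamp with something like `// LEN_OFFSET holds the end bound for writes into buffer, capped at the heap size` once that reading is confirmed. `KMRepository.HEAP_SIZE` is defined outside this diff and `encode` continues past the hunk, so whether later writes are checked against this bound cannot be confirmed from here.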
@@ -3491,8 +3490,9 @@ private void processAttestKeyCmd(APDU apdu) {
 data[APP_DATA] = getApplicationData(data[KEY_PARAMETERS]);
 // Check if key requires upgrade. The KeyBlob is parsed inside isKeyUpgradeRequired
 // function itself.
- parseEncryptedKeyBlob(data[KEY_BLOB], data[APP_ID], data[APP_DATA], scratchPad,
- KEYBLOB_CURRENT_VERSION);
+ if (isKeyUpgradeRequired(data[KEY_BLOB], data[APP_ID], data[APP_DATA], scratchPad)) {
+ KMException.throwIt(KMError.KEY_REQUIRES_UPGRADE);
+ }
 // Validate KeyParams Mac
 if (!validateKeyParamsMac(data[KEY_PARAMETERS], keyParamsMac, scratchPad)) {
 KMException.throwIt(KMError.INVALID_KEY_BLOB);
diff --git a/HAL/JavacardKeyMintDevice.cpp b/HAL/JavacardKeyMintDevice.cpp
index 0cb1bec6..ae78079b 100644
--- a/HAL/JavacardKeyMintDevice.cpp
+++ b/HAL/JavacardKeyMintDevice.cpp
@@ -93,7 +93,7 @@ ScopedAStatus JavacardKeyMintDevice::generateKey(const vector& key
 // Call attestKey only Asymmetric algorithms.
 keymaster_algorithm_t algorithm;
 paramSet.GetTagValue(TAG_ALGORITHM, &algorithm);
- if (algorithm == KM_ALGORITHM_RSA || algorithm == KM_ALGORITHM_EC) {
+ if (algorithm == KM_ALGORITHM_RSA || algorithm == KM_ALGORITHM_EC) {
 cppbor::Array attestKeyArray;
 attestKeyArray.add(creationResult->keyBlob);
 cbor_.addKeyparameters(attestKeyArray, keyParams);
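Review bot: In `processAttestKeyCmd`, the parse of `data[KEY_BLOB]` that the following `validateKeyParamsMac` check relies on now happens only as a side effect of a predicate, `isKeyUpgradeRequired(...)`, where the removed line called `parseEncryptedKeyBlob` explicitly. The existing comment mentions this but reads as a remark about the upgrade check; I would state the dependency directly, e.g. `// isKeyUpgradeRequired() also parses data[KEY_BLOB]; the MAC check and attestation below depend on that side effect.` The body of `isKeyUpgradeRequired` is not in this diff, so it is worth confirming that it cannot return before the blob has been fully parsed and authenticated. `processAttestKeyCmd` starts and ends outside the hunk.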
@@ -101,12 +101,19 @@ ScopedAStatus JavacardKeyMintDevice::generateKey(const vector& key
 attestKeyArray.add(keyParamsMac);
 auto [certItem, error] = card_->sendRequest(Instruction::INS_ATTEST_KEY_CMD, attestKeyArray);
 if (error != KM_ERROR_OK) {
- LOG(ERROR) << "Failed in attestKey err: ";
- return km_utils::kmError2ScopedAStatus(error);
+ LOG(ERROR) << "Failed in attestKey err: " << error;
+ if (error == KM_ERROR_KEY_REQUIRES_UPGRADE) {
+ // This is rare scenario where either the applet gets upgraded or system propeties
+ // like osVersion, OsPatch, VendorPatch and bootPatches values changes.
+ LOG(DEBUG) << "This error occurs in case if either the applets get upgraded or if any"
+ "system properties like OsVersion, OsPatch, VendorPatch or bootPatch values changes";
+ error = KM_ERROR_UNKNOWN_ERROR;
+ }
+ return km_utils::kmError2ScopedAStatus(error);
 }
 if (!cbor_.getCertificateChain(certItem, 1, creationResult->certificateChain)) {
- LOG(ERROR) << "Error in decoding og response in generateKey.";
- return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
+ LOG(ERROR) << "Error in decoding og response in generateKey.";
+ return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
 }
 }
 return ScopedAStatus::ok();
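Review bot: The two adjacent string literals in the new `LOG(DEBUG)` statement are concatenated without a separating space, so the message reads "...or if anysystem properties...". The same block, with the same defect, is repeated verbatim in the `importKey` and `importWrappedKey` hunks. I would move the translation of `KM_ERROR_KEY_REQUIRES_UPGRADE` to `KM_ERROR_UNKNOWN_ERROR` into one file-local helper, so the three call sites cannot drift apart and the reason for masking the code is documented once. The helper name and the `keymaster_error_t` parameter type below are suggestions; the type `sendRequest` returns is not visible in this diff. `generateKey` starts and ends outside the hunk.

```cpp
// Proposed file-local helper shared by generateKey, importKey and importWrappedKey.
static keymaster_error_t translateAttestKeyError(keymaster_error_t error) {
    if (error == KM_ERROR_KEY_REQUIRES_UPGRADE) {
        // Rare: the applet was upgraded, or OsVersion / OsPatch / VendorPatch / bootPatch
        // changed, between creating the key blob and attesting it.
        LOG(DEBUG) << "This error occurs in case if either the applets get upgraded or if any "
                      "system properties like OsVersion, OsPatch, VendorPatch or bootPatch "
                      "values changes";
        return KM_ERROR_UNKNOWN_ERROR;
    }
    return error;
}

// … unchanged: attestKeyArray setup and sendRequest(INS_ATTEST_KEY_CMD) …
    if (error != KM_ERROR_OK) {
        LOG(ERROR) << "Failed in attestKey err: " << error;
        return km_utils::kmError2ScopedAStatus(translateAttestKeyError(error));
    }
```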
@@ -163,7 +170,14 @@ ScopedAStatus JavacardKeyMintDevice::importKey(const vector& keyPa
 attestKeyArray.add(keyParamsMac);
 auto [certItem, error] = card_->sendRequest(Instruction::INS_ATTEST_KEY_CMD, attestKeyArray);
 if (error != KM_ERROR_OK) {
- LOG(ERROR) << "Failed in attestKey err: ";
+ LOG(ERROR) << "Failed in attestKey err: " << error;
+ if (error == KM_ERROR_KEY_REQUIRES_UPGRADE) {
+ // This is rare scenario where either the applet gets upgraded or system propeties
+ // like osVersion, OsPatch, VendorPatch and bootPatches values changes.
+ LOG(DEBUG) << "This error occurs in case if either the applets get upgraded or if any"
+ "system properties like OsVersion, OsPatch, VendorPatch or bootPatch values changes";
+ error = KM_ERROR_UNKNOWN_ERROR;
+ }
 return km_utils::kmError2ScopedAStatus(error);
 }
 if (!cbor_.getCertificateChain(certItem, 1, creationResult->certificateChain)) {
@@ -235,7 +249,14 @@ ScopedAStatus JavacardKeyMintDevice::importWrappedKey(const vector& wra
 cbor_.addAttestationKey(attestKeyArray, std::nullopt);
 auto [certItem, error] = card_->sendRequest(Instruction::INS_ATTEST_KEY_CMD, attestKeyArray);
 if (error != KM_ERROR_OK) {
- LOG(ERROR) << "Failed in attestKey err: ";
+ LOG(ERROR) << "Failed in attestKey err: " << error;
+ if (error == KM_ERROR_KEY_REQUIRES_UPGRADE) {
+ // This is rare scenario where either the applet gets upgraded or system propeties
+ // like osVersion, OsPatch, VendorPatch and bootPatches values changes.
+ LOG(DEBUG) << "This error occurs in case if either the applets get upgraded or if any"
+ "system properties like OsVersion, OsPatch, VendorPatch or bootPatch values changes";
+ error = KM_ERROR_UNKNOWN_ERROR;
+ }
 return km_utils::kmError2ScopedAStatus(error);
 }
 if (!cbor_.getCertificateChain(certItem, 1, creationResult->certificateChain)) {