Addressed review comments

Applet/src/com/android/javacard/keymaster/KMEncoder.java

@@ -82,8 +82,8 @@ public short encode(short object, byte[] buffer, short startOff) {
     bufferRef[0] = buffer;
     scratchBuf[START_OFFSET] = startOff;
     short len = (short) (buffer.length - startOff);
-    if ((len < 0) || len > KMKeymasterApplet.MAX_LENGTH) {
-      scratchBuf[LEN_OFFSET] = KMKeymasterApplet.MAX_LENGTH;
+    if ((len < 0) || len > KMRepository.HEAP_SIZE) {
+      scratchBuf[LEN_OFFSET] = KMRepository.HEAP_SIZE;
     } else {
       scratchBuf[LEN_OFFSET] = (short) buffer.length;
     }

Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java

@@ -44,7 +44,6 @@ public class KMKeymasterApplet extends Applet implements AppletEvent, ExtendedLe
   public static final byte[] F4 = {0x01, 0x00, 0x01};
   public static final byte AES_BLOCK_SIZE = 16;
   public static final byte DES_BLOCK_SIZE = 8;
-  public static final short MAX_LENGTH = 10000;
   public static final short MASTER_KEY_SIZE = 128;
   public static final short WRAPPING_KEY_SIZE = 32;
   public static final short MAX_OPERATIONS_COUNT = 4;
@@ -3491,8 +3490,9 @@ private void processAttestKeyCmd(APDU apdu) {
     data[APP_DATA] = getApplicationData(data[KEY_PARAMETERS]);
     // Check if key requires upgrade. The KeyBlob is parsed inside isKeyUpgradeRequired
     // function itself.
-    parseEncryptedKeyBlob(data[KEY_BLOB], data[APP_ID], data[APP_DATA], scratchPad,
-        KEYBLOB_CURRENT_VERSION);
+    if (isKeyUpgradeRequired(data[KEY_BLOB], data[APP_ID], data[APP_DATA], scratchPad)) {
+      KMException.throwIt(KMError.KEY_REQUIRES_UPGRADE);
+    }
     // Validate KeyParams Mac
     if (!validateKeyParamsMac(data[KEY_PARAMETERS], keyParamsMac, scratchPad)) {
       KMException.throwIt(KMError.INVALID_KEY_BLOB);

HAL/JavacardKeyMintDevice.cpp

@@ -93,20 +93,27 @@ ScopedAStatus JavacardKeyMintDevice::generateKey(const vector<KeyParameter>& key
     // Call attestKey only Asymmetric algorithms.
     keymaster_algorithm_t algorithm;
     paramSet.GetTagValue(TAG_ALGORITHM, &algorithm);
-    if (algorithm == KM_ALGORITHM_RSA || algorithm == KM_ALGORITHM_EC) { 
+    if (algorithm == KM_ALGORITHM_RSA || algorithm == KM_ALGORITHM_EC) {
         cppbor::Array attestKeyArray;
         attestKeyArray.add(creationResult->keyBlob);
         cbor_.addKeyparameters(attestKeyArray, keyParams);
         cbor_.addAttestationKey(attestKeyArray, attestationKey);
         attestKeyArray.add(keyParamsMac);
         auto [certItem, error] = card_->sendRequest(Instruction::INS_ATTEST_KEY_CMD, attestKeyArray);
         if (error != KM_ERROR_OK) {
-	    LOG(ERROR) << "Failed in attestKey err: ";
-	    return km_utils::kmError2ScopedAStatus(error);
+            LOG(ERROR) << "Failed in attestKey err: " << error;
+            if (error == KM_ERROR_KEY_REQUIRES_UPGRADE) {
+                // This is rare scenario where either the applet gets upgraded or system propeties 
+                // like osVersion, OsPatch, VendorPatch and bootPatches values changes.
+                LOG(DEBUG) << "This error occurs in case if either the applets get upgraded or if any"
+                    "system properties like OsVersion, OsPatch, VendorPatch or bootPatch values changes";
+                error = KM_ERROR_UNKNOWN_ERROR;
+            }
+            return km_utils::kmError2ScopedAStatus(error);
         }
         if (!cbor_.getCertificateChain(certItem, 1, creationResult->certificateChain)) {
-	    LOG(ERROR) << "Error in decoding og response in generateKey.";
-	    return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
+            LOG(ERROR) << "Error in decoding og response in generateKey.";
+            return km_utils::kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);
         }
     }
     return ScopedAStatus::ok();
@@ -163,7 +170,14 @@ ScopedAStatus JavacardKeyMintDevice::importKey(const vector<KeyParameter>& keyPa
         attestKeyArray.add(keyParamsMac);
         auto [certItem, error] = card_->sendRequest(Instruction::INS_ATTEST_KEY_CMD, attestKeyArray);
         if (error != KM_ERROR_OK) {
-            LOG(ERROR) << "Failed in attestKey err: ";
+            LOG(ERROR) << "Failed in attestKey err: " << error;
+            if (error == KM_ERROR_KEY_REQUIRES_UPGRADE) {
+                // This is rare scenario where either the applet gets upgraded or system propeties 
+                // like osVersion, OsPatch, VendorPatch and bootPatches values changes.
+                LOG(DEBUG) << "This error occurs in case if either the applets get upgraded or if any"
+                    "system properties like OsVersion, OsPatch, VendorPatch or bootPatch values changes";
+                error = KM_ERROR_UNKNOWN_ERROR;
+            }
             return km_utils::kmError2ScopedAStatus(error);
         }
         if (!cbor_.getCertificateChain(certItem, 1, creationResult->certificateChain)) {
@@ -235,7 +249,14 @@ ScopedAStatus JavacardKeyMintDevice::importWrappedKey(const vector<uint8_t>& wra
         cbor_.addAttestationKey(attestKeyArray, std::nullopt);
         auto [certItem, error] = card_->sendRequest(Instruction::INS_ATTEST_KEY_CMD, attestKeyArray);
         if (error != KM_ERROR_OK) {
-            LOG(ERROR) << "Failed in attestKey err: ";
+            LOG(ERROR) << "Failed in attestKey err: " << error;
+            if (error == KM_ERROR_KEY_REQUIRES_UPGRADE) {
+                // This is rare scenario where either the applet gets upgraded or system propeties 
+                // like osVersion, OsPatch, VendorPatch and bootPatches values changes.
+                LOG(DEBUG) << "This error occurs in case if either the applets get upgraded or if any"
+                    "system properties like OsVersion, OsPatch, VendorPatch or bootPatch values changes";
+                error = KM_ERROR_UNKNOWN_ERROR;
+            }
             return km_utils::kmError2ScopedAStatus(error);
         }
         if (!cbor_.getCertificateChain(certItem, 1, creationResult->certificateChain)) {