mTransport;
72 |
73 | };
74 | }
75 |
--------------------------------------------------------------------------------
/ProvisioningTool/Makefile:
--------------------------------------------------------------------------------
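# Builds the two host-side provisioning tools: construct_apdus and provision.

# Remove a target whose recipe failed so a truncated file never looks up to date.
.DELETE_ON_ERROR:

# CC is used as the C++ compiler and link driver throughout this file.
CC = g++
SRC_DIR = src

# source files for construct_apdus
# (no trailing backslash on the last entry: a dangling continuation would
# swallow whatever line is later added directly below the list)
CONSTRUCT_APDUS_SRC = $(SRC_DIR)/construct_apdus.cpp \
                      $(SRC_DIR)/cppbor.cpp \
                      $(SRC_DIR)/cppbor_parse.cpp \
                      $(SRC_DIR)/utils.cpp

CONSTRUCT_APDUS_OBJFILES = $(CONSTRUCT_APDUS_SRC:.cpp=.o)
CONSTRUCT_APDUS_BIN = construct_apdus

# source files for provision
PROVISION_SRC = $(SRC_DIR)/provision.cpp \
                $(SRC_DIR)/socket.cpp \
                $(SRC_DIR)/cppbor.cpp \
                $(SRC_DIR)/cppbor_parse.cpp \
                $(SRC_DIR)/utils.cpp

PROVISION_OBJFILES = $(PROVISION_SRC:.cpp=.o)
PROVISION_BIN = provision

# Compiler-generated header dependency files, one per object.
DEPFILES = $(sort $(CONSTRUCT_APDUS_OBJFILES:.o=.d) $(PROVISION_OBJFILES:.o=.d))

# Pick the platform define. PLATFORM stays empty on any other host.
ifeq ($(OS),Windows_NT)
uname_S := Windows
else
uname_S := $(shell uname -s)
endif

ifeq ($(uname_S), Windows)
PLATFORM = -D__WIN32__
endif
ifeq ($(uname_S), Linux)
PLATFORM = -D__LINUX__
endif

DEBUG = -g
CXXFLAGS = $(DEBUG) $(PLATFORM) -Wall -std=c++2a
CFLAGS = $(CXXFLAGS) -Iinclude
# -MMD/-MP make the compiler write a .d file next to each object, so editing a
# header under include/ rebuilds the objects that use it instead of leaving
# stale binaries behind.
DEPFLAGS = -MMD -MP
# -Llib/ links against the jsoncpp binaries checked into lib/. lib/README.md
# describes how to rebuild them from source; the binaries in the tree should be
# checked against such a rebuild before the tools are trusted with key material.
# -lcrypto is presumably resolved from the host toolchain.
LDFLAGS = -Llib/
LIB_JSON = -ljsoncpp
LIB_CRYPTO = -lcrypto
LDLIBS = $(LIB_JSON) $(LIB_CRYPTO)

# Neither name is a file; without this a stray file called "all" or "clean"
# would silently disable the target.
.PHONY: all clean

all: $(CONSTRUCT_APDUS_BIN) $(PROVISION_BIN)

$(CONSTRUCT_APDUS_BIN): $(CONSTRUCT_APDUS_OBJFILES)
	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)

$(PROVISION_BIN): $(PROVISION_OBJFILES)
	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)

# $< (first prerequisite only): once header prerequisites come in through the
# .d files, $^ would hand the headers to the compiler as inputs.
%.o: %.cpp
	$(CC) $(CFLAGS) $(DEPFLAGS) -c -o $@ $<

# Missing on the first build, hence the leading '-'.
-include $(DEPFILES)

clean:
	rm -f $(CONSTRUCT_APDUS_OBJFILES) $(CONSTRUCT_APDUS_BIN) $(PROVISION_OBJFILES) $(PROVISION_BIN) $(DEPFILES)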
59 |
--------------------------------------------------------------------------------
/ProvisioningTool/README.md:
--------------------------------------------------------------------------------
1 | # Provisioning tool
2 | This directory contains two tools: one constructs the APDUs and dumps them to a JSON file; the other reads the APDUs from the JSON file and provisions them into a secure element simulator. Both tools can be compiled and executed on a Linux machine.
3 |
4 | #### Build instruction
5 | The default target generates both the executables. One construct_apdus and the other provision.
6 | $ make
7 | Individual targets can also be selected as shown below
8 | $ make construct_apdus
9 | $ make provision
10 | Make clean will remove all the object files and binaries
11 | $ make clean
12 |
13 | #### Environment setup
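14 | Before executing the binaries, make sure LD_LIBRARY_PATH is set. The `./lib` entry is relative to the current working directory, so run the binaries from this directory.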
15 | export LD_LIBRARY_PATH=./lib:$LD_LIBRARY_PATH
16 |
17 | #### Sample resources for quick testing
18 | Two sample json files are located in this directory with names
19 | [sample_json_cf.txt](sample_json_cf.txt) and [sample_json_gf.txt](sample_json_gf.txt)
20 | for your reference. Use sample_json_cf.txt for cuttlefish target and use
21 | sample_json_gf.txt for goldfish target. Also the required certificates and
22 | keys can be found in [test_resources](test_resources) directory. Copy the
23 | certificates and the key into the emulator/device filesystem in their respective
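24 | paths mentioned in the sample json file. The sample files use an all-zero shared_secret and the keys under test_resources, so they are suitable for test targets only.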
25 |
26 | #### Usage for construct_apdus
27 |
28 | Usage: construct_apdus options
29 | Valid options are:
30 | -h, --help show the help message and exit.
31 | -v, --km_version version Version of the keymaster ((4.0 or 4.1 for respective keymaster version))
32 | -i, --input jsonFile Input json file
33 | -o, --output jsonFile Output json file
34 |
35 |
36 | #### Usage for provision
37 |
38 | Usage: provision options
39 | Valid options are:
40 | -h, --help show the help message and exit.
41 | -v, --km_version version Version of the keymaster ((4.0 or 4.1 for respective keymaster version))
42 | -i, --input jsonFile Input json file
43 | -s, --provision_stautus Prints the current provision status.
44 | -l, --lock_provision Locks the provision state.
45 |
46 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/UniquePtr.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (C) 2010 The Android Open Source Project
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * http://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | #pragma once
18 |
19 | #include // for size_t
20 |
21 | #include
22 |
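// NOTE(review): the template parameter lists in this listing were lost in
// extraction (bare `template struct`, `template >`). They are restored here in
// the only form that matches the two DefaultDelete bodies and the alias below.

// Default deleter for pointer types: releases a single object with `delete`.
template <typename T> struct DefaultDelete {
    // sizeof(T) is ill-formed for an incomplete type, so this line turns
    // "delete through a forward declaration" into a compile error.
    enum { type_must_be_complete = sizeof(T) };
    DefaultDelete() {}
    void operator()(T* p) const { delete p; }
};

// Default deleter for array types: releases with `delete[]`.
template <typename T> struct DefaultDelete<T[]> {
    enum { type_must_be_complete = sizeof(T) };
    void operator()(T* p) const { delete[] p; }
};

// UniquePtr is std::unique_ptr with DefaultDelete as the default deleter, so
// existing UniquePtr<T> / UniquePtr<T, D> call sites keep compiling.
template <typename T, typename D = DefaultDelete<T> >
using UniquePtr = std::unique_ptr<T, D>;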
38 |
39 |
40 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/constants.h:
--------------------------------------------------------------------------------
1 | /*
2 | **
3 | ** Copyright 2021, The Android Open Source Project
4 | **
5 | ** Licensed under the Apache License, Version 2.0 (the "License");
6 | ** you may not use this file except in compliance with the License.
7 | ** You may obtain a copy of the License at
8 | **
9 | ** http://www.apache.org/licenses/LICENSE-2.0
10 | **
11 | ** Unless required by applicable law or agreed to in writing, software
12 | ** distributed under the License is distributed on an "AS IS" BASIS,
13 | ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | ** See the License for the specific language governing permissions and
15 | ** limitations under the License.
16 | */
17 | #pragma once
18 |
19 | #include
20 | #include
21 | #include
22 | #include
23 | #include
24 | #include "UniquePtr.h"
25 |
26 | #define SUCCESS 0
27 | #define FAILURE 1
28 | #define KEYMASTER_VERSION_4_1 4.1
29 | #define KEYMASTER_VERSION_4_0 4
30 | #define P1_40 0x40
31 | #define P1_50 0x50
32 | #define APDU_CLS 0x80
33 | #define APDU_P1 P1_40
34 | #define APDU_P2 0x00
35 | #define INS_BEGIN_KM_CMD 0x00
36 | #define APDU_RESP_STATUS_OK 0x9000
37 | #define SE_POWER_RESET_STATUS_FLAG ( 1 << 30)
38 |
39 |
40 |
41 | template
42 | struct OpenSslObjectDeleter {
43 | void operator()(T* p) { FreeFunc(p); }
44 | };
45 |
46 | #define DEFINE_OPENSSL_OBJECT_POINTER(name) \
47 | typedef OpenSslObjectDeleter name##_Delete; \
48 | typedef UniquePtr name##_Ptr;
49 |
50 | DEFINE_OPENSSL_OBJECT_POINTER(EC_KEY)
51 | DEFINE_OPENSSL_OBJECT_POINTER(EVP_PKEY)
52 | DEFINE_OPENSSL_OBJECT_POINTER(X509)
53 |
// Messages used for OEM lock / unlock verification.
constexpr char kOemProvisioningLock[] = "OEM Provisioning Lock";
constexpr char kEnableRma[] = "Enable RMA";

// Tags, written in hex so the two parts of each value are visible: the top
// four bits and the low-order identifier. This looks like the Keymaster tag
// layout (0x1 enum, 0x2 repeatable enum, 0x9 bytes) -- confirm against
// keymaster_defs.h.
constexpr uint64_t kTagAlgorithm = 0x10000002u;
constexpr uint64_t kTagDigest = 0x20000005u;
constexpr uint64_t kTagCurve = 0x1000000Au;
constexpr uint64_t kTagPurpose = 0x20000001u;
// Attestation ID tags: consecutive identifiers 0x2C6 (710) .. 0x2CD (717).
constexpr uint64_t kTagAttestationIdBrand = 0x900002C6u;
constexpr uint64_t kTagAttestationIdDevice = 0x900002C7u;
constexpr uint64_t kTagAttestationIdProduct = 0x900002C8u;
constexpr uint64_t kTagAttestationIdSerial = 0x900002C9u;
constexpr uint64_t kTagAttestationIdImei = 0x900002CAu;
constexpr uint64_t kTagAttestationIdMeid = 0x900002CBu;
constexpr uint64_t kTagAttestationIdManufacturer = 0x900002CCu;
constexpr uint64_t kTagAttestationIdModel = 0x900002CDu;

// Values carried by the tags above.
constexpr uint64_t kCurveP256 = 1;
constexpr uint64_t kAlgorithmEc = 3;
constexpr uint64_t kDigestSha256 = 4;
constexpr uint64_t kPurposeAttest = 0x7F;
constexpr uint64_t kPurposeVerify = 3;
constexpr uint64_t kKeyFormatRaw = 3;

// Keys looked up in the JSON files.
// NOTE(review): the sample JSON files in this directory use "attest_ids" and
// "set_boot_params", not the "attestation_ids" / "boot_params" strings below;
// presumably those are input keys and these are output keys -- confirm.
constexpr char kAttestKey[] = "attest_key";
constexpr char kAttestCertChain[] = "attest_cert_chain";
constexpr char kSharedSecret[] = "shared_secret";
constexpr char kBootParams[] = "boot_params";
constexpr char kAttestationIds[] = "attestation_ids";
constexpr char kDeviceUniqueKey[] = "device_unique_key";
constexpr char kAdditionalCertChain[] = "additional_cert_chain";
constexpr char kProvisionStatus[] = "provision_status";
constexpr char kLockProvision[] = "lock_provision";
constexpr char kOEMRootKey[] = "oem_root_key";
constexpr char kSeFactoryProvisionLock[] = "se_factory_lock";
constexpr char kUnLockProvision[] = "unlock_provision";
93 |
// Instruction (INS) constants, each an offset from INS_BEGIN_KM_CMD.
// Offsets are written as hex bytes; offset 0x09 is not assigned in this list.
constexpr int kAttestationKeyCmd = INS_BEGIN_KM_CMD + 0x01;
constexpr int kAttestCertDataCmd = INS_BEGIN_KM_CMD + 0x02;
constexpr int kAttestationIdsCmd = INS_BEGIN_KM_CMD + 0x03;
constexpr int kPresharedSecretCmd = INS_BEGIN_KM_CMD + 0x04;
constexpr int kBootParamsCmd = INS_BEGIN_KM_CMD + 0x05;
constexpr int kOemLockProvisionCmd = INS_BEGIN_KM_CMD + 0x06;
constexpr int kGetProvisionStatusCmd = INS_BEGIN_KM_CMD + 0x07;
constexpr int kSetVersionPatchLevelCmd = INS_BEGIN_KM_CMD + 0x08;
constexpr int kSeFactoryLockCmd = INS_BEGIN_KM_CMD + 0x0A;
constexpr int kOemRootPublicKeyCmd = INS_BEGIN_KM_CMD + 0x0B;
constexpr int kOemUnLockProvisionCmd = INS_BEGIN_KM_CMD + 0x0C;
106 |
107 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/json/assertions.h:
--------------------------------------------------------------------------------
1 | // Copyright 2007-2010 Baptiste Lepilleur
2 | // Distributed under MIT license, or public domain if desired and
3 | // recognized in your jurisdiction.
4 | // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
5 |
6 | #ifndef CPPTL_JSON_ASSERTIONS_H_INCLUDED
7 | #define CPPTL_JSON_ASSERTIONS_H_INCLUDED
8 |
9 | #include
10 | #include
11 |
12 | #if !defined(JSON_IS_AMALGAMATION)
13 | #include "config.h"
14 | #endif // if !defined(JSON_IS_AMALGAMATION)
15 |
16 | /** It should not be possible for a maliciously designed file to
17 | * cause an abort() or seg-fault, so these macros are used only
18 | * for pre-condition violations and internal logic errors.
19 | */
20 | #if JSON_USE_EXCEPTION
21 |
22 | // @todo <= add detail about condition in exception
23 | # define JSON_ASSERT(condition) \
24 | {if (!(condition)) {Json::throwLogicError( "assert json failed" );}}
25 |
26 | # define JSON_FAIL_MESSAGE(message) \
27 | { \
28 | std::ostringstream oss; oss << message; \
29 | Json::throwLogicError(oss.str()); \
30 | abort(); \
31 | }
32 |
33 | #else // JSON_USE_EXCEPTION
34 |
35 | # define JSON_ASSERT(condition) assert(condition)
36 |
37 | // The call to assert() will show the failure message in debug builds. In
38 | // release builds we abort, for a core-dump or debugger.
39 | # define JSON_FAIL_MESSAGE(message) \
40 | { \
41 | std::ostringstream oss; oss << message; \
42 | assert(false && oss.str().c_str()); \
43 | abort(); \
44 | }
45 |
46 |
47 | #endif
48 |
49 | #define JSON_ASSERT_MESSAGE(condition, message) \
50 | if (!(condition)) { \
51 | JSON_FAIL_MESSAGE(message); \
52 | }
53 |
54 | #endif // CPPTL_JSON_ASSERTIONS_H_INCLUDED
55 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/json/autolink.h:
--------------------------------------------------------------------------------
1 | // Copyright 2007-2010 Baptiste Lepilleur
2 | // Distributed under MIT license, or public domain if desired and
3 | // recognized in your jurisdiction.
4 | // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
5 |
6 | #ifndef JSON_AUTOLINK_H_INCLUDED
7 | #define JSON_AUTOLINK_H_INCLUDED
8 |
9 | #include "config.h"
10 |
11 | #ifdef JSON_IN_CPPTL
12 | #include
13 | #endif
14 |
15 | #if !defined(JSON_NO_AUTOLINK) && !defined(JSON_DLL_BUILD) && \
16 | !defined(JSON_IN_CPPTL)
17 | #define CPPTL_AUTOLINK_NAME "json"
18 | #undef CPPTL_AUTOLINK_DLL
19 | #ifdef JSON_DLL
20 | #define CPPTL_AUTOLINK_DLL
21 | #endif
22 | #include "autolink.h"
23 | #endif
24 |
25 | #endif // JSON_AUTOLINK_H_INCLUDED
26 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/json/config.h:
--------------------------------------------------------------------------------
1 | // Copyright 2007-2010 Baptiste Lepilleur
2 | // Distributed under MIT license, or public domain if desired and
3 | // recognized in your jurisdiction.
4 | // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
5 |
6 | #ifndef JSON_CONFIG_H_INCLUDED
7 | #define JSON_CONFIG_H_INCLUDED
8 |
9 | /// If defined, indicates that json library is embedded in CppTL library.
10 | //# define JSON_IN_CPPTL 1
11 |
12 | /// If defined, indicates that json may leverage CppTL library
13 | //# define JSON_USE_CPPTL 1
14 | /// If defined, indicates that cpptl vector based map should be used instead of
15 | /// std::map
16 | /// as Value container.
17 | //# define JSON_USE_CPPTL_SMALLMAP 1
18 |
19 | // If non-zero, the library uses exceptions to report bad input instead of C
20 | // assertion macros. The default is to use exceptions.
21 | #ifndef JSON_USE_EXCEPTION
22 | #define JSON_USE_EXCEPTION 1
23 | #endif
24 |
25 | /// If defined, indicates that the source file is amalgated
26 | /// to prevent private header inclusion.
27 | /// Remarks: it is automatically defined in the generated amalgated header.
28 | // #define JSON_IS_AMALGAMATION
29 |
30 | #ifdef JSON_IN_CPPTL
31 | #include
32 | #ifndef JSON_USE_CPPTL
33 | #define JSON_USE_CPPTL 1
34 | #endif
35 | #endif
36 |
37 | #ifdef JSON_IN_CPPTL
38 | #define JSON_API CPPTL_API
39 | #elif defined(JSON_DLL_BUILD)
40 | #if defined(_MSC_VER)
41 | #define JSON_API __declspec(dllexport)
42 | #define JSONCPP_DISABLE_DLL_INTERFACE_WARNING
43 | #endif // if defined(_MSC_VER)
44 | #elif defined(JSON_DLL)
45 | #if defined(_MSC_VER)
46 | #define JSON_API __declspec(dllimport)
47 | #define JSONCPP_DISABLE_DLL_INTERFACE_WARNING
48 | #endif // if defined(_MSC_VER)
49 | #endif // ifdef JSON_IN_CPPTL
50 | #if !defined(JSON_API)
51 | #define JSON_API
52 | #endif
53 |
54 | #if !defined(JSON_HAS_UNIQUE_PTR)
55 | #if __cplusplus >= 201103L
56 | #define JSON_HAS_UNIQUE_PTR (1)
57 | #elif _MSC_VER >= 1600
58 | #define JSON_HAS_UNIQUE_PTR (1)
59 | #else
60 | #define JSON_HAS_UNIQUE_PTR (0)
61 | #endif
62 | #endif
63 |
64 | // If JSON_NO_INT64 is defined, then Json only support C++ "int" type for
65 | // integer
66 | // Storages, and 64 bits integer support is disabled.
67 | // #define JSON_NO_INT64 1
68 |
69 | #if defined(_MSC_VER) && _MSC_VER <= 1200 // MSVC 6
70 | // Microsoft Visual Studio 6 only support conversion from __int64 to double
71 | // (no conversion from unsigned __int64).
72 | #define JSON_USE_INT64_DOUBLE_CONVERSION 1
73 | // Disable warning 4786 for VS6 caused by STL (identifier was truncated to '255'
74 | // characters in the debug information)
75 | // All projects I've ever seen with VS6 were using this globally (not bothering
76 | // with pragma push/pop).
77 | #pragma warning(disable : 4786)
78 | #endif // if defined(_MSC_VER) && _MSC_VER < 1200 // MSVC 6
79 |
80 | #if defined(_MSC_VER) && _MSC_VER >= 1500 // MSVC 2008
81 | /// Indicates that the following function is deprecated.
82 | #define JSONCPP_DEPRECATED(message) __declspec(deprecated(message))
83 | #elif defined(__clang__) && defined(__has_feature)
84 | #if __has_feature(attribute_deprecated_with_message)
85 | #define JSONCPP_DEPRECATED(message) __attribute__ ((deprecated(message)))
86 | #endif
87 | #elif defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5))
88 | #define JSONCPP_DEPRECATED(message) __attribute__ ((deprecated(message)))
89 | #elif defined(__GNUC__) && (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1))
90 | #define JSONCPP_DEPRECATED(message) __attribute__((__deprecated__))
91 | #endif
92 |
93 | #if !defined(JSONCPP_DEPRECATED)
94 | #define JSONCPP_DEPRECATED(message)
95 | #endif // if !defined(JSONCPP_DEPRECATED)
96 |
97 | namespace Json {
98 | typedef int Int;
99 | typedef unsigned int UInt;
100 | #if defined(JSON_NO_INT64)
101 | typedef int LargestInt;
102 | typedef unsigned int LargestUInt;
103 | #undef JSON_HAS_INT64
104 | #else // if defined(JSON_NO_INT64)
105 | // For Microsoft Visual use specific types as long long is not supported
106 | #if defined(_MSC_VER) // Microsoft Visual Studio
107 | typedef __int64 Int64;
108 | typedef unsigned __int64 UInt64;
109 | #else // if defined(_MSC_VER) // Other platforms, use long long
110 | typedef long long int Int64;
111 | typedef unsigned long long int UInt64;
112 | #endif // if defined(_MSC_VER)
113 | typedef Int64 LargestInt;
114 | typedef UInt64 LargestUInt;
115 | #define JSON_HAS_INT64
116 | #endif // if defined(JSON_NO_INT64)
117 | } // end namespace Json
118 |
119 | #endif // JSON_CONFIG_H_INCLUDED
120 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/json/features.h:
--------------------------------------------------------------------------------
1 | // Copyright 2007-2010 Baptiste Lepilleur
2 | // Distributed under MIT license, or public domain if desired and
3 | // recognized in your jurisdiction.
4 | // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
5 |
6 | #ifndef CPPTL_JSON_FEATURES_H_INCLUDED
7 | #define CPPTL_JSON_FEATURES_H_INCLUDED
8 |
9 | #if !defined(JSON_IS_AMALGAMATION)
10 | #include "forwards.h"
11 | #endif // if !defined(JSON_IS_AMALGAMATION)
12 |
13 | namespace Json {
14 |
15 | /** \brief Configuration passed to reader and writer.
16 | * This configuration object can be used to force the Reader or Writer
17 | * to behave in a standard conforming way.
18 | */
19 | class JSON_API Features {
20 | public:
21 | /** \brief A configuration that allows all features and assumes all strings
22 | * are UTF-8.
23 | * - C & C++ comments are allowed
24 | * - Root object can be any JSON value
25 | * - Assumes Value strings are encoded in UTF-8
26 | */
27 | static Features all();
28 |
29 | /** \brief A configuration that is strictly compatible with the JSON
30 | * specification.
31 | * - Comments are forbidden.
32 | * - Root object must be either an array or an object value.
33 | * - Assumes Value strings are encoded in UTF-8
34 | */
35 | static Features strictMode();
36 |
37 | /** \brief Initialize the configuration like JsonConfig::allFeatures;
38 | */
39 | Features();
40 |
41 | /// \c true if comments are allowed. Default: \c true.
42 | bool allowComments_;
43 |
44 | /// \c true if root must be either an array or an object value. Default: \c
45 | /// false.
46 | bool strictRoot_;
47 | };
48 |
49 | } // namespace Json
50 |
51 | #endif // CPPTL_JSON_FEATURES_H_INCLUDED
52 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/json/forwards.h:
--------------------------------------------------------------------------------
1 | // Copyright 2007-2010 Baptiste Lepilleur
2 | // Distributed under MIT license, or public domain if desired and
3 | // recognized in your jurisdiction.
4 | // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
5 |
6 | #ifndef JSON_FORWARDS_H_INCLUDED
7 | #define JSON_FORWARDS_H_INCLUDED
8 |
9 | #if !defined(JSON_IS_AMALGAMATION)
10 | #include "config.h"
11 | #endif // if !defined(JSON_IS_AMALGAMATION)
12 |
13 | namespace Json {
14 |
15 | // writer.h
16 | class FastWriter;
17 | class StyledWriter;
18 |
19 | // reader.h
20 | class Reader;
21 |
22 | // features.h
23 | class Features;
24 |
25 | // value.h
26 | typedef unsigned int ArrayIndex;
27 | class StaticString;
28 | class Path;
29 | class PathArgument;
30 | class Value;
31 | class ValueIteratorBase;
32 | class ValueIterator;
33 | class ValueConstIterator;
34 |
35 | } // namespace Json
36 |
37 | #endif // JSON_FORWARDS_H_INCLUDED
38 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/json/json.h:
--------------------------------------------------------------------------------
1 | // Copyright 2007-2010 Baptiste Lepilleur
2 | // Distributed under MIT license, or public domain if desired and
3 | // recognized in your jurisdiction.
4 | // See file LICENSE for detail or copy at http://jsoncpp.sourceforge.net/LICENSE
5 |
6 | #ifndef JSON_JSON_H_INCLUDED
7 | #define JSON_JSON_H_INCLUDED
8 |
9 | #include "autolink.h"
10 | #include "value.h"
11 | #include "reader.h"
12 | #include "writer.h"
13 | #include "features.h"
14 |
15 | #endif // JSON_JSON_H_INCLUDED
16 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/json/version.h:
--------------------------------------------------------------------------------
1 | // DO NOT EDIT. This file (and "version") is generated by CMake.
2 | // Run CMake configure step to update it.
3 | #ifndef JSON_VERSION_H_INCLUDED
4 | # define JSON_VERSION_H_INCLUDED
5 |
6 | # define JSONCPP_VERSION_STRING "0.10.7"
7 | # define JSONCPP_VERSION_MAJOR 0
8 | # define JSONCPP_VERSION_MINOR 10
9 | # define JSONCPP_VERSION_PATCH 7
10 | # define JSONCPP_VERSION_QUALIFIER
11 | # define JSONCPP_VERSION_HEXA ((JSONCPP_VERSION_MAJOR << 24) | (JSONCPP_VERSION_MINOR << 16) | (JSONCPP_VERSION_PATCH << 8))
12 |
13 | #endif // JSON_VERSION_H_INCLUDED
14 |
--------------------------------------------------------------------------------
/ProvisioningTool/include/socket.h:
--------------------------------------------------------------------------------
1 | /*
2 | **
3 | ** Copyright 2021, The Android Open Source Project
4 | **
5 | ** Licensed under the Apache License, Version 2.0 (the "License");
6 | ** you may not use this file except in compliance with the License.
7 | ** You may obtain a copy of the License at
8 | **
9 | ** http://www.apache.org/licenses/LICENSE-2.0
10 | **
11 | ** Unless required by applicable law or agreed to in writing, software
12 | ** distributed under the License is distributed on an "AS IS" BASIS,
13 | ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | ** See the License for the specific language governing permissions and
15 | ** limitations under the License.
16 | */
17 | #pragma once
18 |
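/**
 * Singleton TCP transport used to exchange byte buffers with the peer.
 *
 * NOTE(review): the template arguments in this listing were lost in
 * extraction. std::shared_ptr<SocketTransport> follows from the
 * `new SocketTransport()` initialiser; std::vector<uint8_t> is inferred from
 * the uint8_t receive buffer in socket.cpp -- confirm against the repository.
 */
class SocketTransport
{
public:
    /**
     * Returns the single shared instance, created on first use.
     * The constructor is private, so this is the only way to obtain one.
     */
    static inline std::shared_ptr<SocketTransport> getInstance() {
        static std::shared_ptr<SocketTransport> socket =
            std::shared_ptr<SocketTransport>(new SocketTransport());
        return socket;
    }

    ~SocketTransport();
    /**
     * Creates a socket and connects it. The method takes no arguments; the
     * address and port are not chosen by the caller.
     * Returns true on success, false otherwise.
     */
    bool openConnection();
    /**
     * Sends inData over the socket and appends the bytes received back to
     * output. Returns false when the exchange failed.
     */
    bool sendData(const std::vector<uint8_t> &inData, std::vector<uint8_t> &output);
    /**
     * Closes the connection.
     */
    bool closeConnection();
    /**
     * Returns the state of the connection status. Returns true if the connection is active,
     * false if connection is broken.
     */
    bool isConnected();

private:
    // -1 marks "no descriptor"; socketStatus starts out as not connected.
    SocketTransport() : mSocket(-1), socketStatus(false) {}
    /**
     * Socket descriptor.
     */
    int mSocket;
    /**
     * Connection state reported by isConnected().
     */
    bool socketStatus;
};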
--------------------------------------------------------------------------------
/ProvisioningTool/include/utils.h:
--------------------------------------------------------------------------------
1 | /*
2 | **
3 | ** Copyright 2021, The Android Open Source Project
4 | **
5 | ** Licensed under the Apache License, Version 2.0 (the "License");
6 | ** you may not use this file except in compliance with the License.
7 | ** You may obtain a copy of the License at
8 | **
9 | ** http://www.apache.org/licenses/LICENSE-2.0
10 | **
11 | ** Unless required by applicable law or agreed to in writing, software
12 | ** distributed under the License is distributed on an "AS IS" BASIS,
13 | ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | ** See the License for the specific language governing permissions and
15 | ** limitations under the License.
16 | */
17 | #pragma once
18 | #include
19 | #include
20 | #include
21 | #include
22 | #include
23 |
24 | std::string getHexString(std::vector& input);
25 |
26 | std::string hex2str(std::string a);
27 |
28 | int readJsonFile(Json::Value& root, std::string& inputFileName);
29 |
30 | int writeJsonFile(Json::Value& writerRoot, std::string& outputFileName);
--------------------------------------------------------------------------------
/ProvisioningTool/lib/README.md:
--------------------------------------------------------------------------------
1 | # Instructions to build jsoncpp
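2 | Download the source from the open-source link below. The prebuilt libraries in this directory are jsoncpp 0.10.7 (see libjsoncpp.so.0.10.7), so build the matching release when replacing them: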
3 | https://github.com/open-source-parsers/jsoncpp/tree/0.y.z
4 |
5 | #### Unzip it
6 |
7 | unzip jsoncpp-0.y.z.zip
8 | cd jsoncpp-0.y.z
9 |
10 |
11 | #### Build
12 |
13 | $ mkdir -p build/debug
14 | $ cd build/debug
15 | $ cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_STATIC_LIBS=ON -DBUILD_SHARED_LIBS=ON -DARCHIVE_INSTALL_DIR=. -G "Unix Makefiles" ../..
16 | $ make
17 |
18 |
19 | #### Check the generated static and dynamic link library
20 |
21 | $ find . -name *.a
22 | ./src/lib_json/libjsoncpp.a
23 | $ find . -name *.so
24 | ./src/lib_json/libjsoncpp.so
25 |
26 |
--------------------------------------------------------------------------------
/ProvisioningTool/lib/libjsoncpp.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/lib/libjsoncpp.a
--------------------------------------------------------------------------------
/ProvisioningTool/lib/libjsoncpp.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/lib/libjsoncpp.so
--------------------------------------------------------------------------------
/ProvisioningTool/lib/libjsoncpp.so.0:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/lib/libjsoncpp.so.0
--------------------------------------------------------------------------------
/ProvisioningTool/lib/libjsoncpp.so.0.10.7:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/lib/libjsoncpp.so.0.10.7
--------------------------------------------------------------------------------
/ProvisioningTool/sample_json_cf.txt:
--------------------------------------------------------------------------------
1 | {
2 | "attest_ids": {
3 | "brand": "generic",
4 | "device": "vsoc_x86_64",
5 | "product": "aosp_cf_x86_64_phone",
6 | "serial": "",
7 | "imei": "000000000000000",
8 | "meid": "000000000000000",
9 | "manufacturer": "Google",
10 | "model": "Cuttlefish x86_64 phone"
11 | },
12 | "shared_secret": "0000000000000000000000000000000000000000000000000000000000000000",
13 | "set_boot_params": {
14 | "boot_patch_level": 0,
15 | "verified_boot_key": "268CCCE87338C993759F96124A232710E4ECFF38A83E96DC74765CB2DA89A787",
16 | "verified_boot_key_hash": "0000000000000000000000000000000000000000000000000000000000000000",
17 | "boot_state": 0,
18 | "device_locked": 1
19 | },
20 | "attest_key": "test_resources/batch_key.der",
21 | "attest_cert_chain": [
22 | "test_resources/batch_cert.der",
23 | "test_resources/intermediate_cert.der",
24 | "test_resources/ca_cert.der"
25 | ],
26 | "oem_root_key": "test_resources/oem_root_key.der"
27 | }
28 |
--------------------------------------------------------------------------------
/ProvisioningTool/sample_json_gf.txt:
--------------------------------------------------------------------------------
1 | {
2 | "attest_ids": {
3 | "brand": "Android",
4 | "device": "generic_x86_64",
5 | "product": "aosp_x86_64",
6 | "serial": "",
7 | "imei": "000000000000000",
8 | "meid": "000000000000000",
9 | "manufacturer": "unknown",
10 | "model": "AOSP on x86_64"
11 | },
12 | "shared_secret": "0000000000000000000000000000000000000000000000000000000000000000",
13 | "set_boot_params": {
14 | "boot_patch_level": 0,
15 | "verified_boot_key": "268CCCE87338C993759F96124A232710E4ECFF38A83E96DC74765CB2DA89A787",
16 | "verified_boot_key_hash": "0000000000000000000000000000000000000000000000000000000000000000",
17 | "boot_state": 0,
18 | "device_locked": 1
19 | },
20 | "attest_key": "test_resources/batch_key.der",
21 | "attest_cert_chain": [
22 | "test_resources/batch_cert.der",
23 | "test_resources/intermediate_cert.der",
24 | "test_resources/ca_cert.der"
25 | ],
26 | "oem_root_key": "test_resources/oem_root_key.der"
27 | }
28 |
--------------------------------------------------------------------------------
/ProvisioningTool/src/socket.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | **
3 | ** Copyright 2021, The Android Open Source Project
4 | **
5 | ** Licensed under the Apache License, Version 2.0 (the "License");
6 | ** you may not use this file except in compliance with the License.
7 | ** You may obtain a copy of the License at
8 | **
9 | ** http://www.apache.org/licenses/LICENSE-2.0
10 | **
11 | ** Unless required by applicable law or agreed to in writing, software
12 | ** distributed under the License is distributed on an "AS IS" BASIS,
13 | ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | ** See the License for the specific language governing permissions and
15 | ** limitations under the License.
16 | */
17 | #include
18 | #include
19 | #include
20 | #include
21 | #include
22 | #include
23 | #include
24 | #include
25 | #include "socket.h"
26 |
27 | #define PORT 8080
28 | #define IPADDR "127.0.0.1"
29 | //#define IPADDR "192.168.0.5"
30 | #define MAX_RECV_BUFFER_SIZE 2500
31 |
32 | using namespace std;
33 |
/** Closes the connection on destruction and reports it on stdout. */
SocketTransport::~SocketTransport() {
    const bool closed = closeConnection();
    if (closed) {
        std::cout << "Socket is closed";
    }
}
38 |
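/**
 * Creates a TCP socket and connects it to IPADDR:PORT.
 *
 * On every failure path the descriptor is closed and mSocket is reset to -1,
 * so a later close() cannot hit a descriptor number that has since been
 * reused for something else.
 *
 * @return true when connected (socketStatus is set), false otherwise.
 */
bool SocketTransport::openConnection() {
    // Value-initialised so sin_zero and padding are zero, not stack contents.
    struct sockaddr_in serv_addr = {};

    // NOTE(review): a descriptor already held in mSocket (for example after
    // sendData saw ECONNRESET) is overwritten here without being closed.
    mSocket = socket(AF_INET, SOCK_STREAM, 0);
    if (mSocket < 0) {
        perror("Socket ");
        return false;
    }

    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(PORT);

    // Convert the IPv4 address from text to binary form (AF_INET only).
    if (inet_pton(AF_INET, IPADDR, &serv_addr.sin_addr) <= 0) {
        std::cout << "Invalid address/ Address not supported.";
        // The original returned here with the new descriptor still open.
        close(mSocket);
        mSocket = -1;
        return false;
    }

    if (connect(mSocket, (struct sockaddr*)&serv_addr, sizeof(serv_addr)) < 0) {
        // Report before close() so errno is still the one set by connect().
        perror("Socket ");
        close(mSocket);
        mSocket = -1;
        return false;
    }
    socketStatus = true;
    return true;
}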
63 |
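/**
 * Sends inData to the peer and appends the bytes returned by a single read()
 * to output.
 *
 * If the socket is not connected, up to four reconnect attempts are made, one
 * second apart. A send that fails with ECONNRESET is retried once after
 * reconnecting.
 *
 * NOTE(review): the vector element type is restored as uint8_t from the
 * receive buffer below; the listing lost the template arguments.
 *
 * @param inData bytes to send.
 * @param output receives the response bytes (appended, not cleared).
 * @return true when the send succeeded and read() did not fail; false when
 *         the connection could not be opened, the send failed, or read()
 *         returned an error.
 */
bool SocketTransport::sendData(const std::vector<uint8_t>& inData, std::vector<uint8_t>& output) {
    // Guards the single ECONNRESET retry. Kept at function scope so it can be
    // cleared on every exit; the original left it at 1 after a successful
    // retry, which disabled the retry for the rest of the process.
    static int connectionResetCnt = 0;
    uint8_t buffer[MAX_RECV_BUFFER_SIZE];
    int count = 1;
    while (!socketStatus && count++ < 5) {
        sleep(1);
        std::cout << "Trying to open socket connection... count: " << count;
        openConnection();
    }

    // Decide on the connection state, not on the counter: the counter also
    // reaches 5 when the fourth attempt succeeds, which the original reported
    // as a failure.
    if (!socketStatus) {
        std::cout << "Failed to open socket connection";
        connectionResetCnt = 0;
        return false;
    }

    // NOTE(review): send() may accept fewer bytes than requested; a short
    // write is not retried here.
    if (0 > send(mSocket, inData.data(), inData.size(), 0)) {
        if (ECONNRESET == errno && connectionResetCnt == 0) {
            // Connection reset. Try open socket and then sendData.
            socketStatus = false;
            connectionResetCnt++;
            return sendData(inData, output);
        }
        std::cout << "Failed to send data over socket err: " << errno;
        connectionResetCnt = 0;
        return false;
    }
    connectionResetCnt = 0;

    ssize_t valRead = read(mSocket, buffer, MAX_RECV_BUFFER_SIZE);
    if (0 > valRead) {
        std::cout << "Failed to read data from socket.";
        // The original fell through and returned true with output untouched,
        // so a failed exchange looked like a successful empty response.
        return false;
    }
    // valRead == 0 means the peer closed the connection; output is left as it
    // was, so callers still have to validate the response length and status.
    // NOTE(review): one read() is taken as the whole response; a response
    // split across TCP segments or longer than the buffer is truncated.
    output.insert(output.end(), buffer, buffer + valRead);
    return true;
}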
100 |
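// Closes the socket if one is open and marks the transport as disconnected.
// Always returns true.
bool SocketTransport::closeConnection() {
    // Close a descriptor only once. The destructor calls this function too,
    // and closing the same number twice can close an unrelated descriptor
    // that the process opened in between.
    if (mSocket >= 0) {
        close(mSocket);
        mSocket = -1;
    }
    socketStatus = false;
    return true;
}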
106 |
// Reports the connection flag maintained by openConnection(), sendData() and
// closeConnection(). It is not a live probe of the socket.
bool SocketTransport::isConnected() {
    const bool connected = socketStatus;
    return connected;
}
110 |
111 |
--------------------------------------------------------------------------------
/ProvisioningTool/src/utils.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | **
3 | ** Copyright 2021, The Android Open Source Project
4 | **
5 | ** Licensed under the Apache License, Version 2.0 (the "License");
6 | ** you may not use this file except in compliance with the License.
7 | ** You may obtain a copy of the License at
8 | **
9 | ** http://www.apache.org/licenses/LICENSE-2.0
10 | **
11 | ** Unless required by applicable law or agreed to in writing, software
12 | ** distributed under the License is distributed on an "AS IS" BASIS,
13 | ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | ** See the License for the specific language governing permissions and
15 | ** limitations under the License.
16 | */
17 | #include
18 | #include
19 | #include
20 | #include
21 |
22 |
// Lookup table from a character code (0..255) to the value of that character
// as a hexadecimal digit. Every character that is not a hex digit maps to 0,
// so a lookup cannot tell an invalid character from '0'.
constexpr char hex_value[256] = {
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0x00..0x0F
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0x10..0x1F
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0x20..0x2F
    0, 1,  2,  3,  4,  5,  6,  7, 8, 9, 0, 0, 0, 0, 0, 0,  // 0x30..0x3F: '0'..'9'
    0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0x40..0x4F: 'A'..'F'
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0x50..0x5F
    0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0x60..0x6F: 'a'..'f'
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0x70..0x7F
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0x80..0x8F
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0x90..0x9F
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0xA0..0xAF
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0xB0..0xBF
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0xC0..0xCF
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0xD0..0xDF
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  // 0xE0..0xEF
    0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0}; // 0xF0..0xFF
39 |
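// Returns the bytes of input as a lowercase hex string, two characters per
// byte and without separators. An empty input gives an empty string.
//
// NOTE(review): the vector element type is missing in the listing; uint8_t is
// assumed here. Confirm against the declaration in the header.
std::string getHexString(std::vector<uint8_t>& input) {
    std::ostringstream out;
    // hex and the fill character persist on the stream; only the width has to
    // be set again for every value.
    out << std::hex << std::setfill('0');
    for (const auto byte : input) {
        out << std::setw(2) << static_cast<int>(byte & 0xFF);
    }
    return out.str();
}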
47 |
48 |
// Decodes a hex string into raw bytes, two input characters per output byte.
//
// NOTE(review): the input is not validated. A character that is not a hex
// digit decodes as 0 (see hex_value), and the last character of an odd-length
// input is dropped. Callers that pass key or certificate material should check
// the string before calling, because malformed input yields different bytes
// rather than an error.
std::string hex2str(std::string a) {
    const size_t byteCount = a.size() / 2;
    std::string decoded(byteCount, '\0');
    for (size_t pos = 0; pos < byteCount; ++pos) {
        const char high = hex_value[a[2 * pos] & 0xFF];
        const char low = hex_value[a[2 * pos + 1] & 0xFF];
        decoded[pos] = (high << 4) + low;
    }
    return decoded;
}
58 |
59 |
// Parses the JSON file named by inputFileName into root.
// Returns 0 on success and 1 when parsing fails. If root already holds data
// the file is not read at all and 0 is returned, whatever inputFileName is.
int readJsonFile(Json::Value& root, std::string& inputFileName) {
    // A non-empty root is taken to mean the file was parsed by an earlier call.
    if (!root.empty()) {
        return 0;
    }

    Json::CharReaderBuilder builder;
    std::string errorMessage;
    std::ifstream stream(inputFileName);
    const bool parsed = Json::parseFromStream(builder, stream, &root, &errorMessage);
    if (!parsed) {
        printf("\n Failed to parse json file error:%s\n", errorMessage.c_str());
        return 1;
    }
    printf("\n Parsed json file successfully.\n");
    return 0;
}
78 |
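// Writes writerRoot as styled JSON to outputFileName, replacing an existing
// file. Returns SUCCESS when the data was written and FAILURE when the file
// could not be opened or the write did not complete.
//
// NOTE(review): the file is created with the process default permissions. If
// writerRoot can carry key material, confirm that the caller restricts access
// to the output location.
int writeJsonFile(Json::Value& writerRoot, std::string& outputFileName) {
    // Delete file if already exists.
    std::remove(outputFileName.c_str());

    std::ofstream ofs;
    ofs.open(outputFileName, std::ofstream::out | std::ios_base::app);
    if (ofs.fail()) {
        printf("\n Fail to open the output file:%s", outputFileName.c_str());
        return FAILURE;
    }

    Json::StyledWriter styledWriter;
    ofs << styledWriter.write(writerRoot);

    // close() flushes the buffer. A failed write or flush (disk full, I/O
    // error) leaves the stream in a failed state, which must not be reported
    // as success.
    ofs.close();
    if (ofs.fail()) {
        printf("\n Failed to write the output file:%s", outputFileName.c_str());
        return FAILURE;
    }
    return SUCCESS;
}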
--------------------------------------------------------------------------------
/ProvisioningTool/test_resources/batch_cert.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/test_resources/batch_cert.der
--------------------------------------------------------------------------------
/ProvisioningTool/test_resources/batch_key.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/test_resources/batch_key.der
--------------------------------------------------------------------------------
/ProvisioningTool/test_resources/ca_cert.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/test_resources/ca_cert.der
--------------------------------------------------------------------------------
/ProvisioningTool/test_resources/ca_key.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/test_resources/ca_key.der
--------------------------------------------------------------------------------
/ProvisioningTool/test_resources/intermediate_cert.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/test_resources/intermediate_cert.der
--------------------------------------------------------------------------------
/ProvisioningTool/test_resources/intermediate_key.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/test_resources/intermediate_key.der
--------------------------------------------------------------------------------
/ProvisioningTool/test_resources/oem_root_key.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/ProvisioningTool/test_resources/oem_root_key.der
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # JavaCardKeymaster
2 | JavaCard implementation of the [Android Keymaster 4.1 HAL](https://android.googlesource.com/platform/hardware/interfaces/+/master/keymaster/4.1/IKeymasterDevice.hal) (most of the specification is in the [Android Keymaster 4.0 HAL](https://android.googlesource.com/platform/hardware/interfaces/+/master/keymaster/4.0/IKeymasterDevice.hal)), intended for creation of StrongBox Keymaster instances to support the [Android Hardware-backed Keystore](https://source.android.com/security/keystore).
3 |
4 | Here is the [JavaCard Applet design doc](https://docs.google.com/document/d/1bTAmhDqCNq1HYzChNDv8kLJEi64cwTIZ2PfdMMz3o8U/edit#heading=h.gjdgxs) and the [HAL design doc](https://docs.google.com/document/d/1-1MLJ781wAPJ2YxCdCtHMepld8F8KVAxpPtCw9J3b3o/edit#heading=h.gjdgxs) (the content will move here when it stabilizes; for now these are limited-access links).
5 |
--------------------------------------------------------------------------------
/TestingTools/JCProxy/.project:
--------------------------------------------------------------------------------
1 |
2 |
3 | JCProxy
4 |
5 |
6 |
7 |
8 |
9 | org.eclipse.jdt.core.javabuilder
10 |
11 |
12 |
13 |
14 |
15 | org.eclipse.jdt.core.javanature
16 |
17 |
18 |
--------------------------------------------------------------------------------
/TestingTools/JCProxy/lib/apduio-RELEASE71.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/TestingTools/JCProxy/lib/apduio-RELEASE71.jar
--------------------------------------------------------------------------------
/TestingTools/JCProxy/lib/jcardsim-3.0.5-SNAPSHOT.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/divegeek/JavaCardKeymaster/8ee369f1f7a77d548930023e64ba36a3d79e5ae5/TestingTools/JCProxy/lib/jcardsim-3.0.5-SNAPSHOT.jar
--------------------------------------------------------------------------------
/TestingTools/JCProxy/src/com/android/javacard/jcproxy/JCProxyMain.java:
--------------------------------------------------------------------------------
1 | package com.android.javacard.jcproxy;
2 |
3 | import java.io.*;
4 | import java.net.*;
5 | import java.util.ArrayList;
6 | import java.util.Arrays;
7 | import java.util.Date;
8 |
9 | import com.sun.javacard.apduio.CadTransportException;
10 |
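/**
 * TCP front end for the JavaCard Keymaster simulator. It accepts one client at
 * a time, passes the bytes it receives to the simulator as command APDUs and
 * writes back the response data followed by the two status-word bytes.
 *
 * <p>The listening socket is created with {@code new ServerSocket(port)}, so
 * it is bound on all local interfaces, and nothing in this class authenticates
 * the client. Run it only on a trusted test host or network.
 *
 * @author www.codejava.net
 */
public class JCProxyMain {

  /** Largest number of bytes requested from the client in one read() call. */
  private static final int READ_CHUNK_SIZE = 1024 * 5;

  /** Capacity of the buffer in which the bytes of one APDU are accumulated. */
  private static final int INPUT_BUFFER_SIZE = 65536;

  /**
   * Starts the simulator and serves clients until accepting a connection fails.
   *
   * @param args args[0] is the TCP port to listen on
   */
  public static void main(String[] args) {
    if (args.length < 1) {
      System.out.println("Port no is expected as argument.");
      return;
    }

    int port;
    try {
      port = Integer.parseInt(args[0]);
    } catch (NumberFormatException e) {
      // A non-numeric argument is a usage error, not a reason for a stack trace.
      System.out.println("Port no is expected as argument.");
      return;
    }
    Simulator simulator = new JCardSimulator();

    try (ServerSocket serverSocket = new ServerSocket(port)) {
      simulator.initaliseSimulator();
      if (!simulator.setupKeymasterOnSimulator()) {
        System.out.println("Failed to setup Java card keymaster simulator.");
        System.exit(-1);
      }

      while (true) {
        try {
          Socket socket = serverSocket.accept();
          System.out.println("\n\n\n\n\n");
          System.out.println("------------------------New client connected on "
              + socket.getPort() + "--------------------");
          OutputStream output = null;
          InputStream isReader = null;
          try {
            socket.setReceiveBufferSize(READ_CHUNK_SIZE);
            output = socket.getOutputStream();
            isReader = socket.getInputStream();
            System.out.println("Socket input buffer size: "
                + socket.getReceiveBufferSize());
            relayApdus(simulator, isReader, output);
          } catch (Exception e) {
            // A failure while serving one client ends that session only.
            e.printStackTrace();
          } finally {
            if (output != null)
              output.close();
            if (isReader != null)
              isReader.close();
            socket.close();
          }
        } catch (Exception e) {
          // accept() or closing the client socket failed. Say why before
          // leaving the loop instead of stopping silently.
          e.printStackTrace();
          break;
        }
        System.out.println("Client disconnected.");
      }
      simulator.disconnectSimulator();
    } catch (IOException ex) {
      System.out.println("Server exception: " + ex.getMessage());
      ex.printStackTrace();
    } catch (CadTransportException e1) {
      e1.printStackTrace();
    } catch (Exception e1) {
      e1.printStackTrace();
    }
  }

  /**
   * Reads command bytes from one client until the stream ends, executes each
   * APDU on the simulator and writes response data plus status word back.
   *
   * <p>When the simulator rejects the buffered bytes with an
   * IllegalArgumentException (presumably because the APDU is not complete
   * yet), the bytes are kept and the next read is appended to them.
   */
  private static void relayApdus(Simulator simulator, InputStream in,
      OutputStream out) throws Exception {
    byte[] inBytes = new byte[INPUT_BUFFER_SIZE];
    int index = 0;
    int readLen;
    // Never ask for more bytes than the buffer can still hold.
    while ((readLen = in.read(inBytes, index,
        Math.min(READ_CHUNK_SIZE, inBytes.length - index))) > 0) {
      int received = index + readLen;
      System.out.println("Bytes read from index (" + index
          + ") socket: " + readLen + " Estimate read: "
          + in.available());
      try {
        byte[] outBytes = simulator.executeApdu(
            Arrays.copyOfRange(inBytes, 0, received));
        byte[] outData = simulator.decodeDataOut();
        System.out.println(
            "Return Data " + Utils.byteArrayToHexString(outData));
        byte[] finalOutData = new byte[outData.length + outBytes.length];
        System.arraycopy(outData, 0, finalOutData, 0, outData.length);
        System.arraycopy(outBytes, 0, finalOutData, outData.length,
            outBytes.length);
        out.write(finalOutData);
        out.flush();
        index = 0;
      } catch (IllegalArgumentException e) {
        e.printStackTrace();
        // Keep everything received so far. Setting index to readLen alone
        // would overwrite earlier chunks once an APDU spans three reads.
        index = received;
        if (index == inBytes.length) {
          // Buffer is full and still not accepted: drop it and start over.
          System.out.println("Discarding " + index
              + " buffered bytes: no valid APDU.");
          index = 0;
        }
      }
    }
  }
}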
108 |
--------------------------------------------------------------------------------
/TestingTools/JCProxy/src/com/android/javacard/jcproxy/JCardSimulator.java:
--------------------------------------------------------------------------------
1 | package com.android.javacard.jcproxy;
2 |
3 | import javax.smartcardio.CommandAPDU;
4 | import javax.smartcardio.ResponseAPDU;
5 |
6 | import com.android.javacard.keymaster.KMJCardSimApplet;
7 | import com.licel.jcardsim.smartcardio.CardSimulator;
8 | import com.licel.jcardsim.utils.AIDUtil;
9 |
10 | import javacard.framework.AID;
11 |
/**
 * {@link Simulator} implementation that runs the Keymaster applet inside a
 * jCardSim {@code CardSimulator}.
 */
public class JCardSimulator implements Simulator {

  /** AID under which the applet is installed, selected and later deleted. */
  private static final String APPLET_AID_HEX = "A000000062";

  private CardSimulator simulator;
  // Response of the most recent executeApdu() call; null until the first call.
  ResponseAPDU response;

  public JCardSimulator() {
    simulator = new CardSimulator();
  }

  /** Nothing to do: the simulator object is created in the constructor. */
  @Override
  public void initaliseSimulator() throws Exception {
  }

  /** Deletes (uninstalls) the applet from the simulator. */
  @Override
  public void disconnectSimulator() throws Exception {
    AID appletAid = AIDUtil.create(APPLET_AID_HEX);
    simulator.deleteApplet(appletAid);
  }

  /** Installs and selects the Keymaster applet; always returns true. */
  @Override
  public boolean setupKeymasterOnSimulator() throws Exception {
    AID appletAid = AIDUtil.create(APPLET_AID_HEX);
    simulator.installApplet(appletAid, KMJCardSimApplet.class);
    simulator.selectApplet(appletAid);
    return true;
  }

  /** Returns the low 16 bits of value as two bytes, high byte first. */
  private final byte[] toTwoBytes(int value) {
    byte high = (byte) (value >>> 8);
    byte low = (byte) value;
    return new byte[] { high, low };
  }

  /**
   * Transmits one command APDU and returns the status word as two bytes. The
   * response is kept so that decodeDataOut() can return its data field.
   *
   * <p>NOTE(review): the full command APDU is printed to stdout. If commands
   * carry key material, it ends up in the console log.
   */
  @Override
  public byte[] executeApdu(byte[] apdu) throws Exception {
    System.out.println("Executing APDU = " + Utils.byteArrayToHexString(apdu));
    CommandAPDU command = new CommandAPDU(apdu);
    response = simulator.transmitCommand(command);
    String statusHex = Utils.byteArrayToHexString(toTwoBytes(response.getSW()));
    System.out.println("Status = "
        + statusHex);
    return toTwoBytes(response.getSW());
  }

  /** Returns the data field of the response to the last executed APDU. */
  @Override
  public byte[] decodeDataOut() {
    return response.getData();
  }

}
62 |
--------------------------------------------------------------------------------
/TestingTools/JCProxy/src/com/android/javacard/jcproxy/Simulator.java:
--------------------------------------------------------------------------------
1 | package com.android.javacard.jcproxy;
2 |
/** Operations the proxy uses to drive a card simulator back end. */
public interface Simulator {
  /**
   * The bytes 0x90 0x00. Interface fields are shared constants, but the array
   * contents stay writable, so callers must not modify it.
   */
  byte[] STATUS_OK = Utils.hexStringToByteArray("9000");

  /** Prepares the simulator before the applet is set up. */
  void initaliseSimulator() throws Exception;

  /** Releases the simulator when the proxy shuts down. */
  void disconnectSimulator() throws Exception;

  /** Sets up the Keymaster applet; the proxy exits when this returns false. */
  boolean setupKeymasterOnSimulator() throws Exception;

  /** Executes one command APDU and returns the status bytes of the response. */
  byte[] executeApdu(byte[] apdu) throws Exception;

  /** Returns the response data of the most recently executed APDU. */
  byte[] decodeDataOut();
}
16 |
--------------------------------------------------------------------------------
/TestingTools/JCProxy/src/com/android/javacard/jcproxy/Utils.java:
--------------------------------------------------------------------------------
1 | package com.android.javacard.jcproxy;
2 |
3 | public class Utils {
4 |
5 | public static byte[] hexStringToByteArray(String s) {
6 | int len = s.length();
7 | if (len % 2 != 0)
8 | throw new IllegalArgumentException("Expecting each byte of 2 char.");
9 | byte[] data = new byte[len / 2];
10 | for (int i = 0; i < len; i += 2) {
11 | data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
12 | + Character.digit(s.charAt(i + 1), 16));
13 | }
14 | return data;
15 | }
16 |
17 | private static final char[] HEX_ARRAY = "0123456789ABCDEF".toCharArray();
18 |
19 | public static String byteArrayToHexString(byte[] bytes) {
20 | char[] hexChars = new char[bytes.length * 2];
21 | for (int j = 0; j < bytes.length; j++) {
22 | int v = bytes[j] & 0xFF;
23 | hexChars[j * 2] = HEX_ARRAY[v >>> 4];
24 | hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
25 | }
26 | return new String(hexChars);
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/TestingTools/README.md:
--------------------------------------------------------------------------------
1 | # TestingTools
2 | [JCProxy](JCProxy) is a testing tool that provides a way to communicate with
3 | JCardSimulator from an Android emulator or device.
4 | It opens a server socket on the port given in the program arguments
5 | and listens for incoming data on that port. The tool uses the apduio and jcardsim jars
6 | to validate and transmit the APDUs to the Keymaster Applet.
7 |
8 | ### Build
9 | Import JCProxy server application either in Eclipse or IntelliJ. Add the provided jars inside
10 | [lib](JCProxy/lib) directory to the project and also add [Keymaster Applet](../Applet) as
11 | dependent project. Add port number (Ex: 8080) as program arguments.
12 |
--------------------------------------------------------------------------------
/aosp_integration_patches/device_google_cuttlefish.patch:
--------------------------------------------------------------------------------
1 | diff --git a/shared/device.mk b/shared/device.mk
2 | index c9221ec36..eeae0a965 100644
3 | --- a/shared/device.mk
4 | +++ b/shared/device.mk
5 | @@ -621,6 +621,9 @@ endif
6 | PRODUCT_PACKAGES += \
7 | $(LOCAL_KEYMINT_PRODUCT_PACKAGE)
8 |
9 | +PRODUCT_PACKAGES += \
10 | + android.hardware.keymaster@4.1-strongbox.service \
11 | +
12 | # Keymint configuration
13 | ifneq ($(LOCAL_PREFER_VENDOR_APEX),true)
14 | PRODUCT_COPY_FILES += \
15 | diff --git a/shared/sepolicy/vendor/file_contexts b/shared/sepolicy/vendor/file_contexts
16 | index 6c471b8b8..5baf83c4c 100644
17 | --- a/shared/sepolicy/vendor/file_contexts
18 | +++ b/shared/sepolicy/vendor/file_contexts
19 | @@ -94,6 +94,7 @@
20 | /vendor/bin/hw/android\.hardware\.identity-service\.remote u:object_r:hal_identity_remote_exec:s0
21 | /vendor/bin/hw/android\.hardware\.security\.keymint-service\.remote u:object_r:hal_keymint_remote_exec:s0
22 | /vendor/bin/hw/android\.hardware\.keymaster@4\.1-service.remote u:object_r:hal_keymaster_remote_exec:s0
23 | +/vendor/bin/hw/android\.hardware\.keymaster@4\.1-strongbox\.service u:object_r:hal_keymaster_strongbox_exec:s0
24 | /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service.remote u:object_r:hal_gatekeeper_remote_exec:s0
25 | /vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service.cuttlefish u:object_r:hal_confirmationui_cuttlefish_exec:s0
26 | /vendor/bin/hw/android\.hardware\.oemlock-service.example u:object_r:hal_oemlock_default_exec:s0
27 | diff --git a/shared/sepolicy/vendor/hal_keymaster_strongbox.te b/shared/sepolicy/vendor/hal_keymaster_strongbox.te
28 | new file mode 100644
29 | index 000000000..40cb82c3f
30 | --- /dev/null
31 | +++ b/shared/sepolicy/vendor/hal_keymaster_strongbox.te
32 | @@ -0,0 +1,14 @@
33 | +type hal_keymaster_strongbox, domain;
34 | +hal_server_domain(hal_keymaster_strongbox, hal_keymaster)
35 | +
36 | +type hal_keymaster_strongbox_exec, exec_type, vendor_file_type, file_type;
37 | +init_daemon_domain(hal_keymaster_strongbox)
38 | +
39 | +vndbinder_use(hal_keymaster_strongbox)
40 | +get_prop(hal_keymaster_strongbox, vendor_security_patch_level_prop);
41 | +
42 | +# Allow access to sockets
43 | +allow hal_keymaster_strongbox self:tcp_socket { connect create write read getattr getopt setopt };
44 | +allow hal_keymaster_strongbox port_type:tcp_socket name_connect;
45 | +allow hal_keymaster_strongbox port:tcp_socket { name_connect };
46 | +allow hal_keymaster_strongbox vendor_data_file:file { open read getattr };
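Review bot: The rule `allow hal_keymaster_strongbox port_type:tcp_socket name_connect;` lets this domain connect to every labelled TCP port, which is much wider than a HAL talking to a single endpoint needs. It also makes the next rule, `allow hal_keymaster_strongbox port:tcp_socket { name_connect };`, redundant, presumably because `port` is already covered by the `port_type` attribute. I would drop the `port_type` rule and keep only `allow hal_keymaster_strongbox port:tcp_socket name_connect;`, or label the endpoint's port and allow just that type. `vendor_data_file:file { open read getattr }` is similarly broad, and a dedicated file type for the data this HAL reads would narrow it. The same file is added again in aosp_integration_patches_aosp_12_r15/device_google_cuttlefish.patch.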
47 |
--------------------------------------------------------------------------------
/aosp_integration_patches/hardware_interfaces_keymaster.patch:
--------------------------------------------------------------------------------
1 | diff --git a/keymaster/4.0/vts/functional/Android.bp b/keymaster/4.0/vts/functional/Android.bp
2 | index a7be660c4..dd91e9089 100644
3 | --- a/keymaster/4.0/vts/functional/Android.bp
4 | +++ b/keymaster/4.0/vts/functional/Android.bp
5 | @@ -31,9 +31,11 @@ cc_test {
6 | "VerificationTokenTest.cpp",
7 | "keymaster_hidl_hal_test.cpp",
8 | ],
9 | + shared_libs: [
10 | + "libcrypto",
11 | + ],
12 | static_libs: [
13 | "android.hardware.keymaster@4.0",
14 | - "libcrypto_static",
15 | "libkeymaster4support",
16 | "libkeymaster4vtstest",
17 | ],
18 | diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
19 | index 476eed8b1..823683d75 100644
20 | --- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
21 | +++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
22 | @@ -1079,9 +1079,12 @@ TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
23 | * presented.
24 | */
25 | TEST_P(SigningOperationsTest, NoUserConfirmation) {
26 | - if (SecLevel() == SecurityLevel::STRONGBOX) return;
27 | + size_t key_size = 1024;
28 | + if (SecLevel() == SecurityLevel::STRONGBOX){
29 | + key_size = 2048;
30 | + }
31 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
32 | - .RsaSigningKey(1024, 65537)
33 | + .RsaSigningKey(key_size, 65537)
34 | .Digest(Digest::NONE)
35 | .Padding(PaddingMode::NONE)
36 | .Authorization(TAG_NO_AUTH_REQUIRED)
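Review bot: The new `key_size` selection carries no comment saying why StrongBox gets 2048 while every other security level keeps 1024, so a later reader cannot tell which value is the deliberate one. I would add `// StrongBox is only required to support 2048-bit RSA keys.` above it (wording to be confirmed against the HAL specification) and write the choice as `const size_t key_size = SecLevel() == SecurityLevel::STRONGBOX ? 2048 : 1024;`. The test body continues past the end of this hunk. The identical hunk appears in aosp_integration_patches_aosp_12_r15/hardware_interfaces_keymaster.patch.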
37 |
--------------------------------------------------------------------------------
/aosp_integration_patches/omapi_patches/packages_apps_secureElement.patch:
--------------------------------------------------------------------------------
1 | diff --git a/Android.bp b/Android.bp
2 | index f86ad26..afea5c6 100644
3 | --- a/Android.bp
4 | +++ b/Android.bp
5 | @@ -42,6 +42,9 @@ android_app {
6 | "src/**/*.java",
7 | ":statslog-secure-element-java-gen",
8 | ],
9 | + vintf_fragments: [
10 | + "secure_element-service.xml",
11 | + ],
12 | platform_apis: true,
13 | certificate: "platform",
14 | static_libs: ["android.hardware.secure_element-V1.0-java",
15 | diff --git a/res/values/config.xml b/res/values/config.xml
16 | index 5811b10..da6e50e 100644
17 | --- a/res/values/config.xml
18 | +++ b/res/values/config.xml
19 | @@ -6,5 +6,5 @@
20 |
21 |
23 | - false
24 | + true
25 |
26 |
--------------------------------------------------------------------------------
/aosp_integration_patches/system_sepolicy.patch:
--------------------------------------------------------------------------------
1 | diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
2 | index cd1591009..56f3ad1c4 100644
3 | --- a/public/hal_neverallows.te
4 | +++ b/public/hal_neverallows.te
5 | @@ -2,6 +2,7 @@
6 | # network capabilities
7 | neverallow {
8 | halserverdomain
9 | + -hal_keymaster_server
10 | -hal_bluetooth_server
11 | -hal_can_controller_server
12 | -hal_wifi_server
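Review bot: Adding `-hal_keymaster_server` exempts every domain that carries this attribute from the HAL network neverallow, not only the StrongBox service that needs a socket. The same line is added in the two following hunks, one of them under the comment that warns about CTS failure. The existing `-hal_automotive_socket_exemption` entry shows a narrower pattern: a dedicated attribute (for example `hal_keymaster_strongbox_socket_exemption`, a name made up here) attached only to the socket-based StrongBox domain. If the exemption exists only for the socket transport used with the simulator, a comment such as `# StrongBox HAL reaches the applet over TCP (simulator transport)` would make that scope explicit. aosp_integration_patches_aosp_12_r15/system_sepolicy.patch repeats these additions under both public/ and prebuilts/api/31.0/public/.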
13 | @@ -21,6 +22,7 @@ neverallow {
14 | # will result in CTS failure.
15 | neverallow {
16 | halserverdomain
17 | + -hal_keymaster_server
18 | -hal_automotive_socket_exemption
19 | -hal_can_controller_server
20 | -hal_tetheroffload_server
21 | @@ -35,6 +37,7 @@ neverallow {
22 |
23 | neverallow {
24 | halserverdomain
25 | + -hal_keymaster_server
26 | -hal_automotive_socket_exemption
27 | -hal_can_controller_server
28 | -hal_tetheroffload_server
29 |
--------------------------------------------------------------------------------
/aosp_integration_patches_aosp_12_r15/device_google_cuttlefish.patch:
--------------------------------------------------------------------------------
1 | diff --git a/shared/device.mk b/shared/device.mk
2 | index 8647d0175..6fc99ff94 100644
3 | --- a/shared/device.mk
4 | +++ b/shared/device.mk
5 | @@ -538,6 +538,10 @@ endif
6 | PRODUCT_PACKAGES += \
7 | $(LOCAL_KEYMINT_PRODUCT_PACKAGE)
8 |
9 | +PRODUCT_PACKAGES += \
10 | + android.hardware.keymaster@4.1-strongbox.service \
11 | +
12 | +
13 | # Keymint configuration
14 | PRODUCT_COPY_FILES += \
15 | frameworks/native/data/etc/android.software.device_id_attestation.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.software.device_id_attestation.xml
16 | diff --git a/shared/sepolicy/vendor/file_contexts b/shared/sepolicy/vendor/file_contexts
17 | index 20538a50f..553232889 100644
18 | --- a/shared/sepolicy/vendor/file_contexts
19 | +++ b/shared/sepolicy/vendor/file_contexts
20 | @@ -88,6 +88,7 @@
21 | /vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.mock u:object_r:hal_thermal_default_exec:s0
22 | /vendor/bin/hw/android\.hardware\.security\.keymint-service\.remote u:object_r:hal_keymint_remote_exec:s0
23 | /vendor/bin/hw/android\.hardware\.keymaster@4\.1-service.remote u:object_r:hal_keymaster_remote_exec:s0
24 | +/vendor/bin/hw/android\.hardware\.keymaster@4\.1-strongbox\.service u:object_r:hal_keymaster_strongbox_exec:s0
25 | /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service.remote u:object_r:hal_gatekeeper_remote_exec:s0
26 | /vendor/bin/hw/android\.hardware\.oemlock-service.example u:object_r:hal_oemlock_default_exec:s0
27 | /vendor/bin/hw/android\.hardware\.weaver-service.example u:object_r:hal_weaver_default_exec:s0
28 | diff --git a/shared/sepolicy/vendor/hal_keymaster_strongbox.te b/shared/sepolicy/vendor/hal_keymaster_strongbox.te
29 | new file mode 100644
30 | index 000000000..1412e07fd
31 | --- /dev/null
32 | +++ b/shared/sepolicy/vendor/hal_keymaster_strongbox.te
33 | @@ -0,0 +1,15 @@
34 | +type hal_keymaster_strongbox, domain;
35 | +hal_server_domain(hal_keymaster_strongbox, hal_keymaster)
36 | +
37 | +type hal_keymaster_strongbox_exec, exec_type, vendor_file_type, file_type;
38 | +init_daemon_domain(hal_keymaster_strongbox)
39 | +
40 | +vndbinder_use(hal_keymaster_strongbox)
41 | +get_prop(hal_keymaster_strongbox, vendor_security_patch_level_prop);
42 | +
43 | +# Allow access to sockets
44 | +allow hal_keymaster_strongbox self:tcp_socket { connect create write read getattr getopt setopt };
45 | +allow hal_keymaster_strongbox port_type:tcp_socket name_connect;
46 | +allow hal_keymaster_strongbox port:tcp_socket { name_connect };
47 | +allow hal_keymaster_strongbox vendor_data_file:file { open read getattr };
48 | +
49 | diff --git a/shared/sepolicy/vendor/service_contexts b/shared/sepolicy/vendor/service_contexts
50 | index d20d026cf..214576e3e 100644
51 | --- a/shared/sepolicy/vendor/service_contexts
52 | +++ b/shared/sepolicy/vendor/service_contexts
53 | @@ -4,6 +4,7 @@ android.hardware.neuralnetworks.IDevice/nnapi-sample_float_slow u:object_r:hal_n
54 | android.hardware.neuralnetworks.IDevice/nnapi-sample_minimal u:object_r:hal_neuralnetworks_service:s0
55 | android.hardware.neuralnetworks.IDevice/nnapi-sample_quant u:object_r:hal_neuralnetworks_service:s0
56 | android.hardware.neuralnetworks.IDevice/nnapi-sample_sl_shim u:object_r:hal_neuralnetworks_service:s0
57 | +android.hardware.keymaster@4.1::IKeymasterDevice/strongbox u:object_r:hal_keymaster_service:s0
58 |
59 | # Binder service mappings
60 | gce u:object_r:gce_service:s0
61 |
--------------------------------------------------------------------------------
/aosp_integration_patches_aosp_12_r15/hardware_interfaces_keymaster.patch:
--------------------------------------------------------------------------------
1 | diff --git a/keymaster/4.0/vts/functional/Android.bp b/keymaster/4.0/vts/functional/Android.bp
2 | index a7be660c4..dd91e9089 100644
3 | --- a/keymaster/4.0/vts/functional/Android.bp
4 | +++ b/keymaster/4.0/vts/functional/Android.bp
5 | @@ -31,9 +31,11 @@ cc_test {
6 | "VerificationTokenTest.cpp",
7 | "keymaster_hidl_hal_test.cpp",
8 | ],
9 | + shared_libs: [
10 | + "libcrypto",
11 | + ],
12 | static_libs: [
13 | "android.hardware.keymaster@4.0",
14 | - "libcrypto_static",
15 | "libkeymaster4support",
16 | "libkeymaster4vtstest",
17 | ],
18 | diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
19 | index 476eed8b1..823683d75 100644
20 | --- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
21 | +++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
22 | @@ -1079,9 +1079,12 @@ TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
23 | * presented.
24 | */
25 | TEST_P(SigningOperationsTest, NoUserConfirmation) {
26 | - if (SecLevel() == SecurityLevel::STRONGBOX) return;
27 | + size_t key_size = 1024;
28 | + if (SecLevel() == SecurityLevel::STRONGBOX){
29 | + key_size = 2048;
30 | + }
31 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
32 | - .RsaSigningKey(1024, 65537)
33 | + .RsaSigningKey(key_size, 65537)
34 | .Digest(Digest::NONE)
35 | .Padding(PaddingMode::NONE)
36 | .Authorization(TAG_NO_AUTH_REQUIRED)
37 |
--------------------------------------------------------------------------------
/aosp_integration_patches_aosp_12_r15/system_security_keystore2.patch:
--------------------------------------------------------------------------------
1 | diff --git a/keystore2/src/km_compat/km_compat.cpp b/keystore2/src/km_compat/km_compat.cpp
2 | index 64849c1..40ca554 100644
3 | --- a/keystore2/src/km_compat/km_compat.cpp
4 | +++ b/keystore2/src/km_compat/km_compat.cpp
5 | @@ -1314,7 +1314,7 @@ KeymasterDevices initializeKeymasters() {
6 | CHECK(serviceManager.get()) << "Failed to get ServiceManager";
7 | auto result = enumerateKeymasterDevices(serviceManager.get());
8 | auto softKeymaster = result[SecurityLevel::SOFTWARE];
9 | - if (!result[SecurityLevel::TRUSTED_ENVIRONMENT]) {
10 | + if ((!result[SecurityLevel::TRUSTED_ENVIRONMENT]) && (!result[SecurityLevel::STRONGBOX])) {
11 | result = enumerateKeymasterDevices(serviceManager.get());
12 | }
13 | if (softKeymaster) result[SecurityLevel::SOFTWARE] = softKeymaster;
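Review bot: With `&&`, the second `enumerateKeymasterDevices()` call is skipped as soon as a StrongBox instance is found, so a missing TRUSTED_ENVIRONMENT entry alone no longer triggers the retry as it did before this change. If the intent is to support setups that have StrongBox but no TEE keymaster, a comment should say so, e.g. `// Retry only when no hardware-backed keymaster was found at all.` initializeKeymasters() continues beyond the hunk, so whether later code copes with a missing TRUSTED_ENVIRONMENT entry is not visible here.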
14 |
--------------------------------------------------------------------------------
/aosp_integration_patches_aosp_12_r15/system_sepolicy.patch:
--------------------------------------------------------------------------------
1 | diff --git a/prebuilts/api/31.0/public/hal_neverallows.te b/prebuilts/api/31.0/public/hal_neverallows.te
2 | index 105689b8a..d7dc6baaf 100644
3 | --- a/prebuilts/api/31.0/public/hal_neverallows.te
4 | +++ b/prebuilts/api/31.0/public/hal_neverallows.te
5 | @@ -2,6 +2,7 @@
6 | # network capabilities
7 | neverallow {
8 | halserverdomain
9 | + -hal_keymaster_server
10 | -hal_bluetooth_server
11 | -hal_can_controller_server
12 | -hal_wifi_server
13 | @@ -19,6 +20,7 @@ neverallow {
14 | # will result in CTS failure.
15 | neverallow {
16 | halserverdomain
17 | + -hal_keymaster_server
18 | -hal_automotive_socket_exemption
19 | -hal_can_controller_server
20 | -hal_tetheroffload_server
21 | diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
22 | index 105689b8a..d7dc6baaf 100644
23 | --- a/public/hal_neverallows.te
24 | +++ b/public/hal_neverallows.te
25 | @@ -2,6 +2,7 @@
26 | # network capabilities
27 | neverallow {
28 | halserverdomain
29 | + -hal_keymaster_server
30 | -hal_bluetooth_server
31 | -hal_can_controller_server
32 | -hal_wifi_server
33 | @@ -19,6 +20,7 @@ neverallow {
34 | # will result in CTS failure.
35 | neverallow {
36 | halserverdomain
37 | + -hal_keymaster_server
38 | -hal_automotive_socket_exemption
39 | -hal_can_controller_server
40 | -hal_tetheroffload_server
41 |
--------------------------------------------------------------------------------