History log of /system/security/keystore-engine/Android.mk
Revision Date Author Comments
ecb258e775f3bab5783dfd49c9aa87f607f7c5b1 10-Apr-2017 Jiyong Park <jiyong@google.com> fix: wifi doesn't work on the generic system image

libkeystore-wifi-hidl and libkeystore-engine-wifi-hidl are required by
/vendor/bin/hw/wpa_supplicant. They are installed to /system partition.
This does not cause any problem as long as both /system and /vendor
partitions are built for the same target product, as we do for most of
our products.

However, it becomes a problem when we build only the /system partition
for the generic AOSP system.img. In that case, the libs are not
installed to the partition since we don't build vendor image for the
target and thus wpa_supplicant (and its dependencies as well) aren't
on the list of modules to be built/installed.

Moving them to vendor partition by adding LOCAL_VENDOR_MODULE := true
solves the problem.

Bug: 37126829
Test: basic functionalities of wifi work on marlin/sailfish with
system.img built from aosp_arm64_ab.

Change-Id: I783756a5848786b15c1f227f06a1ee2e291d3ce9
/system/security/keystore-engine/Android.mk
bf7fc8df768203bb2812fd1e28b8dab23560e381 11-Mar-2017 Paul Stewart <pstew@google.com> Add a HIDL-based keystore_get variant

Create a "keystore_get" library that uses the HIDL path instead
of using binder directly.

Bug: 34603782
Test: Able to connect to wifi passpoint networks.
Change-Id: I0f545ea104e3f27bebd262bc5a2e79f6b517c972
/system/security/keystore-engine/Android.mk
657356c169c03498a789fd640cce3b3ffacf0c58 09-Mar-2017 Paul Stewart <pstew@google.com> Add HIDL backend to keystore service

This CL adds variants of the public key retrieval and signing
routine which use the WiFi Keystore HIDL for the backend.
The Android.mk has been modified to build a second variant of
the library to expose this HIDL backend. While here, add
guards to all headers.

Bug: 34603782
Test: Able to connect to wifi passpoint networks.
Change-Id: I444ef383e4d3fdabc10c3e44c1bae9747613c8cf
/system/security/keystore-engine/Android.mk
ac0ffbf62c8f87f1b42f660979b4213d429e51cc 04-Mar-2017 Paul Stewart <pstew@google.com> Separate the binder backend from android_engine

Create a pure virtual class "KeystoreBackend" which supplies the
crypto methods used by android_engine. Create a KeystoreBackendBinder
class which implements the binder backend as a no-op change that
will allow future backends to be added.

Bug: 34603782
Test: Compiles
Change-Id: I16620aba569bd53290145b2b30242c4888106d0a
/system/security/keystore-engine/Android.mk
c7a9fa29c185a8c1889486d4acf00fd59c513870 13-Oct-2016 Janis Danisevskis <jdanis@google.com> Port to binderized keymaster HAL

This patch ports keystore to the HIDL based binderized keymaster HAL.
Keystore has no more dependencies on legacy keymaster headers, and
therefore data structures, constant declarations, or enums. All
keymaster related data structures and enums used by keystore are the
ones defined by the HIDL based keymaster HAL definition. In the process
of porting, keystore underwent some changes:

* Keystore got a new implementation of AuthorizationSet that is fully
based on the new HIDL data structures. Key parameters are now either
organised as AuthorizationSets or hidl_vec<KeyParameter>. (Formerly,
this was a mixture of keymaster's AuthorizationSet,
std::vec<keymaster_key_param_t>, and keymaster_key_param_set_t.) The
former is used for memory management and provides algorithms for
assembling, joining, and subtracting sets of parameters. The latter
is used as wire format for the HAL IPC; it can wrap the memory owned
by an AuthorizationSet for this purpose. The AuthorizationSet is
accompanied by a new implementation of type safe functions for
creating and accessing tagged key parameters,
Authorizations (keystore/keymaster_tags.h).
* A new type (KSSReturnCode) was introduced that wraps keystore service
response codes. Keystore has two sets of error codes. ErrorCode
errors are less than 0 and use 0 as success value. ResponseCode
errors are greater than zero and use 1 as success value. This patch
changes ResponseCode to be an enum class so that it is no longer
assignable to int without a cast. The new return type can only be
initialized by ResponseCode or ErrorCode and when accessed as int32_t,
which happens on serialization when the response is sent to a client,
the success values are coalesced onto 1 as expected by the
clients. KSSReturnCode is also comparable to ResponseCode and
ErrorCode, and the predicate isOk() returns true if it was initialized
with either ErrorCode::OK (0) or ResponseCode::NO_ERROR (1).
* A bug was fixed, that caused the keystore verify function to return
success, regardless of the input, internal errors, or lack of
permissions.
* The marshalling code in IKeystoreService.cpp was rewritten. For data
structures that are known to keymaster, the client facing side of
keystore uses HIDL based data structures as (target) source
for (un)marshaling to avoid further conversion. hidl_vecs are used to
wrap parcel memory without copying and taking ownership where
possible.
* Explicit use of malloc is reduced (malloc was required by the C nature
of the old HAL). The new implementations avoid explicit use of
malloc/new and waive the use of pointers for return values. Instead,
functions return by value objects that take ownership of secondary
memory allocations where required.

Test: runtest --path=cts/tests/tests/keystore/src/android/keystore/cts

Bug: 32020919
Change-Id: I59d3a0f4a6bdf6bb3bbf791ad8827c463effa286
/system/security/keystore-engine/Android.mk
ddf4742f09688deacb8b369511c313eb35eda8b9 16-Sep-2016 Kenny Root <kroot@google.com> Remove OpenSSL support

Only BoringSSL is supported anymore. The OpenSSL code is not tested.

Test: make -j32
Bug: 31464605
Change-Id: I6394bcf71f9e0b17bd8cbb50f6868df03aa00780
/system/security/keystore-engine/Android.mk
de7d73463f32a5f11061d24cce58e35a85973fb3 11-Mar-2015 Kenny Root <kroot@google.com> keystore-engine: Restore module path

The module relative path was accidentally erased when BoringSSL
compatibility was added. This restores the path so that WiFi with
keystore-backed credentials works again (among other things).

Bug: 19680487
Change-Id: Iee7c13d7b60d93f1520886e90ec23875bd52ab9a
/system/security/keystore-engine/Android.mk
72b2bfb9422611009bccda0785d9f6b1ae69e2c9 23-Jan-2015 Adam Langley <agl@google.com> Remove superfluous OpenSSL include paths.

The libcrypto and libssl modules (and their respective static and host
versions) use LOCAL_EXPORT_C_INCLUDE_DIRS thus just including the module
is sufficient.

Change-Id: I53fed0932b9f15b273880810cf38a03ecf6dc274
/system/security/keystore-engine/Android.mk
1fb05838c437314355b098a2dfe520a661f82105 24-Sep-2014 Adam Langley <agl@google.com> Add ENGINE for BoringSSL.

This change adds a new ENGINE implementation for BoringSSL. It's a no-op
until external/openssl is switched to BoringSSL.

BoringSSL's ENGINEs are very different from OpenSSL's (and very much
smaller). Thus this change adds replacement code that is conditionally
compiled when BoringSSL is used.

Rather than building a .so that is put in a special directory and loaded
by OpenSSL dynamically, the code becomes a normal library that exports a
single function: EVP_PKEY_from_keystore. All the |ENGINE_load| etc
functions that callers previously needed become moot with BoringSSL.

Bug: 17409664
Change-Id: I8b5ba255f86ec5d0f28994358dc0f0b516f0af40
/system/security/keystore-engine/Android.mk
3d2f4fd026fc918af3f4ef0efd35079410d28b16 25-Jan-2014 Colin Cross <ccross@android.com> system/security: convert LOCAL_MODULE_PATH to LOCAL_MODULE_RELATIVE_PATH

LOCAL_MODULE_PATH doesn't work for multiarch builds, replace it
with LOCAL_MODULE_RELATIVE_PATH.

Change-Id: I4e4ceec61d026bbe74ba604554c06104bde42e5e
/system/security/keystore-engine/Android.mk
77acaa0d42a616d40951651d0cbc2f97411f807d 07-Sep-2013 Kenny Root <kroot@google.com> Revert to old-style API for EC_KEY handling

Nothing is using the EVP_PKEY correctly, so we should revert to the EC_KEY
and ECDSA interfaces. Unfortunately, the SSL client certificate library
uses EC_KEY directly, so just having the EVP_PKEY interface doesn't
work.

Remove the EVP_PKEY interface entirely because it just adds complexity
since the EC_KEY path will do the same thing.

(cherry picked from commit 47041552bd545846a1b7787823af4b5ca9e36dea)

Bug: 10655329
Change-Id: Ibf8c36780fe93284b88e91b7860baf1b951b4266
/system/security/keystore-engine/Android.mk
6071179a371fcd4c238375068ffd7d3cedea615d 16-Aug-2013 Kenny Root <kroot@google.com> Add support for DSA and ECDSA key types

Change-Id: Ibee8d172eeb36f1a2e2ce62f275aea55ada5bcbf
/system/security/keystore-engine/Android.mk
9d422a535cb4170acf46ec9fcb26cd3f428a2dc7 27-Jun-2013 Kenny Root <kroot@google.com> Revert "Revert "Split up main engine from methods""

Added missing Android.mk change in this commit.

This reverts commit 1fcabcd3279635e66ceffc42443c5bf0dae69d44.

Change-Id: I71e7fbc8f80a35b4666af985cffb4e7a2eb5634f
/system/security/keystore-engine/Android.mk
6a9cafc30a90b3dfd188212a105ef57c32ed7541 16-Nov-2012 Kenny Root <kroot@google.com> Add Android.mk as a dependency as well

Change-Id: I19e91eb766fcc55e9a610421a67a7c8706fdaa46
/system/security/keystore-engine/Android.mk
07438c8d7256d3788dac323b4d0055f201e0bec9 02-Nov-2012 Kenny Root <kroot@google.com> Switch keystore to binder

Change-Id: I6dacdc43bcc1a56e47655e37e825ee6a205eb56b
/system/security/keystore-engine/Android.mk
98c2f8fcc1263a9d94adac66994fffc96c0df699 28-Mar-2012 Colin Cross <ccross@android.com> use UniquePtr.h from frameworks/native

Use the UniquePtr.h include from frameworks/native/include/utils
to fix the pdk build.

Change-Id: Ic415b43d2eb8c0b7ef54b6f3f75b7fa0d5f7a058
/system/security/keystore-engine/Android.mk
70e3a86abd2c412d602a018967c01c177eb6cf4e 16-Feb-2012 Kenny Root <kroot@google.com> Add keymaster to keystore with soft implementation

Add hardware crypto capabilities to keystore. This allows hardware
escrow of private key material.

There is also an OpenSSL engine that connects to keystore to allow use
of the keystore keys from native code built into the platform.

This includes a software implementation of keymaster using OpenSSL
as the backend. This is just as insecure as the previous solution,
but it's needed so devices without hardware support can continue
to operate in the new scheme without a lot of compatibility code.

Change-Id: I2bc67766e1f633ef1cbbd2874a65962074e84f4f
/system/security/keystore-engine/Android.mk