ab8aa1c0a604194dc1a0b7faf28fe8d5bf3e2aaf |
|
28-Nov-2017 |
Dmitry Dementyev <dementyev@google.com> |
Make libkeystore_aidl shared and export to PDK. Bug: 69539820 Test: manual Change-Id: I6b8e8543b89245062790443f1e8b759418f7c162
/system/security/keystore-engine/Android.mk
|
ecb258e775f3bab5783dfd49c9aa87f607f7c5b1 |
|
10-Apr-2017 |
Jiyong Park <jiyong@google.com> |
fix: wifi doesn't work on the generic system image libkeystore-wifi-hidl and libkeystore-engine-wifi-hidl are required by /vendor/bin/hw/wpa_supplicant. They are installed to /system partition. This does not cause any problem as long as both /system and /vendor partitions are built for the same target product, as we do for most of our products. However, it becomes a problem when we build only the /system partition for the generic AOSP system.img. In that case, the libs are not installed to the partition since we don't build vendor image for the target and thus wpa_supplicant (and its dependencies as well) aren't on the list of modules to be built/installed. Moving them to vendor partition by adding LOCAL_VENDOR_MODULE := true solves the problem. Bug: 37126829 Test: basic functionalities of wifi work on marlin/sailfish with system.img built from aosp_arm64_ab. Change-Id: I783756a5848786b15c1f227f06a1ee2e291d3ce9
/system/security/keystore-engine/Android.mk
|
bf7fc8df768203bb2812fd1e28b8dab23560e381 |
|
11-Mar-2017 |
Paul Stewart <pstew@google.com> |
Add a HIDL-based keystore_get variant Create a "keystore_get" library that uses the HIDL path instead of using binder directly. Bug: 34603782 Test: Able to connect to wifi passpoint networks. Change-Id: I0f545ea104e3f27bebd262bc5a2e79f6b517c972
/system/security/keystore-engine/Android.mk
|
657356c169c03498a789fd640cce3b3ffacf0c58 |
|
09-Mar-2017 |
Paul Stewart <pstew@google.com> |
Add HIDL backend to keystore service This CL adds variants of the public key retrieval and signing routine which use the WiFi Keystore HIDL for the backend. The Android.mk has been modified to build a second variant of the library to expose this HIDL backend. While here, add guards to all headers. Bug: 34603782 Test: Able to connect to wifi passpoint networks. Change-Id: I444ef383e4d3fdabc10c3e44c1bae9747613c8cf
/system/security/keystore-engine/Android.mk
|
ac0ffbf62c8f87f1b42f660979b4213d429e51cc |
|
04-Mar-2017 |
Paul Stewart <pstew@google.com> |
Separate the binder backend from android_engine Create a pure virtual class "KeystoreBackend" which supplies the crypto methods used by android_engine. Create a KeystoreBackendBinder class which implements the binder backend as a no-op change that will allow future backends to be added. Bug: 34603782 Test: Compiles Change-Id: I16620aba569bd53290145b2b30242c4888106d0a
/system/security/keystore-engine/Android.mk
|
c7a9fa29c185a8c1889486d4acf00fd59c513870 |
|
13-Oct-2016 |
Janis Danisevskis <jdanis@google.com> |
Port to binderized keymaster HAL
This patch ports keystore to the HIDL based binderized keymaster HAL. Keystore has no more dependencies on legacy keymaster headers, and therefore data structures, constant declarations, or enums. All keymaster related data structures and enums used by keystore are the ones defined by the HIDL based keymaster HAL definition. In the process of porting, keystore underwent some changes:
* Keystore got a new implementation of AuthorizationSet that is fully based on the new HIDL data structures. Key parameters are now either organised as AuthorizationSets or hidl_vec<KeyParameter>. (Formerly, this was a mixture of keymaster's AuthorizationSet, std::vec<keymaster_key_param_t>, and keymaster_key_param_set_t.) The former is used for memory management and provides algorithms for assembling, joining, and subtracting sets of parameters. The latter is used as wire format for the HAL IPC; it can wrap the memory owned by an AuthorizationSet for this purpose. The AuthorizationSet is accompanied by a new implementation of type safe functions for creating and accessing tagged key parameters, Authorizations (keystore/keymaster_tags.h).
* A new type (KSSReturnCode) was introduced that wraps keystore service response codes. Keystore has two sets of error codes. ErrorCode errors are less than 0 and use 0 as success value. ResponseCode errors are greater than zero and use 1 as success value. This patch changes ResponseCode to be an enum class so that it is no longer assignable to int without a cast. The new return type can only be initialized by ResponseCode or ErrorCode and when accessed as int32_t, which happens on serialization when the response is sent to a client, the success values are coalesced onto 1 as expected by the clients. KSSReturnCode is also comparable to ResponseCode and ErrorCode, and the predicate isOk() returns true if it was initialized with either ErrorCode::OK (0) or ResponseCode::NO_ERROR (1).
* A bug was fixed, that caused the keystore verify function to return success, regardless of the input, internal errors, or lack of permissions.
* The marshalling code in IKeystoreService.cpp was rewritten. For data structures that are known to keymaster, the client facing side of keystore uses HIDL based data structures as (target) source for (un)marshaling to avoid further conversion. hidl_vecs are used to wrap parcel memory without copying and taking ownership where possible.
* Explicit use of malloc is reduced (malloc was required by the C nature of the old HAL). The new implementations avoid explicit use of malloc/new and waive the use of pointers for return values. Instead, functions return by value objects that take ownership of secondary memory allocations where required.
Test: runtest --path=cts/tests/tests/keystore/src/android/keystore/cts
Bug: 32020919
Change-Id: I59d3a0f4a6bdf6bb3bbf791ad8827c463effa286
/system/security/keystore-engine/Android.mk
|
ddf4742f09688deacb8b369511c313eb35eda8b9 |
|
16-Sep-2016 |
Kenny Root <kroot@google.com> |
Remove OpenSSL support Only BoringSSL is supported anymore. The OpenSSL code is not tested. Test: make -j32 Bug: 31464605 Change-Id: I6394bcf71f9e0b17bd8cbb50f6868df03aa00780
/system/security/keystore-engine/Android.mk
|
de7d73463f32a5f11061d24cce58e35a85973fb3 |
|
11-Mar-2015 |
Kenny Root <kroot@google.com> |
keystore-engine: Restore module path The module relative path was accidentally erased when BoringSSL compatibility was added. This restores the path so that WiFi with keystore-backed credentials works again (among other things). Bug: 19680487 Change-Id: Iee7c13d7b60d93f1520886e90ec23875bd52ab9a
/system/security/keystore-engine/Android.mk
|
72b2bfb9422611009bccda0785d9f6b1ae69e2c9 |
|
23-Jan-2015 |
Adam Langley <agl@google.com> |
Remove superfluous OpenSSL include paths. The libcrypto and libssl modules (and their respective static and host versions) use LOCAL_EXPORT_C_INCLUDE_DIRS thus just including the module is sufficient. Change-Id: I53fed0932b9f15b273880810cf38a03ecf6dc274
/system/security/keystore-engine/Android.mk
|
1fb05838c437314355b098a2dfe520a661f82105 |
|
24-Sep-2014 |
Adam Langley <agl@google.com> |
Add ENGINE for BoringSSL. This change adds a new ENGINE implementation for BoringSSL. It's a no-op until external/openssl is switched to BoringSSL. BoringSSL's ENGINEs are very different from OpenSSL's (and very much smaller). Thus this change adds replacement code that is conditionally compiled when BoringSSL is used. Rather than building a .so that is put in a special directory and loaded by OpenSSL dynamically, the code becomes a normal library that exports a single function: EVP_PKEY_from_keystore. All the |ENGINE_load| etc functions that callers previously needed become moot with BoringSSL. Bug: 17409664 Change-Id: I8b5ba255f86ec5d0f28994358dc0f0b516f0af40
/system/security/keystore-engine/Android.mk
|
3d2f4fd026fc918af3f4ef0efd35079410d28b16 |
|
25-Jan-2014 |
Colin Cross <ccross@android.com> |
system/security: convert LOCAL_MODULE_PATH to LOCAL_MODULE_RELATIVE_PATH LOCAL_MODULE_PATH doesn't work for multiarch builds, replace it with LOCAL_MODULE_RELATIVE_PATH. Change-Id: I4e4ceec61d026bbe74ba604554c06104bde42e5e
/system/security/keystore-engine/Android.mk
|
77acaa0d42a616d40951651d0cbc2f97411f807d |
|
07-Sep-2013 |
Kenny Root <kroot@google.com> |
Revert to old-style API for EC_KEY handling Nothing is using the EVP_PKEY correctly, so we should revert to the EC_KEY and ECDSA interfaces. Unfortunately, the SSL client certificate library uses EC_KEY directly, so just having the EVP_PKEY interface doesn't work. Remove the EVP_PKEY interface entirely because it just adds complexity since the EC_KEY path will do the same thing. (cherry picked from commit 47041552bd545846a1b7787823af4b5ca9e36dea) Bug: 10655329 Change-Id: Ibf8c36780fe93284b88e91b7860baf1b951b4266
/system/security/keystore-engine/Android.mk
|
6071179a371fcd4c238375068ffd7d3cedea615d |
|
16-Aug-2013 |
Kenny Root <kroot@google.com> |
Add support for DSA and ECDSA key types Change-Id: Ibee8d172eeb36f1a2e2ce62f275aea55ada5bcbf
/system/security/keystore-engine/Android.mk
|
9d422a535cb4170acf46ec9fcb26cd3f428a2dc7 |
|
27-Jun-2013 |
Kenny Root <kroot@google.com> |
Revert "Revert "Split up main engine from methods"" Added missing Android.mk change in this commit. This reverts commit 1fcabcd3279635e66ceffc42443c5bf0dae69d44. Change-Id: I71e7fbc8f80a35b4666af985cffb4e7a2eb5634f
/system/security/keystore-engine/Android.mk
|
6a9cafc30a90b3dfd188212a105ef57c32ed7541 |
|
16-Nov-2012 |
Kenny Root <kroot@google.com> |
Add Android.mk as a dependency as well Change-Id: I19e91eb766fcc55e9a610421a67a7c8706fdaa46
/system/security/keystore-engine/Android.mk
|
07438c8d7256d3788dac323b4d0055f201e0bec9 |
|
02-Nov-2012 |
Kenny Root <kroot@google.com> |
Switch keystore to binder Change-Id: I6dacdc43bcc1a56e47655e37e825ee6a205eb56b
/system/security/keystore-engine/Android.mk
|
98c2f8fcc1263a9d94adac66994fffc96c0df699 |
|
28-Mar-2012 |
Colin Cross <ccross@android.com> |
use UniquePtr.h from frameworks/native Use the UniquePtr.h include from frameworks/native/include/utils to fix the pdk build. Change-Id: Ic415b43d2eb8c0b7ef54b6f3f75b7fa0d5f7a058
/system/security/keystore-engine/Android.mk
|
70e3a86abd2c412d602a018967c01c177eb6cf4e |
|
16-Feb-2012 |
Kenny Root <kroot@google.com> |
Add keymaster to keystore with soft implementation Add hardware crypto capabilities to keystore. This allows hardware escrow of private key material. There is also an OpenSSL engine that connects to keystore to allow use of the keystore keys from native code built into the platform. This includes a software implementation of keymaster using OpenSSL as the backend. This is just as insecure as the previous solution, but it's needed so devices without hardware support can continue to operate in the new scheme without a lot of compatibility code. Change-Id: I2bc67766e1f633ef1cbbd2874a65962074e84f4f
/system/security/keystore-engine/Android.mk
|