From 0c610f5f6935977142a7dbb9dbca4b9b1bc83c55 Mon Sep 17 00:00:00 2001
From: Janis Danisevskis
Date: Mon, 20 Dec 2021 13:16:23 -0800
Subject: [PATCH] Keystore 2.0: Add CREATION_DATETIME only for Keymint V1 and higher.

Adding CREATION_DATETIME unconditionally should be accepted by all keymaster implementations. Alas, VTS tests never covered this before Keymint V1 and so there are implementations that fail when the caller presents the tag.
Test: CtsKeystoreTestCases for regression testing.
Bug: 210792876
Bug: 204578637
Change-Id: I3cf7e8def7a369839844ef1b3628f477d8fe6b53
---
 keystore2/src/security_level.rs | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 1b2e3485..0f4c0f7d 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -405,23 +405,26 @@ impl KeystoreSecurityLevel {
 );
 }
- result.push(KeyParameter {
- tag: Tag::CREATION_DATETIME,
- value: KeyParameterValue::DateTime(
- SystemTime::now()
- .duration_since(SystemTime::UNIX_EPOCH)
- .context(
- "In KeystoreSecurityLevel::add_required_parameters: \ Failed to get epoch time.",
- )?
- .as_millis()
- .try_into()
- .context(
- "In KeystoreSecurityLevel::add_required_parameters: \ Failed to convert epoch time.",
- )?,
- ),
- });
+ // Add CREATION_DATETIME only if the backend version Keymint V1 (100) or newer.
+ if self.hw_info.versionNumber >= 100 {
+ result.push(KeyParameter {
+ tag: Tag::CREATION_DATETIME,
+ value: KeyParameterValue::DateTime(
+ SystemTime::now()
+ .duration_since(SystemTime::UNIX_EPOCH)
+ .context(
+ "In KeystoreSecurityLevel::add_required_parameters: \ Failed to get epoch time.",
+ )?
+ .as_millis()
+ .try_into()
+ .context(
+ "In KeystoreSecurityLevel::add_required_parameters: \ Failed to convert epoch time.",
+ )?,
+ ),
+ });
+ }
 // If there is an attestation challenge we need to get an application id.
 if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
-- 
2.35.3
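Review bot: The gate `if self.hw_info.versionNumber >= 100` uses a bare literal and the comment above it drops a verb; I would name the threshold (for example a module-level constant such as `KEYMINT_V1_VERSION`, value 100) and reword the comment to `// Add CREATION_DATETIME only if the backend is KeyMint V1 (100) or newer; some older Keymaster implementations reject the tag.` With this gate in place, keys created on pre-V1 backends get no CREATION_DATETIME from this function, so anything downstream that reads the tag (attestation parsing, audit or forensic tooling) has to treat it as optional, and that consequence is worth stating in the same comment. The commit message names only CtsKeystoreTestCases for regression, and no test exercising the legacy branch is visible here. `add_required_parameters` begins and ends outside this hunk.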