Merge pull request #6 from yenqileo/release/25.1.1-1

Release/25.1.1 1

Author: yenqileo

ServiceCore/src/main/java/com/intel/bkp/core/endianness/StructureField.java

@@ -100,6 +100,7 @@ public enum StructureField implements IStructureField {
     PSG_QEK_INFO_LENGTH,
     PSG_QEK_KEY_LENGTH,
     PSG_QEK_SHA_LENGTH,
+    PSG_QEK_KEY_VERSION,
     PSG_QEK_KEY_TYPE_MAGIC,
     PSG_QEK_MAX_KEY_USES,
     PSG_QEK_INTER_KEY_NUM,

ServiceCore/src/main/java/com/intel/bkp/core/endianness/maps/PsgQekEndiannessMapImpl.java

@@ -38,6 +38,7 @@
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_INFO_LENGTH;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_INTER_KEY_NUM;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_KEY_LENGTH;
+import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_KEY_VERSION;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_KEY_TYPE_MAGIC;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_MAGIC;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_MAX_KEY_USES;
@@ -59,6 +60,7 @@ protected void populateFirmwareMap() {
         put(PSG_QEK_INFO_LENGTH, CONVERT);
         put(PSG_QEK_KEY_LENGTH, CONVERT);
         put(PSG_QEK_SHA_LENGTH, CONVERT);
+        put(PSG_QEK_KEY_VERSION, CONVERT);
         put(PSG_QEK_KEY_TYPE_MAGIC, CONVERT);
         put(PSG_QEK_MAX_KEY_USES, CONVERT);
         put(PSG_QEK_INTER_KEY_NUM, CONVERT);

ServiceCore/src/main/java/com/intel/bkp/core/psgcertificate/PsgQekBuilderHSM.java

@@ -48,6 +48,7 @@
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_INTER_KEY_NUM;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_KEY_LENGTH;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_KEY_TYPE_MAGIC;
+import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_KEY_VERSION;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_MAGIC;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_MAX_KEY_USES;
 import static com.intel.bkp.core.endianness.StructureField.PSG_QEK_SHA_LENGTH;
@@ -73,7 +74,7 @@ public class PsgQekBuilderHSM extends StructureBuilder<PsgQekBuilderHSM, PsgQekH
     private byte[] infoLength = new byte[Integer.BYTES];
     private byte[] keyLength = new byte[Integer.BYTES];
     private byte[] shaLength = new byte[Integer.BYTES];
-    private final byte[] reserved = new byte[Integer.BYTES];
+    private byte[] version = new byte[Integer.BYTES];
     private byte[] keyTypeMagic = new byte[Integer.BYTES];
     private byte[] maxKeyUses = new byte[Integer.BYTES];
     private byte[] interKeyNum = new byte[Integer.BYTES];
@@ -103,7 +104,7 @@ public PsgQekHSM build() {
         entry.setInfoLength(convert(infoLength, PSG_QEK_INFO_LENGTH));
         entry.setKeyLength(convert(keyLength, PSG_QEK_KEY_LENGTH));
         entry.setShaLength(convert(shaLength, PSG_QEK_SHA_LENGTH));
-        entry.setReserved(reserved);
+        entry.setVersion(version);
         entry.setKeyTypeMagic(convert(keyTypeMagic, PSG_QEK_KEY_TYPE_MAGIC));
         entry.setMaxKeyUses(convert(maxKeyUses, PSG_QEK_MAX_KEY_USES));
         entry.setInterKeyNum(convert(interKeyNum, PSG_QEK_INTER_KEY_NUM));
@@ -145,8 +146,8 @@ public PsgQekBuilderHSM parse(ByteBufferSafe buffer) throws ParseStructureExcept
                 throw new ParseStructureException("Invalid SHA length 0x%x, expected 0x%x".formatted(new BigInteger(shaLength).intValue(), SHA_LEN));
             }
 
-            buffer.get(reserved);
-            checkIfArrayFilledWithZeros(reserved);
+            buffer.get(version);
+            version = convert(version, PSG_QEK_KEY_VERSION);
             buffer.get(keyTypeMagic);
             keyTypeMagic = convert(keyTypeMagic, PSG_QEK_KEY_TYPE_MAGIC);
             if (KEY_TYPE_MAGIC != new BigInteger(keyTypeMagic).intValue()) {

ServiceCore/src/main/java/com/intel/bkp/core/psgcertificate/model/PsgQekHSM.java

@@ -47,7 +47,7 @@ public class PsgQekHSM implements IStructure {
     private byte[] infoLength = new byte[0];
     private byte[] keyLength = new byte[0];
     private byte[] shaLength = new byte[0];
-    private byte[] reserved = new byte[0];
+    private byte[] version = new byte[0];
     private byte[] keyTypeMagic = new byte[0];
     private byte[] maxKeyUses = new byte[0];
     private byte[] interKeyNum = new byte[0];
@@ -62,7 +62,7 @@ public class PsgQekHSM implements IStructure {
     @Override
     public byte[] array() {
         final int capacity = magic.length + qekDataLength.length + infoLength.length + keyLength.length
-            + shaLength.length + reserved.length + keyTypeMagic.length + maxKeyUses.length + interKeyNum.length
+            + shaLength.length + version.length + keyTypeMagic.length + maxKeyUses.length + interKeyNum.length
             + step.length + totalKeyUses.length + reservedNoSalt.length + ivData.length
             + encryptedAESKey.length + encryptedKDK.length + encryptedSHA384.length;
 
@@ -73,7 +73,7 @@ public byte[] array() {
             .put(infoLength)
             .put(keyLength)
             .put(shaLength)
-            .put(reserved)
+            .put(version)
             .put(keyTypeMagic)
             .put(maxKeyUses)
             .put(interKeyNum)

TestLibrary/src/main/resources/testfiles/BKPSAESKey32.qek

@@ -1,7 +1,7 @@
 
 # VERIFIER dependency list
 ## Dependency License Report
-_2025-02-21 03:23:35 UTC_
+_2025-07-11 02:14:53 UTC_
 ## Apache License 2.0
 
 **1** **Group:** `io.swagger.core.v3` **Name:** `swagger-annotations` **Version:** `2.2.28` 

TestLibrary/src/main/resources/testfiles/signed_efuse_wrapped_aes_version_1.ccert

@@ -1,7 +1,7 @@
 
 # BKPS dependency list
 ## Dependency License Report
-_2025-02-21 03:23:23 UTC_
+_2025-07-11 02:14:53 UTC_
 ## Apache 2
 
 **1** **Group:** `com.opencsv` **Name:** `opencsv` **Version:** `5.9` 

Verifier/verifier_third_party_licenses.md

@@ -73,8 +73,6 @@
 import org.springframework.transaction.annotation.Transactional;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
-import java.nio.ByteBuffer;
-import java.nio.ByteOrder;
 import java.util.Arrays;
 import java.util.List;
 import static com.intel.bkp.bkps.rest.RestUtil.createFormattingConversionService;
@@ -143,10 +141,16 @@ public class AesCtrEncryptionKeyTest {
 
     private ServiceConfiguration serviceConfiguration;
 
+    private ServiceConfiguration serviceConfigurationVer1;
+
     private byte[] qekContent;
 
+    private byte[] qekContentVer1;
+
     private byte[] aesKeyContent;
 
+    private byte[] aesKeyContentVer1;
+
     @BeforeEach
     void setup() {
         final ServiceConfigurationController serviceConfigurationResource =
@@ -161,11 +165,18 @@ void setup() {
         qek.setKeyName(TestHelper.DEFAULT_KEY_NAME);
         qekContent = loadBinary(ResourceDir.ROOT, "aes_testmode1.qek");
         qek.setValue(toHex(qekContent));
+        Qek qekVer1 = new Qek();
+        qekVer1.setKeyName(TestHelper.DEFAULT_KEY_NAME);
+        qekContentVer1 = loadBinary(ResourceDir.ROOT, "BKPSAESKey32.qek");
+        qekVer1.setValue(toHex(qekContentVer1));
         byte[] encryptionKeyData = fromHex(loadFile(ResourceDir.ROOT, "aes_key_sdm1_5_ver2.txt"));
         ENCRYPTION_KEY = toHex(encryptionKeyData);
         aesKeyContent = loadBinary(ResourceDir.ROOT, "signed_UDS_intelpuf_wrapped_aes_testmode1.ccert");
+        aesKeyContentVer1 = loadBinary(ResourceDir.ROOT, "signed_efuse_wrapped_aes_version_1.ccert");
         serviceConfiguration = TestHelper.createServiceConfigurationEntity(
             DEFAULT_OVERBUILD_MAX, STORAGE_TYPE, null, false, PUF_TYPE, KEY_WRAPPING_TYPE, qek, aesKeyContent);
+        serviceConfigurationVer1 = TestHelper.createServiceConfigurationEntity(
+            DEFAULT_OVERBUILD_MAX, STORAGE_TYPE, null, false, PufType.EFUSE, KeyWrappingType.INTERNAL, qekVer1, aesKeyContentVer1);
     }
 
     @Test
@@ -208,6 +219,42 @@ public void getServiceConfiguration() throws Exception {
                 .value(TestHelper.DEFAULT_EFUSES_PUB_VALUE));
     }
 
+    @Test
+    @Transactional
+    public void createVersion1ServiceConfigurationWithTestProgramFlag() throws Exception {
+        prepareSealingKey();
+        prepareAesKey(SecurityKeyType.AES_CTR, TestHelper.DEFAULT_KEY_NAME, ENCRYPTION_KEY, "AES/CTR/NoPadding");
+        int databaseSizeBeforeCreate = serviceConfigurationRepository.findAll().size();
+        // Create the ServiceConfiguration
+        ServiceConfigurationDTO serviceConfigurationDTO = serviceConfigurationMapper.toDto(serviceConfigurationVer1);
+        serviceConfigurationDTO.getConfidentialData().getAesKey().setTestProgram(true);
+        restMockMvc.perform(post(CONFIG_NODE + CONFIGURATION)
+                .contentType(RestUtil.APPLICATION_JSON_UTF8)
+                .content(RestUtil.convertObjectToJsonBytes(serviceConfigurationDTO)))
+            .andExpect(status().isCreated());
+
+        // Validate the ServiceConfiguration in the database
+        List<ServiceConfiguration> serviceConfigurationList = serviceConfigurationRepository.findAll();
+        assertEquals(databaseSizeBeforeCreate + 1, serviceConfigurationList.size());
+        ServiceConfiguration testServiceConfiguration = serviceConfigurationList.get(
+            serviceConfigurationList.size() - 1);
+        assertEquals(TestHelper.DEFAULT_NAME, testServiceConfiguration.getName());
+        assertEquals(PufType.EFUSE, testServiceConfiguration.getPufType());
+        assertEquals(DEFAULT_OVERBUILD_MAX, testServiceConfiguration.getOverbuildMax());
+
+        final AesKey aesKey = testServiceConfiguration.getConfidentialData().getAesKey();
+        assertEquals(StorageType.EFUSES, aesKey.getStorage());
+        assertEquals(KeyWrappingType.INTERNAL, aesKey.getKeyWrappingType());
+        aesGcmSealingKeyProvider.initialize(securityService.getKeyFromSecurityObject(SEALING_KEYNAME));
+        final byte[] decryptedAesContent = aesGcmSealingKeyProvider.decrypt(fromHex(aesKey.getValue()));
+        assert Arrays.equals(aesKeyContentVer1, decryptedAesContent);
+        assertEquals(false, aesKey.getTestProgram());
+        final Qek qek = testServiceConfiguration.getConfidentialData().getQek();
+        assertEquals(TestHelper.DEFAULT_KEY_NAME, qek.getKeyName());
+        final byte[] decryptedQekValue = aesGcmSealingKeyProvider.decrypt(fromHex(qek.getValue()));
+        assert Arrays.equals(qekContentVer1, decryptedQekValue);
+    }
+
     @Test
     @Transactional
     public void createServiceConfigurationWithTestProgramFlag() throws Exception {

bkps/bkps_third_party_licenses.md

@@ -63,6 +63,7 @@
 import com.intel.bkp.crypto.exceptions.EncryptionProviderException;
 import com.intel.bkp.crypto.exceptions.HMacProviderException;
 import com.intel.bkp.crypto.hmac.HMacKdfProviderImpl;
+import com.intel.bkp.utils.ByteConverter;
 import org.apache.commons.codec.digest.DigestUtils;
 import lombok.AccessLevel;
 import lombok.RequiredArgsConstructor;
@@ -149,18 +150,37 @@ private void validateAESAndQek(Qek qek) {
 
             // Decrypt and extract actual AES root key from QEK data
             aesCtrEncryptionKeyProvider.initialize(new AesCtrQekIvProvider(qekBuilderHSM.getIvData()), qek.getKeyName());
-            byte[] aesRootKey = aesCtrEncryptionKeyProvider.decrypt(qekBuilderHSM.getEncryptedAESKey());
+            byte[] aesRootKey = new byte[32];
+            byte[] kdkKey = new byte[32];
+            byte[] expectedSHA384Hash = new byte[48];
 
+            Integer version = ByteConverter.toInt(qekBuilderHSM.getVersion());
             // Verify hash of QEK
-            byte[] kdkKey = aesCtrEncryptionKeyProvider.decrypt(qekBuilderHSM.getEncryptedKDK());
+            if (version == 1) {
+                // Decrypt block of AES key, KDK and SHA384 hash
+                ByteBuffer buffer = ByteBuffer.allocate(0x70);
+                buffer.order(ByteOrder.LITTLE_ENDIAN);
+                buffer.put(qekBuilderHSM.getEncryptedAESKey());
+                buffer.put(qekBuilderHSM.getEncryptedKDK());
+                buffer.put(qekBuilderHSM.getEncryptedSHA384());
+                byte[] decodedData = aesCtrEncryptionKeyProvider.decrypt(buffer.array());
+                ByteBuffer decodedBuffer = ByteBuffer.wrap(decodedData);
+                decodedBuffer.get(aesRootKey);
+                decodedBuffer.get(kdkKey);
+                decodedBuffer.get(expectedSHA384Hash);
+            } else {
+                aesRootKey = aesCtrEncryptionKeyProvider.decrypt(qekBuilderHSM.getEncryptedAESKey());
+                kdkKey = aesCtrEncryptionKeyProvider.decrypt(qekBuilderHSM.getEncryptedKDK());
+                expectedSHA384Hash = aesCtrEncryptionKeyProvider.decrypt(qekBuilderHSM.getEncryptedSHA384());
+            }
+
             ByteBuffer bufferCheckHash = ByteBuffer.allocate(0x60);
             bufferCheckHash.order(ByteOrder.LITTLE_ENDIAN);
             bufferCheckHash.put(qekBuilderHSM.getReservedNoSalt());
             bufferCheckHash.put(qekBuilderHSM.getIvData());
             bufferCheckHash.put(aesRootKey);
             bufferCheckHash.put(kdkKey);
             byte[] sha384Hash = DigestUtils.sha384(bufferCheckHash.array());
-            byte[] expectedSHA384Hash = aesCtrEncryptionKeyProvider.decrypt(qekBuilderHSM.getEncryptedSHA384());
             if (!Arrays.equals(sha384Hash, expectedSHA384Hash)) {
                 throw new IOException("Failed to decrypt QEK data. QEK data is either corrupted or QEK encryption key that associated with the key name is mismatch.");
             }