Merge "Keystore 2.0 SPI: Add EC_CURVE tag on key generation." into sc-dev
This commit is contained in:
TreeHugger Robot
committed by
Android (Google) Code Review
Android (Google) Code Review
commit
214d129500
@ -20,6 +20,7 @@ import android.annotation.NonNull;
|
||||
import android.annotation.Nullable;
|
||||
import android.app.ActivityThread;
|
||||
import android.content.Context;
|
||||
import android.hardware.security.keymint.EcCurve;
|
||||
import android.hardware.security.keymint.KeyParameter;
|
||||
import android.hardware.security.keymint.KeyPurpose;
|
||||
import android.hardware.security.keymint.SecurityLevel;
|
||||
@ -122,6 +123,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
new HashMap<String, Integer>();
|
||||
private static final List<String> SUPPORTED_EC_NIST_CURVE_NAMES = new ArrayList<String>();
|
||||
private static final List<Integer> SUPPORTED_EC_NIST_CURVE_SIZES = new ArrayList<Integer>();
|
||||
|
||||
static {
|
||||
// Aliases for NIST P-224
|
||||
SUPPORTED_EC_NIST_CURVE_NAME_TO_SIZE.put("p-224", 224);
|
||||
@ -175,6 +177,23 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
mOriginalKeymasterAlgorithm = keymasterAlgorithm;
|
||||
}
|
||||
|
||||
private @EcCurve int keySize2EcCurve(int keySizeBits)
|
||||
throws InvalidAlgorithmParameterException {
|
||||
switch (keySizeBits) {
|
||||
case 224:
|
||||
return EcCurve.P_224;
|
||||
case 256:
|
||||
return EcCurve.P_256;
|
||||
case 384:
|
||||
return EcCurve.P_384;
|
||||
case 521:
|
||||
return EcCurve.P_521;
|
||||
default:
|
||||
throw new InvalidAlgorithmParameterException(
|
||||
"Unsupported EC curve keysize: " + keySizeBits);
|
||||
}
|
||||
}
|
||||
|
||||
@SuppressWarnings("deprecation")
|
||||
@Override
|
||||
public void initialize(int keysize, SecureRandom random) {
|
||||
@ -459,8 +478,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
private void initAlgorithmSpecificParameters() throws InvalidAlgorithmParameterException {
|
||||
AlgorithmParameterSpec algSpecificSpec = mSpec.getAlgorithmParameterSpec();
|
||||
switch (mKeymasterAlgorithm) {
|
||||
case KeymasterDefs.KM_ALGORITHM_RSA:
|
||||
{
|
||||
case KeymasterDefs.KM_ALGORITHM_RSA: {
|
||||
BigInteger publicExponent = null;
|
||||
if (algSpecificSpec instanceof RSAKeyGenParameterSpec) {
|
||||
RSAKeyGenParameterSpec rsaSpec = (RSAKeyGenParameterSpec) algSpecificSpec;
|
||||
@ -487,7 +505,8 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
|| (publicExponent.compareTo(KeymasterArguments.UINT64_MAX_VALUE) > 0)) {
|
||||
throw new InvalidAlgorithmParameterException(
|
||||
"Unsupported RSA public exponent: " + publicExponent
|
||||
+ ". Maximum supported value: " + KeymasterArguments.UINT64_MAX_VALUE);
|
||||
+ ". Maximum supported value: "
|
||||
+ KeymasterArguments.UINT64_MAX_VALUE);
|
||||
}
|
||||
mRSAPublicExponent = publicExponent.longValue();
|
||||
break;
|
||||
@ -585,7 +604,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
success = true;
|
||||
return new KeyPair(publicKey, publicKey.getPrivateKey());
|
||||
} catch (android.security.KeyStoreException e) {
|
||||
switch(e.getErrorCode()) {
|
||||
switch (e.getErrorCode()) {
|
||||
case KeymasterDefs.KM_ERROR_HARDWARE_TYPE_UNAVAILABLE:
|
||||
throw new StrongBoxUnavailableException("Failed to generated key pair.", e);
|
||||
case ResponseCode.OUT_OF_KEYS:
|
||||
@ -605,7 +624,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
throw p;
|
||||
}
|
||||
} catch (UnrecoverableKeyException | IllegalArgumentException
|
||||
| DeviceIdAttestationException e) {
|
||||
| DeviceIdAttestationException | InvalidAlgorithmParameterException e) {
|
||||
throw new ProviderException(
|
||||
"Failed to construct key object from newly generated key pair.", e);
|
||||
} finally {
|
||||
@ -715,12 +734,20 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
}
|
||||
|
||||
private Collection<KeyParameter> constructKeyGenerationArguments()
|
||||
throws DeviceIdAttestationException, IllegalArgumentException {
|
||||
throws DeviceIdAttestationException, IllegalArgumentException,
|
||||
InvalidAlgorithmParameterException {
|
||||
List<KeyParameter> params = new ArrayList<>();
|
||||
params.add(KeyStore2ParameterUtils.makeInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits));
|
||||
params.add(KeyStore2ParameterUtils.makeEnum(
|
||||
KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm
|
||||
));
|
||||
|
||||
if (mKeymasterAlgorithm == KeymasterDefs.KM_ALGORITHM_EC) {
|
||||
params.add(KeyStore2ParameterUtils.makeEnum(
|
||||
Tag.EC_CURVE, keySize2EcCurve(mKeySizeBits)
|
||||
));
|
||||
}
|
||||
|
||||
ArrayUtils.forEach(mKeymasterPurposes, (purpose) -> {
|
||||
params.add(KeyStore2ParameterUtils.makeEnum(
|
||||
KeymasterDefs.KM_TAG_PURPOSE, purpose
|
||||
@ -892,8 +919,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
return null;
|
||||
}
|
||||
switch (keymasterAlgorithm) {
|
||||
case KeymasterDefs.KM_ALGORITHM_EC:
|
||||
{
|
||||
case KeymasterDefs.KM_ALGORITHM_EC: {
|
||||
Set<Integer> availableKeymasterDigests = getAvailableKeymasterSignatureDigests(
|
||||
spec.getDigests(),
|
||||
AndroidKeyStoreBCWorkaroundProvider.getSupportedEcdsaSignatureDigests());
|
||||
@ -940,8 +966,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
|
||||
return KeyProperties.Digest.fromKeymasterToSignatureAlgorithmDigest(
|
||||
bestKeymasterDigest) + "WithECDSA";
|
||||
}
|
||||
case KeymasterDefs.KM_ALGORITHM_RSA:
|
||||
{
|
||||
case KeymasterDefs.KM_ALGORITHM_RSA: {
|
||||
// Check whether this key is authorized for PKCS#1 signature padding.
|
||||
// We use Bouncy Castle to generate self-signed RSA certificates. Bouncy Castle
|
||||
// only supports RSA certificates signed using PKCS#1 padding scheme. The key needs
|
||||
|
||||
Reference in New Issue
Block a user