This adds MD5, SHA-1, SHA-224, SHA-384, and SHA-512. SHA-256 was
already there.
MD5 is not exposed for HMAC on purpose, because MD5 has been
deprecated for years.
Bug: 18088752
Change-Id: I4df3d3f6cf10805c7910a1bdb577a91c85055945
This makes IV-using Cipher implementations backed by AndroidKeyStore
refuse to be reused. After Cipher.doFinal completes, invoking update
or doFinal will raise an exception. This is to make it harder to
violate the security best practice of not reusing IV in encryption
mode.
Bug: 18088752
Change-Id: I5102f9e8b2ff428254294703e48948ea8576603d
GCM mode is not yet implemented. This is just adding a constant to
KeyStoreKeyConstraints.BlockMode.
Bug: 18088752
Change-Id: Ibba5b393f56ab9f6bb96d994f110687ab8d65ff3
This makes the new AndroidKeyStore API conform with the latest
Keymaster API changes as well as the latest Android framework API
design guidelines.
Keymaster changes:
* Multiple paddings, block modes, and digests can be set on a key.
* "max uses per boot" and "min seconds between use" restrictions will
not be exposed in the framework API.
* Padding scheme ZERO will not be exposed.
Changes due to Android framework design guidelines:
* Sets of enum values have been replaced with bitsets represented as
ints.
* Integer has been replaced with int, with null being represented
with a special value (e.g., -1 or 0) where possible.
Bug: 18088752
Change-Id: Ib21739aa9b42d48895cb7a681e836a5c6d972ac6
This avoids loading all AndroidKeyStore crypto SPI classes when the
AndroidKeyStore provider is instantiated and installed. This provider
is installed early on during the initialization of each app. Most apps
don't need these classes loaded.
Bug: 18088752
Change-Id: Ib43c9dd6a7d434b128916e0f9c8652ba61df0d47
The code in question talks to KeyStore which returns error codes
which are a mix of keystore and keymaster error codes. To better
match the layering of KeyStore on top of keystore and keymaster,
this CL renames KeymasterException into KeyStoreException. It also
adds human-readable error messages to exceptions raised by keystore
rather than keymaster (e.g., key not found).
Bug: 18088752
Change-Id: I4cd1235e16518c9f2e8c5557a457774c6e687b88
Now that auth token checks are in keystore keys without any auth tags
are invalid.
Also adds a test to check that a key with auth required fails when none
is present.
Change-Id: I0d5d44d70a849978e9b2e809675b8343c6650ff2
This defers the start of a new KeyStore operation after Mac.doFinal
until the next Mac.update or .doFinal. Previously, the a new KeyStore
operation was started immediately, at the end of doFinal.
Bug: 18088752
Change-Id: I2d594067ef261f519631d09f7a6087b715801656
Keymaster HAL currently requires that key validity start and end dates
always be specified. The framework API does not. This CL expresses
the framework API's "not specified" instants to Keymaster as instants
in distant past or future.
Bug: 18088752
Change-Id: Ia9d66d5e57bfca30628cdef6e0925a2781a3acfb
This adds AndroidKeyStore.getKeyStoreOperationHandle method which can
be used to obtain the KeyStore operation handle corresponding to the
provided JCA cryto primitive (provided it's backed by
AndroidKeyStore).
Bug: 18088752
Change-Id: Iaa3b6f9b2281b2ec2de8fd5946d353dc7fdb3d2d
This factory provides a way to obtain information about a SecretKey
backed by AndroidKeyStore. The information is provided in a form of an
instance of KeyStoreKeySpec class.
EXAMPLE
SecretKeyFactory factory = SecretKeyFactory.getInstance(
key.getAlgorithm(), "AndroidKeyStore");
KeyStoreKeySpec keySpec =
factory.getKeySpec(key, KeyStoreKeySpec.class);
Bug: 18088752
Change-Id: I26c9dd544f80230fe7039501eeb471eaf875452b
