Always mix in additional entropy into keymaster.

This makes AndroidKeyStore Cipher and KeyGenerator implementations mix
in additional entropy into keymaster's RNG regardless of whether they
were provided with a SecureRandom instance.

In practice, they are always provided with a SecureRandom instance.
However, to be safe, when no SecureRandom instance is provided the
code now uses a platform-default SecureRandom implementation.

Bug: 18088752
Change-Id: I85bca30d7bdc82c2a342094dcbe6044e48a63dca

3 files changed, 34 insertions, 10 deletions

diff --git a/keystore/java/android/security/KeyStoreCipherSpi.java b/keystore/java/android/security/KeyStoreCipherSpi.java
index 094aa75..cf2765e 100644
--- a/keystore/java/android/security/KeyStoreCipherSpi.java
+++ b/keystore/java/android/security/KeyStoreCipherSpi.java
@@ -633,10 +633,9 @@ public abstract class KeyStoreCipherSpi extends CipherSpi implements KeyStoreCry
                 if ((mIv == null) && (mEncrypting)) {
                     // IV was not provided by the caller and thus will be generated by keymaster.
                     // Mix in some additional entropy from the provided SecureRandom.
-                    if (mRng != null) {
-                        mAdditionalEntropyForBegin = new byte[mBlockSizeBytes];
-                        mRng.nextBytes(mAdditionalEntropyForBegin);
-                    }
+                    mAdditionalEntropyForBegin =
+                            KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng(
+                                    mRng, mBlockSizeBytes);
                 }
             }
         }
diff --git a/keystore/java/android/security/KeyStoreCryptoOperationUtils.java b/keystore/java/android/security/KeyStoreCryptoOperationUtils.java
index e5933ad..311278b 100644
--- a/keystore/java/android/security/KeyStoreCryptoOperationUtils.java
+++ b/keystore/java/android/security/KeyStoreCryptoOperationUtils.java
@@ -21,6 +21,7 @@ import android.security.keymaster.KeymasterDefs;
 import java.security.GeneralSecurityException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
+import java.security.SecureRandom;
 
 /**
  * Assorted utility methods for implementing crypto operations on top of KeyStore.
@@ -28,6 +29,9 @@ import java.security.InvalidKeyException;
  * @hide
  */
 abstract class KeyStoreCryptoOperationUtils {
+
+    private static volatile SecureRandom sRng;
+
     private KeyStoreCryptoOperationUtils() {}
 
     /**
@@ -81,4 +85,28 @@ abstract class KeyStoreCryptoOperationUtils {
         // General cases
         return getInvalidKeyExceptionForInit(keyStore, key, beginOpResultCode);
     }
+
+    /**
+     * Returns the requested number of random bytes to mix into keystore/keymaster RNG.
+     *
+     * @param rng RNG from which to obtain the random bytes or {@code null} for the platform-default
+     *        RNG.
+     */
+    static byte[] getRandomBytesToMixIntoKeystoreRng(SecureRandom rng, int sizeBytes) {
+        if (rng == null) {
+            rng = getRng();
+        }
+        byte[] result = new byte[sizeBytes];
+        rng.nextBytes(result);
+        return result;
+    }
+
+    private static SecureRandom getRng() {
+        // IMPLEMENTATION NOTE: It's OK to share a SecureRandom instance because SecureRandom is
+        // required to be thread-safe.
+        if (sRng == null) {
+            sRng = new SecureRandom();
+        }
+        return sRng;
+    }
 }
diff --git a/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java
index 68b5751..4f6172e 100644
--- a/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java
+++ b/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java
@@ -174,12 +174,9 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
             args.addBoolean(KeymasterDefs.KM_TAG_CALLER_NONCE);
         }
 
-        byte[] additionalEntropy = null;
-        SecureRandom rng = mRng;
-        if (rng != null) {
-            additionalEntropy = new byte[(keySizeBits + 7) / 8];
-            rng.nextBytes(additionalEntropy);
-        }
+        byte[] additionalEntropy =
+                KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng(
+                        mRng, (keySizeBits + 7) / 8);
 
         int flags = spec.getFlags();
         String keyAliasInKeystore = Credentials.USER_SECRET_KEY + spec.getKeystoreAlias();