summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlex Klyubin <klyubin@google.com>2015-06-15 22:42:02 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2015-06-15 22:42:04 +0000
commita8232452b6bea3c291a56a4e005e7a95eb99c5de (patch)
tree423e8e7872ae66677a3f908b8255d2c3cbde53d6
parent9f6d39f84423d59705c0c7a8746d40cc610caee7 (diff)
parentf78dd677e991ba8f76f3a6d4272ff5deef3faa69 (diff)
downloadframeworks_base-a8232452b6bea3c291a56a4e005e7a95eb99c5de.zip
frameworks_base-a8232452b6bea3c291a56a4e005e7a95eb99c5de.tar.gz
frameworks_base-a8232452b6bea3c291a56a4e005e7a95eb99c5de.tar.bz2
Merge "Fix Android Keystore key gen for keys requiring user auth." into mnc-dev
-rw-r--r--keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java6
1 files changed, 5 insertions, 1 deletions
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
index b93424d..2de60fd 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
@@ -624,7 +624,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
int keySizeBits,
KeyGenParameterSpec spec) {
// Constraints:
- // 1. Key must be authorized for signing.
+ // 1. Key must be authorized for signing without user authentication.
// 2. Signature digest must be one of key's authorized digests.
// 3. For RSA keys, the digest output size must not exceed modulus size minus space needed
// for RSA PKCS#1 signature padding (about 29 bytes: minimum 10 bytes of padding + 15--19
@@ -636,6 +636,10 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
// Key not authorized for signing
return null;
}
+ if (spec.isUserAuthenticationRequired()) {
+ // Key not authorized for use without user authentication
+ return null;
+ }
if (!spec.isDigestsSpecified()) {
// Key not authorized for any digests -- can't sign
return null;