author | Alex Klyubin <klyubin@google.com> | 2015-06-23 10:54:44 -0700 |
---|---|---|
committer | Alex Klyubin <klyubin@google.com> | 2015-06-23 10:54:44 -0700 |
commit | 856aebe571e2efe332c1258b3131bfbae6f4b396 (patch) | |
tree | 7a3f0d80f8d0fd21ba1390a401af1bd6e26496bd /keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java | |
parent | 6d2268a57603e1c60329b93fb853ac2c134cb932 (diff) | |
Don't fail if self-signed certificate can't be signed.
This makes Android Keystore's KeyPairGenerator fall back to generating
a self-signed certificate with an invalid/fake signature when the
attempt to generate a self-signed certificate with a valid signature
fails.
There is a growing number of reasons/authorizations due to which the
generated private key cannot be used to sign the self-signed
certificate. It's safer for KeyPairGenerator to succeed than to fail.
Bug: 22033161
Change-Id: I1ecbd421346166bfd536b5cfbaea169b11f0b1c8
Diffstat (limited to 'keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java')
-rw-r--r-- | keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
index f7ff07f..02afa0a 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
@@ -515,15 +515,23 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
 return generateSelfSignedCertificateWithFakeSignature(publicKey);
 } else {
 // Key can be used to sign a certificate
- return generateSelfSignedCertificateWithValidSignature(
- privateKey, publicKey, signatureAlgorithm);
+ try {
+ return generateSelfSignedCertificateWithValidSignature(
+ privateKey, publicKey, signatureAlgorithm);
+ } catch (Exception e) {
+ // Failed to generate the self-signed certificate with valid signature. Fall back
+ // to generating a self-signed certificate with a fake signature. This is done for
+ // all exception types because we prefer key pair generation to succeed and end up
+ // producing a self-signed certificate with an invalid signature to key pair
+ // generation failing.
+ return generateSelfSignedCertificateWithFakeSignature(publicKey);
+ }
 }
 }

 @SuppressWarnings("deprecation")
 private X509Certificate generateSelfSignedCertificateWithValidSignature(
- PrivateKey privateKey, PublicKey publicKey, String signatureAlgorithm)
- throws Exception {
+ PrivateKey privateKey, PublicKey publicKey, String signatureAlgorithm) throws Exception {
 final X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
 certGen.setPublicKey(publicKey);
 certGen.setSerialNumber(mSpec.getCertificateSerialNumber()); |
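Review bot: The new `catch (Exception e)` around `generateSelfSignedCertificateWithValidSignature(...)` drops `e` without recording it, so the fallback to a fake-signature certificate is silent and a later signature-verification failure on that certificate has no traceable cause. Since the catch deliberately covers every exception type, unchecked ones from programming errors are hidden the same way. I would log the cause before the fallback return, for example `Log.w(TAG, "Self-signing failed; using fake-signature certificate", e);`, assuming the class has a log tag, which is not visible in this hunk. The comment could also state that callers must not treat this certificate's self-signature as evidence that the private key can sign. The enclosing method starts above the hunk, so the earlier fake-signature branch is only partly visible here.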