diff options
author | Alex Klyubin <klyubin@google.com> | 2015-06-22 18:09:35 -0700 |
---|---|---|
committer | Alex Klyubin <klyubin@google.com> | 2015-06-23 20:04:28 -0700 |
commit | ae6cb7aad56bb006769cd8a69b92af7236644fc1 (patch) | |
tree | e70a45074619bb3e1f97cb5dcfe0c28bbfe60129 /keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java | |
parent | 12402dafeaf2ec8255d6331d3e82028d694b87d7 (diff) | |
download | frameworks_base-ae6cb7aad56bb006769cd8a69b92af7236644fc1.zip frameworks_base-ae6cb7aad56bb006769cd8a69b92af7236644fc1.tar.gz frameworks_base-ae6cb7aad56bb006769cd8a69b92af7236644fc1.tar.bz2 |
Keymaster INT, LONG and DATE tag values are unsigned.
This CL ensures that Android Keystore framework code complies with
signedness of keymaster tags. In particular:
* INT tags are unsigned 32-bit numbers, and
* LONG and DATE tags are unsigned 64-bit numbers.
The ensure compliance, KeymasterArguments and KeyCharacteristics
classes through which Android Keystore interacts with Keymaster tags
have been modified as follows:
* ENUM and INT tags which used to be conflated are now added/queried
via separate methods, because ENUM can remain represented as an int
data type whereas INT is now represented as a long data type with
permitted range being [0; 2^32).
* Methods for adding/quering LONG tags have been switched from the long
data type to the BigInteger data type and now ensure that the value
is in the permitted [0; 2^63).
* Methods for adding/querying DATE tags now ensure the Date value is
in the permitted range [0; 2^63) ms since Unix epoch.
* Methods for adding tags throw an IllegalArgumentException if the tag
type is unsuitable for the method. This is to ensure that tags with
invalid values cannot be added through similar methods (e.g., INT tag
added via an ENUM tag addition method invoked with a negative value).
Bug: 22008538
Change-Id: I6eefd5cbb561cc52d27de952691af4d9d5e1af1e
Diffstat (limited to 'keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java')
-rw-r--r-- | keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java index ff265cf..3058bd3 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java @@ -160,7 +160,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato private int[] mKeymasterSignaturePaddings; private int[] mKeymasterDigests; - private long mRSAPublicExponent; + private BigInteger mRSAPublicExponent; protected AndroidKeyStoreKeyPairGeneratorSpi(int keymasterAlgorithm) { mOriginalKeymasterAlgorithm = keymasterAlgorithm; @@ -320,7 +320,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato mKeymasterDigests = null; mKeySizeBits = 0; mSpec = null; - mRSAPublicExponent = -1; + mRSAPublicExponent = null; mEncryptionAtRestRequired = false; mRng = null; mKeyStore = null; @@ -353,12 +353,12 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato throw new InvalidAlgorithmParameterException( "RSA public exponent must be positive: " + publicExponent); } - if (publicExponent.compareTo(BigInteger.valueOf(Long.MAX_VALUE)) > 0) { + if (publicExponent.compareTo(KeymasterArguments.UINT64_MAX_VALUE) > 0) { throw new InvalidAlgorithmParameterException( "Unsupported RSA public exponent: " + publicExponent - + ". Only exponents <= " + Long.MAX_VALUE + " supported"); + + ". Maximum supported value: " + KeymasterArguments.UINT64_MAX_VALUE); } - mRSAPublicExponent = publicExponent.longValue(); + mRSAPublicExponent = publicExponent; break; } case KeymasterDefs.KM_ALGORITHM_EC: @@ -404,13 +404,13 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato } KeymasterArguments args = new KeymasterArguments(); - args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits); - args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm); - args.addInts(KeymasterDefs.KM_TAG_PURPOSE, mKeymasterPurposes); - args.addInts(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes); - args.addInts(KeymasterDefs.KM_TAG_PADDING, mKeymasterEncryptionPaddings); - args.addInts(KeymasterDefs.KM_TAG_PADDING, mKeymasterSignaturePaddings); - args.addInts(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); + args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, mKeySizeBits); + args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, mKeymasterAlgorithm); + args.addEnums(KeymasterDefs.KM_TAG_PURPOSE, mKeymasterPurposes); + args.addEnums(KeymasterDefs.KM_TAG_BLOCK_MODE, mKeymasterBlockModes); + args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterEncryptionPaddings); + args.addEnums(KeymasterDefs.KM_TAG_PADDING, mKeymasterSignaturePaddings); + args.addEnums(KeymasterDefs.KM_TAG_DIGEST, mKeymasterDigests); KeymasterUtils.addUserAuthArgs(args, mSpec.isUserAuthenticationRequired(), @@ -493,7 +493,8 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato private void addAlgorithmSpecificParameters(KeymasterArguments keymasterArgs) { switch (mKeymasterAlgorithm) { case KeymasterDefs.KM_ALGORITHM_RSA: - keymasterArgs.addLong(KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, mRSAPublicExponent); + keymasterArgs.addUnsignedLong( + KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, mRSAPublicExponent); break; case KeymasterDefs.KM_ALGORITHM_EC: break; |