authorAlex Klyubin <klyubin@google.com>2015-05-13 12:30:19 -0700
committerAlex Klyubin <klyubin@google.com>2015-05-13 12:35:15 -0700
commitcbdd377db84d58dff31a380e85fdd94a27d863c6 (patch)
tree6c47679638c0caac460815d929eb6dbb8fe70e93 /keystore/java
parent55e603ee9de06125751292c84f1b25fb9a78d4e4 (diff)
Ensure key algorithm name of HMAC keys is preserved.
When Android KeyStore loads an HMAC key, it needs to compose the JCA key algorithm name (e.g., HmacSHA256) based on the digests the key is authorized for. A key can be authorized for multiple digests. Thus, the approach is to use the first one for constructing the JCA key algorithm name. This CL ensures that when importing HMAC keys the first KM_TAG_DIGEST tag is set to the digest of the JCA key algorithm name. Bug: 18088752 Change-Id: I911ca7427b249ee823d06e988687af6146ebaff8
Diffstat (limited to 'keystore/java')
-rw-r--r--keystore/java/android/security/AndroidKeyStore.java15
1 files changed, 15 insertions, 0 deletions
diff --git a/keystore/java/android/security/AndroidKeyStore.java b/keystore/java/android/security/AndroidKeyStore.java
index 7ac236a..b834641 100644
--- a/keystore/java/android/security/AndroidKeyStore.java
+++ b/keystore/java/android/security/AndroidKeyStore.java
@@ -476,6 +476,21 @@ public class AndroidKeyStore extends KeyStoreSpi {
+ ". Key: " + keyAlgorithmString
+ ", parameter spec: " + Arrays.asList(params.getDigests()));
}
+ // When the key is read back from keystore we reconstruct the JCA key algorithm
+ // name from the KM_TAG_ALGORITHM and the first KM_TAG_DIGEST. Thus we need to
+ // ensure that the digest reflected in the JCA key algorithm name is the first
+ // KM_TAG_DIGEST tag.
+ if (keymasterDigests[0] != keymasterDigest) {
+ // The first digest is not the one implied by the JCA key algorithm name.
+ // Swap the implied digest with the first one.
+ for (int i = 0; i < keymasterDigests.length; i++) {
+ if (keymasterDigests[i] == keymasterDigest) {
+ keymasterDigests[i] = keymasterDigests[0];
+ keymasterDigests[0] = keymasterDigest;
+ break;
+ }
+ }
+ }
}
} else {
// No digest specified in parameters
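Review bot: The added swap at `if (keymasterDigests[0] != keymasterDigest)` relies on two facts established outside this hunk: that `keymasterDigests` is non-empty and that it contains `keymasterDigest`. Only the tail of the preceding exception message is visible here, so presumably that check rejects a digest list lacking the algorithm's digest; if it ever stops doing so, the index-0 read throws on an empty list and the loop falls through without swapping, leaving a key that would be read back under a different HMAC algorithm name than it was imported with. I would state the dependency next to the swap, e.g. `// keymasterDigests contains keymasterDigest (checked above), so the loop below always finds it`, and start the scan at `int i = 1`, since index 0 is already known not to match. The enclosing method begins and ends outside the hunk.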