author | Alex Klyubin <klyubin@google.com> | 2015-06-12 19:54:18 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-06-12 19:54:20 +0000 |
commit | 6cb8e30bb7e79cb694bf44d185da201e9deb9363 (patch) | |
tree | 30c35f297274ec98d6bba5cdd2b31fe79c46e71d /keystore | |
parent | 768695a899825561a61f70740f642be0ed35c39f (diff) | |
parent | 7c475cc7c3f1159d5a8115382deb5332aca76144 (diff) | |
Merge "Fix Android Keystore KeyPairGenerator for RSA PSS keys." into mnc-dev
Diffstat (limited to 'keystore')
-rw-r--r-- | keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java index c8ecbcd..b93424d 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java @@ -691,6 +691,36 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato } case KeymasterDefs.KM_ALGORITHM_RSA: { + // Check whether this key is authorized for PKCS#1 signature padding. + // We use Bouncy Castle to generate self-signed RSA certificates. Bouncy Castle + // only supports RSA certificates signed using PKCS#1 padding scheme. The key needs + // to be authorized for PKCS#1 padding or padding NONE which means any padding. + boolean pkcs1SignaturePaddingSupported = false; + for (int keymasterPadding : KeyProperties.SignaturePadding.allToKeymaster( + spec.getSignaturePaddings())) { + if ((keymasterPadding == KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_SIGN) + || (keymasterPadding == KeymasterDefs.KM_PAD_NONE)) { + pkcs1SignaturePaddingSupported = true; + break; + } + } + if (!pkcs1SignaturePaddingSupported) { + // Keymaster doesn't distinguish between encryption padding NONE and signature + // padding NONE. In the Android Keystore API only encryption padding NONE is + // exposed. + for (int keymasterPadding : KeyProperties.EncryptionPadding.allToKeymaster( + spec.getEncryptionPaddings())) { + if (keymasterPadding == KeymasterDefs.KM_PAD_NONE) { + pkcs1SignaturePaddingSupported = true; + break; + } + } + } + if (!pkcs1SignaturePaddingSupported) { + // Key not authorized for PKCS#1 signature padding -- can't sign + return null; + } + Set<Integer> availableKeymasterDigests = getAvailableKeymasterSignatureDigests( spec.getDigests(), AndroidKeyStoreBCWorkaroundProvider.getSupportedEcdsaSignatureDigests()); |
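Review bot: The added `return null;` turns "key not authorized for PKCS#1 signing" into a silent null result, and the hunk does not show how the caller treats it; the enclosing method begins and ends outside the hunk, so its contract is not visible here. If null is meant to signal that the self-signed certificate cannot be signed with this key, the method's Javadoc should say so, e.g. `@return signature algorithm, or {@code null} if the key is not authorized for a padding/digest the certificate signer supports`, so that no caller dereferences it or mistakes it for a generic failure. The flag is named `pkcs1SignaturePaddingSupported`, but the comments and both loops are about what the key is authorized for; `pkcs1SignaturePaddingAuthorized` would match the logic. Separately, the trailing context line passes `getSupportedEcdsaSignatureDigests()` inside the RSA branch, which may be intentional but is worth confirming.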