author | Alex Klyubin <klyubin@google.com> | 2015-06-15 22:42:02 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-06-15 22:42:04 +0000 |
commit | a8232452b6bea3c291a56a4e005e7a95eb99c5de (patch) | |
tree | 423e8e7872ae66677a3f908b8255d2c3cbde53d6 /keystore | |
parent | 9f6d39f84423d59705c0c7a8746d40cc610caee7 (diff) | |
parent | f78dd677e991ba8f76f3a6d4272ff5deef3faa69 (diff) | |
Merge "Fix Android Keystore key gen for keys requiring user auth." into mnc-dev
Diffstat (limited to 'keystore')
-rw-r--r-- | keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
index b93424d..2de60fd 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
@@ -624,7 +624,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
 int keySizeBits,
 KeyGenParameterSpec spec) {
 // Constraints:
- // 1. Key must be authorized for signing.
+ // 1. Key must be authorized for signing without user authentication.
 // 2. Signature digest must be one of key's authorized digests.
 // 3. For RSA keys, the digest output size must not exceed modulus size minus space needed
 // for RSA PKCS#1 signature padding (about 29 bytes: minimum 10 bytes of padding + 15--19
@@ -636,6 +636,10 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
 // Key not authorized for signing
 return null;
 }
+ if (spec.isUserAuthenticationRequired()) {
+ // Key not authorized for use without user authentication
+ return null;
+ }
 if (!spec.isDigestsSpecified()) {
 // Key not authorized for any digests -- can't sign
 return null; |
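Review bot: The new `spec.isUserAuthenticationRequired()` early return in the second hunk changes which certificate an auth-bound key ends up with, but neither the inline comment nor the constraints list says what a `null` result means for the caller. Presumably the caller cannot self-sign with the freshly generated key in that case, so consumers of the certificate should not treat its signature as proof of possession. That is worth stating where the decision is made, e.g. `// Signing here would require user auth at generation time; null tells the caller no real self-signature is possible`. The same reasoning may apply to other authorizations that can block signing at generation time, such as a key validity window (`getKeyValidityStart()`, `getKeyValidityForOriginationEnd()`). Whether those are handled is not visible here, because the method starts and ends outside both hunks.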