From f78dd677e991ba8f76f3a6d4272ff5deef3faa69 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Mon, 15 Jun 2015 15:16:09 -0700
Subject: Fix Android Keystore key gen for keys requiring user auth.

When Android Keystore generates an asymmetric key pair, it needs to
create a self-signed certificate for that pair, in order to expose
the key pair in the JCA KeyStore abstraction through which keys are
later retrieved. The self-signed certificate is normally signed with
the private key.

This CL avoids using the private key to sign the certificate if the
private key can be used only once the user has been authenticated.
For such keys, a fake (non-verifying) signature is used on the
certificate, same as for cases where the key is not authorized for
signing.

Bug: 21852844
Change-Id: Id78bc1f51d12950db4e37c1e0da6c60057d4e693
---
 .../security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java       | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'keystore')

diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
index b93424d..2de60fd 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
@@ -624,7 +624,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
             int keySizeBits,
             KeyGenParameterSpec spec) {
         // Constraints:
-        // 1. Key must be authorized for signing.
+        // 1. Key must be authorized for signing without user authentication.
         // 2. Signature digest must be one of key's authorized digests.
         // 3. For RSA keys, the digest output size must not exceed modulus size minus space needed
         //    for RSA PKCS#1 signature padding (about 29 bytes: minimum 10 bytes of padding + 15--19
@@ -636,6 +636,10 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
             // Key not authorized for signing
             return null;
         }
+        if (spec.isUserAuthenticationRequired()) {
+            // Key not authorized for use without user authentication
+            return null;
+        }
         if (!spec.isDigestsSpecified()) {
             // Key not authorized for any digests -- can't sign
             return null;
-- 
cgit v1.1