Merge "Fix Android Keystore KeyPairGenerator for RSA PSS keys." into mnc-dev

author: Alex Klyubin <klyubin@google.com> 2015-06-12 19:54:18 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2015-06-12 19:54:20 +0000
commit: 6cb8e30bb7e79cb694bf44d185da201e9deb9363 (patch)
tree: 30c35f297274ec98d6bba5cdd2b31fe79c46e71d /keystore/java
parent: 768695a899825561a61f70740f642be0ed35c39f (diff)
parent: 7c475cc7c3f1159d5a8115382deb5332aca76144 (diff)
1 files changed, 30 insertions, 0 deletions
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
index c8ecbcd1cfd7..b93424dbf641 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java
@@ -691,6 +691,36 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
             }
             case KeymasterDefs.KM_ALGORITHM_RSA:
             {
+                // Check whether this key is authorized for PKCS#1 signature padding.
+                // We use Bouncy Castle to generate self-signed RSA certificates. Bouncy Castle
+                // only supports RSA certificates signed using PKCS#1 padding scheme. The key needs
+                // to be authorized for PKCS#1 padding or padding NONE which means any padding.
+                boolean pkcs1SignaturePaddingSupported = false;
+                for (int keymasterPadding : KeyProperties.SignaturePadding.allToKeymaster(
+                        spec.getSignaturePaddings())) {
+                    if ((keymasterPadding == KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_SIGN)
+                            || (keymasterPadding == KeymasterDefs.KM_PAD_NONE)) {
+                        pkcs1SignaturePaddingSupported = true;
+                        break;
+                    }
+                }
+                if (!pkcs1SignaturePaddingSupported) {
+                    // Keymaster doesn't distinguish between encryption padding NONE and signature
+                    // padding NONE. In the Android Keystore API only encryption padding NONE is
+                    // exposed.
+                    for (int keymasterPadding : KeyProperties.EncryptionPadding.allToKeymaster(
+                            spec.getEncryptionPaddings())) {
+                        if (keymasterPadding == KeymasterDefs.KM_PAD_NONE) {
+                            pkcs1SignaturePaddingSupported = true;
+                            break;
+                        }
+                    }
+                }
+                if (!pkcs1SignaturePaddingSupported) {
+                    // Key not authorized for PKCS#1 signature padding -- can't sign
+                    return null;
+                }
+
                 Set<Integer> availableKeymasterDigests = getAvailableKeymasterSignatureDigests(
                         spec.getDigests(),
                         AndroidKeyStoreBCWorkaroundProvider.getSupportedEcdsaSignatureDigests());
author	Alex Klyubin <klyubin@google.com>	2015-06-12 19:54:18 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2015-06-12 19:54:20 +0000
commit	6cb8e30bb7e79cb694bf44d185da201e9deb9363 (patch)
tree	30c35f297274ec98d6bba5cdd2b31fe79c46e71d /keystore/java
parent	768695a899825561a61f70740f642be0ed35c39f (diff)
parent	7c475cc7c3f1159d5a8115382deb5332aca76144 (diff)