From ca0d4d8f42b7a2f8234fb6213d6d6a3f5125435b Mon Sep 17 00:00:00 2001 From: Max Bires Date: Tue, 12 Nov 2019 13:42:58 -0800 Subject: Updating accepted HMAC key sizes In order to keep conformity across the ecosystem, keystore will enforce that HMAC key sizes coming in through the framework must be limited to the range of 64-512 bits, inclusive. This will be the case for both TEE and StrongBox Keymaster implementations. Bug: 143404829 Test: atest CtsKeystoreTestCases Change-Id: I2ea867392060f4478b5a01bd747a4345e1fded4c --- .../android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java index 3dc884eb38ad..17aacb9756aa 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java @@ -210,13 +210,9 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { } } if (mKeymasterAlgorithm == KeymasterDefs.KM_ALGORITHM_HMAC) { - if (mKeySizeBits < 64) { + if (mKeySizeBits < 64 || mKeySizeBits > 512) { throw new InvalidAlgorithmParameterException( - "HMAC key size must be at least 64 bits."); - } - if (mKeySizeBits > 512 && spec.isStrongBoxBacked()) { - throw new InvalidAlgorithmParameterException( - "StrongBox HMAC key size must be smaller than 512 bits."); + "HMAC key sizes must be within 64-512 bits, inclusive."); } // JCA HMAC key algorithm implies a digest (e.g., HmacSHA256 key algorithm -- cgit v1.2.3-59-g8ed1b