| d23dc502b0a1952887d4453cba98aa2e3d2f5009 |
|
24-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Make NONEwithECDSA truncate input when necessary.
Keymaster's implementation of ECDSA with digest NONE rejects input
longer than group size in bytes. RI's NONEwithECDSA accepts inputs
of arbitrary length by truncating them to the above size. This CL
makes Android Keystore's NONEwithECDSA do the truncation to keep
the JCA and Keymaster happy.
The change is inside AndroidKeyStoreECDSASignatureSpi$NONE. All other
small modifications are for supporting that change by making it
possible for AndroidKeyStoreSignatureSpiBase to pass in the signature
being verified into KeyStoreCryptoOperationStreamer. This in turn is
needed to make it possible for NONEwithECDSA implementation to provide
a wrapper streamer which truncates input.
Bug: 22030217
Change-Id: I26064f6df37ef8c631d70a36a356aa0b76a9ad29
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreSignatureSpiBase.java
|
| a72b55195c23fc06d1600efe8f6aac85290c7f8f |
|
12-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Obtain entropy later in crypto operations, when possible.
This makes Android Keystore crypto operations defer pulling entropy
from provided SecureRandom until KeyStore.finish, where appropriate.
Such as when performing asymmetric encryption or generating
signatures.
Bug: 18088752
Change-Id: I4a897754e9a846214cf0995c5514f98cf0edd76b
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreSignatureSpiBase.java
|
| 4a0ff7ca984d29bd34b02e54441957cad65e8b53 |
|
09-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Android Keystore keys are no longer backed by Conscrypt.
This switches Android Keystore asymmetric keys from being backed by
Conscrypt (via keystore-engine which is an OpenSSL/BoringSSL ENGINE
which talks to keystore via the old KeyStore API) to being backed by
the AndroidKeyStore Provider which talks to keystore via the new
KeyStore API. In effect, this switches asymmetric crypto offered by
Android Keystore from old Keystore API to new KeyStore API, enabling
all the new features such as enforcement of authorizations on key use.
Some algorithms offered by Android Keystore, such as RSA with OAEP
or PSS padding schemes, are not supported by other providers. This
complicates matters because Android Keystore only supports public key
operations if the corresponding private key is in the keystore. Thus,
Android Keystore can only offer these operations for its own public
keys only. This requires AndroidKeyStore to use its own subclasses of
PublicKey everywhere. The ugliest place is where it needs to return
its own subclass of X509Certificate only to be able to return its
own subclass of PublicKey from Certificate.getPublicKey().
Bug: 18088752
Bug: 19284418
Bug: 20912868
Change-Id: Id234f9ab9ff72d353ca1ff66768bd3d46da50d64
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreSignatureSpiBase.java
|
| ccbe88a505848896e59ef8eb4e8405037ba94e88 |
|
03-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Expose RSA and ECDSA Signature from Android Keystore Provider.
The RSA Signature supports PKCS#1 and PSS padding.
Bug: 18088752
Bug: 20912868
Change-Id: I03cdc86d1935af36f7c87a0b23d67f813829cfb0
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreSignatureSpiBase.java
|