3876b1be27e3aefde9a72eb2e4f856e94fc5f946 |
|
09-Sep-2015 |
Alex Klyubin <klyubin@google.com> |
Support cross-UID access from AndroidKeyStore. This is meant for exposing the pre-existing cross-UID access to keys backed by the keystore service via higher-level JCA API. For example, this lets system_server use Wi-Fi or VPN UID keys via JCA API. To obtain a JCA AndroidKeyStore KeyStore for another UID, use the hidden system API AndroidKeyStoreProvider.getKeyStoreForUid(uid). To generate a key owned by another UID, invoke setUid(uid) on KeyGenParameterSpec.Builder. This CL does not change the security policy, such as which UID can access/modify which UIDs' keys. The policy is that only certain system UIDs are permitted to access keys of certain other system UIDs. Bug: 23978113 Change-Id: Ie381530f41dc41c50d52f675fb9e68bc87c006de
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreSignatureSpiBase.java
|
d23dc502b0a1952887d4453cba98aa2e3d2f5009 |
|
24-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Make NONEwithECDSA truncate input when necessary. Keymaster's implementation of ECDSA with digest NONE rejects input longer than group size in bytes. RI's NONEwithECDSA accepts inputs of arbitrary length by truncating them to the above size. This CL makes Android Keystore's NONEwithECDSA do the truncation to keep the JCA and Keymaster happy. The change is inside AndroidKeyStoreECDSASignatureSpi$NONE. All other small modifications are for supporting that change by making it possible for AndroidKeyStoreSignatureSpiBase to pass in the signature being verified into KeyStoreCryptoOperationStreamer. This in turn is needed to make it possible for NONEwithECDSA implementation to provide a wrapper streamer which truncates input. Bug: 22030217 Change-Id: I26064f6df37ef8c631d70a36a356aa0b76a9ad29
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreSignatureSpiBase.java
|
a72b55195c23fc06d1600efe8f6aac85290c7f8f |
|
12-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Obtain entropy later in crypto operations, when possible. This makes Android Keystore crypto operations defer pulling entropy from provided SecureRandom until KeyStore.finish, where appropriate. Such as when performing asymmetric encryption or generating signatures. Bug: 18088752 Change-Id: I4a897754e9a846214cf0995c5514f98cf0edd76b
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreSignatureSpiBase.java
|
4a0ff7ca984d29bd34b02e54441957cad65e8b53 |
|
09-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Android Keystore keys are no longer backed by Conscrypt. This switches Android Keystore asymmetric keys from being backed by Conscrypt (via keystore-engine which is an OpenSSL/BoringSSL ENGINE which talks to keystore via the old KeyStore API) to being backed by the AndroidKeyStore Provider which talks to keystore via the new KeyStore API. In effect, this switches asymmetric crypto offered by Android Keystore from old Keystore API to new KeyStore API, enabling all the new features such as enforcement of authorizations on key use. Some algorithms offered by Android Keystore, such as RSA with OAEP or PSS padding schemes, are not supported by other providers. This complicates matters because Android Keystore only supports public key operations if the corresponding private key is in the keystore. Thus, Android Keystore can only offer these operations for its own public keys only. This requires AndroidKeyStore to use its own subclasses of PublicKey everywhere. The ugliest place is where it needs to return its own subclass of X509Certificate only to be able to return its own subclass of PublicKey from Certificate.getPublicKey(). Bug: 18088752 Bug: 19284418 Bug: 20912868 Change-Id: Id234f9ab9ff72d353ca1ff66768bd3d46da50d64
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreSignatureSpiBase.java
|
ccbe88a505848896e59ef8eb4e8405037ba94e88 |
|
03-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Expose RSA and ECDSA Signature from Android Keystore Provider. The RSA Signature supports PKCS#1 and PSS padding. Bug: 18088752 Bug: 20912868 Change-Id: I03cdc86d1935af36f7c87a0b23d67f813829cfb0
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreSignatureSpiBase.java
|