| 7b0b9a1351df7fdcd9ea5d72fe5041186e3789fc |
|
25-Nov-2015 |
Alex Klyubin <klyubin@google.com> |
Merge "Custom engineUpdate/engineDoFinal(ByteBuffer, ByteBuffer)." am: e766e399c5 am: 4bc1904119
am: 0540e1b127
* commit '0540e1b127e03ecc97c32719ac79769d69c16aec':
Custom engineUpdate/engineDoFinal(ByteBuffer, ByteBuffer).
|
| d976c5a4ee0d093592a93ada6e5118dec6892e9b |
|
25-Nov-2015 |
Alex Klyubin <klyubin@google.com> |
Custom engineUpdate/engineDoFinal(ByteBuffer, ByteBuffer).
This makes Android Keystore's Cipher implementation use a custom
implementation of engineUpdate(ByteBuffer, ByteBuffer) and
engineDoFinal(ByteBuffer, ByteBuffer). The implementation is
explicitly designed around the fact that Android Keystore transmits
input and receives output via Binder and thus there's no need to
attempt any optimizations to avoid copying input and output.
Bug: 25863382
Change-Id: I311072891f02f5e7a283628b51b8d6058b55231c
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| 3876b1be27e3aefde9a72eb2e4f856e94fc5f946 |
|
09-Sep-2015 |
Alex Klyubin <klyubin@google.com> |
Support cross-UID access from AndroidKeyStore.
This is meant for exposing the pre-existing cross-UID access to keys
backed by the keystore service via higher-level JCA API. For example,
this lets system_server use Wi-Fi or VPN UID keys via JCA API.
To obtain a JCA AndroidKeyStore KeyStore for another UID, use the
hidden system API AndroidKeyStoreProvider.getKeyStoreForUid(uid).
To generate a key owned by another UID, invoke setUid(uid) on
KeyGenParameterSpec.Builder.
This CL does not change the security policy, such as which UID can
access/modify which UIDs' keys. The policy is that only certain system
UIDs are permitted to access keys of certain other system UIDs.
Bug: 23978113
Change-Id: Ie381530f41dc41c50d52f675fb9e68bc87c006de
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| 25d2270704e246d897596c991a36233cdc620790 |
|
25-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Support RSA encrypt using private key and PKCS#1 paddding.
Some apps such as OpenVPN Connect for some reason generate
PKCS#1-padded RSA signatures using Cipher (initialized in
Cipher.ENCRYPT_MODE with private key!) instead of using Signature.
Unfortunately, RI supports this strange behavior and previous releases
of Android Keystore did the same. So, we have to continue supporting
this craziness.
Bug: 22083023
Change-Id: Ife3950d0d4ceb4e44e08014635312c1252878b69
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| d23dc502b0a1952887d4453cba98aa2e3d2f5009 |
|
24-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Make NONEwithECDSA truncate input when necessary.
Keymaster's implementation of ECDSA with digest NONE rejects input
longer than group size in bytes. RI's NONEwithECDSA accepts inputs
of arbitrary length by truncating them to the above size. This CL
makes Android Keystore's NONEwithECDSA do the truncation to keep
the JCA and Keymaster happy.
The change is inside AndroidKeyStoreECDSASignatureSpi$NONE. All other
small modifications are for supporting that change by making it
possible for AndroidKeyStoreSignatureSpiBase to pass in the signature
being verified into KeyStoreCryptoOperationStreamer. This in turn is
needed to make it possible for NONEwithECDSA implementation to provide
a wrapper streamer which truncates input.
Bug: 22030217
Change-Id: I26064f6df37ef8c631d70a36a356aa0b76a9ad29
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| ae1e0e9265ce276d33ed47349074f443ea028b93 |
|
20-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Fix a bug in Android Keystore updateAAD.
The variant of CipherSpi.engineUpdateAAD which takes ByteBuffers
delegated to a byte[]-taking variant of superclass instead of its own
class.
Bug: 18088752
Change-Id: I3b426bbdca54bbf7f6f3939589da07b24db14d0d
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| 00af27b7d9010eb41e45959dab7c4ff6de119897 |
|
02-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Expose AES GCM backed by Android Keystore.
Bug: 18088752
Bug: 21786749
Change-Id: Ica90491037d2920f7635195894ba18882fc4406d
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| a72b55195c23fc06d1600efe8f6aac85290c7f8f |
|
12-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Obtain entropy later in crypto operations, when possible.
This makes Android Keystore crypto operations defer pulling entropy
from provided SecureRandom until KeyStore.finish, where appropriate.
Such as when performing asymmetric encryption or generating
signatures.
Bug: 18088752
Change-Id: I4a897754e9a846214cf0995c5514f98cf0edd76b
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| 508e665ceaee3e973c17588e8830030662f24b1f |
|
09-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Support for Android Keystore Cipher.wrap and unwrap.
Cipher.wrap and .unwrap are supported by Android Keystore in released
versions of Android. The new Android Keystore provider should thus
continue supporting these for backward compatibility.
Bug: 18088752
Change-Id: I95319b13d5c4e9681f6539016e6449d73f81131d
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| 5552c89fa9cb5ac72edbbcb5a71ef14a07f5ea11 |
|
04-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
RSA encrypt with private key in Android Keystore.
This adds support for RSA encryption using private key and no padding.
This mode of operation is needed because JCA does not offer an RSA
Signature primitive that does not apply padding.
Bug: 18088752
Bug: 20912868
Change-Id: I0b481b4c19916f601aa270fada5eabfb12987e8d
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| 4f389fd200fee9e055d3f28b20bee3132329a056 |
|
29-May-2015 |
Alex Klyubin <klyubin@google.com> |
Expose RSA Cipher from Android Keystore Provider.
The RSA Cipher supports OAEPPadding, PKCS1Padding and NoPadding
padding schemes.
Bug: 18088752
Bug: 20912868
Change-Id: Ie050e12705bb553a402760a1d253fdb2247a1d50
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| 966486e134c901ea61195b352fdd81476b3639b4 |
|
01-Jun-2015 |
Chad Brubaker <cbrubaker@google.com> |
Track changes to the keystore binder API
Output parameters are gone from begin, instead they will returned in the
OperationResult and begin, update, and finish may return output
parameters.
Change-Id: I072afeb6c65f6c512b40603824c25686ac44e7c8
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| 96d7245c00be386355ec583ac980b024b223218b |
|
29-May-2015 |
Alex Klyubin <klyubin@google.com> |
Cleanup Binder token resetting.
This is a follow-up to 7cbcfd4fc1e538bd391a20cdd00dd1494ace2d0e where
during the review it was pointed out that the code could be
streamlined.
Bug: 18088752
Change-Id: Iecb9fdbc31a0f3cdcb94ddb1b3e7e12a0543a231
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|
| 7cbcfd4fc1e538bd391a20cdd00dd1494ace2d0e |
|
28-May-2015 |
Alex Klyubin <klyubin@google.com> |
Refactor Android Keystore CipherSpi base class.
This makes Android Keystore's CipherSpi base class suitable for
implementing AES and RSA ciphers. Previously, the class was heavily
biased towards only AES.
Bug: 18088752
Change-Id: I6bd1ca54165592d28482e56471dcfe0344337cf4
/frameworks/base/keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java
|