Allow entropy to be provided to some operations
generateKey and begin can now optionally take an array of bytes to add
to the rng entropy of the device before the operation. If entropy is
specified and the device does not support add_rng_entropy or the call
fails then that device will not be used, leading to fallback or error
depending on the situation.
Change-Id: Id7d33e3cc959594dfa5483d002993ba35c1fb134
diff --git a/core/java/android/security/IKeystoreService.aidl b/core/java/android/security/IKeystoreService.aidl
index d24bc13..14b5748 100644
--- a/core/java/android/security/IKeystoreService.aidl
+++ b/core/java/android/security/IKeystoreService.aidl
@@ -60,8 +60,8 @@
// Keymaster 0.4 methods
int addRngEntropy(in byte[] data);
- int generateKey(String alias, in KeymasterArguments arguments, int uid, int flags,
- out KeyCharacteristics characteristics);
+ int generateKey(String alias, in KeymasterArguments arguments, in byte[] entropy, int uid,
+ int flags, out KeyCharacteristics characteristics);
int getKeyCharacteristics(String alias, in KeymasterBlob clientId, in KeymasterBlob appId,
out KeyCharacteristics characteristics);
int importKey(String alias, in KeymasterArguments arguments, int format,
@@ -69,7 +69,7 @@
ExportResult exportKey(String alias, int format, in KeymasterBlob clientId,
in KeymasterBlob appId);
OperationResult begin(IBinder appToken, String alias, int purpose, boolean pruneable,
- in KeymasterArguments params, out KeymasterArguments operationParams);
+ in KeymasterArguments params, in byte[] entropy, out KeymasterArguments operationParams);
OperationResult update(IBinder token, in KeymasterArguments params, in byte[] input);
OperationResult finish(IBinder token, in KeymasterArguments params, in byte[] signature);
int abort(IBinder handle);
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 957e3c1..f68b3f6 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -389,19 +389,19 @@
}
}
- public int generateKey(String alias, KeymasterArguments args, int uid, int flags,
- KeyCharacteristics outCharacteristics) {
+ public int generateKey(String alias, KeymasterArguments args, byte[] entropy, int uid,
+ int flags, KeyCharacteristics outCharacteristics) {
try {
- return mBinder.generateKey(alias, args, uid, flags, outCharacteristics);
+ return mBinder.generateKey(alias, args, entropy, uid, flags, outCharacteristics);
} catch (RemoteException e) {
Log.w(TAG, "Cannot connect to keystore", e);
return SYSTEM_ERROR;
}
}
- public int generateKey(String alias, KeymasterArguments args, int flags,
+ public int generateKey(String alias, KeymasterArguments args, byte[] entropy, int flags,
KeyCharacteristics outCharacteristics) {
- return generateKey(alias, args, UID_SELF, flags, outCharacteristics);
+ return generateKey(alias, args, entropy, UID_SELF, flags, outCharacteristics);
}
public int getKeyCharacteristics(String alias, KeymasterBlob clientId, KeymasterBlob appId,
@@ -441,9 +441,9 @@
}
public OperationResult begin(String alias, int purpose, boolean pruneable,
- KeymasterArguments args, KeymasterArguments outArgs) {
+ KeymasterArguments args, byte[] entropy, KeymasterArguments outArgs) {
try {
- return mBinder.begin(getToken(), alias, purpose, pruneable, args, outArgs);
+ return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, outArgs);
} catch (RemoteException e) {
Log.w(TAG, "Cannot connect to keystore", e);
return null;
diff --git a/keystore/tests/src/android/security/KeyStoreTest.java b/keystore/tests/src/android/security/KeyStoreTest.java
index f755bb0..7468fb5e 100644
--- a/keystore/tests/src/android/security/KeyStoreTest.java
+++ b/keystore/tests/src/android/security/KeyStoreTest.java
@@ -717,7 +717,7 @@
RSAKeyGenParameterSpec.F4.longValue());
KeyCharacteristics outCharacteristics = new KeyCharacteristics();
- int result = mKeyStore.generateKey(name, args, 0, outCharacteristics);
+ int result = mKeyStore.generateKey(name, args, null, 0, outCharacteristics);
assertEquals("generateRsaKey should succeed", KeyStore.NO_ERROR, result);
return outCharacteristics;
}
@@ -726,6 +726,24 @@
generateRsaKey("test");
mKeyStore.delete("test");
}
+
+ public void testGenerateRsaWithEntropy() throws Exception {
+ byte[] entropy = new byte[] {1,2,3,4,5};
+ String name = "test";
+ KeymasterArguments args = new KeymasterArguments();
+ args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT);
+ args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT);
+ args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA);
+ args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE);
+ args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, 2048);
+ args.addLong(KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT,
+ RSAKeyGenParameterSpec.F4.longValue());
+
+ KeyCharacteristics outCharacteristics = new KeyCharacteristics();
+ int result = mKeyStore.generateKey(name, args, entropy, 0, outCharacteristics);
+ assertEquals("generateKey should succeed", KeyStore.NO_ERROR, result);
+ }
+
public void testGenerateAndDelete() throws Exception {
generateRsaKey("test");
assertTrue("delete should succeed", mKeyStore.delete("test"));
@@ -756,7 +774,7 @@
RSAKeyGenParameterSpec.F4.longValue());
KeyCharacteristics outCharacteristics = new KeyCharacteristics();
- int result = mKeyStore.generateKey(name, args, 0, outCharacteristics);
+ int result = mKeyStore.generateKey(name, args, null, 0, outCharacteristics);
assertEquals("generateRsaKey should succeed", KeyStore.NO_ERROR, result);
assertEquals("getKeyCharacteristics should fail without application ID",
KeymasterDefs.KM_ERROR_INVALID_KEY_BLOB,
@@ -790,13 +808,13 @@
args.addInt(KeymasterDefs.KM_TAG_MAC_LENGTH, 16);
KeyCharacteristics outCharacteristics = new KeyCharacteristics();
- int rc = mKeyStore.generateKey(name, args, 0, outCharacteristics);
+ int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics);
assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc);
KeymasterArguments out = new KeymasterArguments();
args = new KeymasterArguments();
OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT,
- true, args, out);
+ true, args, null, out);
IBinder token = result.token;
assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode);
result = mKeyStore.update(token, null, new byte[] {0x01, 0x02, 0x03, 0x04});
@@ -826,7 +844,7 @@
private byte[] doOperation(String name, int purpose, byte[] in, KeymasterArguments beginArgs) {
KeymasterArguments out = new KeymasterArguments();
OperationResult result = mKeyStore.begin(name, purpose,
- true, beginArgs, out);
+ true, beginArgs, null, out);
assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode);
IBinder token = result.token;
result = mKeyStore.update(token, null, in);
@@ -885,18 +903,19 @@
args.addInt(KeymasterDefs.KM_TAG_MAC_LENGTH, 16);
KeyCharacteristics outCharacteristics = new KeyCharacteristics();
- int rc = mKeyStore.generateKey(name, args, 0, outCharacteristics);
+ int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics);
assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc);
KeymasterArguments out = new KeymasterArguments();
args = new KeymasterArguments();
OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT,
- true, args, out);
+ true, args, null, out);
assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode);
IBinder first = result.token;
// Implementation detail: softkeymaster supports 16 concurrent operations
for (int i = 0; i < 16; i++) {
- result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, true, args, out);
+ result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, true, args, null,
+ out);
assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode);
}
// At this point the first operation should be pruned.