Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3875cf7e authored by Eran Messeri's avatar Eran Messeri
Browse files

Curve 25519: Support use via Android Keystore provider (part 1) 

Ensure that the user gets an accurate error message when they try to
generate Curve 25519 keys according to JEP 324
(https://openjdk.java.net/jeps/324).

Android Keystore requires every key to have a name, so it is not
possible to generate a key using NamedParameterSpec only (with a
KeyPairGenerator).

Support this and throw an exception to the caller indicating how they
_can_ generate keys with this curve.

Bug: 222440855
Bug: 195309719
Bug: 194359292
Test: atest android.keystore.cts.KeyFactoryTest android.keystore.cts.Curve25519Test
Test: atest CtsLibcoreTestCases:libcore.java.security.ProviderTest
Change-Id: I5aa163f177507906c6482d079eb6cb55d93accf7
parent 19935982

keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java

+27 −0
Original line number Diff line number Diff line
@@ -108,6 +108,16 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato 
        }

    }



    /**

     * XDH represents Curve 25519 providers.

     */

    public static class XDH extends AndroidKeyStoreKeyPairGeneratorSpi {

        // XDH is treated as EC.

        public XDH() {

            super(KeymasterDefs.KM_ALGORITHM_EC);

        }

    }



    /*

     * These must be kept in sync with system/security/keystore/defaults.h

     */
@@ -242,6 +252,23 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato 
                } catch (NullPointerException | IllegalArgumentException e) {

                    throw new InvalidAlgorithmParameterException(e);

                }

            } else if (params instanceof NamedParameterSpec) {

                NamedParameterSpec namedSpec = (NamedParameterSpec) params;

                // Android Keystore cannot support initialization from a NamedParameterSpec

                // because an alias for the key is needed (a KeyGenParameterSpec cannot be

                // constructed).

                if (namedSpec.getName().equalsIgnoreCase(NamedParameterSpec.X25519.getName())

                        || namedSpec.getName().equalsIgnoreCase(

                        NamedParameterSpec.ED25519.getName())) {

                    throw new IllegalArgumentException(

                            "This KeyPairGenerator cannot be initialized using NamedParameterSpec."

                                    + " use " + KeyGenParameterSpec.class.getName() + " or "

                                    + KeyPairGeneratorSpec.class.getName());

                } else {

                    throw new InvalidAlgorithmParameterException(

                            "Unsupported algorithm specified via NamedParameterSpec: "

                            + namedSpec.getName());

                }

            } else {

                throw new InvalidAlgorithmParameterException(

                        "Unsupported params class: " + params.getClass().getName()

keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java

+2 −0
Original line number Diff line number Diff line
@@ -83,10 +83,12 @@ public class AndroidKeyStoreProvider extends Provider { 
        // java.security.KeyPairGenerator

        put("KeyPairGenerator.EC", PACKAGE_NAME + ".AndroidKeyStoreKeyPairGeneratorSpi$EC");

        put("KeyPairGenerator.RSA", PACKAGE_NAME +  ".AndroidKeyStoreKeyPairGeneratorSpi$RSA");

        put("KeyPairGenerator.XDH", PACKAGE_NAME +  ".AndroidKeyStoreKeyPairGeneratorSpi$XDH");



        // java.security.KeyFactory

        putKeyFactoryImpl("EC");

        putKeyFactoryImpl("RSA");

        putKeyFactoryImpl("XDH");



        // javax.crypto.KeyGenerator

        put("KeyGenerator.AES", PACKAGE_NAME + ".AndroidKeyStoreKeyGeneratorSpi$AES");