Commit 3b10f385 authored Aug 28, 2025 by Catherine Vlasov

Accept "EdDSA" as the JCA key algorithm name when generating Ed25519 keys.

Conscrypt added support for Ed25519 signatures in
https://github.com/google/conscrypt/commit/5473d34964ce77ab2594ae0cc0ecf74931f28cc3.
This involved introducing a "OpenSslEdDsaPublicKey" class that returns
"EdDSA" as the algorithm name and is registered in the
"OpenSSLProvider".

When the "AndroidKeyStoreProvider" generates a key pair, the public key
operations are delegated to the "OpenSSLProvider". It uses the
"OpenSSLX509Certificate" class to extract the key algorithm name from
the public key's X.509 certificate. If the OID in the certificate can't
be mapped to an algorithm name, the OID itself is returned in a string
as the algorithm name.

The introduction of the "OpenSslEdDsaPublicKey" class meant that the
"OpenSSLProvider" was able to produce a more meaningful key algorithm
name, but the "AndroidKeyStoreProvider" didn't recognize it since the
OID was hard-coded in the algorithm validation logic to reflect the
fallback logic in the "OpenSSLX509Certificate" class. This caused the
Android Keystore CTS tests related to Ed25519 to fail due to the
unrecognized algorithm name and the merge had to be reverted. See
ag/34292636.

This fix accepts both the OID and "EdDSA" as algorithm names. Once the
upstream Conscrypt changes get merged into Android and are stable for
a while, we can stop accepting the OID.

Bug: 430870763
Flag: EXEMPT BUGFIX
Test: atest CtsKeystoreTestCases:android.keystore.cts.Curve25519Test
      (with the OpenSSLProvider changes manually patched)
Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest
      (with the OpenSSLProvider changes manually patched)
Change-Id: I4fc42e46cfbeaaca5691bdaf03af98417fe8192d

parent 9b80ed20

keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java

+12 −2

Original line number	Diff line number	Diff line
		@@ -68,8 +68,14 @@ public class AndroidKeyStoreProvider extends Provider {
		private static final String DESEDE_SYSTEM_PROPERTY =
		"ro.hardware.keystore_desede";

		// Conscrypt returns the Ed25519 OID as the JCA key algorithm.
		// Conscrypt added EdDSA classes to the "OpenSSLProvider" in
		// https://github.com/google/conscrypt/commit/5473d34964ce77ab2594ae0cc0ecf74931f28cc3.
		// The public key class returns "EdDSA" as the JCA key algorithm name. Before this class was
		// introduced, the OpenSSLX509Certificate class would fall back to using the OID as the
		// algorithm name.
		private static final String ED25519_OID = "1.3.101.112";
		private static final String EDDSA_ALGORITHM_NAME = "EdDSA";

		// Conscrypt returns "XDH" as the X25519 JCA key algorithm.
		private static final String X25519_ALIAS = "XDH";

		@@ -245,7 +251,11 @@ public class AndroidKeyStoreProvider extends Provider {
		} else if (KeyProperties.KEY_ALGORITHM_RSA.equalsIgnoreCase(jcaKeyAlgorithm)) {
		return new AndroidKeyStoreRSAPublicKey(descriptor, metadata,
		iSecurityLevel, (RSAPublicKey) publicKey);
		} else if (ED25519_OID.equalsIgnoreCase(jcaKeyAlgorithm)) {
		} else if (ED25519_OID.equalsIgnoreCase(jcaKeyAlgorithm)
		\|\| EDDSA_ALGORITHM_NAME.equalsIgnoreCase(jcaKeyAlgorithm)) {
		// This condition should be updated to only accept "EdDSA" as the algorithm name once
		// https://github.com/google/conscrypt/commit/5473d34964ce77ab2594ae0cc0ecf74931f28cc3
		// is merged into Android.
		final byte[] publicKeyEncoded = publicKey.getEncoded();
		return new AndroidKeyStoreEdECPublicKey(descriptor, metadata, ED25519_OID,
		iSecurityLevel, publicKeyEncoded);