Loading keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java +4 −0 Original line number Original line Diff line number Diff line Loading @@ -210,6 +210,10 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { throw new InvalidAlgorithmParameterException( throw new InvalidAlgorithmParameterException( "HMAC key size must be at least 64 bits."); "HMAC key size must be at least 64 bits."); } } if (mKeySizeBits > 512 && spec.isStrongBoxBacked()) { throw new InvalidAlgorithmParameterException( "StrongBox HMAC key size must be smaller than 512 bits."); } // JCA HMAC key algorithm implies a digest (e.g., HmacSHA256 key algorithm // JCA HMAC key algorithm implies a digest (e.g., HmacSHA256 key algorithm // implies SHA-256 digest). Because keymaster HMAC key is authorized only for // implies SHA-256 digest). Because keymaster HMAC key is authorized only for Loading keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +10 −2 Original line number Original line Diff line number Diff line Loading @@ -303,7 +303,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato if (mKeySizeBits == -1) { if (mKeySizeBits == -1) { mKeySizeBits = getDefaultKeySize(keymasterAlgorithm); mKeySizeBits = getDefaultKeySize(keymasterAlgorithm); } } checkValidKeySize(keymasterAlgorithm, mKeySizeBits); checkValidKeySize(keymasterAlgorithm, mKeySizeBits, mSpec.isStrongBoxBacked()); if (spec.getKeystoreAlias() == null) { if (spec.getKeystoreAlias() == null) { throw new InvalidAlgorithmParameterException("KeyStore entry alias not provided"); throw new InvalidAlgorithmParameterException("KeyStore entry alias not provided"); Loading Loading @@ -724,10 +724,18 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato } } } } private static void checkValidKeySize(int keymasterAlgorithm, int keySize) private static void checkValidKeySize( int keymasterAlgorithm, int keySize, boolean isStrongBoxBacked) throws InvalidAlgorithmParameterException { throws InvalidAlgorithmParameterException { switch (keymasterAlgorithm) { switch (keymasterAlgorithm) { case KeymasterDefs.KM_ALGORITHM_EC: case KeymasterDefs.KM_ALGORITHM_EC: if (isStrongBoxBacked && keySize != 256) { throw new InvalidAlgorithmParameterException( "Unsupported StrongBox EC key size: " + keySize + " bits. Supported: 256"); } if (!SUPPORTED_EC_NIST_CURVE_SIZES.contains(keySize)) { if (!SUPPORTED_EC_NIST_CURVE_SIZES.contains(keySize)) { throw new InvalidAlgorithmParameterException("Unsupported EC key size: " throw new InvalidAlgorithmParameterException("Unsupported EC key size: " + keySize + " bits. Supported: " + SUPPORTED_EC_NIST_CURVE_SIZES); + keySize + " bits. Supported: " + SUPPORTED_EC_NIST_CURVE_SIZES); Loading Loading
keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java +4 −0 Original line number Original line Diff line number Diff line Loading @@ -210,6 +210,10 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { throw new InvalidAlgorithmParameterException( throw new InvalidAlgorithmParameterException( "HMAC key size must be at least 64 bits."); "HMAC key size must be at least 64 bits."); } } if (mKeySizeBits > 512 && spec.isStrongBoxBacked()) { throw new InvalidAlgorithmParameterException( "StrongBox HMAC key size must be smaller than 512 bits."); } // JCA HMAC key algorithm implies a digest (e.g., HmacSHA256 key algorithm // JCA HMAC key algorithm implies a digest (e.g., HmacSHA256 key algorithm // implies SHA-256 digest). Because keymaster HMAC key is authorized only for // implies SHA-256 digest). Because keymaster HMAC key is authorized only for Loading
keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +10 −2 Original line number Original line Diff line number Diff line Loading @@ -303,7 +303,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato if (mKeySizeBits == -1) { if (mKeySizeBits == -1) { mKeySizeBits = getDefaultKeySize(keymasterAlgorithm); mKeySizeBits = getDefaultKeySize(keymasterAlgorithm); } } checkValidKeySize(keymasterAlgorithm, mKeySizeBits); checkValidKeySize(keymasterAlgorithm, mKeySizeBits, mSpec.isStrongBoxBacked()); if (spec.getKeystoreAlias() == null) { if (spec.getKeystoreAlias() == null) { throw new InvalidAlgorithmParameterException("KeyStore entry alias not provided"); throw new InvalidAlgorithmParameterException("KeyStore entry alias not provided"); Loading Loading @@ -724,10 +724,18 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato } } } } private static void checkValidKeySize(int keymasterAlgorithm, int keySize) private static void checkValidKeySize( int keymasterAlgorithm, int keySize, boolean isStrongBoxBacked) throws InvalidAlgorithmParameterException { throws InvalidAlgorithmParameterException { switch (keymasterAlgorithm) { switch (keymasterAlgorithm) { case KeymasterDefs.KM_ALGORITHM_EC: case KeymasterDefs.KM_ALGORITHM_EC: if (isStrongBoxBacked && keySize != 256) { throw new InvalidAlgorithmParameterException( "Unsupported StrongBox EC key size: " + keySize + " bits. Supported: 256"); } if (!SUPPORTED_EC_NIST_CURVE_SIZES.contains(keySize)) { if (!SUPPORTED_EC_NIST_CURVE_SIZES.contains(keySize)) { throw new InvalidAlgorithmParameterException("Unsupported EC key size: " throw new InvalidAlgorithmParameterException("Unsupported EC key size: " + keySize + " bits. Supported: " + SUPPORTED_EC_NIST_CURVE_SIZES); + keySize + " bits. Supported: " + SUPPORTED_EC_NIST_CURVE_SIZES); Loading