Loading keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java +30 −11 Original line number Diff line number Diff line Loading @@ -368,7 +368,10 @@ abstract class AndroidKeyStoreCipherSpiBase extends CipherSpi implements KeyStor byte[] output; try { output = mMainDataStreamer.doFinal(input, inputOffset, inputLen); byte[] additionalEntropy = KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng( mRng, getAdditionalEntropyAmountForFinish()); output = mMainDataStreamer.doFinal(input, inputOffset, inputLen, additionalEntropy); } catch (KeyStoreException e) { switch (e.getErrorCode()) { case KeymasterDefs.KM_ERROR_INVALID_INPUT_LENGTH: Loading Loading 
@@ -667,20 +670,36 @@ abstract class AndroidKeyStoreCipherSpiBase extends CipherSpi implements KeyStor /** * Returns the amount of additional entropy (in bytes) to be provided to the KeyStore's * {@code begin} operation. * {@code begin} operation. This amount of entropy is typically what's consumed to generate * random parameters, such as IV. * * <p>For decryption, this should be {@code 0} because decryption should not be consuming any * entropy. For encryption, this value should match (or exceed) the amount of Shannon entropy of * the ciphertext produced by this cipher assuming the key, the plaintext, and all explicitly * provided parameters to {@code Cipher.init} are known. For example, for AES CBC encryption * with an explicitly provided IV this should be {@code 0}, whereas for the case where IV is * generated by the KeyStore's {@code begin} operation this should be {@code 16}. For RSA with * OAEP this should be the size of the OAEP hash output. For RSA with PKCS#1 padding this should * be the size of the padding string or could be raised (for simplicity) to the size of the * modulus. * <p>For decryption, the return value should be {@code 0} because decryption should not be * consuming any entropy. For encryption, the value combined with * {@link #getAdditionalEntropyAmountForFinish()} should match (or exceed) the amount of Shannon * entropy of the ciphertext produced by this cipher assuming the key, the plaintext, and all * explicitly provided parameters to {@code Cipher.init} are known. For example, for AES CBC * encryption with an explicitly provided IV the return value should be {@code 0}, whereas for * the case where IV is generated by the KeyStore's {@code begin} operation it should be * {@code 16}. */ protected abstract int getAdditionalEntropyAmountForBegin(); /** * Returns the amount of additional entropy (in bytes) to be provided to the KeyStore's * {@code finish} operation. 
This amount of entropy is typically what's consumed by encryption * padding scheme. * * <p>For decryption, the return value should be {@code 0} because decryption should not be * consuming any entropy. For encryption, the value combined with * {@link #getAdditionalEntropyAmountForBegin()} should match (or exceed) the amount of Shannon * entropy of the ciphertext produced by this cipher assuming the key, the plaintext, and all * explicitly provided parameters to {@code Cipher.init} are known. For example, for RSA with * OAEP the return value should be the size of the OAEP hash output. For RSA with PKCS#1 padding * the return value should be the size of the padding string or could be raised (for simplicity) * to the size of the modulus. */ protected abstract int getAdditionalEntropyAmountForFinish(); /** * Invoked to add algorithm-specific parameters for the KeyStore's {@code begin} operation. * Loading keystore/java/android/security/keystore/AndroidKeyStoreECDSASignatureSpi.java +2 −2 Original line number Diff line number Diff line Loading @@ -117,7 +117,7 @@ abstract class AndroidKeyStoreECDSASignatureSpi extends AndroidKeyStoreSignature } @Override protected int getAdditionalEntropyAmountForBegin() { return (isSigning()) ? mGroupSizeBytes : 0; protected int getAdditionalEntropyAmountForSign() { return mGroupSizeBytes; } } keystore/java/android/security/keystore/AndroidKeyStoreHmacSpi.java +4 −1 Original line number Diff line number Diff line Loading @@ -232,7 +232,10 @@ public abstract class AndroidKeyStoreHmacSpi extends MacSpi implements KeyStoreC byte[] result; try { result = mChunkedStreamer.doFinal(null, 0, 0); result = mChunkedStreamer.doFinal( null, 0, 0, null // no additional entropy needed -- HMAC is deterministic ); } catch (KeyStoreException e) { throw new ProviderException("Keystore operation failed", e); } Loading keystore/java/android/security/keystore/AndroidKeyStoreRSACipherSpi.java +18 −2 Original line number Diff line number Diff line Loading 
@@ -98,6 +98,11 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase return 0; } @Override protected final int getAdditionalEntropyAmountForFinish() { return 0; } @Override @NonNull protected KeyStoreCryptoOperationStreamer createMainDataStreamer( Loading Loading @@ -142,7 +147,8 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase } @Override public byte[] doFinal(byte[] input, int inputOffset, int inputLength) public byte[] doFinal(byte[] input, int inputOffset, int inputLength, byte[] additionalEntropy) throws KeyStoreException { if (inputLength > 0) { mInputBuffer.write(input, inputOffset, inputLength); Loading @@ -165,7 +171,7 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase "Message size (" + bufferedInput.length + " bytes) must be smaller than" + " modulus (" + mModulusSizeBytes + " bytes)"); } return mDelegate.doFinal(paddedInput, 0, paddedInput.length); return mDelegate.doFinal(paddedInput, 0, paddedInput.length, additionalEntropy); } } } Loading Loading @@ -207,6 +213,11 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase @Override protected final int getAdditionalEntropyAmountForBegin() { return 0; } @Override protected final int getAdditionalEntropyAmountForFinish() { return (isEncrypting()) ? getModulusSizeBytes() : 0; } } Loading Loading @@ -361,6 +372,11 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase @Override protected final int getAdditionalEntropyAmountForBegin() { return 0; } @Override protected final int getAdditionalEntropyAmountForFinish() { return (isEncrypting()) ? mDigestOutputSizeBytes : 0; } } Loading keystore/java/android/security/keystore/AndroidKeyStoreRSASignatureSpi.java +3 −3 Original line number Diff line number Diff line Loading 
@@ -36,7 +36,7 @@ abstract class AndroidKeyStoreRSASignatureSpi extends AndroidKeyStoreSignatureSp } @Override protected final int getAdditionalEntropyAmountForBegin() { protected final int getAdditionalEntropyAmountForSign() { // No entropy required for this deterministic signature scheme. return 0; } Loading Loading @@ -92,8 +92,8 @@ abstract class AndroidKeyStoreRSASignatureSpi extends AndroidKeyStoreSignatureSp } @Override protected final int getAdditionalEntropyAmountForBegin() { return (isSigning()) ? SALT_LENGTH_BYTES : 0; protected final int getAdditionalEntropyAmountForSign() { return SALT_LENGTH_BYTES; } } Loading Loading
keystore/java/android/security/keystore/AndroidKeyStoreCipherSpiBase.java +30 −11 Original line number Diff line number Diff line Loading @@ -368,7 +368,10 @@ abstract class AndroidKeyStoreCipherSpiBase extends CipherSpi implements KeyStor byte[] output; try { output = mMainDataStreamer.doFinal(input, inputOffset, inputLen); byte[] additionalEntropy = KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng( mRng, getAdditionalEntropyAmountForFinish()); output = mMainDataStreamer.doFinal(input, inputOffset, inputLen, additionalEntropy); } catch (KeyStoreException e) { switch (e.getErrorCode()) { case KeymasterDefs.KM_ERROR_INVALID_INPUT_LENGTH: Loading Loading 
@@ -667,20 +670,36 @@ abstract class AndroidKeyStoreCipherSpiBase extends CipherSpi implements KeyStor /** * Returns the amount of additional entropy (in bytes) to be provided to the KeyStore's * {@code begin} operation. * {@code begin} operation. This amount of entropy is typically what's consumed to generate * random parameters, such as IV. * * <p>For decryption, this should be {@code 0} because decryption should not be consuming any * entropy. For encryption, this value should match (or exceed) the amount of Shannon entropy of * the ciphertext produced by this cipher assuming the key, the plaintext, and all explicitly * provided parameters to {@code Cipher.init} are known. For example, for AES CBC encryption * with an explicitly provided IV this should be {@code 0}, whereas for the case where IV is * generated by the KeyStore's {@code begin} operation this should be {@code 16}. For RSA with * OAEP this should be the size of the OAEP hash output. For RSA with PKCS#1 padding this should * be the size of the padding string or could be raised (for simplicity) to the size of the * modulus. * <p>For decryption, the return value should be {@code 0} because decryption should not be * consuming any entropy. For encryption, the value combined with * {@link #getAdditionalEntropyAmountForFinish()} should match (or exceed) the amount of Shannon * entropy of the ciphertext produced by this cipher assuming the key, the plaintext, and all * explicitly provided parameters to {@code Cipher.init} are known. For example, for AES CBC * encryption with an explicitly provided IV the return value should be {@code 0}, whereas for * the case where IV is generated by the KeyStore's {@code begin} operation it should be * {@code 16}. */ protected abstract int getAdditionalEntropyAmountForBegin(); /** * Returns the amount of additional entropy (in bytes) to be provided to the KeyStore's * {@code finish} operation. 
This amount of entropy is typically what's consumed by encryption * padding scheme. * * <p>For decryption, the return value should be {@code 0} because decryption should not be * consuming any entropy. For encryption, the value combined with * {@link #getAdditionalEntropyAmountForBegin()} should match (or exceed) the amount of Shannon * entropy of the ciphertext produced by this cipher assuming the key, the plaintext, and all * explicitly provided parameters to {@code Cipher.init} are known. For example, for RSA with * OAEP the return value should be the size of the OAEP hash output. For RSA with PKCS#1 padding * the return value should be the size of the padding string or could be raised (for simplicity) * to the size of the modulus. */ protected abstract int getAdditionalEntropyAmountForFinish(); /** * Invoked to add algorithm-specific parameters for the KeyStore's {@code begin} operation. * Loading
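Review bot: In the first hunk the finish path calls `getAdditionalEntropyAmountForFinish()` on every `doFinal`, so the Javadoc rule that decryption returns 0 is upheld only by each subclass, not by the base class. Because this value sizes the random bytes requested from `getRandomBytesToMixIntoKeystoreRng`, it is worth enforcing once here, e.g. `int amount = isEncrypting() ? getAdditionalEntropyAmountForFinish() : 0;` (assuming `isEncrypting()` is reachable in this class, as its use in the RSA subclasses suggests). The new Javadoc should also say that the return value must be non-negative, and whether a 0 request yields `null` or an empty array, since that result goes straight into the streamer's `doFinal`. A small wording fix: "consumed by encryption padding scheme" should read "consumed by the encryption padding scheme". The enclosing method of the first hunk starts and ends outside the hunk.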
keystore/java/android/security/keystore/AndroidKeyStoreECDSASignatureSpi.java +2 −2 Original line number Diff line number Diff line Loading @@ -117,7 +117,7 @@ abstract class AndroidKeyStoreECDSASignatureSpi extends AndroidKeyStoreSignature } @Override protected int getAdditionalEntropyAmountForBegin() { return (isSigning()) ? mGroupSizeBytes : 0; protected int getAdditionalEntropyAmountForSign() { return mGroupSizeBytes; } }
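Review bot: `getAdditionalEntropyAmountForSign()` now returns `mGroupSizeBytes` unconditionally, so with the old `isSigning()` guard gone, verification stays entropy-free only if the superclass calls this method solely on the signing path; that caller is not shown on this page. I would record the contract at the override, e.g. `// Queried only when signing: ECDSA consumes fresh per-signature randomness on the order of the group size.` The same applies to the second hunk of AndroidKeyStoreRSASignatureSpi.java, which now returns `SALT_LENGTH_BYTES` without the guard. This override is also not `final`, unlike the RSA signature overrides, which looks like an inconsistency rather than a deliberate extension point.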
keystore/java/android/security/keystore/AndroidKeyStoreHmacSpi.java +4 −1 Original line number Diff line number Diff line Loading @@ -232,7 +232,10 @@ public abstract class AndroidKeyStoreHmacSpi extends MacSpi implements KeyStoreC byte[] result; try { result = mChunkedStreamer.doFinal(null, 0, 0); result = mChunkedStreamer.doFinal( null, 0, 0, null // no additional entropy needed -- HMAC is deterministic ); } catch (KeyStoreException e) { throw new ProviderException("Keystore operation failed", e); } Loading
keystore/java/android/security/keystore/AndroidKeyStoreRSACipherSpi.java +18 −2 Original line number Diff line number Diff line Loading @@ -98,6 +98,11 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase return 0; } @Override protected final int getAdditionalEntropyAmountForFinish() { return 0; } @Override @NonNull protected KeyStoreCryptoOperationStreamer createMainDataStreamer( Loading Loading @@ -142,7 +147,8 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase } @Override public byte[] doFinal(byte[] input, int inputOffset, int inputLength) public byte[] doFinal(byte[] input, int inputOffset, int inputLength, byte[] additionalEntropy) throws KeyStoreException { if (inputLength > 0) { mInputBuffer.write(input, inputOffset, inputLength); Loading @@ -165,7 +171,7 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase "Message size (" + bufferedInput.length + " bytes) must be smaller than" + " modulus (" + mModulusSizeBytes + " bytes)"); } return mDelegate.doFinal(paddedInput, 0, paddedInput.length); return mDelegate.doFinal(paddedInput, 0, paddedInput.length, additionalEntropy); } } } Loading Loading @@ -207,6 +213,11 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase @Override protected final int getAdditionalEntropyAmountForBegin() { return 0; } @Override protected final int getAdditionalEntropyAmountForFinish() { return (isEncrypting()) ? getModulusSizeBytes() : 0; } } Loading Loading @@ -361,6 +372,11 @@ abstract class AndroidKeyStoreRSACipherSpi extends AndroidKeyStoreCipherSpiBase @Override protected final int getAdditionalEntropyAmountForBegin() { return 0; } @Override protected final int getAdditionalEntropyAmountForFinish() { return (isEncrypting()) ? mDigestOutputSizeBytes : 0; } } Loading
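Review bot: The three new `getAdditionalEntropyAmountForFinish()` overrides carry no why-comments, yet each amount encodes a security-relevant property of the padding scheme. Following the base-class Javadoc, I would add `// No random padding here, so no entropy is consumed.` on the override returning 0 (presumably the no-padding variant), `// PKCS#1 padding string is random; raised to the modulus size for simplicity.` on the `getModulusSizeBytes()` one, and `// OAEP consumes one hash output of randomness.` on the `mDigestOutputSizeBytes` one. Separately, the wrapped `doFinal` now forwards `additionalEntropy` to `mDelegate` without saying whether it may be `null`. The HMAC call site in this commit passes `null`, so the parameter should be documented as nullable where the streamer method is declared.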
keystore/java/android/security/keystore/AndroidKeyStoreRSASignatureSpi.java +3 −3 Original line number Diff line number Diff line Loading @@ -36,7 +36,7 @@ abstract class AndroidKeyStoreRSASignatureSpi extends AndroidKeyStoreSignatureSp } @Override protected final int getAdditionalEntropyAmountForBegin() { protected final int getAdditionalEntropyAmountForSign() { // No entropy required for this deterministic signature scheme. return 0; } Loading Loading @@ -92,8 +92,8 @@ abstract class AndroidKeyStoreRSASignatureSpi extends AndroidKeyStoreSignatureSp } @Override protected final int getAdditionalEntropyAmountForBegin() { return (isSigning()) ? SALT_LENGTH_BYTES : 0; protected final int getAdditionalEntropyAmountForSign() { return SALT_LENGTH_BYTES; } } Loading