diff options
author | Janis Danisevskis <jdanis@google.com> | 2018-08-03 13:46:37 -0700 |
---|---|---|
committer | Michael Bestas <mkbestas@lineageos.org> | 2019-07-22 02:05:48 +0300 |
commit | ce87b6dd505336500ff11d344566d0adf8f6d69d (patch) | |
tree | 1e646b831842f9bad290039d875b8c43c9a46061 | |
parent | 62200f3582b3131dcf26c8292a92882ce5172735 (diff) | |
download | android_system_keymaster-lineage-16.0.tar.gz android_system_keymaster-lineage-16.0.tar.bz2 android_system_keymaster-lineage-16.0.zip |
Allow no digest given to imply KM_DIGEST_NONE if it was authorizedlineage-16.0
The KM1 legacy support wrapper was to strict in requiring a digest to be
specified whey the requested purpose and padding combination did not
require a digest.
This patch allows no digest given to imply KM_DIGEST_NONE if
KM_DIGEST_NONE was authorized.
Also fixes a bug where key data was not correctly initialized in the
rsa_keymaster1_operation when KM_PAD_NONE was requested.
Bug: 77228204
Test: atest android.keystore.cts.KeyPairGeneratorTest#testGenerate_RSA_ModernSpec_UsableForTLSPeerAuth
Merged-In: Ia3278a5afb751d5be191b73c4bb04e3fe1f5586a
Change-Id: Ia3278a5afb751d5be191b73c4bb04e3fe1f5586a
(cherry picked from commit f73092fa0228f4efabca948c7c7ce92579384424)
-rw-r--r-- | android_keymaster/operation.cpp | 9 | ||||
-rw-r--r-- | legacy_support/rsa_keymaster1_operation.cpp | 13 |
2 files changed, 16 insertions, 6 deletions
diff --git a/android_keymaster/operation.cpp b/android_keymaster/operation.cpp index 0edc70f..127aeb6 100644 --- a/android_keymaster/operation.cpp +++ b/android_keymaster/operation.cpp @@ -116,8 +116,13 @@ bool OperationFactory::GetAndValidateDigest(const AuthorizationSet& begin_params keymaster_error_t* error) const { *error = KM_ERROR_UNSUPPORTED_DIGEST; if (!begin_params.GetTagValue(TAG_DIGEST, digest)) { - LOG_E("%d digests specified in begin params", begin_params.GetTagCount(TAG_DIGEST)); - return false; + if (key.authorizations().Contains(TAG_DIGEST, KM_DIGEST_NONE)) { + *digest = KM_DIGEST_NONE; + } else { + LOG_E("%d digests specified in begin params and NONE not authorized", + begin_params.GetTagCount(TAG_DIGEST)); + return false; + } } else if (!supported(*digest)) { LOG_E("Digest %d not supported", *digest); return false; diff --git a/legacy_support/rsa_keymaster1_operation.cpp b/legacy_support/rsa_keymaster1_operation.cpp index f8241d6..dd2c094 100644 --- a/legacy_support/rsa_keymaster1_operation.cpp +++ b/legacy_support/rsa_keymaster1_operation.cpp @@ -47,15 +47,20 @@ keymaster_error_t RsaKeymaster1WrappedOperation::Begin(EVP_PKEY* rsa_key, // that layer. AuthorizationSet begin_params(input_params); int pos = begin_params.find(TAG_DIGEST); - if (pos == -1) - return KM_ERROR_UNSUPPORTED_DIGEST; - begin_params[pos].enumerated = KM_DIGEST_NONE; + if (pos == -1) { + // If we reach this point with no digest given. It was verified that KM_DIGEST_NONE was + // authorized by OperationFactory::GetAndValidateDigest. So no DIGEST given may imply + // KM_DIGEST_NONE. + begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); + } else { + begin_params[pos].enumerated = KM_DIGEST_NONE; + } pos = begin_params.find(TAG_PADDING); if (pos == -1) return KM_ERROR_UNSUPPORTED_PADDING_MODE; switch (begin_params[pos].enumerated) { - + case KM_PAD_NONE: case KM_PAD_RSA_PSS: case KM_PAD_RSA_OAEP: key_data->expected_openssl_padding = RSA_NO_PADDING; |