2 files changed, 16 insertions, 6 deletions

diff --git a/android_keymaster/operation.cpp b/android_keymaster/operation.cpp
index 0edc70f..127aeb6 100644
--- a/android_keymaster/operation.cpp
+++ b/android_keymaster/operation.cpp
@@ -116,8 +116,13 @@ bool OperationFactory::GetAndValidateDigest(const AuthorizationSet& begin_params
                                             keymaster_error_t* error) const {
     *error = KM_ERROR_UNSUPPORTED_DIGEST;
     if (!begin_params.GetTagValue(TAG_DIGEST, digest)) {
-        LOG_E("%d digests specified in begin params", begin_params.GetTagCount(TAG_DIGEST));
-        return false;
+        if (key.authorizations().Contains(TAG_DIGEST, KM_DIGEST_NONE)) {
+            *digest = KM_DIGEST_NONE;
+        } else {
+            LOG_E("%d digests specified in begin params and NONE not authorized",
+                    begin_params.GetTagCount(TAG_DIGEST));
+            return false;
+        }
     } else if (!supported(*digest)) {
         LOG_E("Digest %d not supported", *digest);
         return false;
diff --git a/legacy_support/rsa_keymaster1_operation.cpp b/legacy_support/rsa_keymaster1_operation.cpp
index f8241d6..dd2c094 100644
--- a/legacy_support/rsa_keymaster1_operation.cpp
+++ b/legacy_support/rsa_keymaster1_operation.cpp
@@ -47,15 +47,20 @@ keymaster_error_t RsaKeymaster1WrappedOperation::Begin(EVP_PKEY* rsa_key,
     // that layer.
     AuthorizationSet begin_params(input_params);
     int pos = begin_params.find(TAG_DIGEST);
-    if (pos == -1)
-        return KM_ERROR_UNSUPPORTED_DIGEST;
-    begin_params[pos].enumerated = KM_DIGEST_NONE;
+    if (pos == -1) {
+        // If we reach this point with no digest given. It was verified that KM_DIGEST_NONE was
+        // authorized by OperationFactory::GetAndValidateDigest. So no DIGEST given may imply
+        // KM_DIGEST_NONE.
+        begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
+    } else {
+        begin_params[pos].enumerated = KM_DIGEST_NONE;
+    }
 
     pos = begin_params.find(TAG_PADDING);
     if (pos == -1)
         return KM_ERROR_UNSUPPORTED_PADDING_MODE;
     switch (begin_params[pos].enumerated) {
-
+    case KM_PAD_NONE:
     case KM_PAD_RSA_PSS:
     case KM_PAD_RSA_OAEP:
         key_data->expected_openssl_padding = RSA_NO_PADDING;