From ce87b6dd505336500ff11d344566d0adf8f6d69d Mon Sep 17 00:00:00 2001
From: Janis Danisevskis
Date: Fri, 3 Aug 2018 13:46:37 -0700
Subject: Allow no digest given to imply KM_DIGEST_NONE if it was authorized

The KM1 legacy support wrapper was to strict in requiring a digest to be specified whey the requested purpose and padding combination did not require a digest. This patch allows no digest given to imply KM_DIGEST_NONE if KM_DIGEST_NONE was authorized. Also fixes a bug where key data was not correctly initialized in the rsa_keymaster1_operation when KM_PAD_NONE was requested.

Bug: 77228204
Test: atest android.keystore.cts.KeyPairGeneratorTest#testGenerate_RSA_ModernSpec_UsableForTLSPeerAuth
Merged-In: Ia3278a5afb751d5be191b73c4bb04e3fe1f5586a
Change-Id: Ia3278a5afb751d5be191b73c4bb04e3fe1f5586a
(cherry picked from commit f73092fa0228f4efabca948c7c7ce92579384424)
---
 android_keymaster/operation.cpp | 9 +++++++--
 legacy_support/rsa_keymaster1_operation.cpp | 13 +++++++++----
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/android_keymaster/operation.cpp b/android_keymaster/operation.cpp
index 0edc70f..127aeb6 100644
--- a/android_keymaster/operation.cpp
+++ b/android_keymaster/operation.cpp
@@ -116,8 +116,13 @@ bool OperationFactory::GetAndValidateDigest(const AuthorizationSet& begin_params
 keymaster_error_t* error) const {
 *error = KM_ERROR_UNSUPPORTED_DIGEST;
 if (!begin_params.GetTagValue(TAG_DIGEST, digest)) {
- LOG_E("%d digests specified in begin params", begin_params.GetTagCount(TAG_DIGEST));
- return false;
+ if (key.authorizations().Contains(TAG_DIGEST, KM_DIGEST_NONE)) {
+ *digest = KM_DIGEST_NONE;
+ } else {
+ LOG_E("%d digests specified in begin params and NONE not authorized",
+ begin_params.GetTagCount(TAG_DIGEST));
+ return false;
+ }
 } else if (!supported(*digest)) {
 LOG_E("Digest %d not supported", *digest);
 return false;
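Review bot: The new fallback in GetAndValidateDigest is taken whenever `begin_params.GetTagValue(TAG_DIGEST, digest)` fails, and the log text (`%d digests specified`) suggests that call fails for any tag count other than one, not only for zero. If that is the case, a begin request carrying two or more digests is now silently treated as KM_DIGEST_NONE when the key authorizes NONE, instead of being rejected as ambiguous. Restrict the fallback to the no-digest case, e.g. `if (begin_params.GetTagCount(TAG_DIGEST) == 0 && key.authorizations().Contains(TAG_DIGEST, KM_DIGEST_NONE)) {`. The implied value also skips the `supported(*digest)` test in the `else if`, and the function continues past the end of the hunk, so whether a later check covers it cannot be confirmed from here.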
diff --git a/legacy_support/rsa_keymaster1_operation.cpp b/legacy_support/rsa_keymaster1_operation.cpp
index f8241d6..dd2c094 100644
--- a/legacy_support/rsa_keymaster1_operation.cpp
+++ b/legacy_support/rsa_keymaster1_operation.cpp
@@ -47,15 +47,20 @@ keymaster_error_t RsaKeymaster1WrappedOperation::Begin(EVP_PKEY* rsa_key,
 // that layer.
 AuthorizationSet begin_params(input_params);
 int pos = begin_params.find(TAG_DIGEST);
- if (pos == -1)
- return KM_ERROR_UNSUPPORTED_DIGEST;
- begin_params[pos].enumerated = KM_DIGEST_NONE;
+ if (pos == -1) {
+ // If we reach this point with no digest given. It was verified that KM_DIGEST_NONE was
+ // authorized by OperationFactory::GetAndValidateDigest. So no DIGEST given may imply
+ // KM_DIGEST_NONE.
+ begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
+ } else {
+ begin_params[pos].enumerated = KM_DIGEST_NONE;
+ }
 pos = begin_params.find(TAG_PADDING);
 if (pos == -1)
 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
 switch (begin_params[pos].enumerated) {
-
+ case KM_PAD_NONE:
 case KM_PAD_RSA_PSS:
 case KM_PAD_RSA_OAEP:
 key_data->expected_openssl_padding = RSA_NO_PADDING;
--
cgit v1.2.3
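Review bot: The result of `begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE)` is discarded in the new `pos == -1` branch, so if the set cannot grow, Begin carries on with parameters that still have no TAG_DIGEST. AuthorizationSet::push_back, as far as I know, signals failure through its bool return, so the branch should check it: `if (!begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE)) return KM_ERROR_MEMORY_ALLOCATION_FAILED;`. The comment above it also relies on every caller having passed through OperationFactory::GetAndValidateDigest, which this function cannot enforce and which is not visible in the hunk. It would read better as a stated precondition, e.g. `// Precondition: no digest given is only reachable when GetAndValidateDigest found KM_DIGEST_NONE authorized.` Begin starts before the hunk and its switch body continues past it.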