When Android KeyStore loads an HMAC key, it needs to compose the JCA
key algorithm name (e.g., HmacSHA256) based on the digests the key is
authorized for. A key can be authorized for multiple digests. Thus,
the approach is to use the first one for constructing the JCA key
algorithm name.
This CL ensures that when importing HMAC keys the first KM_TAG_DIGEST
tag is set to the digest of the JCA key algorithm name.
Bug:
18088752
Change-Id: I911ca7427b249ee823d06e988687af6146ebaff8
+ ". Key: " + keyAlgorithmString
+ ", parameter spec: " + Arrays.asList(params.getDigests()));
}
+ // When the key is read back from keystore we reconstruct the JCA key algorithm
+ // name from the KM_TAG_ALGORITHM and the first KM_TAG_DIGEST. Thus we need to
+ // ensure that the digest reflected in the JCA key algorithm name is the first
+ // KM_TAG_DIGEST tag.
+ if (keymasterDigests[0] != keymasterDigest) {
+ // The first digest is not the one implied by the JCA key algorithm name.
+ // Swap the implied digest with the first one.
+ for (int i = 0; i < keymasterDigests.length; i++) {
+ if (keymasterDigests[i] == keymasterDigest) {
+ keymasterDigests[i] = keymasterDigests[0];
+ keymasterDigests[0] = keymasterDigest;
+ break;
+ }
+ }
+ }
}
} else {
// No digest specified in parameters
OSDN Git Service
