Merge "Reject HMAC keys smaller than 64 bits."

2017-02-14 15:58:28 +00:00
parent 02761acc67 7c3b65e9b1
commit 2c92e9daa4
1 changed files with 5 additions and 0 deletions
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
@@ -200,6 +200,11 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
                }

                if (mKeymasterAlgorithm == KeymasterDefs.KM_ALGORITHM_HMAC) {
+                    if (mKeySizeBits < 64) {
+                        throw new InvalidAlgorithmParameterException(
+                            "HMAC key size must be at least 64 bits.");
+                    }
+
                    // JCA HMAC key algorithm implies a digest (e.g., HmacSHA256 key algorithm
                    // implies SHA-256 digest). Because keymaster HMAC key is authorized only for
                    // one digest, we don't let algorithm parameter spec override the digest implied