From 4ab8ea4498aa25eafdbaadd238fed6eab3f6ee59 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Fri, 27 Mar 2015 16:53:44 -0700
Subject: Add HmacSHA256 backed by AndroidKeyStore.

This also adds the MAC length constraint on imported HMAC keys. HMAC
doesn't work without this constraint at the moment.

Bug: 18088752
Change-Id: I8613f58f5d2a84df00bcf6179d13e30619440330
---
 keystore/java/android/security/AndroidKeyStore.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'keystore/java/android/security/AndroidKeyStore.java')

diff --git a/keystore/java/android/security/AndroidKeyStore.java b/keystore/java/android/security/AndroidKeyStore.java
index f3eb317eb0fd..1d16ca1aafaf 100644
--- a/keystore/java/android/security/AndroidKeyStore.java
+++ b/keystore/java/android/security/AndroidKeyStore.java
@@ -494,6 +494,19 @@ public class AndroidKeyStore extends KeyStoreSpi {
             args.addInt(KeymasterDefs.KM_TAG_DIGEST,
                     KeyStoreKeyConstraints.Digest.toKeymaster(digest));
         }
+        if (keyAlgorithm == KeyStoreKeyConstraints.Algorithm.HMAC) {
+            if (digest == null) {
+                throw new IllegalStateException("Digest algorithm must be specified for key"
+                        + " algorithm " + keyAlgorithmString);
+            }
+            Integer digestOutputSizeBytes =
+                    KeyStoreKeyConstraints.Digest.getOutputSizeBytes(digest);
+            if (digestOutputSizeBytes != null) {
+                // TODO: Remove MAC length constraint once Keymaster API no longer requires it.
+                // TODO: Switch to bits instead of bytes, once this is fixed in Keymaster
+                args.addInt(KeymasterDefs.KM_TAG_MAC_LENGTH, digestOutputSizeBytes);
+            }
+        }
 
         @KeyStoreKeyConstraints.PurposeEnum int purposes = (params.getPurposes() != null)
                 ? params.getPurposes()
-- 
cgit v1.2.3