Use P521 curve instead of P256

Certification may require the use of a larger elliptic curve.

Devices that took a dogfood/beta version of Android S without this
change will experience two problems:

* old P256 keys will be present unused in the database
* in the unlikely event that a screen-lock bound key was created
  while the device was locked before taking the update with this change
  and then not used until after, the key won't be decryptable.

Since these problems don't affect production users, I don't think
the significant complexity that would be needed to fix them is worth it.

Bug: 191759985
Test: keystore2_test
Test: atest android.keystore.cts.CipherTest#
    testEmptyPlaintextEncryptsAndDecryptsWhenUnlockedRequired
Merged-In: If1938bb8eddc148c7f8888006e7eb7c8e9a5a806
Change-Id: If1938bb8eddc148c7f8888006e7eb7c8e9a5a806
diff --git a/keystore2/src/crypto/crypto.cpp b/keystore2/src/crypto/crypto.cpp
index e4a1ac3..5d360a1 100644
--- a/keystore2/src/crypto/crypto.cpp
+++ b/keystore2/src/crypto/crypto.cpp
@@ -225,7 +225,7 @@
 
 EC_KEY* ECKEYGenerateKey() {
     EC_KEY* key = EC_KEY_new();
-    EC_GROUP* group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
+    EC_GROUP* group = EC_GROUP_new_by_curve_name(NID_secp521r1);
     EC_KEY_set_group(key, group);
     auto result = EC_KEY_generate_key(key);
     if (result == 0) {
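Review bot: In ECKEYGenerateKey the results of EC_GROUP_new_by_curve_name(NID_secp521r1) and EC_KEY_set_group(key, group) are used unchecked in the lines shown; only the EC_KEY_generate_key result is tested. Since this line is being touched anyway, consider checking group for null and checking the EC_KEY_set_group return value, so that a failure is reported at its source rather than as a key generation error.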
@@ -251,7 +251,7 @@
 EC_KEY* ECKEYParsePrivateKey(const uint8_t* buf, size_t len) {
     CBS cbs;
     CBS_init(&cbs, buf, len);
-    EC_GROUP* group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
+    EC_GROUP* group = EC_GROUP_new_by_curve_name(NID_secp521r1);
     auto result = EC_KEY_parse_private_key(&cbs, group);
     EC_GROUP_free(group);
     if (result != nullptr && CBS_len(&cbs) != 0) {
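Review bot: ECKEYParsePrivateKey now hands every stored blob to EC_KEY_parse_private_key with the secp521r1 group, which is where the commit message's "key won't be decryptable" case for keys created under prime256v1 will show up. A short comment at the EC_GROUP_new_by_curve_name call stating that blobs written before this change are intentionally not supported would keep a later reader from treating that parse failure as a bug.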
@@ -262,7 +262,7 @@
 }
 
 size_t ECPOINTPoint2Oct(const EC_POINT* point, uint8_t* buf, size_t len) {
-    EC_GROUP* group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
+    EC_GROUP* group = EC_GROUP_new_by_curve_name(NID_secp521r1);
     point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
     auto result = EC_POINT_point2oct(group, point, form, buf, len, nullptr);
     EC_GROUP_free(group);
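Review bot: ECPOINTPoint2Oct writes with POINT_CONVERSION_UNCOMPRESSED into a caller-supplied buf of size len, and the encoded size grows from 65 bytes on P-256 to 133 bytes on P-521, but no caller or buffer-size change is visible in this diff. Please confirm that every caller now passes at least 133 bytes, and consider a named constant for that size next to this function so the requirement is documented in one place.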
@@ -270,7 +270,7 @@
 }
 
 EC_POINT* ECPOINTOct2Point(const uint8_t* buf, size_t len) {
-    EC_GROUP* group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
+    EC_GROUP* group = EC_GROUP_new_by_curve_name(NID_secp521r1);
     EC_POINT* point = EC_POINT_new(group);
     auto result = EC_POINT_oct2point(group, point, buf, len, nullptr);
     EC_GROUP_free(group);
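Review bot: ECPOINTOct2Point is the fourth function in this file to spell out EC_GROUP_new_by_curve_name(NID_secp521r1) on its own line, which is why this change had to edit four places. A single file-level constant for the curve NID (or a small helper returning the group) would make the next curve change a one-line edit and rule out the functions disagreeing about the curve.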