Use P521 curve instead of P256
Certification may require the use of a larger elliptic curve.
Devices that took a dogfood/beta version of Android S without this
change will experience two problems:
* old P256 keys will be present unused in the database
* in the unlikely event that a screen-lock bound key was created
while the device was locked before taking the update with this change
and then not used until after, the key won't be decryptable.
Since these problems don't affect production users, I don't think
the significant complexity that would be needed to fix them is worth it.
Bug: 191759985
Test: keystore2_test
Test: atest android.keystore.cts.CipherTest#
testEmptyPlaintextEncryptsAndDecryptsWhenUnlockedRequired
Merged-In: If1938bb8eddc148c7f8888006e7eb7c8e9a5a806
Change-Id: If1938bb8eddc148c7f8888006e7eb7c8e9a5a806
diff --git a/keystore2/src/crypto/lib.rs b/keystore2/src/crypto/lib.rs
index db23d1f..5f8a2ef 100644
--- a/keystore2/src/crypto/lib.rs
+++ b/keystore2/src/crypto/lib.rs
@@ -346,7 +346,7 @@
/// Calls the boringssl EC_KEY_marshal_private_key function.
pub fn ec_key_marshal_private_key(key: &ECKey) -> Result<ZVec, Error> {
- let len = 39; // Empirically observed length of private key
+ let len = 73; // Empirically observed length of private key
let mut buf = ZVec::new(len)?;
// Safety: the key is valid.
// This will not write past the specified length of the buffer; if the
@@ -381,8 +381,8 @@
/// Calls the boringssl EC_POINT_point2oct.
pub fn ec_point_point_to_oct(point: &EC_POINT) -> Result<Vec<u8>, Error> {
- // We fix the length to 65 (1 + 2 * field_elem_size), as we get an error if it's too small.
- let len = 65;
+ // We fix the length to 133 (1 + 2 * field_elem_size), as we get an error if it's too small.
+ let len = 133;
let mut buf = vec![0; len];
// Safety: EC_POINT_point2oct writes at most len bytes. The point is valid.
let result = unsafe { ECPOINTPoint2Oct(point, buf.as_mut_ptr(), len) };