commit a6b83824ac997b7095a61304bd1e103bc07c974f
author Bram Bonné <brambonne@google.com> Wed Jan 20 11:10:05 2021 +0100
committer Bram Bonné <brambonne@google.com> Tue Jan 26 11:27:56 2021 +0100
tree bb7669fea4e4d934b691097e73968f993158b636
parent 2394a331e0ee8ea603baf8073014f45bb09b543c

Add AGREE_KEY operation for EC keys.

Bug: 177977728
Test: make
Change-Id: If3bc82db3d513f439e5817f5f1d233253ef13234

keystore2/src/enforcements.rs

diff --git a/keystore2/src/enforcements.rs b/keystore2/src/enforcements.rs
index 22b4bed..c56c9cc 100644
--- a/keystore2/src/enforcements.rs
+++ b/keystore2/src/enforcements.rs
@@ -343,6 +343,18 @@
                 return Err(Error::Km(Ec::INCOMPATIBLE_PURPOSE))
                     .context("In authorize_create: WRAP_KEY purpose is not allowed here.");
             }
+            // Allow AGREE_KEY for EC keys only.
+            KeyPurpose::AGREE_KEY => {
+                for kp in key_params.iter() {
+                    if kp.get_tag() == Tag::ALGORITHM
+                        && *kp.key_parameter_value() != KeyParameterValue::Algorithm(Algorithm::EC)
+                    {
+                        return Err(Error::Km(Ec::UNSUPPORTED_PURPOSE)).context(
+                            "In authorize_create: key agreement is only supported for EC keys.",
+                        );
+                    }
+                }
+            }
             KeyPurpose::VERIFY | KeyPurpose::ENCRYPT => {
                 // We do not support ENCRYPT and VERIFY (the remaining two options of purpose) for
                 // asymmetric keys.