keystore: rename the PBKDF2 functions
Rename Password::derive_key() to Password::derive_key_pbkdf2(), and
rename generateKeyFromPassword() to PBKDF2(). This helps distinguish
these functions from the HKDF functions, including the existing ones as
well as the Password::derive_key_hkdf() added by the next CL.
Bug: 296464083
Bug: 314391626
Test: atest -p --include-subdirs system/security/keystore2
Change-Id: I76e5ee5a5c6452951727be6fce1a43a2322a3950
diff --git a/keystore2/src/crypto/Android.bp b/keystore2/src/crypto/Android.bp
index 35fc5a9..c78ae41 100644
--- a/keystore2/src/crypto/Android.bp
+++ b/keystore2/src/crypto/Android.bp
@@ -74,7 +74,7 @@
"--allowlist-function", "AES_gcm_encrypt",
"--allowlist-function", "AES_gcm_decrypt",
"--allowlist-function", "CreateKeyId",
- "--allowlist-function", "generateKeyFromPassword",
+ "--allowlist-function", "PBKDF2",
"--allowlist-function", "HKDFExtract",
"--allowlist-function", "HKDFExpand",
"--allowlist-function", "ECDHComputeKey",
diff --git a/keystore2/src/crypto/crypto.cpp b/keystore2/src/crypto/crypto.cpp
index 7feeaff..15079a1 100644
--- a/keystore2/src/crypto/crypto.cpp
+++ b/keystore2/src/crypto/crypto.cpp
@@ -191,8 +191,7 @@
// Copied from system/security/keystore/user_state.cpp.
-void generateKeyFromPassword(uint8_t* key, size_t key_len, const char* pw, size_t pw_len,
- const uint8_t* salt) {
+void PBKDF2(uint8_t* key, size_t key_len, const char* pw, size_t pw_len, const uint8_t* salt) {
const EVP_MD* digest = EVP_sha256();
// SHA1 was used prior to increasing the key size
diff --git a/keystore2/src/crypto/crypto.hpp b/keystore2/src/crypto/crypto.hpp
index 4a161e6..f67f640 100644
--- a/keystore2/src/crypto/crypto.hpp
+++ b/keystore2/src/crypto/crypto.hpp
@@ -37,8 +37,7 @@
bool CreateKeyId(const uint8_t* key_blob, size_t len, km_id_t* out_id);
// The salt parameter must be non-nullptr and point to 16 bytes of data.
- void generateKeyFromPassword(uint8_t* key, size_t key_len, const char* pw,
- size_t pw_len, const uint8_t* salt);
+ void PBKDF2(uint8_t* key, size_t key_len, const char* pw, size_t pw_len, const uint8_t* salt);
#include "openssl/digest.h"
#include "openssl/ec_key.h"
diff --git a/keystore2/src/crypto/lib.rs b/keystore2/src/crypto/lib.rs
index 8434651..234dede 100644
--- a/keystore2/src/crypto/lib.rs
+++ b/keystore2/src/crypto/lib.rs
@@ -19,10 +19,10 @@
pub mod zvec;
pub use error::Error;
use keystore2_crypto_bindgen::{
- extractSubjectFromCertificate, generateKeyFromPassword, hmacSha256, randomBytes,
- AES_gcm_decrypt, AES_gcm_encrypt, ECDHComputeKey, ECKEYGenerateKey, ECKEYMarshalPrivateKey,
- ECKEYParsePrivateKey, ECPOINTOct2Point, ECPOINTPoint2Oct, EC_KEY_free, EC_KEY_get0_public_key,
- EC_POINT_free, HKDFExpand, HKDFExtract, EC_KEY, EC_MAX_BYTES, EC_POINT, EVP_MAX_MD_SIZE,
+ extractSubjectFromCertificate, hmacSha256, randomBytes, AES_gcm_decrypt, AES_gcm_encrypt,
+ ECDHComputeKey, ECKEYGenerateKey, ECKEYMarshalPrivateKey, ECKEYParsePrivateKey,
+ ECPOINTOct2Point, ECPOINTPoint2Oct, EC_KEY_free, EC_KEY_get0_public_key, EC_POINT_free,
+ HKDFExpand, HKDFExtract, EC_KEY, EC_MAX_BYTES, EC_POINT, EVP_MAX_MD_SIZE, PBKDF2,
};
use std::convert::TryFrom;
use std::convert::TryInto;
@@ -197,7 +197,7 @@
/// Generate a key from the given password and salt.
/// The salt must be exactly 16 bytes long.
/// Two key sizes are accepted: 16 and 32 bytes.
- pub fn derive_key(&self, salt: &[u8], key_length: usize) -> Result<ZVec, Error> {
+ pub fn derive_key_pbkdf2(&self, salt: &[u8], key_length: usize) -> Result<ZVec, Error> {
if salt.len() != SALT_LENGTH {
return Err(Error::InvalidSaltLength);
}
@@ -212,7 +212,7 @@
// Safety: We checked that the salt is exactly 16 bytes long. The other pointers are valid,
// and have matching lengths.
unsafe {
- generateKeyFromPassword(
+ PBKDF2(
result.as_mut_ptr(),
result.len(),
pw.as_ptr() as *const std::os::raw::c_char,
@@ -471,9 +471,7 @@
mod tests {
use super::*;
- use keystore2_crypto_bindgen::{
- generateKeyFromPassword, AES_gcm_decrypt, AES_gcm_encrypt, CreateKeyId,
- };
+ use keystore2_crypto_bindgen::{AES_gcm_decrypt, AES_gcm_encrypt, CreateKeyId, PBKDF2};
#[test]
fn test_wrapper_roundtrip() {
@@ -535,21 +533,15 @@
}
#[test]
- fn test_generate_key_from_password() {
+ fn test_pbkdf2() {
let mut key = vec![0; 16];
let pw = [0; 16];
let salt = [0; 16];
// SAFETY: The pointers are obtained from references so they are valid, the salt is the
- // expected length, the other lengths match the lengths of the arrays, and
- // `generateKeyFromPassword` doesn't access them after it returns.
+ // expected length, the other lengths match the lengths of the arrays, and `PBKDF2` doesn't
+ // access them after it returns.
unsafe {
- generateKeyFromPassword(
- key.as_mut_ptr(),
- key.len(),
- pw.as_ptr(),
- pw.len(),
- salt.as_ptr(),
- );
+ PBKDF2(key.as_mut_ptr(), key.len(), pw.as_ptr(), pw.len(), salt.as_ptr());
}
assert_ne!(key, vec![0; 16]);
}