Keystore 2.0: Legacy support: Tweak to certificate generation.
The legacy wrapper would attempt to self-sign certificates based on key
purpose and authorization requirements. But there are keys that meet
those but still fail due to impossible parameter combinations such as
PKCS 1.5 padding with no digest.
With this patch we perform an ephemeral key signature when the self-signing
attempt fails so that the key generation can still commence
successfully.
This patch also adds some error logging and revisits some of the error
handling code in the legacy wrapper.
Test: atest android.keystore.cts.SignatureTest\
#testAndroidKeyStoreKeysHandledByAndroidKeyStoreProviderWhenSigning
Change-Id: I3be017636ae9fc61374e47f47a1e1fc5b266f6e2
diff --git a/keystore2/src/crypto/certificate_utils.cpp b/keystore2/src/crypto/certificate_utils.cpp
index 500600f..4b0dca4 100644
--- a/keystore2/src/crypto/certificate_utils.cpp
+++ b/keystore2/src/crypto/certificate_utils.cpp
@@ -544,6 +544,9 @@
bssl::UniquePtr<uint8_t> free_cert_buf(cert_buf);
auto signature = sign(cert_buf, buf_len);
+ if (signature.empty()) {
+ return CertUtilsError::SignatureFailed;
+ }
if (!ASN1_STRING_set(certificate->signature, signature.data(), signature.size())) {
return CertUtilsError::BoringSsl;
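Review bot: the `signature.empty()` check added right after `auto signature = sign(cert_buf, buf_len);` makes an empty vector the only failure signal of the `sign` callback, and that contract is not stated anywhere in the visible lines. Please document it where the callback type is declared (an empty return means signing failed, and implementations must never return a partial or placeholder signature on error), so that every callback passed in here fails closed rather than having its output copied into `certificate->signature`. The early return also drops the underlying cause, since `CertUtilsError::SignatureFailed` carries no detail; if the callback does not log the reason itself, a log line at this site would make the fallback to the ephemeral key signature described in the commit message easier to diagnose. Returning here is safe with respect to `cert_buf`, because `free_cert_buf` already owns it at that point.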