commit f3caf2698b239bf3bb33227941fca867231be1d5
author Treehugger Robot <treehugger-gerrit@google.com> Thu Jan 28 13:08:43 2021 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Jan 28 13:08:43 2021 +0000
tree 373c1c53a607f19b601bb72fb0602dcf5739616b
parent 13ffc595536b18d979d55a0849bc8a4cd6955349
parent a6b83824ac997b7095a61304bd1e103bc07c974f

Merge "Add AGREE_KEY operation for EC keys."

keystore2/src/enforcements.rs

diff --git a/keystore2/src/enforcements.rs b/keystore2/src/enforcements.rs
index 3fd2b19..3195ee0 100644
--- a/keystore2/src/enforcements.rs
+++ b/keystore2/src/enforcements.rs
@@ -384,6 +384,18 @@
                 return Err(Error::Km(Ec::INCOMPATIBLE_PURPOSE))
                     .context("In authorize_create: WRAP_KEY purpose is not allowed here.");
             }
+            // Allow AGREE_KEY for EC keys only.
+            KeyPurpose::AGREE_KEY => {
+                for kp in key_params.iter() {
+                    if kp.get_tag() == Tag::ALGORITHM
+                        && *kp.key_parameter_value() != KeyParameterValue::Algorithm(Algorithm::EC)
+                    {
+                        return Err(Error::Km(Ec::UNSUPPORTED_PURPOSE)).context(
+                            "In authorize_create: key agreement is only supported for EC keys.",
+                        );
+                    }
+                }
+            }
             KeyPurpose::VERIFY | KeyPurpose::ENCRYPT => {
                 // We do not support ENCRYPT and VERIFY (the remaining two options of purpose) for
                 // asymmetric keys.