From eaa1f623315c9a14277cf6d9ee52a208ac9a357e Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Wed, 14 Dec 2022 15:27:09 +0000 Subject: Add lib used for UWB. Bug: 200678121 Test: build and atest com.android.server.uwb Change-Id: I740f4501e6dadb0236ea71a0d2cb87c9c2e071cd Merged-In: I740f4501e6dadb0236ea71a0d2cb87c9c2e071cd --- Android.bp | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/Android.bp b/Android.bp index e5fb32f6..b4d7f1a1 100644 --- a/Android.bp +++ b/Android.bp @@ -280,3 +280,28 @@ java_library { ], sdk_version: "core_current", } + +// Bouncycastle for use by packages/modules/Uwb project. +// +//Excludes directories not needed. +java_library { + name: "bouncycastle-uwb", + visibility: [ + "//packages/modules/Uwb/service", + ], + apex_available: [ + "com.android.uwb", + ], + srcs: [ + "bcprov/src/main/java/org/bouncycastle/**/*.java", + "bcpkix/src/main/java/org/bouncycastle/cert/**/*.java", + "bcpkix/src/main/java/org/bouncycastle/cms/**/*.java", + "bcpkix/src/main/java/org/bouncycastle/operator/**/*.java", + ], + + exclude_srcs: [ + "bcprov/src/main/java/org/bouncycastle/iana/**/*.java", + "bcprov/src/main/java/org/bouncycastle/its/**/*.java", + ], + sdk_version: "core_current", +} -- cgit v1.2.3 From 3cc0c653e8ff96fa2d2fa527d3e4a9c83cb663f7 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Thu, 15 Dec 2022 23:41:51 +0000 Subject: Downgrade SuspiciousIndentation lint to a warning for uwb module. Bug: 200678121 Test: Build Change-Id: Icb953c649ae56e4ab62dbd98e01f6146ef9d2fc2 Merged-In: Icb953c649ae56e4ab62dbd98e01f6146ef9d2fc2 --- Android.bp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Android.bp b/Android.bp index b4d7f1a1..bdb67e02 100644 --- a/Android.bp +++ b/Android.bp @@ -304,4 +304,7 @@ java_library { "bcprov/src/main/java/org/bouncycastle/its/**/*.java", ], sdk_version: "core_current", + lint: { + warning_checks: ["SuspiciousIndentation"], + }, } -- cgit v1.2.3 
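Review bot: In the second Android.bp hunk, `warning_checks: ["SuspiciousIndentation"]` demotes the check for every file compiled into `bouncycastle-uwb`, and neither the block nor the commit message says which sources trigger it. A statement indented as if it belonged to an unbraced `if` is the kind of mistake this check exists to surface, and that matters more than usual in cryptographic code, so the waiver should be traceable. I would add a comment above the `lint` block such as `// SuspiciousIndentation fires in <files>; demoted because <reason>, tracked in b/<bug-id>.`, filled in with the real cause.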
From eba842c55acd40226542e7c1b8d6107ec38a6aff Mon Sep 17 00:00:00 2001 
From: Pete Bentley Date: Mon, 9 Jan 2023 15:21:28 +0000 Subject: Bouncy Castle: Add support for PBES2 encrypted KeyStores. Cherry-pick notes: Will also be cherry-picking https://android-review.git.corp.google.com/q/topic:%22bcprivate_exceptions%22 which hides exceptions from the private provider better. Aim is to get both topics into the April mainline train. Adds a private sub-Provider to BouncyCastleProvider which allows BC's PKCS12 implementation to continue using its own implementations of some Macs and Ciphers which support PBES2. These implementations are not exposed to apps and are only used from BC internals. Bug: 230750823 Test: atest CtsLibcoreTestCases:tests.targets.security.KeyStorePkcs7FormatTest Change-Id: Ic505d0259d16cdc66f9776e818efa20ed97aa32b Merged-In: Ic505d0259d16cdc66f9776e818efa20ed97aa32b (cherry picked from commit 4fae1c6cb82e4b3e7d51e38ce0e3d7a4f22a0939) --- .../provider/config/ConfigurableProvider.java | 7 ++++ .../jcajce/provider/digest/SHA224.java | 2 + .../jcajce/provider/digest/SHA256.java | 2 + .../jcajce/provider/digest/SHA384.java | 2 + .../jcajce/provider/digest/SHA512.java | 2 + .../keystore/pkcs12/PKCS12KeyStoreSpi.java | 17 ++++++-- .../jcajce/provider/symmetric/AES.java | 5 +++ .../jcajce/provider/symmetric/PBEPBKDF2.java | 17 ++++---- .../bouncycastle/jcajce/util/BCJcaJceHelper.java | 46 ++++++++++++++++++++++ .../jce/provider/BouncyCastleProvider.java | 33 ++++++++++++++++ .../provider/config/ConfigurableProvider.java | 7 ++++ .../jcajce/provider/digest/SHA224.java | 2 + .../jcajce/provider/digest/SHA256.java | 2 + .../jcajce/provider/digest/SHA384.java | 2 + .../jcajce/provider/digest/SHA512.java | 2 + .../keystore/pkcs12/PKCS12KeyStoreSpi.java | 17 ++++++-- .../jcajce/provider/symmetric/AES.java | 5 +++ .../jcajce/provider/symmetric/PBEPBKDF2.java | 23 ++++++----- .../bouncycastle/jcajce/util/BCJcaJceHelper.java | 46 ++++++++++++++++++++++ .../jce/provider/BouncyCastleProvider.java | 33 ++++++++++++++++ 
.../provider/config/ConfigurableProvider.java | 7 ++++ .../jcajce/provider/digest/SHA224.java | 2 + .../jcajce/provider/digest/SHA256.java | 2 + .../jcajce/provider/digest/SHA384.java | 2 + .../jcajce/provider/digest/SHA512.java | 2 + .../keystore/pkcs12/PKCS12KeyStoreSpi.java | 17 ++++++-- .../jcajce/provider/symmetric/AES.java | 5 +++ .../jcajce/provider/symmetric/PBEPBKDF2.java | 23 ++++++----- .../bouncycastle/jcajce/util/BCJcaJceHelper.java | 46 ++++++++++++++++++++++ .../jce/provider/BouncyCastleProvider.java | 33 ++++++++++++++++ 30 files changed, 372 insertions(+), 39 deletions(-) diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java index 9818f864..831b497e 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java @@ -54,4 +54,11 @@ public interface ConfigurableProvider AsymmetricKeyInfoConverter getKeyInfoConverter(ASN1ObjectIdentifier oid); void addAttributes(String key, Map attributeMap); + + // BEGIN Android-added: Allow algorithms to be added privately. + // See BouncyCastleProvider for details. + void addPrivateAlgorithm(String key, String value); + + void addPrivateAlgorithm(String type, ASN1ObjectIdentifier oid, String className); + // END Android-added: Allow algorithms to be added privately. } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA224.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA224.java index 5c6b699d..dd25b0c4 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA224.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA224.java 
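Review bot: The two `addPrivateAlgorithm` declarations added to `ConfigurableProvider` have no contract of their own; "See BouncyCastleProvider for details" sends the reader to one implementation. A short Javadoc on each would pin down what implementors must do: that the entry goes into a table which is not registered with `java.security.Security`, that the two-argument form takes a raw provider key such as `SecretKeyFactory.PBKDF2`, that the three-argument form builds the key as `type + "." + oid`, and that a duplicate key raises `IllegalStateException`, as the BouncyCastleProvider implementation later in this patch does. Because these are new abstract methods, any other implementor of the interface in the tree would stop compiling; none is visible in this diff.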
@@ -76,6 +76,8 @@ public class SHA224 addHMACAlias(provider, "SHA224", PKCSObjectIdentifiers.id_hmacWithSHA224); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha224, PREFIX + "$HashMac"); } } } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA256.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA256.java index 48f99b4d..ae4c82fd 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA256.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA256.java @@ -101,6 +101,8 @@ public class SHA256 addHMACAlias(provider, "SHA256", NISTObjectIdentifiers.id_sha256); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha256, PREFIX + "$HashMac"); } } } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA384.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA384.java index 8f083748..b5f269ee 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA384.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA384.java @@ -95,6 +95,8 @@ public class SHA384 addHMACAlias(provider, "SHA384", PKCSObjectIdentifiers.id_hmacWithSHA384); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha384, PREFIX + "$HashMac"); } } } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA512.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA512.java index e227620e..335d0d60 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA512.java 
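Review bot: The comment added in SHA224.java, "needed to support PBKDF2 with PKCS#12", does not match the only consumer visible in this patch: `selfHelper.createMac(oid.getId())` in PKCS12KeyStoreSpi, which initialises the Mac with a `PKCS12Key`. It also leaves unexplained why a `Mac` is keyed by the digest OID `id_sha224` rather than an HMAC OID. Something like `// Android-added: private HashMac, looked up by digest OID when PKCS12KeyStoreSpi computes a PKCS#12 MAC.` would be more accurate, if that is indeed the only use. The same comment is repeated in the SHA256, SHA384 and SHA512 hunks.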
+++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/digest/SHA512.java @@ -193,6 +193,8 @@ public class SHA512 addHMACAlgorithm(provider, "SHA512/256", PREFIX + "$HashMacT256", PREFIX + "$KeyGeneratorT256"); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha512, PREFIX + "$HashMac"); } } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java index 4c3e480d..263c63d2 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java @@ -116,9 +116,12 @@ public class PKCS12KeyStoreSpi { static final String PKCS12_MAX_IT_COUNT_PROPERTY = "org.bouncycastle.pkcs12.max_it_count"; - // Android-changed: Use default provider for JCA algorithms instead of BC + // Android-changed: Use default provider for most JCA algorithms instead of BC. + // For the case where we need BC implementations, the BCJcaJceHelper will also search + // the list of private implementations help by BouncyCastleProvider. // Was: private final JcaJceHelper helper = new BCJcaJceHelper(); private final JcaJceHelper helper = new DefaultJcaJceHelper(); + private final JcaJceHelper selfHelper = new BCJcaJceHelper(); private static final int SALT_SIZE = 20; private static final int MIN_ITERATIONS = 50 * 1024; 
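Review bot: The new field comment in the `@@ -116,9 +116,12 @@` hunk of PKCS12KeyStoreSpi.java reads "private implementations help by BouncyCastleProvider", which should be "held by". With two helpers now declared side by side, the comment would be more useful if it stated the rule for choosing between them, for example `// selfHelper: only for lookups whose result must be a BC class (PBES2 SecretKeyFactory/Cipher, PKCS#12 Mac); everything else uses helper.` The class body continues outside the hunk, so the remaining `helper` call sites are not visible here.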
@@ -727,7 +730,9 @@ public class PKCS12KeyStoreSpi PBKDF2Params func = PBKDF2Params.getInstance(alg.getKeyDerivationFunc().getParameters()); AlgorithmIdentifier encScheme = AlgorithmIdentifier.getInstance(alg.getEncryptionScheme()); - SecretKeyFactory keyFact = helper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); + // Android-Changed: SecretKeyFactory must be from BC due to instanceof logic. + // SecretKeyFactory keyFact = helper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); + SecretKeyFactory keyFact = selfHelper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); SecretKey key; if (func.isDefaultPrf()) @@ -739,7 +744,9 @@ public class PKCS12KeyStoreSpi key = keyFact.generateSecret(new PBKDF2KeySpec(password, func.getSalt(), validateIterationCount(func.getIterationCount()), keySizeProvider.getKeySize(encScheme), func.getPrf())); } - Cipher cipher = Cipher.getInstance(alg.getEncryptionScheme().getAlgorithm().getId()); + // Android-Changed: Cipher must be from BC due to use of internal PKCS12Key tyoe. + // Cipher cipher = Cipher.getInstance(alg.getEncryptionScheme().getAlgorithm().getId()); + Cipher cipher = selfHelper.createCipher(alg.getEncryptionScheme().getAlgorithm().getId()); ASN1Encodable encParams = alg.getEncryptionScheme().getParameters(); if (encParams instanceof ASN1OctetString) @@ -1781,7 +1788,9 @@ public class PKCS12KeyStoreSpi { PBEParameterSpec defParams = new PBEParameterSpec(salt, itCount); - Mac mac = helper.createMac(oid.getId()); + // Android-Changed: Mac must be from BC due to use of internal PKCS12Key tyoe. + // Mac mac = helper.createMac(oid.getId()); + Mac mac = selfHelper.createMac(oid.getId()); mac.init(new PKCS12Key(password, wrongPkcs12Zero), defParams); mac.update(data); 
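Review bot: The comment added in the `@@ -739,7 +744,9 @@` hunk justifies the BC-only Cipher by "use of internal PKCS12Key tyoe", but the key visible in that hunk comes from `keyFact.generateSecret(new PBKDF2KeySpec(...))`; `PKCS12Key` appears only in the Mac hunk at `@@ -1781,7 +1788,9 @@`. The stated reason looks copied from the Mac case; if the real constraint is that the Cipher must accept the key produced by BC's PBKDF2 factory, the comment should say so, e.g. `// Android-changed: Cipher must be from BC so that it accepts the key built by BC's PBKDF2 SecretKeyFactory.` "tyoe" should read "type" in both hunks. The enclosing methods start and end outside the hunks, so the `cipher.init` call is not visible and the reason should be confirmed against it.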
diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/AES.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/AES.java index e7d3ec24..d25ed90c 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/AES.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/AES.java @@ -1088,6 +1088,11 @@ public final class AES // addGMacAlgorithm(provider, "AES", PREFIX + "$AESGMAC", PREFIX + "$KeyGen128"); // addPoly1305Algorithm(provider, "AES", PREFIX + "$Poly1305", PREFIX + "$Poly1305KeyGen"); // END Android-removed: Unsupported algorithms + + // Android-added: Private implementations needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Cipher", NISTObjectIdentifiers.id_aes128_CBC, PREFIX + "$CBC"); + provider.addPrivateAlgorithm("Cipher", NISTObjectIdentifiers.id_aes192_CBC, PREFIX + "$CBC"); + provider.addPrivateAlgorithm("Cipher", NISTObjectIdentifiers.id_aes256_CBC, PREFIX + "$CBC"); } } } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java index 1af79b80..e384134b 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java 
@@ -40,14 +40,14 @@ public class PBEPBKDF2 static { - // BEGIN Android-removed: Unsupported algorithm - /* - prfCodes.put(CryptoProObjectIdentifiers.gostR3411Hmac, Integers.valueOf(PBE.GOST3411)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA1, Integers.valueOf(PBE.SHA1)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA256, Integers.valueOf(PBE.SHA256)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA224, Integers.valueOf(PBE.SHA224)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA384, Integers.valueOf(PBE.SHA384)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA512, Integers.valueOf(PBE.SHA512)); + // BEGIN Android-removed: Unsupported algorithms + /* + prfCodes.put(CryptoProObjectIdentifiers.gostR3411Hmac, Integers.valueOf(PBE.GOST3411)); prfCodes.put(NISTObjectIdentifiers.id_hmacWithSHA3_256, Integers.valueOf(PBE.SHA3_256)); prfCodes.put(NISTObjectIdentifiers.id_hmacWithSHA3_224, Integers.valueOf(PBE.SHA3_224)); prfCodes.put(NISTObjectIdentifiers.id_hmacWithSHA3_384, Integers.valueOf(PBE.SHA3_384)); @@ -62,8 +62,6 @@ public class PBEPBKDF2 } - // BEGIN Android-removed: Unsupported algorithms - /* public static class AlgParams extends BaseAlgorithmParameters { @@ -146,8 +144,6 @@ public class PBEPBKDF2 return "PBKDF2 Parameters"; } } - */ - // END Android-removed: Unsupported algorithms public static class BasePBKDF2 extends BaseSecretKeyFactory @@ -273,8 +269,6 @@ public class PBEPBKDF2 } } - // BEGIN Android-removed: Unsupported algorithms - /* public static class PBKDF2withUTF8 extends BasePBKDF2 { @@ -284,6 +278,8 @@ public class PBEPBKDF2 } } + // BEGIN Android-removed: Unsupported algorithms + /* public static class PBKDF2withSHA224 extends BasePBKDF2 { 
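Review bot: The `@@ -62,8 +62,6 @@` and `@@ -146,8 +144,6 @@` hunks re-enable `AlgParams`, but the only private registrations this patch adds for PBEPBKDF2 are `SecretKeyFactory.PBKDF2` and its OID alias; no `AlgorithmParameters` entry is visible. If nothing instantiates `AlgParams`, it would be better left inside the Android-removed block so that the enabled code stays limited to what PBES2 keystores need. If it is required, a one-line marker above the class such as `// Android-changed: re-enabled, used by <caller>.` would record why, in the way the other modified regions of this file are marked. The Mappings block extends beyond the hunks, so an existing registration cannot be ruled out from here.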
@@ -614,6 +610,9 @@ public class PBEPBKDF2 provider.addAlgorithm("SecretKeyFactory.PBEWithHmacSHA512AndAES_256", PREFIX + "$PBEWithHmacSHA512AndAES_256"); provider.addAlgorithm("SecretKeyFactory.PBKDF2WithHmacSHA1And8BIT", PREFIX + "$PBKDF2WithHmacSHA18BIT"); // END Android-added: Android versions of algorithms. + // Android-added: Private implementations needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("SecretKeyFactory.PBKDF2", PREFIX + "$PBKDF2withUTF8"); + provider.addPrivateAlgorithm("Alg.Alias.SecretKeyFactory.1.2.840.113549.1.5.12", "PBKDF2"); } } } diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java b/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java index 6c384585..9a41d31c 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java @@ -1,8 +1,13 @@ package org.bouncycastle.jcajce.util; +import java.security.NoSuchAlgorithmException; import java.security.Provider; import java.security.Security; +import javax.crypto.Cipher; +import javax.crypto.Mac; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKeyFactory; import org.bouncycastle.jce.provider.BouncyCastleProvider; /** 
@@ -38,4 +43,45 @@ public class BCJcaJceHelper { super(getBouncyCastleProvider()); } + + // BEGIN Android-added: Look up algorithms in private provider if not found in main Provider. + // + // If code is using a BCJcajceHelper to ensure it gets its implementation from BC, then + // also search in the privately provided algorithms if not found in the main set. + @Override + public Cipher createCipher(String algorithm) + throws NoSuchAlgorithmException, NoSuchPaddingException { + try { + return super.createCipher(algorithm); + } catch (NoSuchAlgorithmException e) { + return Cipher.getInstance(algorithm, getPrivateProvider()); + } + } + + @Override + public SecretKeyFactory createSecretKeyFactory(String algorithm) + throws NoSuchAlgorithmException { + try { + return super.createSecretKeyFactory(algorithm); + } catch (NoSuchAlgorithmException e) { + return SecretKeyFactory.getInstance(algorithm, getPrivateProvider()); + } + } + + @Override + public Mac createMac(String algorithm) throws NoSuchAlgorithmException { + try { + return super.createMac(algorithm); + } catch (NoSuchAlgorithmException e) { + return Mac.getInstance(algorithm, getPrivateProvider()); + } + } + + private Provider getPrivateProvider() { + if (provider instanceof BouncyCastleProvider) { + return ((BouncyCastleProvider) provider).getPrivateProvider(); + } + throw new IllegalStateException(); // XXX + } + // END Android-added: Look up algorithms in private provider if not found in main Provider. } diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java index bb12aecf..7f9285b1 100644 --- a/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java 
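Review bot: `getPrivateProvider()` ends in `throw new IllegalStateException(); // XXX`, an exception with no message and a leftover marker. If the helper is ever constructed around a provider that is not a `BouncyCastleProvider`, the failure surfaces from inside one of the `catch (NoSuchAlgorithmException e)` fallbacks with nothing pointing at the cause. I would replace the line with `throw new IllegalStateException("BCJcaJceHelper provider is not a BouncyCastleProvider: " + provider.getClass().getName());`, or, if the branch is meant to be unreachable, say so in a comment instead of `XXX`. The generated repackaged copy of this file carries the same lines.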
@@ -426,4 +426,37 @@ public final class BouncyCastleProvider extends Provider return converter.generatePrivate(privateKeyInfo); */ } + + // BEGIN Android-added: Allow algorithms to be provided privately for BC internals. + // + // Algorithms added via these methods are stored in a private instance of PrivateProvider, + // which is never added to the system-wide list of installed Providers, and is only + // ever searched by BC internal classes which search for algorithms using an instance + // of BCJcajceHelper. + private static final class PrivateProvider extends Provider { + public PrivateProvider() { + super("BCPrivate", 1.0, "Android BC private use only"); + } + } + + private final Provider privateProvider = new PrivateProvider(); + + public void addPrivateAlgorithm(String key, String value) + { + if (privateProvider.containsKey(key)) + { + throw new IllegalStateException("duplicate provider key (" + key + ") found"); + } + privateProvider.put(key, value); + } + + public void addPrivateAlgorithm(String type, ASN1ObjectIdentifier oid, String className) + { + addPrivateAlgorithm(type + "." + oid, className); + } + + public Provider getPrivateProvider() { + return privateProvider; + } + // END Android-added: Allow algorithms to be provided privately for BC internals. } diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java index da69af72..d6dc21ea 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java 
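Review bot: `getPrivateProvider()` is public and returns the live `Provider` object, so the property claimed in the block comment, that the private table is "only ever searched by BC internal classes", rests on convention rather than on anything in this code. Any caller that can reach the `BouncyCastleProvider` instance can read the private table or add entries to it through the returned object. BCJcaJceHelper lives in another package, so the accessor cannot simply be made package-private; a Javadoc stating that the result must never be passed to `Security.addProvider` or handed outside BC internals would at least make the boundary explicit. `addPrivateAlgorithm` also performs `containsKey` and `put` as two separate steps, which is safe only while all registration happens during provider construction; that assumption deserves a comment.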
@@ -56,4 +56,11 @@ public interface ConfigurableProvider AsymmetricKeyInfoConverter getKeyInfoConverter(ASN1ObjectIdentifier oid); void addAttributes(String key, Map attributeMap); + + // BEGIN Android-added: Allow algorithms to be added privately. + // See BouncyCastleProvider for details. + void addPrivateAlgorithm(String key, String value); + + void addPrivateAlgorithm(String type, ASN1ObjectIdentifier oid, String className); + // END Android-added: Allow algorithms to be added privately. } diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA224.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA224.java index e9f436a8..ff4fde85 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA224.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA224.java @@ -92,6 +92,8 @@ public class SHA224 addHMACAlias(provider, "SHA224", PKCSObjectIdentifiers.id_hmacWithSHA224); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha224, PREFIX + "$HashMac"); } } } diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA256.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA256.java index 706d4ab3..a4e8a762 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA256.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA256.java 
@@ -115,6 +115,8 @@ public class SHA256 addHMACAlias(provider, "SHA256", NISTObjectIdentifiers.id_sha256); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha256, PREFIX + "$HashMac"); } } } diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA384.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA384.java index b7d97164..7ff261e0 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA384.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA384.java @@ -109,6 +109,8 @@ public class SHA384 addHMACAlias(provider, "SHA384", PKCSObjectIdentifiers.id_hmacWithSHA384); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha384, PREFIX + "$HashMac"); } } } diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA512.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA512.java index dbd513c7..cdc70186 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA512.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/digest/SHA512.java @@ -207,6 +207,8 @@ public class SHA512 addHMACAlgorithm(provider, "SHA512/256", PREFIX + "$HashMacT256", PREFIX + "$KeyGeneratorT256"); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha512, PREFIX + "$HashMac"); } } 
diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java index fb5f2fdd..06fbb963 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java @@ -120,9 +120,12 @@ public class PKCS12KeyStoreSpi { static final String PKCS12_MAX_IT_COUNT_PROPERTY = "com.android.org.bouncycastle.pkcs12.max_it_count"; - // Android-changed: Use default provider for JCA algorithms instead of BC + // Android-changed: Use default provider for most JCA algorithms instead of BC. + // For the case where we need BC implementations, the BCJcaJceHelper will also search + // the list of private implementations help by BouncyCastleProvider. // Was: private final JcaJceHelper helper = new BCJcaJceHelper(); private final JcaJceHelper helper = new DefaultJcaJceHelper(); + private final JcaJceHelper selfHelper = new BCJcaJceHelper(); private static final int SALT_SIZE = 20; private static final int MIN_ITERATIONS = 50 * 1024; @@ -731,7 +734,9 @@ public class PKCS12KeyStoreSpi PBKDF2Params func = PBKDF2Params.getInstance(alg.getKeyDerivationFunc().getParameters()); AlgorithmIdentifier encScheme = AlgorithmIdentifier.getInstance(alg.getEncryptionScheme()); - SecretKeyFactory keyFact = helper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); + // Android-Changed: SecretKeyFactory must be from BC due to instanceof logic. + // SecretKeyFactory keyFact = helper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); + SecretKeyFactory keyFact = selfHelper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); SecretKey key; if (func.isDefaultPrf()) 
@@ -743,7 +748,9 @@ public class PKCS12KeyStoreSpi key = keyFact.generateSecret(new PBKDF2KeySpec(password, func.getSalt(), validateIterationCount(func.getIterationCount()), keySizeProvider.getKeySize(encScheme), func.getPrf())); } - Cipher cipher = Cipher.getInstance(alg.getEncryptionScheme().getAlgorithm().getId()); + // Android-Changed: Cipher must be from BC due to use of internal PKCS12Key tyoe. + // Cipher cipher = Cipher.getInstance(alg.getEncryptionScheme().getAlgorithm().getId()); + Cipher cipher = selfHelper.createCipher(alg.getEncryptionScheme().getAlgorithm().getId()); ASN1Encodable encParams = alg.getEncryptionScheme().getParameters(); if (encParams instanceof ASN1OctetString) @@ -1785,7 +1792,9 @@ public class PKCS12KeyStoreSpi { PBEParameterSpec defParams = new PBEParameterSpec(salt, itCount); - Mac mac = helper.createMac(oid.getId()); + // Android-Changed: Mac must be from BC due to use of internal PKCS12Key tyoe. + // Mac mac = helper.createMac(oid.getId()); + Mac mac = selfHelper.createMac(oid.getId()); mac.init(new PKCS12Key(password, wrongPkcs12Zero), defParams); mac.update(data); diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/symmetric/AES.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/symmetric/AES.java index 9e2a493d..9684f351 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/symmetric/AES.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/symmetric/AES.java 
@@ -1146,6 +1146,11 @@ public final class AES // addGMacAlgorithm(provider, "AES", PREFIX + "$AESGMAC", PREFIX + "$KeyGen128"); // addPoly1305Algorithm(provider, "AES", PREFIX + "$Poly1305", PREFIX + "$Poly1305KeyGen"); // END Android-removed: Unsupported algorithms + + // Android-added: Private implementations needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Cipher", NISTObjectIdentifiers.id_aes128_CBC, PREFIX + "$CBC"); + provider.addPrivateAlgorithm("Cipher", NISTObjectIdentifiers.id_aes192_CBC, PREFIX + "$CBC"); + provider.addPrivateAlgorithm("Cipher", NISTObjectIdentifiers.id_aes256_CBC, PREFIX + "$CBC"); } } } diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java index 2109104c..15880ad9 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java 
@@ -44,14 +44,14 @@ public class PBEPBKDF2 static { - // BEGIN Android-removed: Unsupported algorithm - /* - prfCodes.put(CryptoProObjectIdentifiers.gostR3411Hmac, Integers.valueOf(PBE.GOST3411)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA1, Integers.valueOf(PBE.SHA1)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA256, Integers.valueOf(PBE.SHA256)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA224, Integers.valueOf(PBE.SHA224)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA384, Integers.valueOf(PBE.SHA384)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA512, Integers.valueOf(PBE.SHA512)); + // BEGIN Android-removed: Unsupported algorithms + /* + prfCodes.put(CryptoProObjectIdentifiers.gostR3411Hmac, Integers.valueOf(PBE.GOST3411)); prfCodes.put(NISTObjectIdentifiers.id_hmacWithSHA3_256, Integers.valueOf(PBE.SHA3_256)); prfCodes.put(NISTObjectIdentifiers.id_hmacWithSHA3_224, Integers.valueOf(PBE.SHA3_224)); prfCodes.put(NISTObjectIdentifiers.id_hmacWithSHA3_384, Integers.valueOf(PBE.SHA3_384)); @@ -66,8 +66,9 @@ public class PBEPBKDF2 } - // BEGIN Android-removed: Unsupported algorithms - /* + /** + * @hide This class is not part of the Android public SDK API + */ public static class AlgParams extends BaseAlgorithmParameters { @@ -150,8 +151,6 @@ public class PBEPBKDF2 return "PBKDF2 Parameters"; } } - */ - // END Android-removed: Unsupported algorithms /** * @hide This class is not part of the Android public SDK API @@ -280,8 +279,9 @@ public class PBEPBKDF2 } } - // BEGIN Android-removed: Unsupported algorithms - /* + /** + * @hide This class is not part of the Android public SDK API + */ public static class PBKDF2withUTF8 extends BasePBKDF2 { @@ -291,6 +291,8 @@ public class PBEPBKDF2 } } + // BEGIN Android-removed: Unsupported algorithms + /* public static class PBKDF2withSHA224 extends BasePBKDF2 { 
@@ -687,6 +689,9 @@ public class PBEPBKDF2 provider.addAlgorithm("SecretKeyFactory.PBEWithHmacSHA512AndAES_256", PREFIX + "$PBEWithHmacSHA512AndAES_256"); provider.addAlgorithm("SecretKeyFactory.PBKDF2WithHmacSHA1And8BIT", PREFIX + "$PBKDF2WithHmacSHA18BIT"); // END Android-added: Android versions of algorithms. + // Android-added: Private implementations needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("SecretKeyFactory.PBKDF2", PREFIX + "$PBKDF2withUTF8"); + provider.addPrivateAlgorithm("Alg.Alias.SecretKeyFactory.1.2.840.113549.1.5.12", "PBKDF2"); } } } diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/util/BCJcaJceHelper.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/util/BCJcaJceHelper.java index 65523d84..b444878f 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/util/BCJcaJceHelper.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/util/BCJcaJceHelper.java @@ -1,9 +1,14 @@ /* GENERATED SOURCE. DO NOT MODIFY. */ package com.android.org.bouncycastle.jcajce.util; +import java.security.NoSuchAlgorithmException; import java.security.Provider; import java.security.Security; +import javax.crypto.Cipher; +import javax.crypto.Mac; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKeyFactory; import com.android.org.bouncycastle.jce.provider.BouncyCastleProvider; /** 
@@ -40,4 +45,45 @@ public class BCJcaJceHelper { super(getBouncyCastleProvider()); } + + // BEGIN Android-added: Look up algorithms in private provider if not found in main Provider. + // + // If code is using a BCJcajceHelper to ensure it gets its implementation from BC, then + // also search in the privately provided algorithms if not found in the main set. + @Override + public Cipher createCipher(String algorithm) + throws NoSuchAlgorithmException, NoSuchPaddingException { + try { + return super.createCipher(algorithm); + } catch (NoSuchAlgorithmException e) { + return Cipher.getInstance(algorithm, getPrivateProvider()); + } + } + + @Override + public SecretKeyFactory createSecretKeyFactory(String algorithm) + throws NoSuchAlgorithmException { + try { + return super.createSecretKeyFactory(algorithm); + } catch (NoSuchAlgorithmException e) { + return SecretKeyFactory.getInstance(algorithm, getPrivateProvider()); + } + } + + @Override + public Mac createMac(String algorithm) throws NoSuchAlgorithmException { + try { + return super.createMac(algorithm); + } catch (NoSuchAlgorithmException e) { + return Mac.getInstance(algorithm, getPrivateProvider()); + } + } + + private Provider getPrivateProvider() { + if (provider instanceof BouncyCastleProvider) { + return ((BouncyCastleProvider) provider).getPrivateProvider(); + } + throw new IllegalStateException(); // XXX + } + // END Android-added: Look up algorithms in private provider if not found in main Provider. } diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/BouncyCastleProvider.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/BouncyCastleProvider.java index 61383ce7..798bb8ed 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/BouncyCastleProvider.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/BouncyCastleProvider.java 
@@ -429,4 +429,37 @@ public final class BouncyCastleProvider extends Provider return converter.generatePrivate(privateKeyInfo); */ } + + // BEGIN Android-added: Allow algorithms to be provided privately for BC internals. + // + // Algorithms added via these methods are stored in a private instance of PrivateProvider, + // which is never added to the system-wide list of installed Providers, and is only + // ever searched by BC internal classes which search for algorithms using an instance + // of BCJcajceHelper. + private static final class PrivateProvider extends Provider { + public PrivateProvider() { + super("BCPrivate", 1.0, "Android BC private use only"); + } + } + + private final Provider privateProvider = new PrivateProvider(); + + public void addPrivateAlgorithm(String key, String value) + { + if (privateProvider.containsKey(key)) + { + throw new IllegalStateException("duplicate provider key (" + key + ") found"); + } + privateProvider.put(key, value); + } + + public void addPrivateAlgorithm(String type, ASN1ObjectIdentifier oid, String className) + { + addPrivateAlgorithm(type + "." + oid, className); + } + + public Provider getPrivateProvider() { + return privateProvider; + } + // END Android-added: Allow algorithms to be provided privately for BC internals. } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java index 8f8787f7..cd76b860 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/config/ConfigurableProvider.java 
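Review bot: `getPrivateProvider()` is declared `public` and hands back the live `privateProvider`, so any code holding a `BouncyCastleProvider` reference can call `put` on it directly and bypass the duplicate-key check in `addPrivateAlgorithm`. That sits uneasily with the block comment's statement that the private provider is only ever searched by BC internals through `BCJcaJceHelper`; whether outside callers can actually reach the method depends on hidden-API enforcement that this diff does not show. Since `BCJcaJceHelper` lives in another package the accessor probably cannot be made package-private, so at least state the contract on the method, e.g. `// Internal use by BCJcaJceHelper only: returns the live Provider, callers must not modify it.` The repackaged_platform copy of this hunk further down has the same accessor, and if these trees are generated the comment belongs in the bcprov source.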
@@ -56,4 +56,11 @@ public interface ConfigurableProvider AsymmetricKeyInfoConverter getKeyInfoConverter(ASN1ObjectIdentifier oid); void addAttributes(String key, Map attributeMap); + + // BEGIN Android-added: Allow algorithms to be added privately. + // See BouncyCastleProvider for details. + void addPrivateAlgorithm(String key, String value); + + void addPrivateAlgorithm(String type, ASN1ObjectIdentifier oid, String className); + // END Android-added: Allow algorithms to be added privately. } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA224.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA224.java index 5b5d9511..bac8e723 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA224.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA224.java @@ -92,6 +92,8 @@ public class SHA224 addHMACAlias(provider, "SHA224", PKCSObjectIdentifiers.id_hmacWithSHA224); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha224, PREFIX + "$HashMac"); } } } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA256.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA256.java index 929364f5..a7ab4097 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA256.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA256.java 
@@ -115,6 +115,8 @@ public class SHA256 addHMACAlias(provider, "SHA256", NISTObjectIdentifiers.id_sha256); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha256, PREFIX + "$HashMac"); } } } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA384.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA384.java index 89d14437..5d209512 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA384.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA384.java @@ -109,6 +109,8 @@ public class SHA384 addHMACAlias(provider, "SHA384", PKCSObjectIdentifiers.id_hmacWithSHA384); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha384, PREFIX + "$HashMac"); } } } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA512.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA512.java index b726dbf8..243a3064 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA512.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/digest/SHA512.java 
@@ -207,6 +207,8 @@ public class SHA512 addHMACAlgorithm(provider, "SHA512/256", PREFIX + "$HashMacT256", PREFIX + "$KeyGeneratorT256"); */ // END Android-removed: Unsupported algorithms + // Android-added: Private implementation needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Mac", NISTObjectIdentifiers.id_sha512, PREFIX + "$HashMac"); } } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java index d5897959..745534da 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/keystore/pkcs12/PKCS12KeyStoreSpi.java @@ -120,9 +120,12 @@ public class PKCS12KeyStoreSpi { static final String PKCS12_MAX_IT_COUNT_PROPERTY = "com.android.internal.org.bouncycastle.pkcs12.max_it_count"; - // Android-changed: Use default provider for JCA algorithms instead of BC + // Android-changed: Use default provider for most JCA algorithms instead of BC. + // For the case where we need BC implementations, the BCJcaJceHelper will also search + // the list of private implementations help by BouncyCastleProvider. // Was: private final JcaJceHelper helper = new BCJcaJceHelper(); private final JcaJceHelper helper = new DefaultJcaJceHelper(); + private final JcaJceHelper selfHelper = new BCJcaJceHelper(); private static final int SALT_SIZE = 20; private static final int MIN_ITERATIONS = 50 * 1024; 
@@ -731,7 +734,9 @@ public class PKCS12KeyStoreSpi PBKDF2Params func = PBKDF2Params.getInstance(alg.getKeyDerivationFunc().getParameters()); AlgorithmIdentifier encScheme = AlgorithmIdentifier.getInstance(alg.getEncryptionScheme()); - SecretKeyFactory keyFact = helper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); + // Android-Changed: SecretKeyFactory must be from BC due to instanceof logic. + // SecretKeyFactory keyFact = helper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); + SecretKeyFactory keyFact = selfHelper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); SecretKey key; if (func.isDefaultPrf()) @@ -743,7 +748,9 @@ public class PKCS12KeyStoreSpi key = keyFact.generateSecret(new PBKDF2KeySpec(password, func.getSalt(), validateIterationCount(func.getIterationCount()), keySizeProvider.getKeySize(encScheme), func.getPrf())); } - Cipher cipher = Cipher.getInstance(alg.getEncryptionScheme().getAlgorithm().getId()); + // Android-Changed: Cipher must be from BC due to use of internal PKCS12Key tyoe. + // Cipher cipher = Cipher.getInstance(alg.getEncryptionScheme().getAlgorithm().getId()); + Cipher cipher = selfHelper.createCipher(alg.getEncryptionScheme().getAlgorithm().getId()); ASN1Encodable encParams = alg.getEncryptionScheme().getParameters(); if (encParams instanceof ASN1OctetString) @@ -1785,7 +1792,9 @@ public class PKCS12KeyStoreSpi { PBEParameterSpec defParams = new PBEParameterSpec(salt, itCount); - Mac mac = helper.createMac(oid.getId()); + // Android-Changed: Mac must be from BC due to use of internal PKCS12Key tyoe. + // Mac mac = helper.createMac(oid.getId()); + Mac mac = selfHelper.createMac(oid.getId()); mac.init(new PKCS12Key(password, wrongPkcs12Zero), defParams); mac.update(data); 
diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/symmetric/AES.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/symmetric/AES.java index 55510fd2..056faae1 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/symmetric/AES.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/symmetric/AES.java @@ -1146,6 +1146,11 @@ public final class AES // addGMacAlgorithm(provider, "AES", PREFIX + "$AESGMAC", PREFIX + "$KeyGen128"); // addPoly1305Algorithm(provider, "AES", PREFIX + "$Poly1305", PREFIX + "$Poly1305KeyGen"); // END Android-removed: Unsupported algorithms + + // Android-added: Private implementations needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("Cipher", NISTObjectIdentifiers.id_aes128_CBC, PREFIX + "$CBC"); + provider.addPrivateAlgorithm("Cipher", NISTObjectIdentifiers.id_aes192_CBC, PREFIX + "$CBC"); + provider.addPrivateAlgorithm("Cipher", NISTObjectIdentifiers.id_aes256_CBC, PREFIX + "$CBC"); } } } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java index ab218e1f..63824db6 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/provider/symmetric/PBEPBKDF2.java 
@@ -44,14 +44,14 @@ public class PBEPBKDF2 static { - // BEGIN Android-removed: Unsupported algorithm - /* - prfCodes.put(CryptoProObjectIdentifiers.gostR3411Hmac, Integers.valueOf(PBE.GOST3411)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA1, Integers.valueOf(PBE.SHA1)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA256, Integers.valueOf(PBE.SHA256)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA224, Integers.valueOf(PBE.SHA224)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA384, Integers.valueOf(PBE.SHA384)); prfCodes.put(PKCSObjectIdentifiers.id_hmacWithSHA512, Integers.valueOf(PBE.SHA512)); + // BEGIN Android-removed: Unsupported algorithms + /* + prfCodes.put(CryptoProObjectIdentifiers.gostR3411Hmac, Integers.valueOf(PBE.GOST3411)); prfCodes.put(NISTObjectIdentifiers.id_hmacWithSHA3_256, Integers.valueOf(PBE.SHA3_256)); prfCodes.put(NISTObjectIdentifiers.id_hmacWithSHA3_224, Integers.valueOf(PBE.SHA3_224)); prfCodes.put(NISTObjectIdentifiers.id_hmacWithSHA3_384, Integers.valueOf(PBE.SHA3_384)); @@ -66,8 +66,9 @@ public class PBEPBKDF2 } - // BEGIN Android-removed: Unsupported algorithms - /* + /** + * @hide This class is not part of the Android public SDK API + */ public static class AlgParams extends BaseAlgorithmParameters { @@ -150,8 +151,6 @@ public class PBEPBKDF2 return "PBKDF2 Parameters"; } } - */ - // END Android-removed: Unsupported algorithms /** * @hide This class is not part of the Android public SDK API @@ -280,8 +279,9 @@ public class PBEPBKDF2 } } - // BEGIN Android-removed: Unsupported algorithms - /* + /** + * @hide This class is not part of the Android public SDK API + */ public static class PBKDF2withUTF8 extends BasePBKDF2 { @@ -291,6 +291,8 @@ public class PBEPBKDF2 } } + // BEGIN Android-removed: Unsupported algorithms + /* public static class PBKDF2withSHA224 extends BasePBKDF2 { 
@@ -687,6 +689,9 @@ public class PBEPBKDF2 provider.addAlgorithm("SecretKeyFactory.PBEWithHmacSHA512AndAES_256", PREFIX + "$PBEWithHmacSHA512AndAES_256"); provider.addAlgorithm("SecretKeyFactory.PBKDF2WithHmacSHA1And8BIT", PREFIX + "$PBKDF2WithHmacSHA18BIT"); // END Android-added: Android versions of algorithms. + // Android-added: Private implementations needed to support PBKDF2 with PKCS#12 + provider.addPrivateAlgorithm("SecretKeyFactory.PBKDF2", PREFIX + "$PBKDF2withUTF8"); + provider.addPrivateAlgorithm("Alg.Alias.SecretKeyFactory.1.2.840.113549.1.5.12", "PBKDF2"); } } } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/util/BCJcaJceHelper.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/util/BCJcaJceHelper.java index 15130f26..7b7c6cb3 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/util/BCJcaJceHelper.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/util/BCJcaJceHelper.java @@ -1,9 +1,14 @@ /* GENERATED SOURCE. DO NOT MODIFY. */ package com.android.internal.org.bouncycastle.jcajce.util; +import java.security.NoSuchAlgorithmException; import java.security.Provider; import java.security.Security; +import javax.crypto.Cipher; +import javax.crypto.Mac; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKeyFactory; import com.android.internal.org.bouncycastle.jce.provider.BouncyCastleProvider; /** 
@@ -40,4 +45,45 @@ public class BCJcaJceHelper { super(getBouncyCastleProvider()); } + + // BEGIN Android-added: Look up algorithms in private provider if not found in main Provider. + // + // If code is using a BCJcajceHelper to ensure it gets its implementation from BC, then + // also search in the privately provided algorithms if not found in the main set. + @Override + public Cipher createCipher(String algorithm) + throws NoSuchAlgorithmException, NoSuchPaddingException { + try { + return super.createCipher(algorithm); + } catch (NoSuchAlgorithmException e) { + return Cipher.getInstance(algorithm, getPrivateProvider()); + } + } + + @Override + public SecretKeyFactory createSecretKeyFactory(String algorithm) + throws NoSuchAlgorithmException { + try { + return super.createSecretKeyFactory(algorithm); + } catch (NoSuchAlgorithmException e) { + return SecretKeyFactory.getInstance(algorithm, getPrivateProvider()); + } + } + + @Override + public Mac createMac(String algorithm) throws NoSuchAlgorithmException { + try { + return super.createMac(algorithm); + } catch (NoSuchAlgorithmException e) { + return Mac.getInstance(algorithm, getPrivateProvider()); + } + } + + private Provider getPrivateProvider() { + if (provider instanceof BouncyCastleProvider) { + return ((BouncyCastleProvider) provider).getPrivateProvider(); + } + throw new IllegalStateException(); // XXX + } + // END Android-added: Look up algorithms in private provider if not found in main Provider. } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jce/provider/BouncyCastleProvider.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jce/provider/BouncyCastleProvider.java index 2f3f1ea2..2689da81 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jce/provider/BouncyCastleProvider.java 
+++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jce/provider/BouncyCastleProvider.java @@ -428,4 +428,37 @@ public final class BouncyCastleProvider extends Provider return converter.generatePrivate(privateKeyInfo); */ } + + // BEGIN Android-added: Allow algorithms to be provided privately for BC internals. + // + // Algorithms added via these methods are stored in a private instance of PrivateProvider, + // which is never added to the system-wide list of installed Providers, and is only + // ever searched by BC internal classes which search for algorithms using an instance + // of BCJcajceHelper. + private static final class PrivateProvider extends Provider { + public PrivateProvider() { + super("BCPrivate", 1.0, "Android BC private use only"); + } + } + + private final Provider privateProvider = new PrivateProvider(); + + public void addPrivateAlgorithm(String key, String value) + { + if (privateProvider.containsKey(key)) + { + throw new IllegalStateException("duplicate provider key (" + key + ") found"); + } + privateProvider.put(key, value); + } + + public void addPrivateAlgorithm(String type, ASN1ObjectIdentifier oid, String className) + { + addPrivateAlgorithm(type + "." + oid, className); + } + + public Provider getPrivateProvider() { + return privateProvider; + } + // END Android-added: Allow algorithms to be provided privately for BC internals. } -- cgit v1.2.3 From cd099782f51919a96ec575d5423f17189a1d9a18 Mon Sep 17 00:00:00 2001 
From: Pete Bentley Date: Tue, 10 Jan 2023 12:43:08 +0000 Subject: Don't throw exceptions from BCPrivate provider. I originally thought this was fine, but it could cause confusion for developers encountering a PKCS#12 file using an unknown algorithm. Instead, throw the original NoSuchAlgorithmException from the BC Provider. Bug: 230750823 Test: atest CtsLibcoreTestCases:tests.targets.security.KeyStorePkcs7FormatTest Change-Id: I8a6d44d0e59bf0fb029ced4b8aa47908194bc161 Merged-In: I8a6d44d0e59bf0fb029ced4b8aa47908194bc161 (cherry picked from commit 10942f23a051f9089baa013e2201f41b4d17a6ea) --- .../bouncycastle/jcajce/util/BCJcaJceHelper.java | 30 +++++++++++++++++----- .../bouncycastle/jcajce/util/BCJcaJceHelper.java | 30 +++++++++++++++++----- .../bouncycastle/jcajce/util/BCJcaJceHelper.java | 30 +++++++++++++++++----- 3 files changed, 69 insertions(+), 21 deletions(-) diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java b/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java index 9a41d31c..13205ec2 100644 --- a/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java +++ b/bcprov/src/main/java/org/bouncycastle/jcajce/util/BCJcaJceHelper.java 
@@ -48,13 +48,21 @@ public class BCJcaJceHelper // // If code is using a BCJcajceHelper to ensure it gets its implementation from BC, then // also search in the privately provided algorithms if not found in the main set. + // + // If any error occurs while searching the private Provider, typically a + // NoSuchAlgorithmException being thrown, then the original NoSuchAlgorithmException + // from the BC Provider is thrown for consistency. @Override public Cipher createCipher(String algorithm) throws NoSuchAlgorithmException, NoSuchPaddingException { try { return super.createCipher(algorithm); - } catch (NoSuchAlgorithmException e) { - return Cipher.getInstance(algorithm, getPrivateProvider()); + } catch (NoSuchAlgorithmException originalException) { + try { + return Cipher.getInstance(algorithm, getPrivateProvider()); + } catch (Throwable throwable) { + throw originalException; + } } } @@ -63,8 +71,12 @@ public class BCJcaJceHelper throws NoSuchAlgorithmException { try { return super.createSecretKeyFactory(algorithm); - } catch (NoSuchAlgorithmException e) { - return SecretKeyFactory.getInstance(algorithm, getPrivateProvider()); + } catch (NoSuchAlgorithmException originalException) { + try { + return SecretKeyFactory.getInstance(algorithm, getPrivateProvider()); + } catch (Throwable throwable) { + throw originalException; + } } } @@ -72,8 +84,12 @@ public class BCJcaJceHelper public Mac createMac(String algorithm) throws NoSuchAlgorithmException { try { return super.createMac(algorithm); - } catch (NoSuchAlgorithmException e) { - return Mac.getInstance(algorithm, getPrivateProvider()); + } catch (NoSuchAlgorithmException originalException) { + try { + return Mac.getInstance(algorithm, getPrivateProvider()); + } catch (Throwable throwable) { + throw originalException; + } } } 
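Review bot: The new `catch (Throwable throwable)` in `createCipher`, repeated in the `createSecretKeyFactory` and `createMac` hunks that follow, is wider than the comment's stated case of a `NoSuchAlgorithmException` from the private provider. It also swallows `Error`s and the `IllegalStateException` that `getPrivateProvider()` throws when `provider` is not a `BouncyCastleProvider`, so the "Internal error in BCJcaJceHelper" message added in the last hunk of this file can never reach a caller of these three methods. The second failure is dropped without a trace, which makes a broken private registration look like an ordinary unsupported algorithm. Catching only what the lookup declares and attaching it keeps the developer-facing exception unchanged while preserving the detail: `} catch (NoSuchAlgorithmException | NoSuchPaddingException e) { originalException.addSuppressed(e); throw originalException; }` in `createCipher`, and `catch (NoSuchAlgorithmException e)` with the same body in the other two. The copies of this file under repackaged/ and repackaged_platform/ later in the commit carry the same pattern; the signatures of `createSecretKeyFactory` and `createMac` start above their hunks.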
@@ -81,7 +97,7 @@ public class BCJcaJceHelper if (provider instanceof BouncyCastleProvider) { return ((BouncyCastleProvider) provider).getPrivateProvider(); } - throw new IllegalStateException(); // XXX + throw new IllegalStateException("Internal error in BCJcaJceHelper"); } // END Android-added: Look up algorithms in private provider if not found in main Provider. } diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/util/BCJcaJceHelper.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/util/BCJcaJceHelper.java index b444878f..69ab946c 100644 --- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/util/BCJcaJceHelper.java +++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jcajce/util/BCJcaJceHelper.java @@ -50,13 +50,21 @@ public class BCJcaJceHelper // // If code is using a BCJcajceHelper to ensure it gets its implementation from BC, then // also search in the privately provided algorithms if not found in the main set. + // + // If any error occurs while searching the private Provider, typically a + // NoSuchAlgorithmException being thrown, then the original NoSuchAlgorithmException + // from the BC Provider is thrown for consistency. @Override public Cipher createCipher(String algorithm) throws NoSuchAlgorithmException, NoSuchPaddingException { try { return super.createCipher(algorithm); - } catch (NoSuchAlgorithmException e) { - return Cipher.getInstance(algorithm, getPrivateProvider()); + } catch (NoSuchAlgorithmException originalException) { + try { + return Cipher.getInstance(algorithm, getPrivateProvider()); + } catch (Throwable throwable) { + throw originalException; + } } } 
@@ -65,8 +73,12 @@ public class BCJcaJceHelper throws NoSuchAlgorithmException { try { return super.createSecretKeyFactory(algorithm); - } catch (NoSuchAlgorithmException e) { - return SecretKeyFactory.getInstance(algorithm, getPrivateProvider()); + } catch (NoSuchAlgorithmException originalException) { + try { + return SecretKeyFactory.getInstance(algorithm, getPrivateProvider()); + } catch (Throwable throwable) { + throw originalException; + } } } @@ -74,8 +86,12 @@ public class BCJcaJceHelper public Mac createMac(String algorithm) throws NoSuchAlgorithmException { try { return super.createMac(algorithm); - } catch (NoSuchAlgorithmException e) { - return Mac.getInstance(algorithm, getPrivateProvider()); + } catch (NoSuchAlgorithmException originalException) { + try { + return Mac.getInstance(algorithm, getPrivateProvider()); + } catch (Throwable throwable) { + throw originalException; + } } } @@ -83,7 +99,7 @@ public class BCJcaJceHelper if (provider instanceof BouncyCastleProvider) { return ((BouncyCastleProvider) provider).getPrivateProvider(); } - throw new IllegalStateException(); // XXX + throw new IllegalStateException("Internal error in BCJcaJceHelper"); } // END Android-added: Look up algorithms in private provider if not found in main Provider. } diff --git a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/util/BCJcaJceHelper.java b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/util/BCJcaJceHelper.java index 7b7c6cb3..507d225c 100644 --- a/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/util/BCJcaJceHelper.java +++ b/repackaged_platform/bcprov/src/main/java/com/android/internal/org/bouncycastle/jcajce/util/BCJcaJceHelper.java 
@@ -50,13 +50,21 @@ public class BCJcaJceHelper // // If code is using a BCJcajceHelper to ensure it gets its implementation from BC, then // also search in the privately provided algorithms if not found in the main set. + // + // If any error occurs while searching the private Provider, typically a + // NoSuchAlgorithmException being thrown, then the original NoSuchAlgorithmException + // from the BC Provider is thrown for consistency. @Override public Cipher createCipher(String algorithm) throws NoSuchAlgorithmException, NoSuchPaddingException { try { return super.createCipher(algorithm); - } catch (NoSuchAlgorithmException e) { - return Cipher.getInstance(algorithm, getPrivateProvider()); + } catch (NoSuchAlgorithmException originalException) { + try { + return Cipher.getInstance(algorithm, getPrivateProvider()); + } catch (Throwable throwable) { + throw originalException; + } } } @@ -65,8 +73,12 @@ public class BCJcaJceHelper throws NoSuchAlgorithmException { try { return super.createSecretKeyFactory(algorithm); - } catch (NoSuchAlgorithmException e) { - return SecretKeyFactory.getInstance(algorithm, getPrivateProvider()); + } catch (NoSuchAlgorithmException originalException) { + try { + return SecretKeyFactory.getInstance(algorithm, getPrivateProvider()); + } catch (Throwable throwable) { + throw originalException; + } } } @@ -74,8 +86,12 @@ public class BCJcaJceHelper public Mac createMac(String algorithm) throws NoSuchAlgorithmException { try { return super.createMac(algorithm); - } catch (NoSuchAlgorithmException e) { - return Mac.getInstance(algorithm, getPrivateProvider()); + } catch (NoSuchAlgorithmException originalException) { + try { + return Mac.getInstance(algorithm, getPrivateProvider()); + } catch (Throwable throwable) { + throw originalException; + } } } 
@@ -83,7 +99,7 @@ public class BCJcaJceHelper if (provider instanceof BouncyCastleProvider) { return ((BouncyCastleProvider) provider).getPrivateProvider(); } - throw new IllegalStateException(); // XXX + throw new IllegalStateException("Internal error in BCJcaJceHelper"); } // END Android-added: Look up algorithms in private provider if not found in main Provider. } -- cgit v1.2.3 From 1509f80931631e86d7182cdc6962c283e8d0e2db Mon Sep 17 00:00:00 2001 From: Orion Hodson Date: Fri, 13 Jan 2023 13:07:08 +0000 Subject: DO NOT MERGE Update bouncycastle OWNERS in tm-mainline-prod Narrow range of libcore team reviewers and add some ART module reviewers. Fix: 262796502 Test: build/make/tools/checkowners.py external/bouncycastle/OWNERS Ignore-AOSP-First: change for mainline IGNORE_COMPLIANCELINT=LicenseExists : existing problem Change-Id: I28bb5f6aa42cd603b440b7686f8202f3ebf8deeb --- OWNERS | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/OWNERS b/OWNERS index 73617ea1..c3b459cc 100644 --- a/OWNERS +++ b/OWNERS @@ -1,2 +1,7 @@ # Bug component: 684135 -include platform/libcore:/OWNERS +prb@google.com + +mast@google.com +miguelaranda@google.com +rpl@google.com +sorinbasca@google.com -- cgit v1.2.3