From e0b93ab8a7f75773b7407ae3840227758bdbe3be Mon Sep 17 00:00:00 2001 From: Martin Stjernholm Date: Tue, 5 Dec 2023 16:44:06 +0000 Subject: Run R8 on bouncycastle with shrinking for the boot classpath. The list of classes to keep is taken from the list of services advertised by the BC security provider. This shrinks bouncycastle.jar in the ART APEX by 439 KB (from 1.4 to 1.0 MB). An additional 86 KB would be shaved off without the keeps for MtsLibcoreBouncyCastleTestCases Also clean up an unused visibility for wycheproof. Test: Check that the list of services in the BC provider stays the same before and after the change. Test: atest MtsLibcoreBouncyCastleTestCases \ MtsConscryptTestCases MtsConscryptFdSocketTestCases \ CtsLibcoreTestCases:libcore.java.security.cert \ CtsLibcoreTestCases:libcore.junit.util \ CtsLibcoreTestCases:org.apache.harmony.crypto.tests.javax.crypto.KeyAgreementTest \ CtsLibcoreTestCases:org.apache.harmony.tests.javax.net.ssl \ CtsLibcoreTestCases:tests.com.android.org.bouncycastle \ CtsLibcoreTestCases:tests.targets.security Bug: 317513933 Change-Id: I9eec7e83c0d9cdfb507123024b61e523f29b603f --- Android.bp | 11 +++- README.android | 11 +++- proguard.flags | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 203 insertions(+), 4 deletions(-) create mode 100644 proguard.flags diff --git a/Android.bp b/Android.bp index 27d87e80..1e28e274 100644 --- a/Android.bp +++ b/Android.bp @@ -93,7 +93,6 @@ java_library { visibility: [ "//art/build/apex", "//art/build/sdk", - "//external/wycheproof", "//libcore:__subpackages__", "//packages/modules/ArtPrebuilt", ], @@ -109,6 +108,16 @@ java_library { libs: ["unsupportedappusage"], + optimize: { + enabled: true, + shrink: true, + optimize: true, + obfuscate: false, + proguard_compatibility: false, + ignore_warnings: false, + proguard_flags_files: ["proguard.flags"], + }, + sdk_version: "none", system_modules: "art-module-intra-core-api-stubs-system-modules", } 
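Review bot: The new `optimize` block in the second Android.bp hunk carries no comment explaining why shrinking is safe for this module, so a reader of Android.bp alone cannot tell that every class the provider loads by name has to be listed in proguard.flags. I would add a line above it such as `// R8 shrinking relies on proguard.flags keeping every class the BC provider loads reflectively; see README.android step d.` Leaving `obfuscate: false` and `ignore_warnings: false` is the conservative choice here, since a renamed or silently dropped SPI class would presumably surface only at algorithm lookup time. The enclosing `java_library` block starts outside the hunk, so the module name is not visible from here.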
diff --git a/README.android b/README.android index 2b6c07f2..da805c03 100644 --- a/README.android +++ b/README.android @@ -64,11 +64,16 @@ The following steps are recommended for porting new Bouncy Castle versions. * If upstream added a file to a directory we deleted, we probably don't need it - d) Confirm all changes + d) Update the list of exported APIs in proguard.flags, if necessary. + + Check this in particular if new algorithms are getting registered with + ConfigurableProvider.addAlgorithm or ConfigurableProvider.addPrivateAlgorithm. + + e) Confirm all changes git diff aosp/master - e) Run the tests, commonly at least + f) Run the tests, commonly at least cts -m CtsLibcoreTestCases cts -m CtsLibcoreFileIOTestCases @@ -77,6 +82,6 @@ The following steps are recommended for porting new Bouncy Castle versions. cts -m CtsLibcoreOkHttpTestCases cts -m CtsLibcoreWycheproofBCTestCases - e) Get the change reviewed + g) Get the change reviewed repo upload . diff --git a/proguard.flags b/proguard.flags new file mode 100644 index 00000000..4a4ff37a --- /dev/null +++ b/proguard.flags 
@@ -0,0 +1,185 @@
+-keep class com.android.org.bouncycastle.jce.provider.BouncyCastleProvider { public *; }
+
+# Keep classes for Android supported algorithms, and internal ones loaded
+# through reflection (cf. calls to ConfigurableProvider.addAlgorithm and
+# ConfigurableProvider.addPrivateAlgorithm). The *$Mappings classes are used
+# internally through reflection to configure the algorithms.
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA1AndAES_128 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA1AndAES_256 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA224AndAES_128 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA224AndAES_256 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA256AndAES_128 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA256AndAES_256 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA384AndAES_128 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA384AndAES_256 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA512AndAES_128 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBEWithHmacSHA512AndAES_256 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBKDF2WithHmacSHA18BIT { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBKDF2WithHmacSHA1UTF8 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBKDF2WithHmacSHA224UTF8 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBKDF2WithHmacSHA256UTF8 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBKDF2WithHmacSHA384UTF8 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBKDF2WithHmacSHA512UTF8 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPBKDF2$PBKDF2withUTF8 { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPKCS12$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBEPKCS12$AlgParams { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA1AES128AlgorithmParameters { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA1AES256AlgorithmParameters { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA224AES128AlgorithmParameters { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA224AES256AlgorithmParameters { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA256AES128AlgorithmParameters { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA256AES256AlgorithmParameters { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA384AES128AlgorithmParameters { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA384AES256AlgorithmParameters { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA512AES128AlgorithmParameters { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.PBES2AlgorithmParameters$PBEWithHmacSHA512AES256AlgorithmParameters { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$CBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$ECB { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithAESCBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithAESCBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithAESCBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithMD5And128BitAESCBCOpenSSL { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithMD5And192BitAESCBCOpenSSL { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithMD5And256BitAESCBCOpenSSL { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHA1AESCBC128 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHA1AESCBC192 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHA1AESCBC256 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHA256AESCBC128 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHA256AESCBC192 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHA256AESCBC256 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHA256And128BitAESBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHA256And192BitAESBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHA256And256BitAESBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHAAnd128BitAESBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHAAnd192BitAESBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$PBEWithSHAAnd256BitAESBC { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.AES$Wrap { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.ARC4$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.ARC4$KeyGen { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.ARC4$PBEWithSHAAnd128Bit { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.ARC4$PBEWithSHAAnd128BitKeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.ARC4$PBEWithSHAAnd40Bit { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.ARC4$PBEWithSHAAnd40BitKeyFactory { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.Blowfish$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.Blowfish$AlgParams { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.Blowfish$ECB { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.Blowfish$KeyGen { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DES$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DES$ECB { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DES$KeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DES$KeyGenerator { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DES$PBEWithMD5 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DES$PBEWithMD5KeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DES$PBEWithSHA1 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DES$PBEWithSHA1KeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.util.IvAlgorithmParameters { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DESede$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DESede$ECB { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DESede$PBEWithSHAAndDES2Key { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DESede$PBEWithSHAAndDES2KeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DESede$PBEWithSHAAndDES3Key { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DESede$PBEWithSHAAndDES3KeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.DESede$Wrap { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.RC2$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.RC2$PBEWithMD5AndRC2 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.RC2$PBEWithMD5KeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.RC2$PBEWithSHA1AndRC2 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.RC2$PBEWithSHA1KeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.RC2$PBEWithSHAAnd128BitKeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.RC2$PBEWithSHAAnd128BitRC2 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.RC2$PBEWithSHAAnd40BitKeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.RC2$PBEWithSHAAnd40BitRC2 { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.Twofish$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.Twofish$PBEWithSHA { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.symmetric.Twofish$PBEWithSHAKeyFactory { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.DSA$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dsa.AlgorithmParameterGeneratorSpi { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dsa.AlgorithmParametersSpi { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dsa.DSASigner$dsa224 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dsa.DSASigner$dsa256 { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dsa.DSASigner$noneDSA { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dsa.DSASigner$stdDSA { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyFactorySpi { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.DH$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dh.AlgorithmParameterGeneratorSpi { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dh.AlgorithmParametersSpi { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dh.KeyAgreementSpi { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dh.KeyFactorySpi { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.dh.KeyPairGeneratorSpi { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.RSA$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.rsa.AlgorithmParametersSpi$PSS { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi$NoPadding { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyFactorySpi { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA1$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA1$PBEWithMacKeyFactory { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA1$SHA1Mac { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA224$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA224$HashMac { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA256$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA256$HashMac { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA384$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA384$HashMac { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA512$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.digest.SHA512$HashMac { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.keystore.BC$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.keystore.bc.BcKeyStoreSpi$BouncyCastleStore { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.keystore.bc.BcKeyStoreSpi$Std { public *; }
+
+-keep class com.android.org.bouncycastle.jcajce.provider.keystore.PKCS12$Mappings { public *; }
+-keep class com.android.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi$BCPKCS12KeyStore { public *; }
+
+-keep class com.android.org.bouncycastle.jce.provider.CertStoreCollectionSpi { public *; }
+-keep class com.android.org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi { public *; }
+-keep class com.android.org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi { public *; }
+
+# Classes only accessed from tests in MtsLibcoreBouncyCastleTestCases
+-keep class com.android.org.bouncycastle.asn1.x9.ECNamedCurveTable { public *; }
+-keep class com.android.org.bouncycastle.asn1.x9.X962NamedCurves { public *; }
+-keep class com.android.org.bouncycastle.asn1.x9.X9ECParameters { public *; }
+-keep class com.android.org.bouncycastle.asn1.x9.X9ECPoint { public *; }
+-keep class com.android.org.bouncycastle.crypto.ec.CustomNamedCurves { public *; }
+-keep class com.android.org.bouncycastle.math.Primes { public *; }
+-keep class com.android.org.bouncycastle.math.Primes$* { public *; }
+-keep class com.android.org.bouncycastle.math.ec.ECAlgorithms { public *; }
+-keep class com.android.org.bouncycastle.math.ec.ECCurve { public *; }
+-keep class com.android.org.bouncycastle.math.ec.ECCurve$Config { public *; }
+-keep class com.android.org.bouncycastle.math.ec.ECPoint { public *; }
+-keep class com.android.org.bouncycastle.math.ec.FixedPointCombMultiplier { public *; }
+-keep class com.android.org.bouncycastle.math.raw.Interleave { public *; }
+-keep class com.android.org.bouncycastle.math.raw.Nat { public *; }
+-keep class com.android.org.bouncycastle.math.raw.Nat256 { public *; }
+-keep class com.android.org.bouncycastle.util.Arrays { public *; }
+-keep class com.android.org.bouncycastle.util.Integers { public *; }
+-keep class com.android.org.bouncycastle.util.encoders.Hex { public *; }
+
+# Classes only accessed from tests in CtsLibcoreTestCases
+# tests.com.android.org.bouncycastle.jce.provider.CertBlocklistTest
+-keep class com.android.org.bouncycastle.jce.provider.CertBlocklist { public *; }
+-keep class com.android.org.bouncycastle.util.encoders.Base64 { public *; }
+# tests.com.android.org.bouncycastle.crypto.digests
+-keep class com.android.org.bouncycastle.crypto.digests.*Digest { public *; }
+-keep class com.android.org.bouncycastle.crypto.digests.OpenSSLDigest$* { public *; }
-- cgit v1.2.3
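Review bot: Nothing in proguard.flags or the build ties this keep list to the set of classes the provider registers by name, so an algorithm added upstream through `ConfigurableProvider.addAlgorithm` without a matching `-keep` would be stripped by R8 and would presumably fail only when that algorithm is first requested. The commit message describes comparing the provider's service list before and after the change as a manual step; a test that walks the provider's advertised services and loads each implementation class would make that check repeatable on every Bouncy Castle update. I would also record the origin of the list at the top of the file, e.g. `# Derived from the services advertised by the BC provider; regenerate when ConfigurableProvider registrations change.` Separately, the `AES$PBEWithAESCBC` rule appears three times in a row and two of the copies can be dropped.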