Support generating and using ECDSA keys

Add support for generating ECDSA keys when generating keys directly in
KeyChain (the only option used to be RSA keys).

Additionally, when testing use of a key, invoke the right algorithm based
on key type so that EC keys would be supported.

Bug: 132435000
Test: Manual, generated EC key then tested its use.
Change-Id: Id8fc69909d00396f16d8ce41f93db630eac43b7a

Author: eranmes

app/src/main/java/com/afwsamples/testdpc/policy/PolicyManagementFragment.java

@@ -987,7 +987,7 @@ public void onPositiveButtonClicked(String[] lockTaskArray) {
                 choosePrivateKeyForRemoval();
                 return true;
             case GENERATE_KEY_CERTIFICATE_KEY:
-                showPromptForGeneratedKeyAlias("generated-rsa-testdpc-1");
+                showPromptForGeneratedKeyAlias("generated-key-testdpc-1");
                 return true;
             case TEST_KEY_USABILITY_KEY:
                 testKeyCanBeUsedForSigning();
@@ -1440,10 +1440,11 @@ private boolean installKeyPair(final PrivateKey key, final Certificate cert, fin
     private void generateKeyPair(final String alias, boolean isUserSelectable,
                                  byte[] attestationChallenge,
                                  int idAttestationFlags,
-                                 boolean useStrongBox) {
+                                 boolean useStrongBox,
+                                 boolean generateEcKey) {
         new GenerateKeyAndCertificateTask(
                 alias, isUserSelectable, attestationChallenge, idAttestationFlags,
-                useStrongBox, getActivity(), mAdminComponentName).execute();
+                useStrongBox, generateEcKey, getActivity(), mAdminComponentName).execute();
     }
 
     /**
@@ -2477,6 +2478,9 @@ private void showPromptForGeneratedKeyAlias(String alias) {
                 R.id.alias_user_selectable);
         userSelectableCheckbox.setChecked(!BuildCompat.isAtLeastP());
 
+        final CheckBox ecKeyCheckbox = aliasNamingView.findViewById(
+                R.id.generate_ec_key);
+
         // Attestation check-boxes
         final CheckBox includeAttestationChallengeCheckbox = aliasNamingView.findViewById(
                 R.id.include_key_attestation_challenge);
@@ -2520,7 +2524,8 @@ public void onClick(DialogInterface dialog, int which) {
                         }
 
                         generateKeyPair(alias, isUserSelectable, attestationChallenge,
-                                idAttestationFlags, useStrongBoxCheckbox.isChecked());
+                                idAttestationFlags, useStrongBoxCheckbox.isChecked(),
+                                ecKeyCheckbox.isChecked());
                     }
                 })
                 .setNegativeButton(android.R.string.cancel, null)

app/src/main/java/com/afwsamples/testdpc/policy/keymanagement/GenerateKeyAndCertificateTask.java

@@ -58,6 +58,7 @@ public class GenerateKeyAndCertificateTask extends AsyncTask<Void, Integer, Atte
     private final byte[] mAttestationChallenge;
     private final int mIdAttestationFlags;
     private final boolean mUseStrongBox;
+    private final boolean mGenerateEcKey;
     private final ComponentName mAdminComponentName;
     private final DevicePolicyManager mDevicePolicyManager;
     private final Activity mActivity;
@@ -68,13 +69,15 @@ public GenerateKeyAndCertificateTask(
             byte[] attestationChallenge,
             int idAttestationFlags,
             boolean useStrongBox,
+            boolean generateEcKey,
             Activity activity,
             ComponentName admin) {
         mAlias = alias;
         mIsUserSelectable = isUserSelectable;
         mAttestationChallenge = attestationChallenge;
         mIdAttestationFlags = idAttestationFlags;
         mUseStrongBox = useStrongBox;
+        mGenerateEcKey = generateEcKey;
         mActivity = activity;
         mAdminComponentName = admin;
         mDevicePolicyManager =
@@ -89,21 +92,34 @@ protected AttestedKeyPair doInBackground(Void... voids) {
                     new KeyGenParameterSpec.Builder(
                                     mAlias,
                                     KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
-                            .setKeySize(2048)
                             .setDigests(KeyProperties.DIGEST_SHA256)
-                            .setSignaturePaddings(
-                                    KeyProperties.SIGNATURE_PADDING_RSA_PSS,
-                                    KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                             .setIsStrongBoxBacked(mUseStrongBox);
 
             if (mAttestationChallenge != null) {
                 keySpecBuilder.setAttestationChallenge(mAttestationChallenge);
             }
 
+            if (mGenerateEcKey) {
+                keySpecBuilder.setKeySize(256);
+            } else {
+                // RSA key
+                keySpecBuilder.setSignaturePaddings(
+                        KeyProperties.SIGNATURE_PADDING_RSA_PSS,
+                        KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
+                        .setKeySize(2048);
+            }
+
+            String keyAlgorithm;
+            if (mGenerateEcKey) {
+                keyAlgorithm = KeyProperties.KEY_ALGORITHM_EC;
+            } else {
+                keyAlgorithm = KeyProperties.KEY_ALGORITHM_RSA;
+            }
+
             KeyGenParameterSpec keySpec = keySpecBuilder.build();
             AttestedKeyPair keyPair =
                     mDevicePolicyManager.generateKeyPair(
-                            mAdminComponentName, "RSA", keySpec, mIdAttestationFlags);
+                            mAdminComponentName, keyAlgorithm, keySpec, mIdAttestationFlags);
 
             if (keyPair == null) {
                 return null;

app/src/main/java/com/afwsamples/testdpc/policy/keymanagement/SignAndVerifyTask.java

@@ -20,6 +20,7 @@
 import android.os.AsyncTask;
 import android.security.KeyChain;
 import android.security.KeyChainException;
+import android.security.keystore.KeyProperties;
 import android.util.Log;
 
 import com.afwsamples.testdpc.R;
@@ -46,9 +47,15 @@ public SignAndVerifyTask(Context context, ShowToastCallback callback) {
     protected String doInBackground(String... aliases) {
         String alias = aliases[0];
         try {
-            final String algorithmIdentifier = "SHA256withRSA";
             PrivateKey privateKey = KeyChain.getPrivateKey(mContext, alias);
 
+            final String algorithmIdentifier;
+            if (privateKey.getAlgorithm().equals(KeyProperties.KEY_ALGORITHM_RSA)) {
+                algorithmIdentifier = "SHA256withRSA";
+            } else {
+                algorithmIdentifier = "SHA256withECDSA";
+            }
+
             byte[] data = new String("hello").getBytes();
             Signature signer = Signature.getInstance(algorithmIdentifier);
             signer.initSign(privateKey);

app/src/main/res/layout/key_generation_prompt.xml

@@ -47,6 +47,12 @@
         android:layout_height="wrap_content"
         android:text="@string/user_selectability_checkbox"/>
 
+    <CheckBox
+        android:id="@+id/generate_ec_key"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:text="@string/ec_key_checkbox"/>
+
     <TextView
         android:layout_width="fill_parent"
         android:layout_height="wrap_content"

app/src/main/res/values/strings.xml

@@ -529,6 +529,7 @@
     <string name="all_ca_certificates_removed">All CA certificates have been removed.</string>
     <string name="user_selectability_description">User-selectability</string>
     <string name="user_selectability_checkbox">Make user-selectable</string>
+    <string name="ec_key_checkbox">Generate EC key (Default: RSA)</string>
     <string name="key_attestation_description">Key Attestation options</string>
     <string name="key_attestation_checkbox">Include key attestation challenge</string>
     <string name="device_id_attestation_description">Device ID attestation options</string>