author | Alex Klyubin <klyubin@google.com> | 2015-05-12 19:57:09 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2015-05-12 19:57:10 +0000 |
commit | c5a142f82b85aef4d740af4e8fefedf1cd0333fe (patch) | |
tree | a2e9a554bcbb1f978ab699e095d6b05ac9179ab6 | |
parent | e66ba4736667afb9ff3b1d3ebc487d024531f2a3 (diff) | |
parent | 622fd932fd33c6e86c86c8a24082674ad077a810 (diff) | |
Merge "Flatten KeyStoreKeyProperties constants." into mnc-dev
-rw-r--r-- | api/current.txt | 85 | ||||
-rw-r--r-- | api/system-current.txt | 85 | ||||
-rw-r--r-- | keystore/java/android/security/AndroidKeyPairGenerator.java | 21 | ||||
-rw-r--r-- | keystore/java/android/security/AndroidKeyStore.java | 12 | ||||
-rw-r--r-- | keystore/java/android/security/KeyChain.java | 12 | ||||
-rw-r--r-- | keystore/java/android/security/KeyGeneratorSpec.java | 35 | ||||
-rw-r--r-- | keystore/java/android/security/KeyPairGeneratorSpec.java | 105 | ||||
-rw-r--r-- | keystore/java/android/security/KeyStore.java | 6 | ||||
-rw-r--r-- | keystore/java/android/security/KeyStoreCipherSpi.java | 2 | ||||
-rw-r--r-- | keystore/java/android/security/KeyStoreKeyGeneratorSpi.java | 8 | ||||
-rw-r--r-- | keystore/java/android/security/KeyStoreKeyProperties.java | 499 | ||||
-rw-r--r-- | keystore/java/android/security/KeyStoreKeySpec.java | 28 | ||||
-rw-r--r-- | keystore/java/android/security/KeyStoreParameter.java | 92 |
13 files changed, 439 insertions, 551 deletions
diff --git a/api/current.txt b/api/current.txt
index 46f38ca..8a9e7ef 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -28455,59 +28455,38 @@ package android.security { } public abstract class KeyStoreKeyProperties { - } - - public static abstract class KeyStoreKeyProperties.Algorithm { - field public static final java.lang.String AES = "AES"; - field public static final java.lang.String EC = "EC"; - field public static final java.lang.String HMAC_SHA1 = "HmacSHA1"; - field public static final java.lang.String HMAC_SHA224 = "HmacSHA224"; - field public static final java.lang.String HMAC_SHA256 = "HmacSHA256"; - field public static final java.lang.String HMAC_SHA384 = "HmacSHA384"; - field public static final java.lang.String HMAC_SHA512 = "HmacSHA512"; - field public static final java.lang.String RSA = "RSA"; - } - - public static abstract class KeyStoreKeyProperties.BlockMode { - field public static final java.lang.String CBC = "CBC"; - field public static final java.lang.String CTR = "CTR"; - field public static final java.lang.String ECB = "ECB"; - field public static final java.lang.String GCM = "GCM"; - } - - public static abstract class KeyStoreKeyProperties.Digest { - field public static final java.lang.String MD5 = "MD5"; - field public static final java.lang.String NONE = "NONE"; - field public static final java.lang.String SHA1 = "SHA-1"; - field public static final java.lang.String SHA224 = "SHA-224"; - field public static final java.lang.String SHA256 = "SHA-256"; - field public static final java.lang.String SHA384 = "SHA-384"; - field public static final java.lang.String SHA512 = "SHA-512"; - } - - public static abstract class KeyStoreKeyProperties.EncryptionPadding { - field public static final java.lang.String NONE = "NoPadding"; - field public static final java.lang.String PKCS7 = "PKCS7Padding"; - field public static final java.lang.String RSA_OAEP = "OAEPPadding"; - field public static final java.lang.String RSA_PKCS1 = "PKCS1Padding"; - } - - public static abstract class KeyStoreKeyProperties.Origin { - field public static final int GENERATED = 1; // 0x1 - 
field public static final int IMPORTED = 2; // 0x2 - field public static final int UNKNOWN = 4; // 0x4 - } - - public static abstract class KeyStoreKeyProperties.Purpose { - field public static final int DECRYPT = 2; // 0x2 - field public static final int ENCRYPT = 1; // 0x1 - field public static final int SIGN = 4; // 0x4 - field public static final int VERIFY = 8; // 0x8 - } - - public static abstract class KeyStoreKeyProperties.SignaturePadding { - field public static final java.lang.String RSA_PKCS1 = "PKCS1"; - field public static final java.lang.String RSA_PSS = "PSS"; + field public static final java.lang.String BLOCK_MODE_CBC = "CBC"; + field public static final java.lang.String BLOCK_MODE_CTR = "CTR"; + field public static final java.lang.String BLOCK_MODE_ECB = "ECB"; + field public static final java.lang.String BLOCK_MODE_GCM = "GCM"; + field public static final java.lang.String DIGEST_MD5 = "MD5"; + field public static final java.lang.String DIGEST_NONE = "NONE"; + field public static final java.lang.String DIGEST_SHA1 = "SHA-1"; + field public static final java.lang.String DIGEST_SHA224 = "SHA-224"; + field public static final java.lang.String DIGEST_SHA256 = "SHA-256"; + field public static final java.lang.String DIGEST_SHA384 = "SHA-384"; + field public static final java.lang.String DIGEST_SHA512 = "SHA-512"; + field public static final java.lang.String ENCRYPTION_PADDING_NONE = "NoPadding"; + field public static final java.lang.String ENCRYPTION_PADDING_PKCS7 = "PKCS7Padding"; + field public static final java.lang.String ENCRYPTION_PADDING_RSA_OAEP = "OAEPPadding"; + field public static final java.lang.String ENCRYPTION_PADDING_RSA_PKCS1 = "PKCS1Padding"; + field public static final java.lang.String KEY_ALGORITHM_AES = "AES"; + field public static final java.lang.String KEY_ALGORITHM_EC = "EC"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA1 = "HmacSHA1"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA224 = 
"HmacSHA224"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA256 = "HmacSHA256"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA384 = "HmacSHA384"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA512 = "HmacSHA512"; + field public static final java.lang.String KEY_ALGORITHM_RSA = "RSA"; + field public static final int ORIGIN_GENERATED = 1; // 0x1 + field public static final int ORIGIN_IMPORTED = 2; // 0x2 + field public static final int ORIGIN_UNKNOWN = 4; // 0x4 + field public static final int PURPOSE_DECRYPT = 2; // 0x2 + field public static final int PURPOSE_ENCRYPT = 1; // 0x1 + field public static final int PURPOSE_SIGN = 4; // 0x4 + field public static final int PURPOSE_VERIFY = 8; // 0x8 + field public static final java.lang.String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1"; + field public static final java.lang.String SIGNATURE_PADDING_RSA_PSS = "PSS"; } public class KeyStoreKeySpec implements java.security.spec.KeySpec { diff --git a/api/system-current.txt b/api/system-current.txt index b2a6f65..693c515 100644 --- a/api/system-current.txt +++ b/api/system-current.txt 
@@ -30478,59 +30478,38 @@ package android.security { } public abstract class KeyStoreKeyProperties { - } - - public static abstract class KeyStoreKeyProperties.Algorithm { - field public static final java.lang.String AES = "AES"; - field public static final java.lang.String EC = "EC"; - field public static final java.lang.String HMAC_SHA1 = "HmacSHA1"; - field public static final java.lang.String HMAC_SHA224 = "HmacSHA224"; - field public static final java.lang.String HMAC_SHA256 = "HmacSHA256"; - field public static final java.lang.String HMAC_SHA384 = "HmacSHA384"; - field public static final java.lang.String HMAC_SHA512 = "HmacSHA512"; - field public static final java.lang.String RSA = "RSA"; - } - - public static abstract class KeyStoreKeyProperties.BlockMode { - field public static final java.lang.String CBC = "CBC"; - field public static final java.lang.String CTR = "CTR"; - field public static final java.lang.String ECB = "ECB"; - field public static final java.lang.String GCM = "GCM"; - } - - public static abstract class KeyStoreKeyProperties.Digest { - field public static final java.lang.String MD5 = "MD5"; - field public static final java.lang.String NONE = "NONE"; - field public static final java.lang.String SHA1 = "SHA-1"; - field public static final java.lang.String SHA224 = "SHA-224"; - field public static final java.lang.String SHA256 = "SHA-256"; - field public static final java.lang.String SHA384 = "SHA-384"; - field public static final java.lang.String SHA512 = "SHA-512"; - } - - public static abstract class KeyStoreKeyProperties.EncryptionPadding { - field public static final java.lang.String NONE = "NoPadding"; - field public static final java.lang.String PKCS7 = "PKCS7Padding"; - field public static final java.lang.String RSA_OAEP = "OAEPPadding"; - field public static final java.lang.String RSA_PKCS1 = "PKCS1Padding"; - } - - public static abstract class KeyStoreKeyProperties.Origin { - field public static final int GENERATED = 1; // 0x1 - 
field public static final int IMPORTED = 2; // 0x2 - field public static final int UNKNOWN = 4; // 0x4 - } - - public static abstract class KeyStoreKeyProperties.Purpose { - field public static final int DECRYPT = 2; // 0x2 - field public static final int ENCRYPT = 1; // 0x1 - field public static final int SIGN = 4; // 0x4 - field public static final int VERIFY = 8; // 0x8 - } - - public static abstract class KeyStoreKeyProperties.SignaturePadding { - field public static final java.lang.String RSA_PKCS1 = "PKCS1"; - field public static final java.lang.String RSA_PSS = "PSS"; + field public static final java.lang.String BLOCK_MODE_CBC = "CBC"; + field public static final java.lang.String BLOCK_MODE_CTR = "CTR"; + field public static final java.lang.String BLOCK_MODE_ECB = "ECB"; + field public static final java.lang.String BLOCK_MODE_GCM = "GCM"; + field public static final java.lang.String DIGEST_MD5 = "MD5"; + field public static final java.lang.String DIGEST_NONE = "NONE"; + field public static final java.lang.String DIGEST_SHA1 = "SHA-1"; + field public static final java.lang.String DIGEST_SHA224 = "SHA-224"; + field public static final java.lang.String DIGEST_SHA256 = "SHA-256"; + field public static final java.lang.String DIGEST_SHA384 = "SHA-384"; + field public static final java.lang.String DIGEST_SHA512 = "SHA-512"; + field public static final java.lang.String ENCRYPTION_PADDING_NONE = "NoPadding"; + field public static final java.lang.String ENCRYPTION_PADDING_PKCS7 = "PKCS7Padding"; + field public static final java.lang.String ENCRYPTION_PADDING_RSA_OAEP = "OAEPPadding"; + field public static final java.lang.String ENCRYPTION_PADDING_RSA_PKCS1 = "PKCS1Padding"; + field public static final java.lang.String KEY_ALGORITHM_AES = "AES"; + field public static final java.lang.String KEY_ALGORITHM_EC = "EC"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA1 = "HmacSHA1"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA224 = 
"HmacSHA224"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA256 = "HmacSHA256"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA384 = "HmacSHA384"; + field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA512 = "HmacSHA512"; + field public static final java.lang.String KEY_ALGORITHM_RSA = "RSA"; + field public static final int ORIGIN_GENERATED = 1; // 0x1 + field public static final int ORIGIN_IMPORTED = 2; // 0x2 + field public static final int ORIGIN_UNKNOWN = 4; // 0x4 + field public static final int PURPOSE_DECRYPT = 2; // 0x2 + field public static final int PURPOSE_ENCRYPT = 1; // 0x1 + field public static final int PURPOSE_SIGN = 4; // 0x4 + field public static final int PURPOSE_VERIFY = 8; // 0x8 + field public static final java.lang.String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1"; + field public static final java.lang.String SIGNATURE_PADDING_RSA_PSS = "PSS"; } public class KeyStoreKeySpec implements java.security.spec.KeySpec { diff --git a/keystore/java/android/security/AndroidKeyPairGenerator.java b/keystore/java/android/security/AndroidKeyPairGenerator.java index 3f29c6a..ea90ca3 100644 --- a/keystore/java/android/security/AndroidKeyPairGenerator.java +++ b/keystore/java/android/security/AndroidKeyPairGenerator.java @@ -54,13 +54,13 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { public static class RSA extends AndroidKeyPairGenerator { public RSA() { - super(KeyStoreKeyProperties.Algorithm.RSA); + super(KeyStoreKeyProperties.KEY_ALGORITHM_RSA); } } public static class EC extends AndroidKeyPairGenerator { public EC() { - super(KeyStoreKeyProperties.Algorithm.EC); + super(KeyStoreKeyProperties.KEY_ALGORITHM_EC); } } 
@@ -83,15 +83,15 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { private android.security.KeyStore mKeyStore; private KeyPairGeneratorSpec mSpec; - private @KeyStoreKeyProperties.AlgorithmEnum String mKeyAlgorithm; + private @KeyStoreKeyProperties.KeyAlgorithmEnum String mKeyAlgorithm; private int mKeyType; private int mKeySize; - protected AndroidKeyPairGenerator(@KeyStoreKeyProperties.AlgorithmEnum String algorithm) { + protected AndroidKeyPairGenerator(@KeyStoreKeyProperties.KeyAlgorithmEnum String algorithm) { mAlgorithm = algorithm; } - public @KeyStoreKeyProperties.AlgorithmEnum String getAlgorithm() { + @KeyStoreKeyProperties.KeyAlgorithmEnum String getAlgorithm() { return mAlgorithm; } @@ -197,7 +197,8 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { return certGen.generate(privateKey); } - private @KeyStoreKeyProperties.AlgorithmEnum String getKeyAlgorithm(KeyPairGeneratorSpec spec) { + private @KeyStoreKeyProperties.KeyAlgorithmEnum String getKeyAlgorithm( + KeyPairGeneratorSpec spec) { String result = spec.getKeyType(); if (result != null) { return result; @@ -249,10 +250,10 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { } private static String getDefaultSignatureAlgorithmForKeyAlgorithm( - @KeyStoreKeyProperties.AlgorithmEnum String algorithm) { - if (KeyStoreKeyProperties.Algorithm.RSA.equalsIgnoreCase(algorithm)) { + @KeyStoreKeyProperties.KeyAlgorithmEnum String algorithm) { + if (KeyStoreKeyProperties.KEY_ALGORITHM_RSA.equalsIgnoreCase(algorithm)) { return "sha256WithRSA"; - } else if (KeyStoreKeyProperties.Algorithm.EC.equalsIgnoreCase(algorithm)) { + } else if (KeyStoreKeyProperties.KEY_ALGORITHM_EC.equalsIgnoreCase(algorithm)) { return "sha256WithECDSA"; } else { throw new IllegalArgumentException("Unsupported key type " + algorithm); 
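Review bot: `getAlgorithm()` loses its `public` modifier in the hunk at -83 (`@KeyStoreKeyProperties.KeyAlgorithmEnum String getAlgorithm() {`), which makes it package-private and goes beyond the annotation rename the rest of this commit performs. If the narrowing is intended it deserves a mention in the commit message; otherwise restore `public @KeyStoreKeyProperties.KeyAlgorithmEnum String getAlgorithm() {`. The class body continues outside the hunk, so whether anything outside `android.security` calls it cannot be checked from here.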
@@ -288,7 +289,7 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { } KeyPairGeneratorSpec spec = (KeyPairGeneratorSpec) params; - @KeyStoreKeyProperties.AlgorithmEnum String keyAlgorithm = getKeyAlgorithm(spec); + @KeyStoreKeyProperties.KeyAlgorithmEnum String keyAlgorithm = getKeyAlgorithm(spec); int keyType = KeyStore.getKeyTypeForAlgorithm(keyAlgorithm); if (keyType == -1) { throw new InvalidAlgorithmParameterException( diff --git a/keystore/java/android/security/AndroidKeyStore.java b/keystore/java/android/security/AndroidKeyStore.java index 69d80e6..7ac236a 100644 --- a/keystore/java/android/security/AndroidKeyStore.java +++ b/keystore/java/android/security/AndroidKeyStore.java @@ -129,10 +129,10 @@ public class AndroidKeyStore extends KeyStoreSpi { keymasterDigest = keymasterDigests.get(0); } - @KeyStoreKeyProperties.AlgorithmEnum String keyAlgorithmString; + @KeyStoreKeyProperties.KeyAlgorithmEnum String keyAlgorithmString; try { keyAlgorithmString = - KeyStoreKeyProperties.Algorithm.fromKeymasterSecretKeyAlgorithm( + KeyStoreKeyProperties.KeyAlgorithm.fromKeymasterSecretKeyAlgorithm( keymasterAlgorithm, keymasterDigest); } catch (IllegalArgumentException e) { throw (UnrecoverableKeyException) @@ -453,10 +453,10 @@ public class AndroidKeyStore extends KeyStoreSpi { int keymasterAlgorithm; int keymasterDigest; try { - keymasterAlgorithm = KeyStoreKeyProperties.Algorithm.toKeymasterSecretKeyAlgorithm( + keymasterAlgorithm = KeyStoreKeyProperties.KeyAlgorithm.toKeymasterSecretKeyAlgorithm( keyAlgorithmString); keymasterDigest = - KeyStoreKeyProperties.Algorithm.toKeymasterDigest(keyAlgorithmString); + KeyStoreKeyProperties.KeyAlgorithm.toKeymasterDigest(keyAlgorithmString); } catch (IllegalArgumentException e) { throw new KeyStoreException("Unsupported secret key algorithm: " + keyAlgorithmString); } 
@@ -497,7 +497,7 @@ public class AndroidKeyStore extends KeyStoreSpi { @KeyStoreKeyProperties.PurposeEnum int purposes = params.getPurposes(); int[] keymasterBlockModes = KeyStoreKeyProperties.BlockMode.allToKeymaster(params.getBlockModes()); - if (((purposes & KeyStoreKeyProperties.Purpose.ENCRYPT) != 0) + if (((purposes & KeyStoreKeyProperties.PURPOSE_ENCRYPT) != 0) && (params.isRandomizedEncryptionRequired())) { for (int keymasterBlockMode : keymasterBlockModes) { if (!KeymasterUtils.isKeymasterBlockModeIndCpaCompatible(keymasterBlockMode)) { @@ -536,7 +536,7 @@ public class AndroidKeyStore extends KeyStoreSpi { // TODO: Remove this once keymaster does not require us to specify the size of imported key. args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, keyMaterial.length * 8); - if (((purposes & KeyStoreKeyProperties.Purpose.ENCRYPT) != 0) + if (((purposes & KeyStoreKeyProperties.PURPOSE_ENCRYPT) != 0) && (!params.isRandomizedEncryptionRequired())) { // Permit caller-provided IV when encrypting with this key args.addBoolean(KeymasterDefs.KM_TAG_CALLER_NONCE); diff --git a/keystore/java/android/security/KeyChain.java b/keystore/java/android/security/KeyChain.java index d3dbebf..3853eca 100644 --- a/keystore/java/android/security/KeyChain.java +++ b/keystore/java/android/security/KeyChain.java @@ -266,7 +266,7 @@ public final class KeyChain { */ public static void choosePrivateKeyAlias(@NonNull Activity activity, @NonNull KeyChainAliasCallback response, - @KeyStoreKeyProperties.AlgorithmEnum String[] keyTypes, Principal[] issuers, + @KeyStoreKeyProperties.KeyAlgorithmEnum String[] keyTypes, Principal[] issuers, @Nullable String host, int port, @Nullable String alias) { choosePrivateKeyAlias(activity, response, keyTypes, issuers, host, port, null, alias); } 
@@ -312,7 +312,7 @@ public final class KeyChain { */ public static void choosePrivateKeyAlias(@NonNull Activity activity, @NonNull KeyChainAliasCallback response, - @KeyStoreKeyProperties.AlgorithmEnum String[] keyTypes, Principal[] issuers, + @KeyStoreKeyProperties.KeyAlgorithmEnum String[] keyTypes, Principal[] issuers, @Nullable String host, int port, @Nullable String url, @Nullable String alias) { /* * TODO currently keyTypes, issuers are unused. They are meant @@ -439,10 +439,10 @@ public final class KeyChain { * "RSA"). */ public static boolean isKeyAlgorithmSupported( - @NonNull @KeyStoreKeyProperties.AlgorithmEnum String algorithm) { + @NonNull @KeyStoreKeyProperties.KeyAlgorithmEnum String algorithm) { final String algUpper = algorithm.toUpperCase(Locale.US); - return KeyStoreKeyProperties.Algorithm.EC.equals(algUpper) - || KeyStoreKeyProperties.Algorithm.RSA.equals(algUpper); + return KeyStoreKeyProperties.KEY_ALGORITHM_EC.equals(algUpper) + || KeyStoreKeyProperties.KEY_ALGORITHM_RSA.equals(algUpper); } /** @@ -453,7 +453,7 @@ public final class KeyChain { * that makes it non-exportable. */ public static boolean isBoundKeyAlgorithm( - @NonNull @KeyStoreKeyProperties.AlgorithmEnum String algorithm) { + @NonNull @KeyStoreKeyProperties.KeyAlgorithmEnum String algorithm) { if (!isKeyAlgorithmSupported(algorithm)) { return false; } diff --git a/keystore/java/android/security/KeyGeneratorSpec.java b/keystore/java/android/security/KeyGeneratorSpec.java index 3849fae..e63566b 100644 --- a/keystore/java/android/security/KeyGeneratorSpec.java +++ b/keystore/java/android/security/KeyGeneratorSpec.java 
@@ -56,13 +56,13 @@ import javax.crypto.KeyGenerator; * been authenticated within the last five minutes. * <pre> {@code * KeyGenerator keyGenerator = KeyGenerator.getInstance( - * KeyStoreKeyProperties.Algorithm.HMAC_SHA256, + * KeyStoreKeyProperties.KEY_ALGORITHM_HMAC_SHA256, * "AndroidKeyStore"); * keyGenerator.initialize( * new KeyGeneratorSpec.Builder(context) * .setAlias("key1") - * .setPurposes(KeyStoreKeyProperties.Purpose.SIGN - * | KeyStoreKeyProperties.Purpose.VERIFY) + * .setPurposes(KeyStoreKeyProperties.PURPOSE_SIGN + * | KeyStoreKeyProperties.PURPOSE_VERIFY) * // Only permit this key to be used if the user authenticated * // within the last five minutes. * .setUserAuthenticationRequired(true) @@ -192,20 +192,21 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec { } /** - * Gets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which the - * key can be used. + * Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used. + * Attempts to use the key for any other purpose will be rejected. * - * @see KeyStoreKeyProperties.Purpose + * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags. */ public @KeyStoreKeyProperties.PurposeEnum int getPurposes() { return mPurposes; } /** - * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with which - * the key can be used when encrypting/decrypting. + * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with + * which the key can be used when encrypting/decrypting. Attempts to use the key with any + * other padding scheme will be rejected. * - * @see KeyStoreKeyProperties.EncryptionPadding + * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants. */ @NonNull public @KeyStoreKeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() { 
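Review bot: The class-level Javadoc sample in the hunk at -56 still calls `keyGenerator.initialize(`, but `javax.crypto.KeyGenerator` offers `init(AlgorithmParameterSpec)` and has no `initialize` method, so the snippet does not compile when copied. Since this commit already edits the sample's constants, change that line to `* keyGenerator.init(`. The rest of the sample lies outside the hunk.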
@@ -213,9 +214,11 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec { } /** - * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used. + * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used + * when encrypting/decrypting. Attempts to use the key with any other block modes will be + * rejected. * - * @see KeyStoreKeyProperties.BlockMode + * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants. */ @NonNull public @KeyStoreKeyProperties.BlockModeEnum String[] getBlockModes() { @@ -394,12 +397,12 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec { } /** - * Sets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which - * the key can be used. + * Sets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used. + * Attempts to use the key for any other purpose will be rejected. * * <p>This must be specified for all keys. There is no default. * - * @see KeyStoreKeyProperties.Purpose + * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags. */ @NonNull public Builder setPurposes(@KeyStoreKeyProperties.PurposeEnum int purposes) { @@ -414,7 +417,7 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec { * * <p>This must be specified for keys which are used for encryption/decryption. * - * @see KeyStoreKeyProperties.EncryptionPadding + * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants. */ @NonNull public Builder setEncryptionPaddings( @@ -430,7 +433,7 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec { * * <p>This must be specified for encryption/decryption keys. * - * @see KeyStoreKeyProperties.BlockMode + * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants. */ @NonNull public Builder setBlockModes(@KeyStoreKeyProperties.BlockModeEnum String... blockModes) { 
diff --git a/keystore/java/android/security/KeyPairGeneratorSpec.java b/keystore/java/android/security/KeyPairGeneratorSpec.java index 08af16c..b07c052 100644 --- a/keystore/java/android/security/KeyPairGeneratorSpec.java +++ b/keystore/java/android/security/KeyPairGeneratorSpec.java @@ -69,16 +69,16 @@ import javax.security.auth.x500.X500Principal; * digest and only if the user has been authenticated within the last five minutes. * <pre> {@code * KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( - * KeyStoreKeyProperties.Algorithm.EC, + * KeyStoreKeyProperties.KEY_ALGORITHM_EC, * "AndroidKeyStore"); * keyPairGenerator.initialize( * new KeyGeneratorSpec.Builder(context) * .setAlias("key2") - * .setPurposes(KeyStoreKeyProperties.Purpose.SIGN - * | KeyStoreKeyProperties.Purpose.VERIFY) - * .setDigests(KeyStoreKeyProperties.Digest.SHA256 - * | KeyStoreKeyProperties.Digest.SHA384 - * | KeyStoreKeyProperties.Digest.SHA512) + * .setPurposes(KeyStoreKeyProperties.PURPOSE_SIGN + * | KeyStoreKeyProperties.PURPOSE_VERIFY) + * .setDigests(KeyStoreKeyProperties.DIGEST_SHA256 + * | KeyStoreKeyProperties.DIGEST_SHA384 + * | KeyStoreKeyProperties.DIGEST_SHA512) * // Only permit this key to be used if the user authenticated * // within the last five minutes. * .setUserAuthenticationRequired(true) @@ -287,10 +287,11 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Returns the key type (e.g., "EC", "RSA") specified by this parameter. + * Returns the type of key pair (e.g., {@code EC}, {@code RSA}) to be generated. See + * {@link KeyStoreKeyProperties}.{@code KEY_ALGORITHM} constants. */ @Nullable - public @KeyStoreKeyProperties.AlgorithmEnum String getKeyType() { + public @KeyStoreKeyProperties.KeyAlgorithmEnum String getKeyType() { return mKeyType; } 
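Review bot: The Javadoc sample in the hunk at -69 combines digests with `|` (`DIGEST_SHA256 | DIGEST_SHA384 | DIGEST_SHA512`), but api/current.txt in this same commit declares the `DIGEST_` constants as `java.lang.String`, so the expression cannot compile. Assuming `setDigests` takes varargs the way `setBlockModes(String...)` does, write `.setDigests(KeyStoreKeyProperties.DIGEST_SHA256, KeyStoreKeyProperties.DIGEST_SHA384, KeyStoreKeyProperties.DIGEST_SHA512)`. The sample also builds the spec with `new KeyGeneratorSpec.Builder(context)` inside the KeyPairGeneratorSpec documentation, which looks like it should be `KeyPairGeneratorSpec.Builder`.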
@@ -395,10 +396,10 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Gets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which the - * key can be used. + * Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used. + * Attempts to use the key for any other purpose will be rejected. * - * @see KeyStoreKeyProperties.Purpose + * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags. */ public @KeyStoreKeyProperties.PurposeEnum int getPurposes() { return mPurposes; @@ -416,10 +417,11 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Gets the set of padding schemes (e.g., {@code PKCS1Padding}, {@code NoPadding}) with which - * the key can be used when encrypting/decrypting. + * Gets the set of padding schemes (e.g., {@code OEAPPadding}, {@code PKCS1Padding}, + * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to use + * the key with any other padding scheme will be rejected. * - * @see KeyStoreKeyProperties.EncryptionPadding + * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants. */ @NonNull public @KeyStoreKeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() { @@ -427,10 +429,11 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Gets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when - * signing/verifying. + * Gets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key + * can be used when signing/verifying. Attempts to use the key with any other padding scheme + * will be rejected. * - * @see KeyStoreKeyProperties.SignaturePadding + * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants. */ @NonNull public @KeyStoreKeyProperties.SignaturePaddingEnum String[] getSignaturePaddings() { 
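Review bot: The new `getEncryptionPaddings()` Javadoc in the hunk at -416 spells the padding `{@code OEAPPadding}`, while the constant's value in api/current.txt is `"OAEPPadding"` and the matching setter Javadoc uses that spelling. Change it to `{@code OAEPPadding}` so the getter and setter docs agree and nobody copies a padding name that does not exist.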
@@ -438,9 +441,11 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used. + * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used + * when encrypting/decrypting. Attempts to use the key with any other block modes will be + * rejected. * - * @see KeyStoreKeyProperties.BlockMode + * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants. */ @NonNull public @KeyStoreKeyProperties.BlockModeEnum String[] getBlockModes() { @@ -580,10 +585,12 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Sets the key type (e.g., EC, RSA) of the keypair to be created. + * Sets the type of key pair (e.g., {@code EC}, {@code RSA}) of the key pair to be + * generated. See {@link KeyStoreKeyProperties}.{@code KEY_ALGORITHM} constants. + * */ @NonNull - public Builder setKeyType(@NonNull @KeyStoreKeyProperties.AlgorithmEnum String keyType) + public Builder setKeyType(@NonNull @KeyStoreKeyProperties.KeyAlgorithmEnum String keyType) throws NoSuchAlgorithmException { if (keyType == null) { throw new NullPointerException("keyType == null"); @@ -713,7 +720,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * * <p>By default, the key is valid at any instant. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * * @see #setKeyValidityEnd(Date) */ @@ -728,7 +735,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * * <p>By default, the key is valid at any instant. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * * @see #setKeyValidityStart(Date) * @see #setKeyValidityForConsumptionEnd(Date) 
@@ -746,7 +753,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * * <p>By default, the key is valid at any instant. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * * @see #setKeyValidityForConsumptionEnd(Date) */ @@ -762,7 +769,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * * <p>By default, the key is valid at any instant. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * * @see #setKeyValidityForOriginationEnd(Date) */ @@ -773,20 +780,20 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Sets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which - * the key can be used. + * Sets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used. + * Attempts to use the key for any other purpose will be rejected. * * <p>This must be specified for all keys. There is no default. * * <p>If the set of purposes for which the key can be used does not contain - * {@link KeyStoreKeyProperties.Purpose#SIGN}, the self-signed certificate generated by + * {@link KeyStoreKeyProperties#PURPOSE_SIGN}, the self-signed certificate generated by * {@link KeyPairGenerator} of {@code AndroidKeyStore} provider will contain an invalid * signature. This is OK if the certificate is only used for obtaining the public key from * Android KeyStore. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * - * @see KeyStoreKeyProperties.Purpose + * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags. */ @NonNull public Builder setPurposes(@KeyStoreKeyProperties.PurposeEnum int purposes) { 
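Review bot: The rewritten `setPurposes` Javadoc (hunk at -773) now states "Attempts to use the key for any other purpose will be rejected" while the same comment keeps "NOTE: This has currently no effect", so a reader cannot tell whether the restriction is enforced. For an authorization property this matters: an app relying on the first sentence would assume a key pair is limited to signing when, per the note, nothing limits it yet. Lead with the note or qualify the sentence, e.g. `* Once enforced, attempts to use the key for any other purpose will be rejected.` The same pairing appears in the `setEncryptionPaddings`, `setSignaturePaddings` and `setBlockModes` hunks that follow.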
@@ -801,7 +808,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * * <p>This must be specified for keys which are used for signing/verification. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * * @see KeyStoreKeyProperties.Digest */ @@ -812,15 +819,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Sets the set of padding schemes (e.g., {@code PKCS1Padding}, {@code NoPadding}) with - * which the key can be used when encrypting/decrypting. Attempts to use the key with any - * other padding scheme will be rejected. + * Sets the set of padding schemes (e.g., {@code OAEPPadding}, {@code PKCS1Padding}, + * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to + * use the key with any other padding scheme will be rejected. * * <p>This must be specified for keys which are used for encryption/decryption. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * - * @see KeyStoreKeyProperties.EncryptionPadding + * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants. */ @NonNull public Builder setEncryptionPaddings( 
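Review bot: `setDigests` keeps `@see KeyStoreKeyProperties.Digest` in the hunk at -801, although every sibling setter in this commit was switched to the `<p>See {@link KeyStoreKeyProperties}.{@code ...} constants.` form. api/current.txt no longer lists a public `KeyStoreKeyProperties.Digest` class, so the reference presumably will not resolve in the published docs. Replace it with `* <p>See {@link KeyStoreKeyProperties}.{@code DIGEST} constants.` The method itself is outside the hunk.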
@@ -830,15 +837,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Sets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when - * signing/verifying. Attempts to use the key with any other padding scheme will be - * rejected. + * Sets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key + * can be used when signing/verifying. Attempts to use the key with any other padding scheme + * will be rejected. * * <p>This must be specified for RSA keys which are used for signing/verification. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * - * @see KeyStoreKeyProperties.SignaturePadding + * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants. */ @NonNull public Builder setSignaturePaddings( @@ -848,15 +855,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { } /** - * Sets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be - * used when encrypting/decrypting. Attempts to use the key with any other block modes will - * be rejected. + * Sets the set of block modes (e.g., {@code ECB}, {@code CBC}, {@code CTR}) with which the + * key can be used when encrypting/decrypting. Attempts to use the key with any other block + * modes will be rejected. * * <p>This must be specified for encryption/decryption keys. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * - * @see KeyStoreKeyProperties.BlockMode + * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants. */ @NonNull public Builder setBlockModes(@KeyStoreKeyProperties.BlockModeEnum String... blockModes) { 
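Review bot: The setSignaturePaddings Javadoc now gives `{@code PKCS#1}` as an example value, but the constant added in this commit is `SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1"`, and `SignaturePadding.toKeymaster` matches only `PKCS1` and `PSS` and throws IllegalArgumentException for anything else. Text inside `{@code}` reads as a literal to pass in, so I would write `{@code PKCS1}` here, or drop the code font and say "PKCS#1 v1.5". The same wording is added to getSignaturePaddings in the KeyStoreKeySpec.java and KeyStoreParameter.java hunks.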
@@ -884,7 +891,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * schemes which offer {@code IND-CPA}, such as PKCS#1 or OAEP.</li> * </ul> * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> */ @NonNull public Builder setRandomizedEncryptionRequired(boolean required) { @@ -908,7 +915,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * <p>This restriction applies only to private key operations. Public key operations are not * restricted. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * * @see #setUserAuthenticationValidityDurationSeconds(int) */ @@ -927,7 +934,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { * <p>This restriction applies only to private key operations. Public key operations are not * restricted. * - * <p><b>NOTE: This has currently no effect. + * <p><b>NOTE: This has currently no effect.</b> * * @param seconds duration in seconds or {@code -1} if the user needs to authenticate for * every use of the key. diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index 3ed8899..7e3193d 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java 
@@ -131,10 +131,10 @@ public class KeyStore { return mToken; } - static int getKeyTypeForAlgorithm(@KeyStoreKeyProperties.AlgorithmEnum String keyType) { - if (KeyStoreKeyProperties.Algorithm.RSA.equalsIgnoreCase(keyType)) { + static int getKeyTypeForAlgorithm(@KeyStoreKeyProperties.KeyAlgorithmEnum String keyType) { + if (KeyStoreKeyProperties.KEY_ALGORITHM_RSA.equalsIgnoreCase(keyType)) { return NativeConstants.EVP_PKEY_RSA; - } else if (KeyStoreKeyProperties.Algorithm.EC.equalsIgnoreCase(keyType)) { + } else if (KeyStoreKeyProperties.KEY_ALGORITHM_EC.equalsIgnoreCase(keyType)) { return NativeConstants.EVP_PKEY_EC; } else { return -1; diff --git a/keystore/java/android/security/KeyStoreCipherSpi.java b/keystore/java/android/security/KeyStoreCipherSpi.java index bd601bc..4eeca47 100644 --- a/keystore/java/android/security/KeyStoreCipherSpi.java +++ b/keystore/java/android/security/KeyStoreCipherSpi.java @@ -496,7 +496,7 @@ public abstract class KeyStoreCipherSpi extends CipherSpi implements KeyStoreCry if ((mIv != null) && (mIv.length > 0)) { try { AlgorithmParameters params = - AlgorithmParameters.getInstance(KeyStoreKeyProperties.Algorithm.AES); + AlgorithmParameters.getInstance(KeyStoreKeyProperties.KEY_ALGORITHM_AES); params.init(new IvParameterSpec(mIv)); return params; } catch (NoSuchAlgorithmException e) { diff --git a/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java index 4b914c2..d734d66 100644 --- a/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java +++ b/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java 
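Review bot: getKeyTypeForAlgorithm still answers an unrecognised name with `return -1;`, while the toKeymaster converters in KeyStoreKeyProperties touched by this commit throw IllegalArgumentException in the same situation. A caller that forgets to check would pass -1 on as a key type. The callers are outside this hunk, so at the least the sentinel should be documented above the method: `/** Returns the NativeConstants EVP_PKEY_* type for {@code keyType}, or {@code -1} if it is neither RSA nor EC (compared case-insensitively). */`.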
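Review bot: `AlgorithmParameters.getInstance(KeyStoreKeyProperties.KEY_ALGORITHM_AES)` in the KeyStoreCipherSpi hunk passes a key-algorithm constant where an AlgorithmParameters algorithm name is expected. It works because both names are the string "AES", but after the rename the constant says "key algorithm", which makes the coincidence easier to overlook. I would either pass the literal, `AlgorithmParameters.getInstance("AES")`, or add `// AlgorithmParameters name for AES happens to equal the key algorithm name` above the call. The enclosing method starts and ends outside the hunk.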
@@ -174,7 +174,7 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { spec.getEncryptionPaddings()); mKeymasterBlockModes = KeyStoreKeyProperties.BlockMode.allToKeymaster(spec.getBlockModes()); - if (((spec.getPurposes() & KeyStoreKeyProperties.Purpose.ENCRYPT) != 0) + if (((spec.getPurposes() & KeyStoreKeyProperties.PURPOSE_ENCRYPT) != 0) && (spec.isRandomizedEncryptionRequired())) { for (int keymasterBlockMode : mKeymasterBlockModes) { if (!KeymasterUtils.isKeymasterBlockModeIndCpaCompatible( @@ -247,7 +247,7 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { (spec.getKeyValidityForConsumptionEnd() != null) ? spec.getKeyValidityForConsumptionEnd() : new Date(Long.MAX_VALUE)); - if (((spec.getPurposes() & KeyStoreKeyProperties.Purpose.ENCRYPT) != 0) + if (((spec.getPurposes() & KeyStoreKeyProperties.PURPOSE_ENCRYPT) != 0) && (!spec.isRandomizedEncryptionRequired())) { // Permit caller-provided IV when encrypting with this key args.addBoolean(KeymasterDefs.KM_TAG_CALLER_NONCE); @@ -265,9 +265,9 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi { throw new ProviderException( "Keystore operation failed", KeyStore.getKeyStoreException(errorCode)); } - String keyAlgorithmJCA; + @KeyStoreKeyProperties.KeyAlgorithmEnum String keyAlgorithmJCA; try { - keyAlgorithmJCA = KeyStoreKeyProperties.Algorithm.fromKeymasterSecretKeyAlgorithm( + keyAlgorithmJCA = KeyStoreKeyProperties.KeyAlgorithm.fromKeymasterSecretKeyAlgorithm( mKeymasterAlgorithm, mKeymasterDigest); } catch (IllegalArgumentException e) { throw new ProviderException("Failed to obtain JCA secret key algorithm name", e); diff --git a/keystore/java/android/security/KeyStoreKeyProperties.java b/keystore/java/android/security/KeyStoreKeyProperties.java index 021c6dd..b58a7dd 100644 --- a/keystore/java/android/security/KeyStoreKeyProperties.java +++ b/keystore/java/android/security/KeyStoreKeyProperties.java 
@@ -26,17 +26,9 @@ import libcore.util.EmptyArray; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; -import java.security.Key; -import java.security.KeyFactory; -import java.security.KeyPairGenerator; import java.util.Collection; import java.util.Locale; -import javax.crypto.Cipher; -import javax.crypto.KeyGenerator; -import javax.crypto.Mac; -import javax.crypto.SecretKeyFactory; - /** * Properties of {@code AndroidKeyStore} keys. */ 
@@ -48,76 +40,69 @@ public abstract class KeyStoreKeyProperties { */ @Retention(RetentionPolicy.SOURCE) @IntDef(flag = true, - value = {Purpose.ENCRYPT, Purpose.DECRYPT, Purpose.SIGN, Purpose.VERIFY}) + value = { + PURPOSE_ENCRYPT, + PURPOSE_DECRYPT, + PURPOSE_SIGN, + PURPOSE_VERIFY, + }) public @interface PurposeEnum {} /** - * Purposes of key. + * Purpose of key: encryption. */ - public static abstract class Purpose { - private Purpose() {} + public static final int PURPOSE_ENCRYPT = 1 << 0; - /** - * Purpose: encryption. - */ - public static final int ENCRYPT = 1 << 0; + /** + * Purpose of key: decryption. + */ + public static final int PURPOSE_DECRYPT = 1 << 1; - /** - * Purpose: decryption. - */ - public static final int DECRYPT = 1 << 1; + /** + * Purpose of key: signing or generating a Message Authentication Code (MAC). + */ + public static final int PURPOSE_SIGN = 1 << 2; - /** - * Purpose: signing. - */ - public static final int SIGN = 1 << 2; + /** + * Purpose of key: signature or Message Authentication Code (MAC) verification. + */ + public static final int PURPOSE_VERIFY = 1 << 3; - /** - * Purpose: signature verification. 
- */ - public static final int VERIFY = 1 << 3; + static abstract class Purpose { + private Purpose() {} - /** - * @hide - */ - public static int toKeymaster(@PurposeEnum int purpose) { + static int toKeymaster(@PurposeEnum int purpose) { switch (purpose) { - case ENCRYPT: + case PURPOSE_ENCRYPT: return KeymasterDefs.KM_PURPOSE_ENCRYPT; - case DECRYPT: + case PURPOSE_DECRYPT: return KeymasterDefs.KM_PURPOSE_DECRYPT; - case SIGN: + case PURPOSE_SIGN: return KeymasterDefs.KM_PURPOSE_SIGN; - case VERIFY: + case PURPOSE_VERIFY: return KeymasterDefs.KM_PURPOSE_VERIFY; default: throw new IllegalArgumentException("Unknown purpose: " + purpose); } } - /** - * @hide - */ - public static @PurposeEnum int fromKeymaster(int purpose) { + static @PurposeEnum int fromKeymaster(int purpose) { switch (purpose) { case KeymasterDefs.KM_PURPOSE_ENCRYPT: - return ENCRYPT; + return PURPOSE_ENCRYPT; case KeymasterDefs.KM_PURPOSE_DECRYPT: - return DECRYPT; + return PURPOSE_DECRYPT; case KeymasterDefs.KM_PURPOSE_SIGN: - return SIGN; + return PURPOSE_SIGN; case KeymasterDefs.KM_PURPOSE_VERIFY: - return VERIFY; + return PURPOSE_VERIFY; default: throw new IllegalArgumentException("Unknown purpose: " + purpose); } } - /** - * @hide - */ @NonNull - public static int[] allToKeymaster(@PurposeEnum int purposes) { + static int[] allToKeymaster(@PurposeEnum int purposes) { int[] result = getSetFlags(purposes); for (int i = 0; i < result.length; i++) { result[i] = toKeymaster(result[i]); @@ -125,10 +110,7 @@ public abstract class KeyStoreKeyProperties { return result; } - /** - * @hide - */ - public static @PurposeEnum int allFromKeymaster(@NonNull Collection<Integer> purposes) { + static @PurposeEnum int allFromKeymaster(@NonNull Collection<Integer> purposes) { @PurposeEnum int result = 0; for (int keymasterPurpose : purposes) { result |= fromKeymaster(keymasterPurpose); 
@@ -142,57 +124,46 @@ public abstract class KeyStoreKeyProperties { */ @Retention(RetentionPolicy.SOURCE) @StringDef({ - Algorithm.RSA, - Algorithm.EC, - Algorithm.AES, - Algorithm.HMAC_SHA1, - Algorithm.HMAC_SHA224, - Algorithm.HMAC_SHA256, - Algorithm.HMAC_SHA384, - Algorithm.HMAC_SHA512, + KEY_ALGORITHM_RSA, + KEY_ALGORITHM_EC, + KEY_ALGORITHM_AES, + KEY_ALGORITHM_HMAC_SHA1, + KEY_ALGORITHM_HMAC_SHA224, + KEY_ALGORITHM_HMAC_SHA256, + KEY_ALGORITHM_HMAC_SHA384, + KEY_ALGORITHM_HMAC_SHA512, }) - public @interface AlgorithmEnum {} + public @interface KeyAlgorithmEnum {} - /** - * Key algorithms. - * - * <p>These are standard names which can be used to obtain instances of {@link KeyGenerator}, - * {@link KeyPairGenerator}, {@link Cipher} (as part of the transformation string), {@link Mac}, - * {@link KeyFactory}, {@link SecretKeyFactory}. These are also the names used by - * {@link Key#getAlgorithm()}. - */ - public static abstract class Algorithm { - private Algorithm() {} + /** Rivest Shamir Adleman (RSA) key. */ + public static final String KEY_ALGORITHM_RSA = "RSA"; - /** Rivest Shamir Adleman (RSA) key. */ - public static final String RSA = "RSA"; + /** Elliptic Curve (EC) Cryptography key. */ + public static final String KEY_ALGORITHM_EC = "EC"; - /** Elliptic Curve (EC) key. */ - public static final String EC = "EC"; + /** Advanced Encryption Standard (AES) key. */ + public static final String KEY_ALGORITHM_AES = "AES"; - /** Advanced Encryption Standard (AES) key. */ - public static final String AES = "AES"; + /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-1 as the hash. */ + public static final String KEY_ALGORITHM_HMAC_SHA1 = "HmacSHA1"; - /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-1 as the hash. */ - public static final String HMAC_SHA1 = "HmacSHA1"; + /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-224 as the hash. 
*/ + public static final String KEY_ALGORITHM_HMAC_SHA224 = "HmacSHA224"; - /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-224 as the hash. */ - public static final String HMAC_SHA224 = "HmacSHA224"; + /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-256 as the hash. */ + public static final String KEY_ALGORITHM_HMAC_SHA256 = "HmacSHA256"; - /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-256 as the hash. */ - public static final String HMAC_SHA256 = "HmacSHA256"; + /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-384 as the hash. */ + public static final String KEY_ALGORITHM_HMAC_SHA384 = "HmacSHA384"; - /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-384 as the hash. */ - public static final String HMAC_SHA384 = "HmacSHA384"; + /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-512 as the hash. */ + public static final String KEY_ALGORITHM_HMAC_SHA512 = "HmacSHA512"; - /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-512 as the hash. */ - public static final String HMAC_SHA512 = "HmacSHA512"; + static abstract class KeyAlgorithm { + private KeyAlgorithm() {} - /** - * @hide - */ - static int toKeymasterSecretKeyAlgorithm(@NonNull @AlgorithmEnum String algorithm) { - if (AES.equalsIgnoreCase(algorithm)) { + static int toKeymasterSecretKeyAlgorithm(@NonNull @KeyAlgorithmEnum String algorithm) { + if (KEY_ALGORITHM_AES.equalsIgnoreCase(algorithm)) { return KeymasterDefs.KM_ALGORITHM_AES; } else if (algorithm.toUpperCase(Locale.US).startsWith("HMAC")) { return KeymasterDefs.KM_ALGORITHM_HMAC; @@ -202,11 +173,8 @@ public abstract class KeyStoreKeyProperties { } } - /** - * @hide - */ @NonNull - static @AlgorithmEnum String fromKeymasterSecretKeyAlgorithm( + static @KeyAlgorithmEnum String fromKeymasterSecretKeyAlgorithm( int keymasterAlgorithm, int keymasterDigest) { switch (keymasterAlgorithm) { case KeymasterDefs.KM_ALGORITHM_AES: 
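Review bot: In toKeymasterSecretKeyAlgorithm the branch `algorithm.toUpperCase(Locale.US).startsWith("HMAC")` accepts any name with that prefix, not only the five `KEY_ALGORITHM_HMAC_*` constants declared just above it. The suffix appears to be examined separately in toKeymasterDigest, whose body continues past its own hunk, so a malformed name may be caught only if the caller also invokes that method. A comment on the branch would make the dependency explicit: `// Prefix match only; the digest suffix is expected to be validated by toKeymasterDigest`. The final else branch of this method lies outside the hunk.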
@@ -214,26 +182,26 @@ public abstract class KeyStoreKeyProperties { throw new IllegalArgumentException("Digest not supported for AES key: " + Digest.fromKeymaster(keymasterDigest)); } - return AES; + return KEY_ALGORITHM_AES; case KeymasterDefs.KM_ALGORITHM_HMAC: switch (keymasterDigest) { case KeymasterDefs.KM_DIGEST_SHA1: - return HMAC_SHA1; + return KEY_ALGORITHM_HMAC_SHA1; case KeymasterDefs.KM_DIGEST_SHA_2_224: - return HMAC_SHA224; + return KEY_ALGORITHM_HMAC_SHA224; case KeymasterDefs.KM_DIGEST_SHA_2_256: - return HMAC_SHA256; + return KEY_ALGORITHM_HMAC_SHA256; case KeymasterDefs.KM_DIGEST_SHA_2_384: - return HMAC_SHA384; + return KEY_ALGORITHM_HMAC_SHA384; case KeymasterDefs.KM_DIGEST_SHA_2_512: - return HMAC_SHA512; + return KEY_ALGORITHM_HMAC_SHA512; default: throw new IllegalArgumentException("Unsupported HMAC digest: " + Digest.fromKeymaster(keymasterDigest)); } default: throw new IllegalArgumentException( - "Unsupported algorithm: " + keymasterAlgorithm); + "Unsupported key algorithm: " + keymasterAlgorithm); } } @@ -242,7 +210,7 @@ public abstract class KeyStoreKeyProperties { * * @return keymaster digest or {@code -1} if the algorithm does not involve a digest. */ - static int toKeymasterDigest(@NonNull @AlgorithmEnum String algorithm) { + static int toKeymasterDigest(@NonNull @KeyAlgorithmEnum String algorithm) { String algorithmUpper = algorithm.toUpperCase(Locale.US); if (algorithmUpper.startsWith("HMAC")) { String digestUpper = algorithmUpper.substring("HMAC".length()); 
@@ -272,70 +240,58 @@ public abstract class KeyStoreKeyProperties { */ @Retention(RetentionPolicy.SOURCE) @StringDef({ - BlockMode.ECB, - BlockMode.CBC, - BlockMode.CTR, - BlockMode.GCM, + BLOCK_MODE_ECB, + BLOCK_MODE_CBC, + BLOCK_MODE_CTR, + BLOCK_MODE_GCM, }) public @interface BlockModeEnum {} - /** - * Block modes that can be used when encrypting/decrypting using a key. - */ - public static abstract class BlockMode { - private BlockMode() {} + /** Electronic Codebook (ECB) block mode. */ + public static final String BLOCK_MODE_ECB = "ECB"; - /** Electronic Codebook (ECB) block mode. */ - public static final String ECB = "ECB"; + /** Cipher Block Chaining (CBC) block mode. */ + public static final String BLOCK_MODE_CBC = "CBC"; - /** Cipher Block Chaining (CBC) block mode. */ - public static final String CBC = "CBC"; + /** Counter (CTR) block mode. */ + public static final String BLOCK_MODE_CTR = "CTR"; - /** Counter (CTR) block mode. */ - public static final String CTR = "CTR"; + /** Galois/Counter Mode (GCM) block mode. */ + public static final String BLOCK_MODE_GCM = "GCM"; - /** Galois/Counter Mode (GCM) block mode. 
*/ - public static final String GCM = "GCM"; + static abstract class BlockMode { + private BlockMode() {} - /** - * @hide - */ static int toKeymaster(@NonNull @BlockModeEnum String blockMode) { - if (ECB.equalsIgnoreCase(blockMode)) { + if (BLOCK_MODE_ECB.equalsIgnoreCase(blockMode)) { return KeymasterDefs.KM_MODE_ECB; - } else if (CBC.equalsIgnoreCase(blockMode)) { + } else if (BLOCK_MODE_CBC.equalsIgnoreCase(blockMode)) { return KeymasterDefs.KM_MODE_CBC; - } else if (CTR.equalsIgnoreCase(blockMode)) { + } else if (BLOCK_MODE_CTR.equalsIgnoreCase(blockMode)) { return KeymasterDefs.KM_MODE_CTR; - } else if (GCM.equalsIgnoreCase(blockMode)) { + } else if (BLOCK_MODE_GCM.equalsIgnoreCase(blockMode)) { return KeymasterDefs.KM_MODE_GCM; } else { throw new IllegalArgumentException("Unsupported block mode: " + blockMode); } } - /** - * @hide - */ @NonNull static @BlockModeEnum String fromKeymaster(int blockMode) { switch (blockMode) { case KeymasterDefs.KM_MODE_ECB: - return ECB; + return BLOCK_MODE_ECB; case KeymasterDefs.KM_MODE_CBC: - return CBC; + return BLOCK_MODE_CBC; case KeymasterDefs.KM_MODE_CTR: - return CTR; + return BLOCK_MODE_CTR; case KeymasterDefs.KM_MODE_GCM: - return GCM; + return BLOCK_MODE_GCM; default: throw new IllegalArgumentException("Unsupported block mode: " + blockMode); } } - /** - * @hide - */ @NonNull static @BlockModeEnum String[] allFromKeymaster(@NonNull Collection<Integer> blockModes) { if ((blockModes == null) || (blockModes.isEmpty())) { @@ -350,9 +306,6 @@ public abstract class KeyStoreKeyProperties { return result; } - /** - * @hide - */ static int[] allToKeymaster(@Nullable @BlockModeEnum String[] blockModes) { if ((blockModes == null) || (blockModes.length == 0)) { return EmptyArray.INT; 
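Review bot: The Javadoc on `BLOCK_MODE_ECB` in the @@ -272 hunk names the mode but does not say when it is unsafe, and after flattening these constants are the first thing an app developer sees in the public API. I would write `/** Electronic Codebook (ECB) block mode. Deterministic: equal plaintext blocks produce equal ciphertext blocks, so it does not offer IND-CPA. */`, which ties in with the IND-CPA wording already used for setRandomizedEncryptionRequired. The same gap applies to `ENCRYPTION_PADDING_NONE` and `ENCRYPTION_PADDING_RSA_PKCS1` in the @@ -370 hunk and to `DIGEST_NONE`, `DIGEST_MD5` and `DIGEST_SHA1` in the @@ -534 hunk. There a short remark that the value exists for compatibility with existing protocols, and that MD5 and SHA-1 are not collision resistant, would be enough.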
@@ -370,50 +323,44 @@ public abstract class KeyStoreKeyProperties { */ @Retention(RetentionPolicy.SOURCE) @StringDef({ - EncryptionPadding.NONE, - EncryptionPadding.PKCS7, - EncryptionPadding.RSA_PKCS1, - EncryptionPadding.RSA_OAEP, + ENCRYPTION_PADDING_NONE, + ENCRYPTION_PADDING_PKCS7, + ENCRYPTION_PADDING_RSA_PKCS1, + ENCRYPTION_PADDING_RSA_OAEP, }) public @interface EncryptionPaddingEnum {} /** - * Padding schemes for encryption/decryption. + * No encryption padding. */ - public static abstract class EncryptionPadding { - private EncryptionPadding() {} + public static final String ENCRYPTION_PADDING_NONE = "NoPadding"; - /** - * No padding. - */ - public static final String NONE = "NoPadding"; + /** + * PKCS#7 encryption padding scheme. + */ + public static final String ENCRYPTION_PADDING_PKCS7 = "PKCS7Padding"; - /** - * PKCS#7 padding. - */ - public static final String PKCS7 = "PKCS7Padding"; + /** + * RSA PKCS#1 v1.5 padding scheme for encryption. + */ + public static final String ENCRYPTION_PADDING_RSA_PKCS1 = "PKCS1Padding"; - /** - * RSA PKCS#1 v1.5 padding for encryption/decryption. - */ - public static final String RSA_PKCS1 = "PKCS1Padding"; + /** + * RSA Optimal Asymmetric Encryption Padding (OAEP) scheme. + */ + public static final String ENCRYPTION_PADDING_RSA_OAEP = "OAEPPadding"; - /** - * RSA Optimal Asymmetric Encryption Padding (OAEP). 
- */ - public static final String RSA_OAEP = "OAEPPadding"; + static abstract class EncryptionPadding { + private EncryptionPadding() {} - /** - * @hide - */ static int toKeymaster(@NonNull @EncryptionPaddingEnum String padding) { - if (NONE.equalsIgnoreCase(padding)) { + if (ENCRYPTION_PADDING_NONE.equalsIgnoreCase(padding)) { return KeymasterDefs.KM_PAD_NONE; - } else if (PKCS7.equalsIgnoreCase(padding)) { + } else if (ENCRYPTION_PADDING_PKCS7.equalsIgnoreCase(padding)) { return KeymasterDefs.KM_PAD_PKCS7; - } else if (RSA_PKCS1.equalsIgnoreCase(padding)) { + } else if (ENCRYPTION_PADDING_RSA_PKCS1.equalsIgnoreCase(padding)) { return KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_ENCRYPT; - } else if (RSA_OAEP.equalsIgnoreCase(padding)) { + } else if (ENCRYPTION_PADDING_RSA_OAEP.equalsIgnoreCase(padding)) { return KeymasterDefs.KM_PAD_RSA_OAEP; } else { throw new IllegalArgumentException( @@ -421,29 +368,23 @@ public abstract class KeyStoreKeyProperties { } } - /** - * @hide - */ @NonNull static @EncryptionPaddingEnum String fromKeymaster(int padding) { switch (padding) { case KeymasterDefs.KM_PAD_NONE: - return NONE; + return ENCRYPTION_PADDING_NONE; case KeymasterDefs.KM_PAD_PKCS7: - return PKCS7; + return ENCRYPTION_PADDING_PKCS7; case KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_ENCRYPT: - return RSA_PKCS1; + return ENCRYPTION_PADDING_RSA_PKCS1; case KeymasterDefs.KM_PAD_RSA_OAEP: - return RSA_OAEP; + return ENCRYPTION_PADDING_RSA_OAEP; default: throw new IllegalArgumentException( "Unsupported encryption padding: " + padding); } } - /** - * @hide - */ @NonNull static int[] allToKeymaster(@Nullable @EncryptionPaddingEnum String[] paddings) { if ((paddings == null) || (paddings.length == 0)) { 
@@ -462,35 +403,29 @@ public abstract class KeyStoreKeyProperties { */ @Retention(RetentionPolicy.SOURCE) @StringDef({ - SignaturePadding.RSA_PKCS1, - SignaturePadding.RSA_PSS, + SIGNATURE_PADDING_RSA_PKCS1, + SIGNATURE_PADDING_RSA_PSS, }) public @interface SignaturePaddingEnum {} /** - * Padding schemes for signing/verification. + * RSA PKCS#1 v1.5 padding for signatures. */ - public static abstract class SignaturePadding { - private SignaturePadding() {} + public static final String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1"; - /** - * RSA PKCS#1 v1.5 padding for signatures. - */ - public static final String RSA_PKCS1 = "PKCS1"; + /** + * RSA PKCS#1 v2.1 Probabilistic Signature Scheme (PSS) padding. + */ + public static final String SIGNATURE_PADDING_RSA_PSS = "PSS"; - /** - * RSA PKCS#1 v2.1 Probabilistic Signature Scheme (PSS) padding. - */ - public static final String RSA_PSS = "PSS"; + static abstract class SignaturePadding { + private SignaturePadding() {} - /** - * @hide - */ static int toKeymaster(@NonNull @SignaturePaddingEnum String padding) { switch (padding.toUpperCase(Locale.US)) { - case RSA_PKCS1: + case SIGNATURE_PADDING_RSA_PKCS1: return KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_SIGN; - case RSA_PSS: + case SIGNATURE_PADDING_RSA_PSS: return KeymasterDefs.KM_PAD_RSA_PSS; default: throw new IllegalArgumentException( @@ -498,24 +433,18 @@ public abstract class KeyStoreKeyProperties { } } - /** - * @hide - */ @NonNull static @SignaturePaddingEnum String fromKeymaster(int padding) { switch (padding) { case KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_SIGN: - return RSA_PKCS1; + return SIGNATURE_PADDING_RSA_PKCS1; case KeymasterDefs.KM_PAD_RSA_PSS: - return RSA_PSS; + return SIGNATURE_PADDING_RSA_PSS; default: throw new IllegalArgumentException("Unsupported signature padding: " + padding); } } - /** - * @hide - */ @NonNull static int[] allToKeymaster(@Nullable @SignaturePaddingEnum String[] paddings) { if ((paddings == null) || (paddings.length == 0)) { 
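Review bot: SignaturePadding.toKeymaster runs `switch (padding.toUpperCase(Locale.US))` against `case SIGNATURE_PADDING_RSA_PKCS1:` and `case SIGNATURE_PADDING_RSA_PSS:`, which is case-insensitive only as long as the public constants' values are themselves upper case. BlockMode.toKeymaster and EncryptionPadding.toKeymaster in this file use `equalsIgnoreCase`, which has no such hidden requirement. I would match them, e.g. `if (SIGNATURE_PADDING_RSA_PKCS1.equalsIgnoreCase(padding)) {`, or at least add `// Constant values must be upper case for this switch to match` above the switch. Digest.toKeymaster in the @@ -534 hunk follows the same pattern.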
@@ -534,110 +463,97 @@ public abstract class KeyStoreKeyProperties { */ @Retention(RetentionPolicy.SOURCE) @StringDef({ - Digest.NONE, - Digest.MD5, - Digest.SHA1, - Digest.SHA224, - Digest.SHA256, - Digest.SHA384, - Digest.SHA512, + DIGEST_NONE, + DIGEST_MD5, + DIGEST_SHA1, + DIGEST_SHA224, + DIGEST_SHA256, + DIGEST_SHA384, + DIGEST_SHA512, }) public @interface DigestEnum {} /** - * Digests that can be used with a key when signing or generating Message Authentication - * Codes (MACs). + * No digest: sign/authenticate the raw message. */ - public static abstract class Digest { - private Digest() {} + public static final String DIGEST_NONE = "NONE"; - /** - * No digest: sign/authenticate the raw message. - */ - public static final String NONE = "NONE"; + /** + * MD5 digest. + */ + public static final String DIGEST_MD5 = "MD5"; - /** - * MD5 digest. - */ - public static final String MD5 = "MD5"; + /** + * SHA-1 digest. + */ + public static final String DIGEST_SHA1 = "SHA-1"; - /** - * SHA-1 digest. - */ - public static final String SHA1 = "SHA-1"; + /** + * SHA-2 224 (aka SHA-224) digest. + */ + public static final String DIGEST_SHA224 = "SHA-224"; - /** - * SHA-2 224 (aka SHA-224) digest. - */ - public static final String SHA224 = "SHA-224"; + /** + * SHA-2 256 (aka SHA-256) digest. + */ + public static final String DIGEST_SHA256 = "SHA-256"; - /** - * SHA-2 256 (aka SHA-256) digest. - */ - public static final String SHA256 = "SHA-256"; + /** + * SHA-2 384 (aka SHA-384) digest. + */ + public static final String DIGEST_SHA384 = "SHA-384"; - /** - * SHA-2 384 (aka SHA-384) digest. - */ - public static final String SHA384 = "SHA-384"; + /** + * SHA-2 512 (aka SHA-512) digest. + */ + public static final String DIGEST_SHA512 = "SHA-512"; - /** - * SHA-2 512 (aka SHA-512) digest. 
- */ - public static final String SHA512 = "SHA-512"; + static abstract class Digest { + private Digest() {} - /** - * @hide - */ static int toKeymaster(@NonNull @DigestEnum String digest) { switch (digest.toUpperCase(Locale.US)) { - case SHA1: + case DIGEST_SHA1: return KeymasterDefs.KM_DIGEST_SHA1; - case SHA224: + case DIGEST_SHA224: return KeymasterDefs.KM_DIGEST_SHA_2_224; - case SHA256: + case DIGEST_SHA256: return KeymasterDefs.KM_DIGEST_SHA_2_256; - case SHA384: + case DIGEST_SHA384: return KeymasterDefs.KM_DIGEST_SHA_2_384; - case SHA512: + case DIGEST_SHA512: return KeymasterDefs.KM_DIGEST_SHA_2_512; - case NONE: + case DIGEST_NONE: return KeymasterDefs.KM_DIGEST_NONE; - case MD5: + case DIGEST_MD5: return KeymasterDefs.KM_DIGEST_MD5; default: throw new IllegalArgumentException("Unsupported digest algorithm: " + digest); } } - /** - * @hide - */ @NonNull static @DigestEnum String fromKeymaster(int digest) { switch (digest) { case KeymasterDefs.KM_DIGEST_NONE: - return NONE; + return DIGEST_NONE; case KeymasterDefs.KM_DIGEST_MD5: - return MD5; + return DIGEST_MD5; case KeymasterDefs.KM_DIGEST_SHA1: - return SHA1; + return DIGEST_SHA1; case KeymasterDefs.KM_DIGEST_SHA_2_224: - return SHA224; + return DIGEST_SHA224; case KeymasterDefs.KM_DIGEST_SHA_2_256: - return SHA256; + return DIGEST_SHA256; case KeymasterDefs.KM_DIGEST_SHA_2_384: - return SHA384; + return DIGEST_SHA384; case KeymasterDefs.KM_DIGEST_SHA_2_512: - return SHA512; + return DIGEST_SHA512; default: throw new IllegalArgumentException("Unsupported digest algorithm: " + digest); } } - /** - * @hide - */ @NonNull static @DigestEnum String[] allFromKeymaster(@NonNull Collection<Integer> digests) { if (digests.isEmpty()) { @@ -652,9 +568,6 @@ public abstract class KeyStoreKeyProperties { return result; } - /** - * @hide - */ @NonNull static int[] allToKeymaster(@Nullable @DigestEnum String[] digests) { if ((digests == null) || (digests.length == 0)) { 
@@ -674,38 +587,36 @@ public abstract class KeyStoreKeyProperties { * @hide */ @Retention(RetentionPolicy.SOURCE) - @IntDef({Origin.GENERATED, Origin.IMPORTED, Origin.UNKNOWN}) + @IntDef({ + ORIGIN_GENERATED, + ORIGIN_IMPORTED, + ORIGIN_UNKNOWN, + }) public @interface OriginEnum {} - /** - * Origin of the key. - */ - public static abstract class Origin { - private Origin() {} + /** Key was generated inside AndroidKeyStore. */ + public static final int ORIGIN_GENERATED = 1 << 0; - /** Key was generated inside AndroidKeyStore. */ - public static final int GENERATED = 1 << 0; + /** Key was imported into AndroidKeyStore. */ + public static final int ORIGIN_IMPORTED = 1 << 1; - /** Key was imported into AndroidKeyStore. */ - public static final int IMPORTED = 1 << 1; + /** + * Origin of the key is unknown. This can occur only for keys backed by an old TEE-backed + * implementation which does not record origin information. + */ + public static final int ORIGIN_UNKNOWN = 1 << 2; - /** - * Origin of the key is unknown. This can occur only for keys backed by an old TEE-backed - * implementation which does not record origin information. - */ - public static final int UNKNOWN = 1 << 2; + static abstract class Origin { + private Origin() {} - /** - * @hide - */ - public static @OriginEnum int fromKeymaster(int origin) { + static @OriginEnum int fromKeymaster(int origin) { switch (origin) { case KeymasterDefs.KM_ORIGIN_GENERATED: - return GENERATED; + return ORIGIN_GENERATED; case KeymasterDefs.KM_ORIGIN_IMPORTED: - return IMPORTED; + return ORIGIN_IMPORTED; case KeymasterDefs.KM_ORIGIN_UNKNOWN: - return UNKNOWN; + return ORIGIN_UNKNOWN; default: throw new IllegalArgumentException("Unknown origin: " + origin); } diff --git a/keystore/java/android/security/KeyStoreKeySpec.java b/keystore/java/android/security/KeyStoreKeySpec.java index acd6404..4c43f89 100644 --- a/keystore/java/android/security/KeyStoreKeySpec.java +++ b/keystore/java/android/security/KeyStoreKeySpec.java 
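Review bot: `ORIGIN_GENERATED`, `ORIGIN_IMPORTED` and `ORIGIN_UNKNOWN` are written as bit shifts (`1 << 0`, `1 << 1`, `1 << 2`), yet `OriginEnum` is a plain `@IntDef` without `flag = true`, unlike `PurposeEnum`, and `Origin.fromKeymaster` returns exactly one of them. The shift notation suggests that the values can be OR-ed together. If an origin is always a single value, the Javadoc should say so, for instance `/** Key was generated inside AndroidKeyStore. Origins are mutually exclusive. */`. If combining is intended, the annotation should carry `flag = true`.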
@@ -135,7 +135,7 @@ public class KeyStoreKeySpec implements KeySpec { } /** - * Gets the origin of the key. + * Gets the origin of the key. See {@link KeyStoreKeyProperties}.{@code ORIGIN} constants. */ public @KeyStoreKeyProperties.OriginEnum int getOrigin() { return mOrigin; @@ -179,19 +179,21 @@ public class KeyStoreKeySpec implements KeySpec { } /** - * Gets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which the - * key can be used. + * Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used. + * Attempts to use the key for any other purpose will be rejected. * - * @see KeyStoreKeyProperties.Purpose + * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags. */ public @KeyStoreKeyProperties.PurposeEnum int getPurposes() { return mPurposes; } /** - * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used. + * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used + * when encrypting/decrypting. Attempts to use the key with any other block modes will be + * rejected. * - * @see KeyStoreKeyProperties.BlockMode + * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants. */ @NonNull public @KeyStoreKeyProperties.BlockModeEnum String[] getBlockModes() { 
@@ -199,10 +201,11 @@ public class KeyStoreKeySpec implements KeySpec { } /** - * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with which - * the key can be used when encrypting/decrypting. + * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code PKCS1Padding}, + * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to use + * the key with any other padding scheme will be rejected. * - * @see KeyStoreKeyProperties.EncryptionPadding + * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants. */ @NonNull public @KeyStoreKeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() { @@ -210,10 +213,11 @@ public class KeyStoreKeySpec implements KeySpec { } /** - * Gets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when - * signing/verifying. + * Gets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key + * can be used when signing/verifying. Attempts to use the key with any other padding scheme + * will be rejected. * - * @see KeyStoreKeyProperties.SignaturePadding + * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants. */ @NonNull public @KeyStoreKeyProperties.SignaturePaddingEnum String[] getSignaturePaddings() { diff --git a/keystore/java/android/security/KeyStoreParameter.java b/keystore/java/android/security/KeyStoreParameter.java index 9369f5b..a7fab80 100644 --- a/keystore/java/android/security/KeyStoreParameter.java +++ b/keystore/java/android/security/KeyStoreParameter.java 
@@ -62,11 +62,11 @@ import javax.crypto.Cipher; * "key1", * new KeyStore.SecretKeyEntry(key), * new KeyStoreParameter.Builder(context) - * .setPurposes(KeyStoreKeyProperties.Purpose.ENCRYPT - * | KeyStoreKeyProperties.Purpose.DECRYPT) - * .setBlockMode(KeyStoreKeyProperties.BlockMode.CBC) + * .setPurposes(KeyStoreKeyProperties.PURPOSE_ENCRYPT + * | KeyStoreKeyProperties.PURPOSE_DECRYPT) + * .setBlockMode(KeyStoreKeyProperties.BLOCK_MODE_CBC) * .setEncryptionPaddings( - * KeyStoreKeyProperties.EncryptionPaddings.PKCS7) + * KeyStoreKeyProperties.ENCRYPTION_PADDING_PKCS7) * .build()); * // Key imported, obtain a reference to it. * SecretKey keyStoreKey = (SecretKey) keyStore.getKey("key1", null); @@ -90,8 +90,8 @@ import javax.crypto.Cipher; * "key2", * new KeyStore.PrivateKeyEntry(privateKey, certChain), * new KeyStoreParameter.Builder(context) - * .setPurposes(KeyStoreKeyProperties.Purpose.SIGN) - * .setDigests(KeyStoreKeyProperties.Digest.SHA256) + * .setPurposes(KeyStoreKeyProperties.PURPOSE_SIGN) + * .setDigests(KeyStoreKeyProperties.DIGEST_SHA256) * // Only permit this key to be used if the user * // authenticated within the last ten minutes. * .setUserAuthenticationRequired(true) 
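Review bot: The class-level example in the `@@ -62,11 +62,11 @@` hunk still calls `.setBlockMode(KeyStoreKeyProperties.BLOCK_MODE_CBC)`, while the only Builder setter for block modes visible in this diff is `setBlockModes(String...)`, so the sample probably does not compile as written. The commit already rewrites this line and fixes the neighbouring `EncryptionPaddings` typo, so this is the natural place to change it to `.setBlockModes(KeyStoreKeyProperties.BLOCK_MODE_CBC)`. Key-import samples tend to be copied verbatim, so the authorization calls in them are worth keeping exact. If a singular `setBlockMode` overload exists outside the visible hunks, this can be ignored.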
@@ -211,20 +211,21 @@ public final class KeyStoreParameter implements ProtectionParameter { } /** - * Gets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which the - * key can be used. + * Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used. + * Attempts to use the key for any other purpose will be rejected. * - * @see KeyStoreKeyProperties.Purpose + * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags. */ public @KeyStoreKeyProperties.PurposeEnum int getPurposes() { return mPurposes; } /** - * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with which - * the key can be used when encrypting/decrypting. + * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code PKCS1Padding}, + * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to use + * the key with any other padding scheme will be rejected. * - * @see KeyStoreKeyProperties.EncryptionPadding + * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants. */ @NonNull public @KeyStoreKeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() { @@ -232,10 +233,11 @@ public final class KeyStoreParameter implements ProtectionParameter { } /** - * Gets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when - * signing or verifying signatures. + * Gets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key + * can be used when signing/verifying. Attempts to use the key with any other padding scheme + * will be rejected. * - * @see KeyStoreKeyProperties.SignaturePadding + * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants. */ @NonNull public @KeyStoreKeyProperties.SignaturePaddingEnum String[] getSignaturePaddings() { 
@@ -271,9 +273,11 @@ public final class KeyStoreParameter implements ProtectionParameter { } /** - * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used. + * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used + * when encrypting/decrypting. Attempts to use the key with any other block modes will be + * rejected. * - * @see KeyStoreKeyProperties.BlockMode + * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants. */ @NonNull public @KeyStoreKeyProperties.BlockModeEnum String[] getBlockModes() { @@ -388,7 +392,7 @@ public final class KeyStoreParameter implements ProtectionParameter { * * <p>By default, the key is valid at any instant. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * * @see #setKeyValidityEnd(Date) */ @@ -403,7 +407,7 @@ public final class KeyStoreParameter implements ProtectionParameter { * * <p>By default, the key is valid at any instant. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * * @see #setKeyValidityStart(Date) * @see #setKeyValidityForConsumptionEnd(Date) @@ -421,7 +425,7 @@ public final class KeyStoreParameter implements ProtectionParameter { * * <p>By default, the key is valid at any instant. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * * @see #setKeyValidityForConsumptionEnd(Date) */ @@ -437,7 +441,7 @@ public final class KeyStoreParameter implements ProtectionParameter { * * <p>By default, the key is valid at any instant. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * * @see #setKeyValidityForOriginationEnd(Date) */ 
@@ -448,14 +452,14 @@ public final class KeyStoreParameter implements ProtectionParameter { } /** - * Sets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which - * the key can be used. + * Sets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used. + * Attempts to use the key for any other purpose will be rejected. * * <p>This must be specified for all keys. There is no default. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * - * @see KeyStoreKeyProperties.Purpose + * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags. */ @NonNull public Builder setPurposes(@KeyStoreKeyProperties.PurposeEnum int purposes) { @@ -464,15 +468,15 @@ public final class KeyStoreParameter implements ProtectionParameter { } /** - * Sets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with - * which the key can be used when encrypting/decrypting. Attempts to use the key with any - * other padding scheme will be rejected. + * Sets the set of padding schemes (e.g., {@code OAEPPadding}, {@code PKCS7Padding}, + * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to + * use the key with any other padding scheme will be rejected. * * <p>This must be specified for keys which are used for encryption/decryption. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * - * @see KeyStoreKeyProperties.EncryptionPadding + * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants. */ @NonNull public Builder setEncryptionPaddings( 
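Review bot: The sentence added to `setPurposes` in the `@@ -448,14 +452,14 @@` hunk, `Attempts to use the key for any other purpose will be rejected.`, is unconditional, yet the same Javadoc carries the bold note that the setting currently has no effect on asymmetric key pairs. A caller importing a private key could read the first sentence as an enforced restriction. Consider qualifying it, e.g. `Attempts to use the key for any other purpose will be rejected, except as noted below for asymmetric key pairs.` The same pairing appears in the Javadoc of `setEncryptionPaddings` (second hunk on this line), `setSignaturePaddings` and `setBlockModes` in the later hunks; `setSignaturePaddings` additionally says it must be specified for RSA keys, which are asymmetric.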
@@ -482,15 +486,15 @@ public final class KeyStoreParameter implements ProtectionParameter { } /** - * Sets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when - * signing/verifying. Attempts to use the key with any other padding scheme will be - * rejected. + * Sets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key + * can be used when signing/verifying. Attempts to use the key with any other padding scheme + * will be rejected. * * <p>This must be specified for RSA keys which are used for signing/verification. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * - * @see KeyStoreKeyProperties.SignaturePadding + * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants. */ @NonNull public Builder setSignaturePaddings( @@ -509,7 +513,7 @@ public final class KeyStoreParameter implements ProtectionParameter { * {@link Key#getAlgorithm()}. For asymmetric signing keys the set of digest algorithms * must be specified. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * * @see KeyStoreKeyProperties.Digest */ 
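Review bot: The `@@ -509,7 +513,7 @@` hunk leaves `@see KeyStoreKeyProperties.Digest` in place, although the api/current.txt part of this change removes the nested `KeyStoreKeyProperties.Digest` class and the sibling Javadoc blocks were all switched to the flattened form. The reference would no longer resolve. Replace it with `<p>See {@link KeyStoreKeyProperties}.{@code DIGEST} constants.` to match the other setters. The method this Javadoc belongs to starts after the end of the hunk.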
@@ -520,15 +524,15 @@ public final class KeyStoreParameter implements ProtectionParameter { } /** - * Sets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be - * used when encrypting/decrypting. Attempts to use the key with any other block modes will - * be rejected. + * Sets the set of block modes (e.g., {@code CBC}, {@code CTR}, {@code ECB}) with which the + * key can be used when encrypting/decrypting. Attempts to use the key with any other block + * modes will be rejected. * * <p>This must be specified for encryption/decryption keys. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * - * @see KeyStoreKeyProperties.BlockMode + * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants. */ @NonNull public Builder setBlockModes(@KeyStoreKeyProperties.BlockModeEnum String... blockModes) { @@ -570,7 +574,7 @@ public final class KeyStoreParameter implements ProtectionParameter { * schemes which offer {@code IND-CPA}, such as PKCS#1 or OAEP.</li> * </ul> * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> */ @NonNull public Builder setRandomizedEncryptionRequired(boolean required) { @@ -591,7 +595,7 @@ public final class KeyStoreParameter implements ProtectionParameter { * <a href="{@docRoot}training/articles/keystore.html#UserAuthentication">More * information</a>. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * * @see #setUserAuthenticationValidityDurationSeconds(int) */ 
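Review bot: The reworded `setBlockModes` Javadoc in the `@@ -520,15 +524,15 @@` hunk adds `{@code ECB}` to the example list next to `CBC` and `CTR` without any qualification. ECB is deterministic and does not provide IND-CPA, the property the `setRandomizedEncryptionRequired` Javadoc later in this file is concerned with, so a reader picking from the examples gets no hint that one of them is the weak choice. I would either drop `ECB` from the examples or add a pointer such as `<p>See also {@link #setRandomizedEncryptionRequired(boolean)} before authorizing {@code ECB}.` How ECB interacts with that flag is not visible in these hunks, so the wording should be checked against the implementation.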
@@ -607,7 +611,7 @@ public final class KeyStoreParameter implements ProtectionParameter { * * <p>By default, the user needs to authenticate for every use of the key. * - * <p><b>NOTE: This has currently no effect on asymmetric key pairs. + * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b> * * @param seconds duration in seconds or {@code -1} if the user needs to authenticate for * every use of the key. |