authorAlex Klyubin <klyubin@google.com>2015-05-12 19:57:09 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2015-05-12 19:57:10 +0000
commitc5a142f82b85aef4d740af4e8fefedf1cd0333fe (patch)
treea2e9a554bcbb1f978ab699e095d6b05ac9179ab6
parente66ba4736667afb9ff3b1d3ebc487d024531f2a3 (diff)
parent622fd932fd33c6e86c86c8a24082674ad077a810 (diff)
Merge "Flatten KeyStoreKeyProperties constants." into mnc-dev
-rw-r--r--api/current.txt85
-rw-r--r--api/system-current.txt85
-rw-r--r--keystore/java/android/security/AndroidKeyPairGenerator.java21
-rw-r--r--keystore/java/android/security/AndroidKeyStore.java12
-rw-r--r--keystore/java/android/security/KeyChain.java12
-rw-r--r--keystore/java/android/security/KeyGeneratorSpec.java35
-rw-r--r--keystore/java/android/security/KeyPairGeneratorSpec.java105
-rw-r--r--keystore/java/android/security/KeyStore.java6
-rw-r--r--keystore/java/android/security/KeyStoreCipherSpi.java2
-rw-r--r--keystore/java/android/security/KeyStoreKeyGeneratorSpi.java8
-rw-r--r--keystore/java/android/security/KeyStoreKeyProperties.java499
-rw-r--r--keystore/java/android/security/KeyStoreKeySpec.java28
-rw-r--r--keystore/java/android/security/KeyStoreParameter.java92
13 files changed, 439 insertions, 551 deletions
diff --git a/api/current.txt b/api/current.txt
index 46f38ca..8a9e7ef 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -28455,59 +28455,38 @@ package android.security {
}
public abstract class KeyStoreKeyProperties {
- }
-
- public static abstract class KeyStoreKeyProperties.Algorithm {
- field public static final java.lang.String AES = "AES";
- field public static final java.lang.String EC = "EC";
- field public static final java.lang.String HMAC_SHA1 = "HmacSHA1";
- field public static final java.lang.String HMAC_SHA224 = "HmacSHA224";
- field public static final java.lang.String HMAC_SHA256 = "HmacSHA256";
- field public static final java.lang.String HMAC_SHA384 = "HmacSHA384";
- field public static final java.lang.String HMAC_SHA512 = "HmacSHA512";
- field public static final java.lang.String RSA = "RSA";
- }
-
- public static abstract class KeyStoreKeyProperties.BlockMode {
- field public static final java.lang.String CBC = "CBC";
- field public static final java.lang.String CTR = "CTR";
- field public static final java.lang.String ECB = "ECB";
- field public static final java.lang.String GCM = "GCM";
- }
-
- public static abstract class KeyStoreKeyProperties.Digest {
- field public static final java.lang.String MD5 = "MD5";
- field public static final java.lang.String NONE = "NONE";
- field public static final java.lang.String SHA1 = "SHA-1";
- field public static final java.lang.String SHA224 = "SHA-224";
- field public static final java.lang.String SHA256 = "SHA-256";
- field public static final java.lang.String SHA384 = "SHA-384";
- field public static final java.lang.String SHA512 = "SHA-512";
- }
-
- public static abstract class KeyStoreKeyProperties.EncryptionPadding {
- field public static final java.lang.String NONE = "NoPadding";
- field public static final java.lang.String PKCS7 = "PKCS7Padding";
- field public static final java.lang.String RSA_OAEP = "OAEPPadding";
- field public static final java.lang.String RSA_PKCS1 = "PKCS1Padding";
- }
-
- public static abstract class KeyStoreKeyProperties.Origin {
- field public static final int GENERATED = 1; // 0x1
- field public static final int IMPORTED = 2; // 0x2
- field public static final int UNKNOWN = 4; // 0x4
- }
-
- public static abstract class KeyStoreKeyProperties.Purpose {
- field public static final int DECRYPT = 2; // 0x2
- field public static final int ENCRYPT = 1; // 0x1
- field public static final int SIGN = 4; // 0x4
- field public static final int VERIFY = 8; // 0x8
- }
-
- public static abstract class KeyStoreKeyProperties.SignaturePadding {
- field public static final java.lang.String RSA_PKCS1 = "PKCS1";
- field public static final java.lang.String RSA_PSS = "PSS";
+ field public static final java.lang.String BLOCK_MODE_CBC = "CBC";
+ field public static final java.lang.String BLOCK_MODE_CTR = "CTR";
+ field public static final java.lang.String BLOCK_MODE_ECB = "ECB";
+ field public static final java.lang.String BLOCK_MODE_GCM = "GCM";
+ field public static final java.lang.String DIGEST_MD5 = "MD5";
+ field public static final java.lang.String DIGEST_NONE = "NONE";
+ field public static final java.lang.String DIGEST_SHA1 = "SHA-1";
+ field public static final java.lang.String DIGEST_SHA224 = "SHA-224";
+ field public static final java.lang.String DIGEST_SHA256 = "SHA-256";
+ field public static final java.lang.String DIGEST_SHA384 = "SHA-384";
+ field public static final java.lang.String DIGEST_SHA512 = "SHA-512";
+ field public static final java.lang.String ENCRYPTION_PADDING_NONE = "NoPadding";
+ field public static final java.lang.String ENCRYPTION_PADDING_PKCS7 = "PKCS7Padding";
+ field public static final java.lang.String ENCRYPTION_PADDING_RSA_OAEP = "OAEPPadding";
+ field public static final java.lang.String ENCRYPTION_PADDING_RSA_PKCS1 = "PKCS1Padding";
+ field public static final java.lang.String KEY_ALGORITHM_AES = "AES";
+ field public static final java.lang.String KEY_ALGORITHM_EC = "EC";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA1 = "HmacSHA1";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA224 = "HmacSHA224";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA256 = "HmacSHA256";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA384 = "HmacSHA384";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA512 = "HmacSHA512";
+ field public static final java.lang.String KEY_ALGORITHM_RSA = "RSA";
+ field public static final int ORIGIN_GENERATED = 1; // 0x1
+ field public static final int ORIGIN_IMPORTED = 2; // 0x2
+ field public static final int ORIGIN_UNKNOWN = 4; // 0x4
+ field public static final int PURPOSE_DECRYPT = 2; // 0x2
+ field public static final int PURPOSE_ENCRYPT = 1; // 0x1
+ field public static final int PURPOSE_SIGN = 4; // 0x4
+ field public static final int PURPOSE_VERIFY = 8; // 0x8
+ field public static final java.lang.String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1";
+ field public static final java.lang.String SIGNATURE_PADDING_RSA_PSS = "PSS";
}
public class KeyStoreKeySpec implements java.security.spec.KeySpec {
diff --git a/api/system-current.txt b/api/system-current.txt
index b2a6f65..693c515 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -30478,59 +30478,38 @@ package android.security {
}
public abstract class KeyStoreKeyProperties {
- }
-
- public static abstract class KeyStoreKeyProperties.Algorithm {
- field public static final java.lang.String AES = "AES";
- field public static final java.lang.String EC = "EC";
- field public static final java.lang.String HMAC_SHA1 = "HmacSHA1";
- field public static final java.lang.String HMAC_SHA224 = "HmacSHA224";
- field public static final java.lang.String HMAC_SHA256 = "HmacSHA256";
- field public static final java.lang.String HMAC_SHA384 = "HmacSHA384";
- field public static final java.lang.String HMAC_SHA512 = "HmacSHA512";
- field public static final java.lang.String RSA = "RSA";
- }
-
- public static abstract class KeyStoreKeyProperties.BlockMode {
- field public static final java.lang.String CBC = "CBC";
- field public static final java.lang.String CTR = "CTR";
- field public static final java.lang.String ECB = "ECB";
- field public static final java.lang.String GCM = "GCM";
- }
-
- public static abstract class KeyStoreKeyProperties.Digest {
- field public static final java.lang.String MD5 = "MD5";
- field public static final java.lang.String NONE = "NONE";
- field public static final java.lang.String SHA1 = "SHA-1";
- field public static final java.lang.String SHA224 = "SHA-224";
- field public static final java.lang.String SHA256 = "SHA-256";
- field public static final java.lang.String SHA384 = "SHA-384";
- field public static final java.lang.String SHA512 = "SHA-512";
- }
-
- public static abstract class KeyStoreKeyProperties.EncryptionPadding {
- field public static final java.lang.String NONE = "NoPadding";
- field public static final java.lang.String PKCS7 = "PKCS7Padding";
- field public static final java.lang.String RSA_OAEP = "OAEPPadding";
- field public static final java.lang.String RSA_PKCS1 = "PKCS1Padding";
- }
-
- public static abstract class KeyStoreKeyProperties.Origin {
- field public static final int GENERATED = 1; // 0x1
- field public static final int IMPORTED = 2; // 0x2
- field public static final int UNKNOWN = 4; // 0x4
- }
-
- public static abstract class KeyStoreKeyProperties.Purpose {
- field public static final int DECRYPT = 2; // 0x2
- field public static final int ENCRYPT = 1; // 0x1
- field public static final int SIGN = 4; // 0x4
- field public static final int VERIFY = 8; // 0x8
- }
-
- public static abstract class KeyStoreKeyProperties.SignaturePadding {
- field public static final java.lang.String RSA_PKCS1 = "PKCS1";
- field public static final java.lang.String RSA_PSS = "PSS";
+ field public static final java.lang.String BLOCK_MODE_CBC = "CBC";
+ field public static final java.lang.String BLOCK_MODE_CTR = "CTR";
+ field public static final java.lang.String BLOCK_MODE_ECB = "ECB";
+ field public static final java.lang.String BLOCK_MODE_GCM = "GCM";
+ field public static final java.lang.String DIGEST_MD5 = "MD5";
+ field public static final java.lang.String DIGEST_NONE = "NONE";
+ field public static final java.lang.String DIGEST_SHA1 = "SHA-1";
+ field public static final java.lang.String DIGEST_SHA224 = "SHA-224";
+ field public static final java.lang.String DIGEST_SHA256 = "SHA-256";
+ field public static final java.lang.String DIGEST_SHA384 = "SHA-384";
+ field public static final java.lang.String DIGEST_SHA512 = "SHA-512";
+ field public static final java.lang.String ENCRYPTION_PADDING_NONE = "NoPadding";
+ field public static final java.lang.String ENCRYPTION_PADDING_PKCS7 = "PKCS7Padding";
+ field public static final java.lang.String ENCRYPTION_PADDING_RSA_OAEP = "OAEPPadding";
+ field public static final java.lang.String ENCRYPTION_PADDING_RSA_PKCS1 = "PKCS1Padding";
+ field public static final java.lang.String KEY_ALGORITHM_AES = "AES";
+ field public static final java.lang.String KEY_ALGORITHM_EC = "EC";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA1 = "HmacSHA1";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA224 = "HmacSHA224";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA256 = "HmacSHA256";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA384 = "HmacSHA384";
+ field public static final java.lang.String KEY_ALGORITHM_HMAC_SHA512 = "HmacSHA512";
+ field public static final java.lang.String KEY_ALGORITHM_RSA = "RSA";
+ field public static final int ORIGIN_GENERATED = 1; // 0x1
+ field public static final int ORIGIN_IMPORTED = 2; // 0x2
+ field public static final int ORIGIN_UNKNOWN = 4; // 0x4
+ field public static final int PURPOSE_DECRYPT = 2; // 0x2
+ field public static final int PURPOSE_ENCRYPT = 1; // 0x1
+ field public static final int PURPOSE_SIGN = 4; // 0x4
+ field public static final int PURPOSE_VERIFY = 8; // 0x8
+ field public static final java.lang.String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1";
+ field public static final java.lang.String SIGNATURE_PADDING_RSA_PSS = "PSS";
}
public class KeyStoreKeySpec implements java.security.spec.KeySpec {
diff --git a/keystore/java/android/security/AndroidKeyPairGenerator.java b/keystore/java/android/security/AndroidKeyPairGenerator.java
index 3f29c6a..ea90ca3 100644
--- a/keystore/java/android/security/AndroidKeyPairGenerator.java
+++ b/keystore/java/android/security/AndroidKeyPairGenerator.java
@@ -54,13 +54,13 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi {
public static class RSA extends AndroidKeyPairGenerator {
public RSA() {
- super(KeyStoreKeyProperties.Algorithm.RSA);
+ super(KeyStoreKeyProperties.KEY_ALGORITHM_RSA);
}
}
public static class EC extends AndroidKeyPairGenerator {
public EC() {
- super(KeyStoreKeyProperties.Algorithm.EC);
+ super(KeyStoreKeyProperties.KEY_ALGORITHM_EC);
}
}
@@ -83,15 +83,15 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi {
private android.security.KeyStore mKeyStore;
private KeyPairGeneratorSpec mSpec;
- private @KeyStoreKeyProperties.AlgorithmEnum String mKeyAlgorithm;
+ private @KeyStoreKeyProperties.KeyAlgorithmEnum String mKeyAlgorithm;
private int mKeyType;
private int mKeySize;
- protected AndroidKeyPairGenerator(@KeyStoreKeyProperties.AlgorithmEnum String algorithm) {
+ protected AndroidKeyPairGenerator(@KeyStoreKeyProperties.KeyAlgorithmEnum String algorithm) {
mAlgorithm = algorithm;
}
- public @KeyStoreKeyProperties.AlgorithmEnum String getAlgorithm() {
+ @KeyStoreKeyProperties.KeyAlgorithmEnum String getAlgorithm() {
return mAlgorithm;
}
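Review bot: `getAlgorithm()` loses its `public` modifier in this hunk and becomes package-private, which is a visibility change rather than part of the constant flattening named in the commit title. Any caller outside `android.security` would stop compiling, and nothing visible here says whether that is intended. If it is not, keep `public @KeyStoreKeyProperties.KeyAlgorithmEnum String getAlgorithm() {`; if it is, mark the method `/** @hide */` or mention the narrowing in the commit message. Separately, the constructor assigns `mAlgorithm` while the field declared in this hunk is `mKeyAlgorithm`; the declaration of `mAlgorithm` is presumably outside the hunk, so confirm both fields are meant to exist.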
@@ -197,7 +197,8 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi {
return certGen.generate(privateKey);
}
- private @KeyStoreKeyProperties.AlgorithmEnum String getKeyAlgorithm(KeyPairGeneratorSpec spec) {
+ private @KeyStoreKeyProperties.KeyAlgorithmEnum String getKeyAlgorithm(
+ KeyPairGeneratorSpec spec) {
String result = spec.getKeyType();
if (result != null) {
return result;
@@ -249,10 +250,10 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi {
}
private static String getDefaultSignatureAlgorithmForKeyAlgorithm(
- @KeyStoreKeyProperties.AlgorithmEnum String algorithm) {
- if (KeyStoreKeyProperties.Algorithm.RSA.equalsIgnoreCase(algorithm)) {
+ @KeyStoreKeyProperties.KeyAlgorithmEnum String algorithm) {
+ if (KeyStoreKeyProperties.KEY_ALGORITHM_RSA.equalsIgnoreCase(algorithm)) {
return "sha256WithRSA";
- } else if (KeyStoreKeyProperties.Algorithm.EC.equalsIgnoreCase(algorithm)) {
+ } else if (KeyStoreKeyProperties.KEY_ALGORITHM_EC.equalsIgnoreCase(algorithm)) {
return "sha256WithECDSA";
} else {
throw new IllegalArgumentException("Unsupported key type " + algorithm);
@@ -288,7 +289,7 @@ public abstract class AndroidKeyPairGenerator extends KeyPairGeneratorSpi {
}
KeyPairGeneratorSpec spec = (KeyPairGeneratorSpec) params;
- @KeyStoreKeyProperties.AlgorithmEnum String keyAlgorithm = getKeyAlgorithm(spec);
+ @KeyStoreKeyProperties.KeyAlgorithmEnum String keyAlgorithm = getKeyAlgorithm(spec);
int keyType = KeyStore.getKeyTypeForAlgorithm(keyAlgorithm);
if (keyType == -1) {
throw new InvalidAlgorithmParameterException(
diff --git a/keystore/java/android/security/AndroidKeyStore.java b/keystore/java/android/security/AndroidKeyStore.java
index 69d80e6..7ac236a 100644
--- a/keystore/java/android/security/AndroidKeyStore.java
+++ b/keystore/java/android/security/AndroidKeyStore.java
@@ -129,10 +129,10 @@ public class AndroidKeyStore extends KeyStoreSpi {
keymasterDigest = keymasterDigests.get(0);
}
- @KeyStoreKeyProperties.AlgorithmEnum String keyAlgorithmString;
+ @KeyStoreKeyProperties.KeyAlgorithmEnum String keyAlgorithmString;
try {
keyAlgorithmString =
- KeyStoreKeyProperties.Algorithm.fromKeymasterSecretKeyAlgorithm(
+ KeyStoreKeyProperties.KeyAlgorithm.fromKeymasterSecretKeyAlgorithm(
keymasterAlgorithm, keymasterDigest);
} catch (IllegalArgumentException e) {
throw (UnrecoverableKeyException)
@@ -453,10 +453,10 @@ public class AndroidKeyStore extends KeyStoreSpi {
int keymasterAlgorithm;
int keymasterDigest;
try {
- keymasterAlgorithm = KeyStoreKeyProperties.Algorithm.toKeymasterSecretKeyAlgorithm(
+ keymasterAlgorithm = KeyStoreKeyProperties.KeyAlgorithm.toKeymasterSecretKeyAlgorithm(
keyAlgorithmString);
keymasterDigest =
- KeyStoreKeyProperties.Algorithm.toKeymasterDigest(keyAlgorithmString);
+ KeyStoreKeyProperties.KeyAlgorithm.toKeymasterDigest(keyAlgorithmString);
} catch (IllegalArgumentException e) {
throw new KeyStoreException("Unsupported secret key algorithm: " + keyAlgorithmString);
}
@@ -497,7 +497,7 @@ public class AndroidKeyStore extends KeyStoreSpi {
@KeyStoreKeyProperties.PurposeEnum int purposes = params.getPurposes();
int[] keymasterBlockModes =
KeyStoreKeyProperties.BlockMode.allToKeymaster(params.getBlockModes());
- if (((purposes & KeyStoreKeyProperties.Purpose.ENCRYPT) != 0)
+ if (((purposes & KeyStoreKeyProperties.PURPOSE_ENCRYPT) != 0)
&& (params.isRandomizedEncryptionRequired())) {
for (int keymasterBlockMode : keymasterBlockModes) {
if (!KeymasterUtils.isKeymasterBlockModeIndCpaCompatible(keymasterBlockMode)) {
@@ -536,7 +536,7 @@ public class AndroidKeyStore extends KeyStoreSpi {
// TODO: Remove this once keymaster does not require us to specify the size of imported key.
args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, keyMaterial.length * 8);
- if (((purposes & KeyStoreKeyProperties.Purpose.ENCRYPT) != 0)
+ if (((purposes & KeyStoreKeyProperties.PURPOSE_ENCRYPT) != 0)
&& (!params.isRandomizedEncryptionRequired())) {
// Permit caller-provided IV when encrypting with this key
args.addBoolean(KeymasterDefs.KM_TAG_CALLER_NONCE);
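Review bot: The comment on `KM_TAG_CALLER_NONCE` says what the tag permits but not what the caller gives up. This branch is only reached when `isRandomizedEncryptionRequired()` is false, so the keystore no longer chooses the IV and IV uniqueness becomes the app's responsibility. I would extend the comment to something like `// Permit caller-provided IV when encrypting with this key. The caller opted out of randomized encryption, so IND-CPA now depends on the caller never reusing an IV.` The enclosing method starts and ends outside the hunk.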
diff --git a/keystore/java/android/security/KeyChain.java b/keystore/java/android/security/KeyChain.java
index d3dbebf..3853eca 100644
--- a/keystore/java/android/security/KeyChain.java
+++ b/keystore/java/android/security/KeyChain.java
@@ -266,7 +266,7 @@ public final class KeyChain {
*/
public static void choosePrivateKeyAlias(@NonNull Activity activity,
@NonNull KeyChainAliasCallback response,
- @KeyStoreKeyProperties.AlgorithmEnum String[] keyTypes, Principal[] issuers,
+ @KeyStoreKeyProperties.KeyAlgorithmEnum String[] keyTypes, Principal[] issuers,
@Nullable String host, int port, @Nullable String alias) {
choosePrivateKeyAlias(activity, response, keyTypes, issuers, host, port, null, alias);
}
@@ -312,7 +312,7 @@ public final class KeyChain {
*/
public static void choosePrivateKeyAlias(@NonNull Activity activity,
@NonNull KeyChainAliasCallback response,
- @KeyStoreKeyProperties.AlgorithmEnum String[] keyTypes, Principal[] issuers,
+ @KeyStoreKeyProperties.KeyAlgorithmEnum String[] keyTypes, Principal[] issuers,
@Nullable String host, int port, @Nullable String url, @Nullable String alias) {
/*
* TODO currently keyTypes, issuers are unused. They are meant
@@ -439,10 +439,10 @@ public final class KeyChain {
* "RSA").
*/
public static boolean isKeyAlgorithmSupported(
- @NonNull @KeyStoreKeyProperties.AlgorithmEnum String algorithm) {
+ @NonNull @KeyStoreKeyProperties.KeyAlgorithmEnum String algorithm) {
final String algUpper = algorithm.toUpperCase(Locale.US);
- return KeyStoreKeyProperties.Algorithm.EC.equals(algUpper)
- || KeyStoreKeyProperties.Algorithm.RSA.equals(algUpper);
+ return KeyStoreKeyProperties.KEY_ALGORITHM_EC.equals(algUpper)
+ || KeyStoreKeyProperties.KEY_ALGORITHM_RSA.equals(algUpper);
}
/**
@@ -453,7 +453,7 @@ public final class KeyChain {
* that makes it non-exportable.
*/
public static boolean isBoundKeyAlgorithm(
- @NonNull @KeyStoreKeyProperties.AlgorithmEnum String algorithm) {
+ @NonNull @KeyStoreKeyProperties.KeyAlgorithmEnum String algorithm) {
if (!isKeyAlgorithmSupported(algorithm)) {
return false;
}
diff --git a/keystore/java/android/security/KeyGeneratorSpec.java b/keystore/java/android/security/KeyGeneratorSpec.java
index 3849fae..e63566b 100644
--- a/keystore/java/android/security/KeyGeneratorSpec.java
+++ b/keystore/java/android/security/KeyGeneratorSpec.java
@@ -56,13 +56,13 @@ import javax.crypto.KeyGenerator;
* been authenticated within the last five minutes.
* <pre> {@code
* KeyGenerator keyGenerator = KeyGenerator.getInstance(
- * KeyStoreKeyProperties.Algorithm.HMAC_SHA256,
+ * KeyStoreKeyProperties.KEY_ALGORITHM_HMAC_SHA256,
* "AndroidKeyStore");
* keyGenerator.initialize(
* new KeyGeneratorSpec.Builder(context)
* .setAlias("key1")
- * .setPurposes(KeyStoreKeyProperties.Purpose.SIGN
- * | KeyStoreKeyProperties.Purpose.VERIFY)
+ * .setPurposes(KeyStoreKeyProperties.PURPOSE_SIGN
+ * | KeyStoreKeyProperties.PURPOSE_VERIFY)
* // Only permit this key to be used if the user authenticated
* // within the last five minutes.
* .setUserAuthenticationRequired(true)
@@ -192,20 +192,21 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Gets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which the
- * key can be used.
+ * Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used.
+ * Attempts to use the key for any other purpose will be rejected.
*
- * @see KeyStoreKeyProperties.Purpose
+ * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags.
*/
public @KeyStoreKeyProperties.PurposeEnum int getPurposes() {
return mPurposes;
}
/**
- * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with which
- * the key can be used when encrypting/decrypting.
+ * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with
+ * which the key can be used when encrypting/decrypting. Attempts to use the key with any
+ * other padding scheme will be rejected.
*
- * @see KeyStoreKeyProperties.EncryptionPadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants.
*/
@NonNull
public @KeyStoreKeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() {
@@ -213,9 +214,11 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used.
+ * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used
+ * when encrypting/decrypting. Attempts to use the key with any other block modes will be
+ * rejected.
*
- * @see KeyStoreKeyProperties.BlockMode
+ * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants.
*/
@NonNull
public @KeyStoreKeyProperties.BlockModeEnum String[] getBlockModes() {
@@ -394,12 +397,12 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Sets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which
- * the key can be used.
+ * Sets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used.
+ * Attempts to use the key for any other purpose will be rejected.
*
* <p>This must be specified for all keys. There is no default.
*
- * @see KeyStoreKeyProperties.Purpose
+ * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags.
*/
@NonNull
public Builder setPurposes(@KeyStoreKeyProperties.PurposeEnum int purposes) {
@@ -414,7 +417,7 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
*
* <p>This must be specified for keys which are used for encryption/decryption.
*
- * @see KeyStoreKeyProperties.EncryptionPadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants.
*/
@NonNull
public Builder setEncryptionPaddings(
@@ -430,7 +433,7 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
*
* <p>This must be specified for encryption/decryption keys.
*
- * @see KeyStoreKeyProperties.BlockMode
+ * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants.
*/
@NonNull
public Builder setBlockModes(@KeyStoreKeyProperties.BlockModeEnum String... blockModes) {
diff --git a/keystore/java/android/security/KeyPairGeneratorSpec.java b/keystore/java/android/security/KeyPairGeneratorSpec.java
index 08af16c..b07c052 100644
--- a/keystore/java/android/security/KeyPairGeneratorSpec.java
+++ b/keystore/java/android/security/KeyPairGeneratorSpec.java
@@ -69,16 +69,16 @@ import javax.security.auth.x500.X500Principal;
* digest and only if the user has been authenticated within the last five minutes.
* <pre> {@code
* KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(
- * KeyStoreKeyProperties.Algorithm.EC,
+ * KeyStoreKeyProperties.KEY_ALGORITHM_EC,
* "AndroidKeyStore");
* keyPairGenerator.initialize(
* new KeyGeneratorSpec.Builder(context)
* .setAlias("key2")
- * .setPurposes(KeyStoreKeyProperties.Purpose.SIGN
- * | KeyStoreKeyProperties.Purpose.VERIFY)
- * .setDigests(KeyStoreKeyProperties.Digest.SHA256
- * | KeyStoreKeyProperties.Digest.SHA384
- * | KeyStoreKeyProperties.Digest.SHA512)
+ * .setPurposes(KeyStoreKeyProperties.PURPOSE_SIGN
+ * | KeyStoreKeyProperties.PURPOSE_VERIFY)
+ * .setDigests(KeyStoreKeyProperties.DIGEST_SHA256
+ * | KeyStoreKeyProperties.DIGEST_SHA384
+ * | KeyStoreKeyProperties.DIGEST_SHA512)
* // Only permit this key to be used if the user authenticated
* // within the last five minutes.
* .setUserAuthenticationRequired(true)
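Review bot: The renamed Javadoc sample still combines the digest constants with `|`, but the api/current.txt section of this commit declares `DIGEST_SHA256`, `DIGEST_SHA384` and `DIGEST_SHA512` as `java.lang.String`, so the snippet cannot compile as written. Assuming `setDigests` takes varargs like `setBlockModes(String...)` does (its signature is not visible here), the call should read `.setDigests(KeyStoreKeyProperties.DIGEST_SHA256, KeyStoreKeyProperties.DIGEST_SHA384, KeyStoreKeyProperties.DIGEST_SHA512)`. The sample also builds `new KeyGeneratorSpec.Builder(context)` inside the `KeyPairGeneratorSpec` class documentation, which looks like a copy-paste slip for `KeyPairGeneratorSpec.Builder`. The Javadoc block begins and ends outside the hunk.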
@@ -287,10 +287,11 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Returns the key type (e.g., "EC", "RSA") specified by this parameter.
+ * Returns the type of key pair (e.g., {@code EC}, {@code RSA}) to be generated. See
+ * {@link KeyStoreKeyProperties}.{@code KEY_ALGORITHM} constants.
*/
@Nullable
- public @KeyStoreKeyProperties.AlgorithmEnum String getKeyType() {
+ public @KeyStoreKeyProperties.KeyAlgorithmEnum String getKeyType() {
return mKeyType;
}
@@ -395,10 +396,10 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Gets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which the
- * key can be used.
+ * Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used.
+ * Attempts to use the key for any other purpose will be rejected.
*
- * @see KeyStoreKeyProperties.Purpose
+ * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags.
*/
public @KeyStoreKeyProperties.PurposeEnum int getPurposes() {
return mPurposes;
@@ -416,10 +417,11 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Gets the set of padding schemes (e.g., {@code PKCS1Padding}, {@code NoPadding}) with which
- * the key can be used when encrypting/decrypting.
+ * Gets the set of padding schemes (e.g., {@code OEAPPadding}, {@code PKCS1Padding},
+ * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to use
+ * the key with any other padding scheme will be rejected.
*
- * @see KeyStoreKeyProperties.EncryptionPadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants.
*/
@NonNull
public @KeyStoreKeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() {
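Review bot: The new Javadoc for `getEncryptionPaddings()` spells the padding name `{@code OEAPPadding}`, while the constant added in this commit is `ENCRYPTION_PADDING_RSA_OAEP = "OAEPPadding"` and the matching setter Javadoc uses `OAEPPadding`. A developer copying the name from the getter docs into a transformation string would get an unsupported-padding failure. Change it to `{@code OAEPPadding}`.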
@@ -427,10 +429,11 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Gets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when
- * signing/verifying.
+ * Gets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key
+ * can be used when signing/verifying. Attempts to use the key with any other padding scheme
+ * will be rejected.
*
- * @see KeyStoreKeyProperties.SignaturePadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants.
*/
@NonNull
public @KeyStoreKeyProperties.SignaturePaddingEnum String[] getSignaturePaddings() {
@@ -438,9 +441,11 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used.
+ * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used
+ * when encrypting/decrypting. Attempts to use the key with any other block modes will be
+ * rejected.
*
- * @see KeyStoreKeyProperties.BlockMode
+ * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants.
*/
@NonNull
public @KeyStoreKeyProperties.BlockModeEnum String[] getBlockModes() {
@@ -580,10 +585,12 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Sets the key type (e.g., EC, RSA) of the keypair to be created.
+ * Sets the type of key pair (e.g., {@code EC}, {@code RSA}) of the key pair to be
+ * generated. See {@link KeyStoreKeyProperties}.{@code KEY_ALGORITHM} constants.
+ *
*/
@NonNull
- public Builder setKeyType(@NonNull @KeyStoreKeyProperties.AlgorithmEnum String keyType)
+ public Builder setKeyType(@NonNull @KeyStoreKeyProperties.KeyAlgorithmEnum String keyType)
throws NoSuchAlgorithmException {
if (keyType == null) {
throw new NullPointerException("keyType == null");
@@ -713,7 +720,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
*
* <p>By default, the key is valid at any instant.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
* @see #setKeyValidityEnd(Date)
*/
@@ -728,7 +735,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
*
* <p>By default, the key is valid at any instant.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
* @see #setKeyValidityStart(Date)
* @see #setKeyValidityForConsumptionEnd(Date)
@@ -746,7 +753,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
*
* <p>By default, the key is valid at any instant.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
* @see #setKeyValidityForConsumptionEnd(Date)
*/
@@ -762,7 +769,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
*
* <p>By default, the key is valid at any instant.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
* @see #setKeyValidityForOriginationEnd(Date)
*/
@@ -773,20 +780,20 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Sets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which
- * the key can be used.
+ * Sets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used.
+ * Attempts to use the key for any other purpose will be rejected.
*
* <p>This must be specified for all keys. There is no default.
*
* <p>If the set of purposes for which the key can be used does not contain
- * {@link KeyStoreKeyProperties.Purpose#SIGN}, the self-signed certificate generated by
+ * {@link KeyStoreKeyProperties#PURPOSE_SIGN}, the self-signed certificate generated by
* {@link KeyPairGenerator} of {@code AndroidKeyStore} provider will contain an invalid
* signature. This is OK if the certificate is only used for obtaining the public key from
* Android KeyStore.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
- * @see KeyStoreKeyProperties.Purpose
+ * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags.
*/
@NonNull
public Builder setPurposes(@KeyStoreKeyProperties.PurposeEnum int purposes) {
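Review bot: The sentence added here, "Attempts to use the key for any other purpose will be rejected", sits in the same Javadoc as "NOTE: This has currently no effect", so the comment both promises enforcement and denies it. A reader who stops at the first paragraph will assume the purpose restriction is a security boundary for key pairs when, per the note, it is not yet applied. I would qualify the new sentence, e.g. `Once enforced, attempts to use the key for any other purpose will be rejected.`, or move the NOTE directly under the summary. The same applies to the getter Javadoc in the hunks at -395, -416, -427 and -438, which add the "will be rejected" wording with no caveat at all, and to the setters in the hunks at -812, -830 and -848.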
@@ -801,7 +808,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
*
* <p>This must be specified for keys which are used for signing/verification.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
* @see KeyStoreKeyProperties.Digest
*/
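Review bot: `@see KeyStoreKeyProperties.Digest` is left unchanged in this hunk although every other `@see` to a nested constants class in this file is replaced by the new `<p>See ...` form. The api/current.txt section removes `KeyStoreKeyProperties.Digest` from the public API, so this link would point at a class that is no longer public (it may still exist as a hidden helper, as `BlockMode.allToKeymaster` does in AndroidKeyStore.java). For consistency, replace it with `<p>See {@link KeyStoreKeyProperties}.{@code DIGEST} constants.` The documented method's signature is outside the hunk.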
@@ -812,15 +819,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Sets the set of padding schemes (e.g., {@code PKCS1Padding}, {@code NoPadding}) with
- * which the key can be used when encrypting/decrypting. Attempts to use the key with any
- * other padding scheme will be rejected.
+ * Sets the set of padding schemes (e.g., {@code OAEPPadding}, {@code PKCS1Padding},
+ * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to
+ * use the key with any other padding scheme will be rejected.
*
* <p>This must be specified for keys which are used for encryption/decryption.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
- * @see KeyStoreKeyProperties.EncryptionPadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants.
*/
@NonNull
public Builder setEncryptionPaddings(
@@ -830,15 +837,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Sets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when
- * signing/verifying. Attempts to use the key with any other padding scheme will be
- * rejected.
+ * Sets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key
+ * can be used when signing/verifying. Attempts to use the key with any other padding scheme
+ * will be rejected.
*
* <p>This must be specified for RSA keys which are used for signing/verification.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
- * @see KeyStoreKeyProperties.SignaturePadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants.
*/
@NonNull
public Builder setSignaturePaddings(
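Review bot: The new example `{@code PKCS#1}` in the `setSignaturePaddings` Javadoc is not a string the API accepts. The constant this commit adds is `SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1"`, and `SignaturePadding.toKeymaster` throws `IllegalArgumentException` for anything other than `PKCS1` or `PSS`. Because it sits in `{@code}` next to the literal `PSS`, a reader will take it as a value to pass. Write `{@code PKCS1}` here, and likewise in the `getSignaturePaddings` Javadoc changed in KeyStoreKeySpec.java. The body of `setSignaturePaddings` is outside the hunk.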
@@ -848,15 +855,15 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
- * Sets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be
- * used when encrypting/decrypting. Attempts to use the key with any other block modes will
- * be rejected.
+ * Sets the set of block modes (e.g., {@code ECB}, {@code CBC}, {@code CTR}) with which the
+ * key can be used when encrypting/decrypting. Attempts to use the key with any other block
+ * modes will be rejected.
*
* <p>This must be specified for encryption/decryption keys.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
- * @see KeyStoreKeyProperties.BlockMode
+ * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants.
*/
@NonNull
public Builder setBlockModes(@KeyStoreKeyProperties.BlockModeEnum String... blockModes) {
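Review bot: The `setBlockModes` Javadoc now leads its examples with `{@code ECB}` and does not say that ECB is deterministic, so identical plaintext blocks encrypt to identical ciphertext blocks. The same gap is in the new public constant `BLOCK_MODE_ECB` in KeyStoreKeyProperties.java, whose Javadoc only expands the acronym. KeyStoreKeyGeneratorSpi already filters block modes through `isKeymasterBlockModeIndCpaCompatible` when randomized encryption is required, so the distinction matters to the implementation and should be visible to API users. I would order the examples as `{@code CBC}, {@code CTR}, {@code ECB}` and extend the constant's Javadoc to `/** Electronic Codebook (ECB) block mode. Deterministic: identical plaintext blocks produce identical ciphertext blocks. */`. The body of `setBlockModes` is outside the hunk.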
@@ -884,7 +891,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
* schemes which offer {@code IND-CPA}, such as PKCS#1 or OAEP.</li>
* </ul>
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*/
@NonNull
public Builder setRandomizedEncryptionRequired(boolean required) {
@@ -908,7 +915,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
* <p>This restriction applies only to private key operations. Public key operations are not
* restricted.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
* @see #setUserAuthenticationValidityDurationSeconds(int)
*/
@@ -927,7 +934,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
* <p>This restriction applies only to private key operations. Public key operations are not
* restricted.
*
- * <p><b>NOTE: This has currently no effect.
+ * <p><b>NOTE: This has currently no effect.</b>
*
* @param seconds duration in seconds or {@code -1} if the user needs to authenticate for
* every use of the key.
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 3ed8899..7e3193d 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -131,10 +131,10 @@ public class KeyStore {
return mToken;
}
- static int getKeyTypeForAlgorithm(@KeyStoreKeyProperties.AlgorithmEnum String keyType) {
- if (KeyStoreKeyProperties.Algorithm.RSA.equalsIgnoreCase(keyType)) {
+ static int getKeyTypeForAlgorithm(@KeyStoreKeyProperties.KeyAlgorithmEnum String keyType) {
+ if (KeyStoreKeyProperties.KEY_ALGORITHM_RSA.equalsIgnoreCase(keyType)) {
return NativeConstants.EVP_PKEY_RSA;
- } else if (KeyStoreKeyProperties.Algorithm.EC.equalsIgnoreCase(keyType)) {
+ } else if (KeyStoreKeyProperties.KEY_ALGORITHM_EC.equalsIgnoreCase(keyType)) {
return NativeConstants.EVP_PKEY_EC;
} else {
return -1;
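Review bot: `getKeyTypeForAlgorithm` signals an unsupported algorithm by returning `-1`, yet its parameter is now annotated `@KeyStoreKeyProperties.KeyAlgorithmEnum`, a set that also contains AES and the HMAC names, all of which land in that branch. The `toKeymaster`/`fromKeymaster` converters visible in KeyStoreKeyProperties.java throw `IllegalArgumentException` instead, so a caller used to that style can forward `-1` as a key type unchecked. The hunk shows no Javadoc on the method. At minimum add `/** Returns the EVP_PKEY type for an RSA or EC key algorithm, or {@code -1} if the algorithm is not supported (including {@code null}). */`. The method's closing lines are outside the hunk.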
diff --git a/keystore/java/android/security/KeyStoreCipherSpi.java b/keystore/java/android/security/KeyStoreCipherSpi.java
index bd601bc..4eeca47 100644
--- a/keystore/java/android/security/KeyStoreCipherSpi.java
+++ b/keystore/java/android/security/KeyStoreCipherSpi.java
@@ -496,7 +496,7 @@ public abstract class KeyStoreCipherSpi extends CipherSpi implements KeyStoreCry
if ((mIv != null) && (mIv.length > 0)) {
try {
AlgorithmParameters params =
- AlgorithmParameters.getInstance(KeyStoreKeyProperties.Algorithm.AES);
+ AlgorithmParameters.getInstance(KeyStoreKeyProperties.KEY_ALGORITHM_AES);
params.init(new IvParameterSpec(mIv));
return params;
} catch (NoSuchAlgorithmException e) {
diff --git a/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java
index 4b914c2..d734d66 100644
--- a/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java
+++ b/keystore/java/android/security/KeyStoreKeyGeneratorSpi.java
@@ -174,7 +174,7 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
spec.getEncryptionPaddings());
mKeymasterBlockModes =
KeyStoreKeyProperties.BlockMode.allToKeymaster(spec.getBlockModes());
- if (((spec.getPurposes() & KeyStoreKeyProperties.Purpose.ENCRYPT) != 0)
+ if (((spec.getPurposes() & KeyStoreKeyProperties.PURPOSE_ENCRYPT) != 0)
&& (spec.isRandomizedEncryptionRequired())) {
for (int keymasterBlockMode : mKeymasterBlockModes) {
if (!KeymasterUtils.isKeymasterBlockModeIndCpaCompatible(
@@ -247,7 +247,7 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
(spec.getKeyValidityForConsumptionEnd() != null)
? spec.getKeyValidityForConsumptionEnd() : new Date(Long.MAX_VALUE));
- if (((spec.getPurposes() & KeyStoreKeyProperties.Purpose.ENCRYPT) != 0)
+ if (((spec.getPurposes() & KeyStoreKeyProperties.PURPOSE_ENCRYPT) != 0)
&& (!spec.isRandomizedEncryptionRequired())) {
// Permit caller-provided IV when encrypting with this key
args.addBoolean(KeymasterDefs.KM_TAG_CALLER_NONCE);
@@ -265,9 +265,9 @@ public abstract class KeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
throw new ProviderException(
"Keystore operation failed", KeyStore.getKeyStoreException(errorCode));
}
- String keyAlgorithmJCA;
+ @KeyStoreKeyProperties.KeyAlgorithmEnum String keyAlgorithmJCA;
try {
- keyAlgorithmJCA = KeyStoreKeyProperties.Algorithm.fromKeymasterSecretKeyAlgorithm(
+ keyAlgorithmJCA = KeyStoreKeyProperties.KeyAlgorithm.fromKeymasterSecretKeyAlgorithm(
mKeymasterAlgorithm, mKeymasterDigest);
} catch (IllegalArgumentException e) {
throw new ProviderException("Failed to obtain JCA secret key algorithm name", e);
diff --git a/keystore/java/android/security/KeyStoreKeyProperties.java b/keystore/java/android/security/KeyStoreKeyProperties.java
index 021c6dd..b58a7dd 100644
--- a/keystore/java/android/security/KeyStoreKeyProperties.java
+++ b/keystore/java/android/security/KeyStoreKeyProperties.java
@@ -26,17 +26,9 @@ import libcore.util.EmptyArray;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
-import java.security.Key;
-import java.security.KeyFactory;
-import java.security.KeyPairGenerator;
import java.util.Collection;
import java.util.Locale;
-import javax.crypto.Cipher;
-import javax.crypto.KeyGenerator;
-import javax.crypto.Mac;
-import javax.crypto.SecretKeyFactory;
-
/**
* Properties of {@code AndroidKeyStore} keys.
*/
@@ -48,76 +40,69 @@ public abstract class KeyStoreKeyProperties {
*/
@Retention(RetentionPolicy.SOURCE)
@IntDef(flag = true,
- value = {Purpose.ENCRYPT, Purpose.DECRYPT, Purpose.SIGN, Purpose.VERIFY})
+ value = {
+ PURPOSE_ENCRYPT,
+ PURPOSE_DECRYPT,
+ PURPOSE_SIGN,
+ PURPOSE_VERIFY,
+ })
public @interface PurposeEnum {}
/**
- * Purposes of key.
+ * Purpose of key: encryption.
*/
- public static abstract class Purpose {
- private Purpose() {}
+ public static final int PURPOSE_ENCRYPT = 1 << 0;
- /**
- * Purpose: encryption.
- */
- public static final int ENCRYPT = 1 << 0;
+ /**
+ * Purpose of key: decryption.
+ */
+ public static final int PURPOSE_DECRYPT = 1 << 1;
- /**
- * Purpose: decryption.
- */
- public static final int DECRYPT = 1 << 1;
+ /**
+ * Purpose of key: signing or generating a Message Authentication Code (MAC).
+ */
+ public static final int PURPOSE_SIGN = 1 << 2;
- /**
- * Purpose: signing.
- */
- public static final int SIGN = 1 << 2;
+ /**
+ * Purpose of key: signature or Message Authentication Code (MAC) verification.
+ */
+ public static final int PURPOSE_VERIFY = 1 << 3;
- /**
- * Purpose: signature verification.
- */
- public static final int VERIFY = 1 << 3;
+ static abstract class Purpose {
+ private Purpose() {}
- /**
- * @hide
- */
- public static int toKeymaster(@PurposeEnum int purpose) {
+ static int toKeymaster(@PurposeEnum int purpose) {
switch (purpose) {
- case ENCRYPT:
+ case PURPOSE_ENCRYPT:
return KeymasterDefs.KM_PURPOSE_ENCRYPT;
- case DECRYPT:
+ case PURPOSE_DECRYPT:
return KeymasterDefs.KM_PURPOSE_DECRYPT;
- case SIGN:
+ case PURPOSE_SIGN:
return KeymasterDefs.KM_PURPOSE_SIGN;
- case VERIFY:
+ case PURPOSE_VERIFY:
return KeymasterDefs.KM_PURPOSE_VERIFY;
default:
throw new IllegalArgumentException("Unknown purpose: " + purpose);
}
}
- /**
- * @hide
- */
- public static @PurposeEnum int fromKeymaster(int purpose) {
+ static @PurposeEnum int fromKeymaster(int purpose) {
switch (purpose) {
case KeymasterDefs.KM_PURPOSE_ENCRYPT:
- return ENCRYPT;
+ return PURPOSE_ENCRYPT;
case KeymasterDefs.KM_PURPOSE_DECRYPT:
- return DECRYPT;
+ return PURPOSE_DECRYPT;
case KeymasterDefs.KM_PURPOSE_SIGN:
- return SIGN;
+ return PURPOSE_SIGN;
case KeymasterDefs.KM_PURPOSE_VERIFY:
- return VERIFY;
+ return PURPOSE_VERIFY;
default:
throw new IllegalArgumentException("Unknown purpose: " + purpose);
}
}
- /**
- * @hide
- */
@NonNull
- public static int[] allToKeymaster(@PurposeEnum int purposes) {
+ static int[] allToKeymaster(@PurposeEnum int purposes) {
int[] result = getSetFlags(purposes);
for (int i = 0; i < result.length; i++) {
result[i] = toKeymaster(result[i]);
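Review bot: `Purpose.toKeymaster` takes a parameter annotated `@PurposeEnum`, which is declared with `flag = true`, but its `switch` matches only a single `PURPOSE_*` bit. Any combination such as `PURPOSE_ENCRYPT | PURPOSE_DECRYPT` throws `IllegalArgumentException`. With the `@hide` Javadoc blocks removed, the now package-private helpers carry no documentation, so this contract is easy to miss; `allToKeymaster` is the variant that accepts a mask. Add a comment above `toKeymaster`, for example `// Expects exactly one PURPOSE_* flag; use allToKeymaster for a bit set.` The body of `allToKeymaster` continues outside the hunk.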
@@ -125,10 +110,7 @@ public abstract class KeyStoreKeyProperties {
return result;
}
- /**
- * @hide
- */
- public static @PurposeEnum int allFromKeymaster(@NonNull Collection<Integer> purposes) {
+ static @PurposeEnum int allFromKeymaster(@NonNull Collection<Integer> purposes) {
@PurposeEnum int result = 0;
for (int keymasterPurpose : purposes) {
result |= fromKeymaster(keymasterPurpose);
@@ -142,57 +124,46 @@ public abstract class KeyStoreKeyProperties {
*/
@Retention(RetentionPolicy.SOURCE)
@StringDef({
- Algorithm.RSA,
- Algorithm.EC,
- Algorithm.AES,
- Algorithm.HMAC_SHA1,
- Algorithm.HMAC_SHA224,
- Algorithm.HMAC_SHA256,
- Algorithm.HMAC_SHA384,
- Algorithm.HMAC_SHA512,
+ KEY_ALGORITHM_RSA,
+ KEY_ALGORITHM_EC,
+ KEY_ALGORITHM_AES,
+ KEY_ALGORITHM_HMAC_SHA1,
+ KEY_ALGORITHM_HMAC_SHA224,
+ KEY_ALGORITHM_HMAC_SHA256,
+ KEY_ALGORITHM_HMAC_SHA384,
+ KEY_ALGORITHM_HMAC_SHA512,
})
- public @interface AlgorithmEnum {}
+ public @interface KeyAlgorithmEnum {}
- /**
- * Key algorithms.
- *
- * <p>These are standard names which can be used to obtain instances of {@link KeyGenerator},
- * {@link KeyPairGenerator}, {@link Cipher} (as part of the transformation string), {@link Mac},
- * {@link KeyFactory}, {@link SecretKeyFactory}. These are also the names used by
- * {@link Key#getAlgorithm()}.
- */
- public static abstract class Algorithm {
- private Algorithm() {}
+ /** Rivest Shamir Adleman (RSA) key. */
+ public static final String KEY_ALGORITHM_RSA = "RSA";
- /** Rivest Shamir Adleman (RSA) key. */
- public static final String RSA = "RSA";
+ /** Elliptic Curve (EC) Cryptography key. */
+ public static final String KEY_ALGORITHM_EC = "EC";
- /** Elliptic Curve (EC) key. */
- public static final String EC = "EC";
+ /** Advanced Encryption Standard (AES) key. */
+ public static final String KEY_ALGORITHM_AES = "AES";
- /** Advanced Encryption Standard (AES) key. */
- public static final String AES = "AES";
+ /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-1 as the hash. */
+ public static final String KEY_ALGORITHM_HMAC_SHA1 = "HmacSHA1";
- /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-1 as the hash. */
- public static final String HMAC_SHA1 = "HmacSHA1";
+ /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-224 as the hash. */
+ public static final String KEY_ALGORITHM_HMAC_SHA224 = "HmacSHA224";
- /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-224 as the hash. */
- public static final String HMAC_SHA224 = "HmacSHA224";
+ /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-256 as the hash. */
+ public static final String KEY_ALGORITHM_HMAC_SHA256 = "HmacSHA256";
- /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-256 as the hash. */
- public static final String HMAC_SHA256 = "HmacSHA256";
+ /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-384 as the hash. */
+ public static final String KEY_ALGORITHM_HMAC_SHA384 = "HmacSHA384";
- /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-384 as the hash. */
- public static final String HMAC_SHA384 = "HmacSHA384";
+ /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-512 as the hash. */
+ public static final String KEY_ALGORITHM_HMAC_SHA512 = "HmacSHA512";
- /** Keyed-Hash Message Authentication Code (HMAC) key using SHA-512 as the hash. */
- public static final String HMAC_SHA512 = "HmacSHA512";
+ static abstract class KeyAlgorithm {
+ private KeyAlgorithm() {}
- /**
- * @hide
- */
- static int toKeymasterSecretKeyAlgorithm(@NonNull @AlgorithmEnum String algorithm) {
- if (AES.equalsIgnoreCase(algorithm)) {
+ static int toKeymasterSecretKeyAlgorithm(@NonNull @KeyAlgorithmEnum String algorithm) {
+ if (KEY_ALGORITHM_AES.equalsIgnoreCase(algorithm)) {
return KeymasterDefs.KM_ALGORITHM_AES;
} else if (algorithm.toUpperCase(Locale.US).startsWith("HMAC")) {
return KeymasterDefs.KM_ALGORITHM_HMAC;
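Review bot: `toKeymasterSecretKeyAlgorithm` maps every string that begins with `HMAC` (case-insensitively) to `KM_ALGORITHM_HMAC`, so a name outside the `KeyAlgorithmEnum` set, such as a constructed `HmacFoo`, is accepted at this point. Whether it is rejected later depends on each caller also running `toKeymasterDigest`, whose body is not in this hunk. Now that the supported names are flat constants, comparing against them the way the AES branch does would keep this method in step with the annotation. The method continues outside the hunk.

```java
static int toKeymasterSecretKeyAlgorithm(@NonNull @KeyAlgorithmEnum String algorithm) {
    if (KEY_ALGORITHM_AES.equalsIgnoreCase(algorithm)) {
        return KeymasterDefs.KM_ALGORITHM_AES;
    } else if (KEY_ALGORITHM_HMAC_SHA1.equalsIgnoreCase(algorithm)
            || KEY_ALGORITHM_HMAC_SHA224.equalsIgnoreCase(algorithm)
            || KEY_ALGORITHM_HMAC_SHA256.equalsIgnoreCase(algorithm)
            || KEY_ALGORITHM_HMAC_SHA384.equalsIgnoreCase(algorithm)
            || KEY_ALGORITHM_HMAC_SHA512.equalsIgnoreCase(algorithm)) {
        return KeymasterDefs.KM_ALGORITHM_HMAC;
    // … unchanged: final else branch for unsupported algorithms …
```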
@@ -202,11 +173,8 @@ public abstract class KeyStoreKeyProperties {
}
}
- /**
- * @hide
- */
@NonNull
- static @AlgorithmEnum String fromKeymasterSecretKeyAlgorithm(
+ static @KeyAlgorithmEnum String fromKeymasterSecretKeyAlgorithm(
int keymasterAlgorithm, int keymasterDigest) {
switch (keymasterAlgorithm) {
case KeymasterDefs.KM_ALGORITHM_AES:
@@ -214,26 +182,26 @@ public abstract class KeyStoreKeyProperties {
throw new IllegalArgumentException("Digest not supported for AES key: "
+ Digest.fromKeymaster(keymasterDigest));
}
- return AES;
+ return KEY_ALGORITHM_AES;
case KeymasterDefs.KM_ALGORITHM_HMAC:
switch (keymasterDigest) {
case KeymasterDefs.KM_DIGEST_SHA1:
- return HMAC_SHA1;
+ return KEY_ALGORITHM_HMAC_SHA1;
case KeymasterDefs.KM_DIGEST_SHA_2_224:
- return HMAC_SHA224;
+ return KEY_ALGORITHM_HMAC_SHA224;
case KeymasterDefs.KM_DIGEST_SHA_2_256:
- return HMAC_SHA256;
+ return KEY_ALGORITHM_HMAC_SHA256;
case KeymasterDefs.KM_DIGEST_SHA_2_384:
- return HMAC_SHA384;
+ return KEY_ALGORITHM_HMAC_SHA384;
case KeymasterDefs.KM_DIGEST_SHA_2_512:
- return HMAC_SHA512;
+ return KEY_ALGORITHM_HMAC_SHA512;
default:
throw new IllegalArgumentException("Unsupported HMAC digest: "
+ Digest.fromKeymaster(keymasterDigest));
}
default:
throw new IllegalArgumentException(
- "Unsupported algorithm: " + keymasterAlgorithm);
+ "Unsupported key algorithm: " + keymasterAlgorithm);
}
}
@@ -242,7 +210,7 @@ public abstract class KeyStoreKeyProperties {
*
* @return keymaster digest or {@code -1} if the algorithm does not involve a digest.
*/
- static int toKeymasterDigest(@NonNull @AlgorithmEnum String algorithm) {
+ static int toKeymasterDigest(@NonNull @KeyAlgorithmEnum String algorithm) {
String algorithmUpper = algorithm.toUpperCase(Locale.US);
if (algorithmUpper.startsWith("HMAC")) {
String digestUpper = algorithmUpper.substring("HMAC".length());
@@ -272,70 +240,58 @@ public abstract class KeyStoreKeyProperties {
*/
@Retention(RetentionPolicy.SOURCE)
@StringDef({
- BlockMode.ECB,
- BlockMode.CBC,
- BlockMode.CTR,
- BlockMode.GCM,
+ BLOCK_MODE_ECB,
+ BLOCK_MODE_CBC,
+ BLOCK_MODE_CTR,
+ BLOCK_MODE_GCM,
})
public @interface BlockModeEnum {}
- /**
- * Block modes that can be used when encrypting/decrypting using a key.
- */
- public static abstract class BlockMode {
- private BlockMode() {}
+ /** Electronic Codebook (ECB) block mode. */
+ public static final String BLOCK_MODE_ECB = "ECB";
- /** Electronic Codebook (ECB) block mode. */
- public static final String ECB = "ECB";
+ /** Cipher Block Chaining (CBC) block mode. */
+ public static final String BLOCK_MODE_CBC = "CBC";
- /** Cipher Block Chaining (CBC) block mode. */
- public static final String CBC = "CBC";
+ /** Counter (CTR) block mode. */
+ public static final String BLOCK_MODE_CTR = "CTR";
- /** Counter (CTR) block mode. */
- public static final String CTR = "CTR";
+ /** Galois/Counter Mode (GCM) block mode. */
+ public static final String BLOCK_MODE_GCM = "GCM";
- /** Galois/Counter Mode (GCM) block mode. */
- public static final String GCM = "GCM";
+ static abstract class BlockMode {
+ private BlockMode() {}
- /**
- * @hide
- */
static int toKeymaster(@NonNull @BlockModeEnum String blockMode) {
- if (ECB.equalsIgnoreCase(blockMode)) {
+ if (BLOCK_MODE_ECB.equalsIgnoreCase(blockMode)) {
return KeymasterDefs.KM_MODE_ECB;
- } else if (CBC.equalsIgnoreCase(blockMode)) {
+ } else if (BLOCK_MODE_CBC.equalsIgnoreCase(blockMode)) {
return KeymasterDefs.KM_MODE_CBC;
- } else if (CTR.equalsIgnoreCase(blockMode)) {
+ } else if (BLOCK_MODE_CTR.equalsIgnoreCase(blockMode)) {
return KeymasterDefs.KM_MODE_CTR;
- } else if (GCM.equalsIgnoreCase(blockMode)) {
+ } else if (BLOCK_MODE_GCM.equalsIgnoreCase(blockMode)) {
return KeymasterDefs.KM_MODE_GCM;
} else {
throw new IllegalArgumentException("Unsupported block mode: " + blockMode);
}
}
- /**
- * @hide
- */
@NonNull
static @BlockModeEnum String fromKeymaster(int blockMode) {
switch (blockMode) {
case KeymasterDefs.KM_MODE_ECB:
- return ECB;
+ return BLOCK_MODE_ECB;
case KeymasterDefs.KM_MODE_CBC:
- return CBC;
+ return BLOCK_MODE_CBC;
case KeymasterDefs.KM_MODE_CTR:
- return CTR;
+ return BLOCK_MODE_CTR;
case KeymasterDefs.KM_MODE_GCM:
- return GCM;
+ return BLOCK_MODE_GCM;
default:
throw new IllegalArgumentException("Unsupported block mode: " + blockMode);
}
}
- /**
- * @hide
- */
@NonNull
static @BlockModeEnum String[] allFromKeymaster(@NonNull Collection<Integer> blockModes) {
if ((blockModes == null) || (blockModes.isEmpty())) {
@@ -350,9 +306,6 @@ public abstract class KeyStoreKeyProperties {
return result;
}
- /**
- * @hide
- */
static int[] allToKeymaster(@Nullable @BlockModeEnum String[] blockModes) {
if ((blockModes == null) || (blockModes.length == 0)) {
return EmptyArray.INT;
@@ -370,50 +323,44 @@ public abstract class KeyStoreKeyProperties {
*/
@Retention(RetentionPolicy.SOURCE)
@StringDef({
- EncryptionPadding.NONE,
- EncryptionPadding.PKCS7,
- EncryptionPadding.RSA_PKCS1,
- EncryptionPadding.RSA_OAEP,
+ ENCRYPTION_PADDING_NONE,
+ ENCRYPTION_PADDING_PKCS7,
+ ENCRYPTION_PADDING_RSA_PKCS1,
+ ENCRYPTION_PADDING_RSA_OAEP,
})
public @interface EncryptionPaddingEnum {}
/**
- * Padding schemes for encryption/decryption.
+ * No encryption padding.
*/
- public static abstract class EncryptionPadding {
- private EncryptionPadding() {}
+ public static final String ENCRYPTION_PADDING_NONE = "NoPadding";
- /**
- * No padding.
- */
- public static final String NONE = "NoPadding";
+ /**
+ * PKCS#7 encryption padding scheme.
+ */
+ public static final String ENCRYPTION_PADDING_PKCS7 = "PKCS7Padding";
- /**
- * PKCS#7 padding.
- */
- public static final String PKCS7 = "PKCS7Padding";
+ /**
+ * RSA PKCS#1 v1.5 padding scheme for encryption.
+ */
+ public static final String ENCRYPTION_PADDING_RSA_PKCS1 = "PKCS1Padding";
- /**
- * RSA PKCS#1 v1.5 padding for encryption/decryption.
- */
- public static final String RSA_PKCS1 = "PKCS1Padding";
+ /**
+ * RSA Optimal Asymmetric Encryption Padding (OAEP) scheme.
+ */
+ public static final String ENCRYPTION_PADDING_RSA_OAEP = "OAEPPadding";
- /**
- * RSA Optimal Asymmetric Encryption Padding (OAEP).
- */
- public static final String RSA_OAEP = "OAEPPadding";
+ static abstract class EncryptionPadding {
+ private EncryptionPadding() {}
- /**
- * @hide
- */
static int toKeymaster(@NonNull @EncryptionPaddingEnum String padding) {
- if (NONE.equalsIgnoreCase(padding)) {
+ if (ENCRYPTION_PADDING_NONE.equalsIgnoreCase(padding)) {
return KeymasterDefs.KM_PAD_NONE;
- } else if (PKCS7.equalsIgnoreCase(padding)) {
+ } else if (ENCRYPTION_PADDING_PKCS7.equalsIgnoreCase(padding)) {
return KeymasterDefs.KM_PAD_PKCS7;
- } else if (RSA_PKCS1.equalsIgnoreCase(padding)) {
+ } else if (ENCRYPTION_PADDING_RSA_PKCS1.equalsIgnoreCase(padding)) {
return KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_ENCRYPT;
- } else if (RSA_OAEP.equalsIgnoreCase(padding)) {
+ } else if (ENCRYPTION_PADDING_RSA_OAEP.equalsIgnoreCase(padding)) {
return KeymasterDefs.KM_PAD_RSA_OAEP;
} else {
throw new IllegalArgumentException(
@@ -421,29 +368,23 @@ public abstract class KeyStoreKeyProperties {
}
}
- /**
- * @hide
- */
@NonNull
static @EncryptionPaddingEnum String fromKeymaster(int padding) {
switch (padding) {
case KeymasterDefs.KM_PAD_NONE:
- return NONE;
+ return ENCRYPTION_PADDING_NONE;
case KeymasterDefs.KM_PAD_PKCS7:
- return PKCS7;
+ return ENCRYPTION_PADDING_PKCS7;
case KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_ENCRYPT:
- return RSA_PKCS1;
+ return ENCRYPTION_PADDING_RSA_PKCS1;
case KeymasterDefs.KM_PAD_RSA_OAEP:
- return RSA_OAEP;
+ return ENCRYPTION_PADDING_RSA_OAEP;
default:
throw new IllegalArgumentException(
"Unsupported encryption padding: " + padding);
}
}
- /**
- * @hide
- */
@NonNull
static int[] allToKeymaster(@Nullable @EncryptionPaddingEnum String[] paddings) {
if ((paddings == null) || (paddings.length == 0)) {
@@ -462,35 +403,29 @@ public abstract class KeyStoreKeyProperties {
*/
@Retention(RetentionPolicy.SOURCE)
@StringDef({
- SignaturePadding.RSA_PKCS1,
- SignaturePadding.RSA_PSS,
+ SIGNATURE_PADDING_RSA_PKCS1,
+ SIGNATURE_PADDING_RSA_PSS,
})
public @interface SignaturePaddingEnum {}
/**
- * Padding schemes for signing/verification.
+ * RSA PKCS#1 v1.5 padding for signatures.
*/
- public static abstract class SignaturePadding {
- private SignaturePadding() {}
+ public static final String SIGNATURE_PADDING_RSA_PKCS1 = "PKCS1";
- /**
- * RSA PKCS#1 v1.5 padding for signatures.
- */
- public static final String RSA_PKCS1 = "PKCS1";
+ /**
+ * RSA PKCS#1 v2.1 Probabilistic Signature Scheme (PSS) padding.
+ */
+ public static final String SIGNATURE_PADDING_RSA_PSS = "PSS";
- /**
- * RSA PKCS#1 v2.1 Probabilistic Signature Scheme (PSS) padding.
- */
- public static final String RSA_PSS = "PSS";
+ static abstract class SignaturePadding {
+ private SignaturePadding() {}
- /**
- * @hide
- */
static int toKeymaster(@NonNull @SignaturePaddingEnum String padding) {
switch (padding.toUpperCase(Locale.US)) {
- case RSA_PKCS1:
+ case SIGNATURE_PADDING_RSA_PKCS1:
return KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_SIGN;
- case RSA_PSS:
+ case SIGNATURE_PADDING_RSA_PSS:
return KeymasterDefs.KM_PAD_RSA_PSS;
default:
throw new IllegalArgumentException(
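Review bot: `SignaturePadding.toKeymaster` upper-cases its input and then switches on the constants, which only works while every `SIGNATURE_PADDING_*` value is itself all upper case. A mixed-case value, as `ENCRYPTION_PADDING_NONE = "NoPadding"` is, would make its case label unreachable without any compile-time signal. `Digest.toKeymaster` further down has the same shape, while `BlockMode.toKeymaster` and `EncryptionPadding.toKeymaster` compare with `equalsIgnoreCase` and have no such dependency. Either move these two to the same form, e.g. `if (SIGNATURE_PADDING_RSA_PKCS1.equalsIgnoreCase(padding)) {`, or record the constraint with `// Case labels must be upper case to match toUpperCase(Locale.US).` The `default` branch continues outside the hunk.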
@@ -498,24 +433,18 @@ public abstract class KeyStoreKeyProperties {
}
}
- /**
- * @hide
- */
@NonNull
static @SignaturePaddingEnum String fromKeymaster(int padding) {
switch (padding) {
case KeymasterDefs.KM_PAD_RSA_PKCS1_1_5_SIGN:
- return RSA_PKCS1;
+ return SIGNATURE_PADDING_RSA_PKCS1;
case KeymasterDefs.KM_PAD_RSA_PSS:
- return RSA_PSS;
+ return SIGNATURE_PADDING_RSA_PSS;
default:
throw new IllegalArgumentException("Unsupported signature padding: " + padding);
}
}
- /**
- * @hide
- */
@NonNull
static int[] allToKeymaster(@Nullable @SignaturePaddingEnum String[] paddings) {
if ((paddings == null) || (paddings.length == 0)) {
@@ -534,110 +463,97 @@ public abstract class KeyStoreKeyProperties {
*/
@Retention(RetentionPolicy.SOURCE)
@StringDef({
- Digest.NONE,
- Digest.MD5,
- Digest.SHA1,
- Digest.SHA224,
- Digest.SHA256,
- Digest.SHA384,
- Digest.SHA512,
+ DIGEST_NONE,
+ DIGEST_MD5,
+ DIGEST_SHA1,
+ DIGEST_SHA224,
+ DIGEST_SHA256,
+ DIGEST_SHA384,
+ DIGEST_SHA512,
})
public @interface DigestEnum {}
/**
- * Digests that can be used with a key when signing or generating Message Authentication
- * Codes (MACs).
+ * No digest: sign/authenticate the raw message.
*/
- public static abstract class Digest {
- private Digest() {}
+ public static final String DIGEST_NONE = "NONE";
- /**
- * No digest: sign/authenticate the raw message.
- */
- public static final String NONE = "NONE";
+ /**
+ * MD5 digest.
+ */
+ public static final String DIGEST_MD5 = "MD5";
- /**
- * MD5 digest.
- */
- public static final String MD5 = "MD5";
+ /**
+ * SHA-1 digest.
+ */
+ public static final String DIGEST_SHA1 = "SHA-1";
- /**
- * SHA-1 digest.
- */
- public static final String SHA1 = "SHA-1";
+ /**
+ * SHA-2 224 (aka SHA-224) digest.
+ */
+ public static final String DIGEST_SHA224 = "SHA-224";
- /**
- * SHA-2 224 (aka SHA-224) digest.
- */
- public static final String SHA224 = "SHA-224";
+ /**
+ * SHA-2 256 (aka SHA-256) digest.
+ */
+ public static final String DIGEST_SHA256 = "SHA-256";
- /**
- * SHA-2 256 (aka SHA-256) digest.
- */
- public static final String SHA256 = "SHA-256";
+ /**
+ * SHA-2 384 (aka SHA-384) digest.
+ */
+ public static final String DIGEST_SHA384 = "SHA-384";
- /**
- * SHA-2 384 (aka SHA-384) digest.
- */
- public static final String SHA384 = "SHA-384";
+ /**
+ * SHA-2 512 (aka SHA-512) digest.
+ */
+ public static final String DIGEST_SHA512 = "SHA-512";
- /**
- * SHA-2 512 (aka SHA-512) digest.
- */
- public static final String SHA512 = "SHA-512";
+ static abstract class Digest {
+ private Digest() {}
- /**
- * @hide
- */
static int toKeymaster(@NonNull @DigestEnum String digest) {
switch (digest.toUpperCase(Locale.US)) {
- case SHA1:
+ case DIGEST_SHA1:
return KeymasterDefs.KM_DIGEST_SHA1;
- case SHA224:
+ case DIGEST_SHA224:
return KeymasterDefs.KM_DIGEST_SHA_2_224;
- case SHA256:
+ case DIGEST_SHA256:
return KeymasterDefs.KM_DIGEST_SHA_2_256;
- case SHA384:
+ case DIGEST_SHA384:
return KeymasterDefs.KM_DIGEST_SHA_2_384;
- case SHA512:
+ case DIGEST_SHA512:
return KeymasterDefs.KM_DIGEST_SHA_2_512;
- case NONE:
+ case DIGEST_NONE:
return KeymasterDefs.KM_DIGEST_NONE;
- case MD5:
+ case DIGEST_MD5:
return KeymasterDefs.KM_DIGEST_MD5;
default:
throw new IllegalArgumentException("Unsupported digest algorithm: " + digest);
}
}
- /**
- * @hide
- */
@NonNull
static @DigestEnum String fromKeymaster(int digest) {
switch (digest) {
case KeymasterDefs.KM_DIGEST_NONE:
- return NONE;
+ return DIGEST_NONE;
case KeymasterDefs.KM_DIGEST_MD5:
- return MD5;
+ return DIGEST_MD5;
case KeymasterDefs.KM_DIGEST_SHA1:
- return SHA1;
+ return DIGEST_SHA1;
case KeymasterDefs.KM_DIGEST_SHA_2_224:
- return SHA224;
+ return DIGEST_SHA224;
case KeymasterDefs.KM_DIGEST_SHA_2_256:
- return SHA256;
+ return DIGEST_SHA256;
case KeymasterDefs.KM_DIGEST_SHA_2_384:
- return SHA384;
+ return DIGEST_SHA384;
case KeymasterDefs.KM_DIGEST_SHA_2_512:
- return SHA512;
+ return DIGEST_SHA512;
default:
throw new IllegalArgumentException("Unsupported digest algorithm: " + digest);
}
}
- /**
- * @hide
- */
@NonNull
static @DigestEnum String[] allFromKeymaster(@NonNull Collection<Integer> digests) {
if (digests.isEmpty()) {
@@ -652,9 +568,6 @@ public abstract class KeyStoreKeyProperties {
return result;
}
- /**
- * @hide
- */
@NonNull
static int[] allToKeymaster(@Nullable @DigestEnum String[] digests) {
if ((digests == null) || (digests.length == 0)) {
@@ -674,38 +587,36 @@ public abstract class KeyStoreKeyProperties {
* @hide
*/
@Retention(RetentionPolicy.SOURCE)
- @IntDef({Origin.GENERATED, Origin.IMPORTED, Origin.UNKNOWN})
+ @IntDef({
+ ORIGIN_GENERATED,
+ ORIGIN_IMPORTED,
+ ORIGIN_UNKNOWN,
+ })
public @interface OriginEnum {}
- /**
- * Origin of the key.
- */
- public static abstract class Origin {
- private Origin() {}
+ /** Key was generated inside AndroidKeyStore. */
+ public static final int ORIGIN_GENERATED = 1 << 0;
- /** Key was generated inside AndroidKeyStore. */
- public static final int GENERATED = 1 << 0;
+ /** Key was imported into AndroidKeyStore. */
+ public static final int ORIGIN_IMPORTED = 1 << 1;
- /** Key was imported into AndroidKeyStore. */
- public static final int IMPORTED = 1 << 1;
+ /**
+ * Origin of the key is unknown. This can occur only for keys backed by an old TEE-backed
+ * implementation which does not record origin information.
+ */
+ public static final int ORIGIN_UNKNOWN = 1 << 2;
- /**
- * Origin of the key is unknown. This can occur only for keys backed by an old TEE-backed
- * implementation which does not record origin information.
- */
- public static final int UNKNOWN = 1 << 2;
+ static abstract class Origin {
+ private Origin() {}
- /**
- * @hide
- */
- public static @OriginEnum int fromKeymaster(int origin) {
+ static @OriginEnum int fromKeymaster(int origin) {
switch (origin) {
case KeymasterDefs.KM_ORIGIN_GENERATED:
- return GENERATED;
+ return ORIGIN_GENERATED;
case KeymasterDefs.KM_ORIGIN_IMPORTED:
- return IMPORTED;
+ return ORIGIN_IMPORTED;
case KeymasterDefs.KM_ORIGIN_UNKNOWN:
- return UNKNOWN;
+ return ORIGIN_UNKNOWN;
default:
throw new IllegalArgumentException("Unknown origin: " + origin);
}
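Review bot: The `ORIGIN_*` constants are defined as distinct bits (`1 << 0`, `1 << 1`, `1 << 2`), but `OriginEnum` is a plain `@IntDef` without `flag = true`, unlike `PurposeEnum`. `Origin.fromKeymaster` maps one keymaster origin to exactly one constant, so the hunk does not show whether a combined value is ever meant to exist. If it is, declare `@IntDef(flag = true, value = { ... })`. If not, state it in the Javadoc, for example `Exactly one of the ORIGIN_* values.`, so that callers do not test it with bit masks. `Origin.fromKeymaster` closes outside the hunk.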
diff --git a/keystore/java/android/security/KeyStoreKeySpec.java b/keystore/java/android/security/KeyStoreKeySpec.java
index acd6404..4c43f89 100644
--- a/keystore/java/android/security/KeyStoreKeySpec.java
+++ b/keystore/java/android/security/KeyStoreKeySpec.java
@@ -135,7 +135,7 @@ public class KeyStoreKeySpec implements KeySpec {
}
/**
- * Gets the origin of the key.
+ * Gets the origin of the key. See {@link KeyStoreKeyProperties}.{@code ORIGIN} constants.
*/
public @KeyStoreKeyProperties.OriginEnum int getOrigin() {
return mOrigin;
@@ -179,19 +179,21 @@ public class KeyStoreKeySpec implements KeySpec {
}
/**
- * Gets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which the
- * key can be used.
+ * Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used.
+ * Attempts to use the key for any other purpose will be rejected.
*
- * @see KeyStoreKeyProperties.Purpose
+ * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags.
*/
public @KeyStoreKeyProperties.PurposeEnum int getPurposes() {
return mPurposes;
}
/**
- * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used.
+ * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used
+ * when encrypting/decrypting. Attempts to use the key with any other block modes will be
+ * rejected.
*
- * @see KeyStoreKeyProperties.BlockMode
+ * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants.
*/
@NonNull
public @KeyStoreKeyProperties.BlockModeEnum String[] getBlockModes() {
@@ -199,10 +201,11 @@ public class KeyStoreKeySpec implements KeySpec {
}
/**
- * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with which
- * the key can be used when encrypting/decrypting.
+ * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code PKCS1Padding},
+ * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to use
+ * the key with any other padding scheme will be rejected.
*
- * @see KeyStoreKeyProperties.EncryptionPadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants.
*/
@NonNull
public @KeyStoreKeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() {
@@ -210,10 +213,11 @@ public class KeyStoreKeySpec implements KeySpec {
}
/**
- * Gets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when
- * signing/verifying.
+ * Gets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key
+ * can be used when signing/verifying. Attempts to use the key with any other padding scheme
+ * will be rejected.
*
- * @see KeyStoreKeyProperties.SignaturePadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants.
*/
@NonNull
public @KeyStoreKeyProperties.SignaturePaddingEnum String[] getSignaturePaddings() {
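Review bot: The example `{@code PKCS#1}` added to the getSignaturePaddings() Javadoc is set in code font, which reads as a literal string a caller could compare against the returned array, whereas the encryption getter in the previous hunk uses the transformation-style name `PKCS1Padding`. The `SIGNATURE_PADDING` constant values are not visible in this hunk, so if the stored string is not literally `PKCS#1`, the example should use the real value or drop the code font, e.g. `(e.g., {@code PSS}, PKCS#1)`. The same wording is added in KeyStoreParameter.java on getSignaturePaddings() and Builder.setSignaturePaddings().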
diff --git a/keystore/java/android/security/KeyStoreParameter.java b/keystore/java/android/security/KeyStoreParameter.java
index 9369f5b..a7fab80 100644
--- a/keystore/java/android/security/KeyStoreParameter.java
+++ b/keystore/java/android/security/KeyStoreParameter.java
@@ -62,11 +62,11 @@ import javax.crypto.Cipher;
* "key1",
* new KeyStore.SecretKeyEntry(key),
* new KeyStoreParameter.Builder(context)
- * .setPurposes(KeyStoreKeyProperties.Purpose.ENCRYPT
- * | KeyStoreKeyProperties.Purpose.DECRYPT)
- * .setBlockMode(KeyStoreKeyProperties.BlockMode.CBC)
+ * .setPurposes(KeyStoreKeyProperties.PURPOSE_ENCRYPT
+ * | KeyStoreKeyProperties.PURPOSE_DECRYPT)
+ * .setBlockMode(KeyStoreKeyProperties.BLOCK_MODE_CBC)
* .setEncryptionPaddings(
- * KeyStoreKeyProperties.EncryptionPaddings.PKCS7)
+ * KeyStoreKeyProperties.ENCRYPTION_PADDING_PKCS7)
* .build());
* // Key imported, obtain a reference to it.
* SecretKey keyStoreKey = (SecretKey) keyStore.getKey("key1", null);
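Review bot: The sample still calls `.setBlockMode(...)`, but the Builder method declared further down in this file is `setBlockModes(String... blockModes)`, so unless a singular overload exists outside the visible hunks the example does not compile as written. Since this line is already being touched for the constant rename, it could become `.setBlockModes(KeyStoreKeyProperties.BLOCK_MODE_CBC)`. The enclosing class Javadoc starts and ends outside this hunk.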
@@ -90,8 +90,8 @@ import javax.crypto.Cipher;
* "key2",
* new KeyStore.PrivateKeyEntry(privateKey, certChain),
* new KeyStoreParameter.Builder(context)
- * .setPurposes(KeyStoreKeyProperties.Purpose.SIGN)
- * .setDigests(KeyStoreKeyProperties.Digest.SHA256)
+ * .setPurposes(KeyStoreKeyProperties.PURPOSE_SIGN)
+ * .setDigests(KeyStoreKeyProperties.DIGEST_SHA256)
* // Only permit this key to be used if the user
* // authenticated within the last ten minutes.
* .setUserAuthenticationRequired(true)
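Review bot: This sample imports a `KeyStore.PrivateKeyEntry` and presents `setPurposes`, `setDigests` and `setUserAuthenticationRequired(true)` as restrictions on it, yet the Builder Javadoc later in this file (on setPurposes among others) states "This has currently no effect on asymmetric key pairs". A reader copying the sample would reasonably assume the private key can only sign with SHA-256 after recent user authentication. I would add a line to the sample such as `// NOTE: these authorizations are currently not enforced for asymmetric key pairs.` The sentence "Attempts to use the key for any other purpose will be rejected" that this commit adds to getPurposes() and Builder.setPurposes() has the same tension and could be scoped, e.g. `For symmetric keys, attempts to use the key for any other purpose will be rejected.` The class Javadoc continues outside this hunk.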
@@ -211,20 +211,21 @@ public final class KeyStoreParameter implements ProtectionParameter {
}
/**
- * Gets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which the
- * key can be used.
+ * Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used.
+ * Attempts to use the key for any other purpose will be rejected.
*
- * @see KeyStoreKeyProperties.Purpose
+ * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags.
*/
public @KeyStoreKeyProperties.PurposeEnum int getPurposes() {
return mPurposes;
}
/**
- * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with which
- * the key can be used when encrypting/decrypting.
+ * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code PKCS1Padding},
+ * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to use
+ * the key with any other padding scheme will be rejected.
*
- * @see KeyStoreKeyProperties.EncryptionPadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants.
*/
@NonNull
public @KeyStoreKeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() {
@@ -232,10 +233,11 @@ public final class KeyStoreParameter implements ProtectionParameter {
}
/**
- * Gets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when
- * signing or verifying signatures.
+ * Gets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key
+ * can be used when signing/verifying. Attempts to use the key with any other padding scheme
+ * will be rejected.
*
- * @see KeyStoreKeyProperties.SignaturePadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants.
*/
@NonNull
public @KeyStoreKeyProperties.SignaturePaddingEnum String[] getSignaturePaddings() {
@@ -271,9 +273,11 @@ public final class KeyStoreParameter implements ProtectionParameter {
}
/**
- * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used.
+ * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used
+ * when encrypting/decrypting. Attempts to use the key with any other block modes will be
+ * rejected.
*
- * @see KeyStoreKeyProperties.BlockMode
+ * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants.
*/
@NonNull
public @KeyStoreKeyProperties.BlockModeEnum String[] getBlockModes() {
@@ -388,7 +392,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
*
* <p>By default, the key is valid at any instant.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
* @see #setKeyValidityEnd(Date)
*/
@@ -403,7 +407,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
*
* <p>By default, the key is valid at any instant.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
* @see #setKeyValidityStart(Date)
* @see #setKeyValidityForConsumptionEnd(Date)
@@ -421,7 +425,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
*
* <p>By default, the key is valid at any instant.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
* @see #setKeyValidityForConsumptionEnd(Date)
*/
@@ -437,7 +441,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
*
* <p>By default, the key is valid at any instant.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
* @see #setKeyValidityForOriginationEnd(Date)
*/
@@ -448,14 +452,14 @@ public final class KeyStoreParameter implements ProtectionParameter {
}
/**
- * Sets the set of purposes (e.g., {@code ENCRYPT}, {@code DECRYPT}, {@code SIGN}) for which
- * the key can be used.
+ * Sets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used.
+ * Attempts to use the key for any other purpose will be rejected.
*
* <p>This must be specified for all keys. There is no default.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
- * @see KeyStoreKeyProperties.Purpose
+ * <p>See {@link KeyStoreKeyProperties}.{@code PURPOSE} flags.
*/
@NonNull
public Builder setPurposes(@KeyStoreKeyProperties.PurposeEnum int purposes) {
@@ -464,15 +468,15 @@ public final class KeyStoreParameter implements ProtectionParameter {
}
/**
- * Sets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code NoPadding}) with
- * which the key can be used when encrypting/decrypting. Attempts to use the key with any
- * other padding scheme will be rejected.
+ * Sets the set of padding schemes (e.g., {@code OAEPPadding}, {@code PKCS7Padding},
+ * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to
+ * use the key with any other padding scheme will be rejected.
*
* <p>This must be specified for keys which are used for encryption/decryption.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
- * @see KeyStoreKeyProperties.EncryptionPadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code ENCRYPTION_PADDING} constants.
*/
@NonNull
public Builder setEncryptionPaddings(
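Review bot: The example list on this setter now reads `OAEPPadding`, `PKCS7Padding`, `NoPadding`, while the matching getter getEncryptionPaddings() earlier in this file (and in KeyStoreKeySpec.java) was updated to `PKCS7Padding`, `PKCS1Padding`, `NoPadding`. Listing the same examples on getter and setter avoids the impression that the two deal with different sets, e.g. `(e.g., {@code OAEPPadding}, {@code PKCS1Padding}, {@code PKCS7Padding}, {@code NoPadding})` in both places. The method signature continues outside this hunk.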
@@ -482,15 +486,15 @@ public final class KeyStoreParameter implements ProtectionParameter {
}
/**
- * Sets the set of padding schemes (e.g., {@code PSS}) with which the key can be used when
- * signing/verifying. Attempts to use the key with any other padding scheme will be
- * rejected.
+ * Sets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key
+ * can be used when signing/verifying. Attempts to use the key with any other padding scheme
+ * will be rejected.
*
* <p>This must be specified for RSA keys which are used for signing/verification.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
- * @see KeyStoreKeyProperties.SignaturePadding
+ * <p>See {@link KeyStoreKeyProperties}.{@code SIGNATURE_PADDING} constants.
*/
@NonNull
public Builder setSignaturePaddings(
@@ -509,7 +513,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
* {@link Key#getAlgorithm()}. For asymmetric signing keys the set of digest algorithms
* must be specified.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
* @see KeyStoreKeyProperties.Digest
*/
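Review bot: The context line `@see KeyStoreKeyProperties.Digest` in this Javadoc is left as it was, while every other reference to a nested KeyStoreKeyProperties class in this file is rewritten and the class-level sample now uses the flat `KeyStoreKeyProperties.DIGEST_SHA256`. If the nested `Digest` class is removed by this commit, as the title suggests, this tag no longer resolves. For consistency with the other hunks it would become `<p>See {@link KeyStoreKeyProperties}.{@code DIGEST} constants.` The Javadoc and the method it documents start and end outside this hunk.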
@@ -520,15 +524,15 @@ public final class KeyStoreParameter implements ProtectionParameter {
}
/**
- * Sets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be
- * used when encrypting/decrypting. Attempts to use the key with any other block modes will
- * be rejected.
+ * Sets the set of block modes (e.g., {@code CBC}, {@code CTR}, {@code ECB}) with which the
+ * key can be used when encrypting/decrypting. Attempts to use the key with any other block
+ * modes will be rejected.
*
* <p>This must be specified for encryption/decryption keys.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
- * @see KeyStoreKeyProperties.BlockMode
+ * <p>See {@link KeyStoreKeyProperties}.{@code BLOCK_MODE} constants.
*/
@NonNull
public Builder setBlockModes(@KeyStoreKeyProperties.BlockModeEnum String... blockModes) {
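Review bot: `{@code ECB}` is added to the example list without any pointer to the randomized-encryption requirement documented on setRandomizedEncryptionRequired(boolean) in the next hunk. ECB is deterministic, so equal plaintext blocks encrypt to equal ciphertext blocks, and a reader picking it from this list should be told how it interacts with that requirement; whether the default setting rejects ECB is not visible here. I would add `@see #setRandomizedEncryptionRequired(boolean)` to this Javadoc, or leave ECB out of the examples.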
@@ -570,7 +574,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
* schemes which offer {@code IND-CPA}, such as PKCS#1 or OAEP.</li>
* </ul>
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*/
@NonNull
public Builder setRandomizedEncryptionRequired(boolean required) {
@@ -591,7 +595,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
* <a href="{@docRoot}training/articles/keystore.html#UserAuthentication">More
* information</a>.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
* @see #setUserAuthenticationValidityDurationSeconds(int)
*/
@@ -607,7 +611,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
*
* <p>By default, the user needs to authenticate for every use of the key.
*
- * <p><b>NOTE: This has currently no effect on asymmetric key pairs.
+ * <p><b>NOTE: This has currently no effect on asymmetric key pairs.</b>
*
* @param seconds duration in seconds or {@code -1} if the user needs to authenticate for
* every use of the key.