diff options
author | Alex Klyubin <klyubin@google.com> | 2015-06-04 12:36:27 -0700 |
---|---|---|
committer | Alex Klyubin <klyubin@google.com> | 2015-06-08 13:22:53 -0700 |
commit | 469cbf5156ad54650726ade59f2ee5aa01359ec2 (patch) | |
tree | 0da14fe1f3c95a9ad97b5cd389db6b5d0e297159 /keystore | |
parent | 266894644a160a93949cb82f5f969bef4ad91532 (diff) | |
download | frameworks_base-469cbf5156ad54650726ade59f2ee5aa01359ec2.zip frameworks_base-469cbf5156ad54650726ade59f2ee5aa01359ec2.tar.gz frameworks_base-469cbf5156ad54650726ade59f2ee5aa01359ec2.tar.bz2 |
Deprecate KeyChain.isBoundKeyAlgorithm.
This is bad API. There was never a guarantee that when this method
returns true for a key algorithm (e.g., RSA or EC), then all keys of
that type will be imported into secure hardware. For example, the
secure hardware may reject a key if it's of unsupported size or uses
an unsupported public exponent or EC curve. In that case, the key
will be imported into keystore/KeyChain without being backed by secure
hardware.
Bug: 18088752
Change-Id: I8daa574a2e703a347d09d93401cd1ea2d0162ed9
Diffstat (limited to 'keystore')
-rw-r--r-- | keystore/java/android/security/KeyChain.java | 15 | ||||
-rw-r--r-- | keystore/java/android/security/KeyStore.java | 2 |
2 files changed, 16 insertions, 1 deletions
diff --git a/keystore/java/android/security/KeyChain.java b/keystore/java/android/security/KeyChain.java index 817b7c9..059d8e6 100644 --- a/keystore/java/android/security/KeyChain.java +++ b/keystore/java/android/security/KeyChain.java @@ -29,11 +29,13 @@ import android.os.Looper; import android.os.Process; import android.os.RemoteException; import android.os.UserHandle; +import android.security.keystore.KeyInfo; import android.security.keystore.KeyProperties; import java.io.ByteArrayInputStream; import java.io.Closeable; import java.security.InvalidKeyException; +import java.security.KeyFactory; import java.security.Principal; import java.security.PrivateKey; import java.security.cert.Certificate; @@ -442,7 +444,20 @@ public final class KeyChain { * imported or generated. This can be used to tell if there is special * hardware support that can be used to bind keys to the device in a way * that makes it non-exportable. + * + * @deprecated Whether the key is bound to the secure hardware is known only + * once the key has been imported. To find out, use: + * <pre>{@code + * PrivateKey key = ...; // private key from KeyChain + * + * KeyFactory keyFactory = + * KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore"); + * KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class); + * if (keyInfo.isInsideSecureHardware()) { + * // The key is bound to the secure hardware of this Android + * }}</pre> */ + @Deprecated public static boolean isBoundKeyAlgorithm( @NonNull @KeyProperties.KeyAlgorithmEnum String algorithm) { if (!isKeyAlgorithmSupported(algorithm)) { diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index 367257a..ad348f8 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java @@ -383,7 +383,7 @@ public class KeyStore { } } - // TODO remove this when it's removed from Settings + // TODO: remove this when it's removed from Settings public boolean isHardwareBacked() { return isHardwareBacked("RSA"); } |