diff options
| -rw-r--r-- | api/current.txt | 4 | ||||
| -rw-r--r-- | api/system-current.txt | 4 | ||||
| -rw-r--r-- | keystore/java/android/security/KeyStoreKeyProperties.java | 2 | ||||
| -rw-r--r-- | keystore/java/android/security/KeyStoreKeySpec.java | 29 | ||||
| -rw-r--r-- | keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java | 12 |
5 files changed, 27 insertions, 24 deletions
diff --git a/api/current.txt b/api/current.txt index cdc2404..929da0e 100644 --- a/api/current.txt +++ b/api/current.txt @@ -28593,9 +28593,9 @@ package android.security { method public int getPurposes(); method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); - method public boolean isTeeBacked(); + method public boolean isInsideSecureHardware(); method public boolean isUserAuthenticationRequired(); - method public boolean isUserAuthenticationRequirementTeeEnforced(); + method public boolean isUserAuthenticationRequirementEnforcedBySecureHardware(); } public final class KeyStoreParameter implements java.security.KeyStore.ProtectionParameter { diff --git a/api/system-current.txt b/api/system-current.txt index 7012773..f9fa4e3 100644 --- a/api/system-current.txt +++ b/api/system-current.txt @@ -30607,9 +30607,9 @@ package android.security { method public int getPurposes(); method public java.lang.String[] getSignaturePaddings(); method public int getUserAuthenticationValidityDurationSeconds(); - method public boolean isTeeBacked(); + method public boolean isInsideSecureHardware(); method public boolean isUserAuthenticationRequired(); - method public boolean isUserAuthenticationRequirementTeeEnforced(); + method public boolean isUserAuthenticationRequirementEnforcedBySecureHardware(); } public final class KeyStoreParameter implements java.security.KeyStore.ProtectionParameter { diff --git a/keystore/java/android/security/KeyStoreKeyProperties.java b/keystore/java/android/security/KeyStoreKeyProperties.java index 1c3e300..1cf6a7a 100644 --- a/keystore/java/android/security/KeyStoreKeyProperties.java +++ b/keystore/java/android/security/KeyStoreKeyProperties.java @@ -656,7 +656,7 @@ public abstract class KeyStoreKeyProperties { public static final int IMPORTED = 1 << 1; /** - * Origin of the key is unknown. This can occur only for keys backed by an old TEE + * Origin of the key is unknown. This can occur only for keys backed by an old TEE-backed * implementation which does not record origin information. */ public static final int UNKNOWN = 1 << 2; diff --git a/keystore/java/android/security/KeyStoreKeySpec.java b/keystore/java/android/security/KeyStoreKeySpec.java index 7533bdc..a630a0a 100644 --- a/keystore/java/android/security/KeyStoreKeySpec.java +++ b/keystore/java/android/security/KeyStoreKeySpec.java @@ -26,7 +26,7 @@ import java.util.Date; public class KeyStoreKeySpec implements KeySpec { private final String mKeystoreAlias; private final int mKeySize; - private final boolean mTeeBacked; + private final boolean mInsideSecureHardware; private final @KeyStoreKeyProperties.OriginEnum int mOrigin; private final Date mKeyValidityStart; private final Date mKeyValidityForOriginationEnd; @@ -38,13 +38,13 @@ public class KeyStoreKeySpec implements KeySpec { private final @KeyStoreKeyProperties.BlockModeEnum String[] mBlockModes; private final boolean mUserAuthenticationRequired; private final int mUserAuthenticationValidityDurationSeconds; - private final boolean mUserAuthenticationRequirementTeeEnforced; + private final boolean mUserAuthenticationRequirementEnforcedBySecureHardware; /** * @hide */ KeyStoreKeySpec(String keystoreKeyAlias, - boolean teeBacked, + boolean insideSecureHardware, @KeyStoreKeyProperties.OriginEnum int origin, int keySize, Date keyValidityStart, @@ -57,9 +57,9 @@ public class KeyStoreKeySpec implements KeySpec { @KeyStoreKeyProperties.BlockModeEnum String[] blockModes, boolean userAuthenticationRequired, int userAuthenticationValidityDurationSeconds, - boolean userAuthenticationRequirementTeeEnforced) { + boolean userAuthenticationRequirementEnforcedBySecureHardware) { mKeystoreAlias = keystoreKeyAlias; - mTeeBacked = teeBacked; + mInsideSecureHardware = insideSecureHardware; mOrigin = origin; mKeySize = keySize; mKeyValidityStart = keyValidityStart; @@ -74,7 +74,8 @@ public class KeyStoreKeySpec implements KeySpec { mBlockModes = ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(blockModes)); mUserAuthenticationRequired = userAuthenticationRequired; mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds; - mUserAuthenticationRequirementTeeEnforced = userAuthenticationRequirementTeeEnforced; + mUserAuthenticationRequirementEnforcedBySecureHardware = + userAuthenticationRequirementEnforcedBySecureHardware; } /** @@ -85,11 +86,12 @@ public class KeyStoreKeySpec implements KeySpec { } /** - * Returns {@code true} if the key is TEE-backed. Key material of TEE-backed keys is available - * in plaintext only inside the TEE. + * Returns {@code true} if the key resides inside secure hardware (e.g., Trusted Execution + * Environment (TEE) or Secure Element (SE)). Key material of such keys is available in + * plaintext only inside the secure hardware and is not exposed outside of it. */ - public boolean isTeeBacked() { - return mTeeBacked; + public boolean isInsideSecureHardware() { + return mInsideSecureHardware; } /** @@ -192,11 +194,12 @@ public class KeyStoreKeySpec implements KeySpec { /** * Returns {@code true} if the requirement that this key can only be used if the user has been - * authenticated if enforced by the TEE. + * authenticated if enforced by secure hardware (e.g., Trusted Execution Environment (TEE) or + * Secure Element (SE)). * * @see #isUserAuthenticationRequired() */ - public boolean isUserAuthenticationRequirementTeeEnforced() { - return mUserAuthenticationRequirementTeeEnforced; + public boolean isUserAuthenticationRequirementEnforcedBySecureHardware() { + return mUserAuthenticationRequirementEnforcedBySecureHardware; } } diff --git a/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java b/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java index ff79b7a..548296b 100644 --- a/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java +++ b/keystore/java/android/security/KeyStoreSecretKeyFactorySpi.java @@ -74,7 +74,7 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { + " Keystore error: " + errorCode); } - boolean teeBacked; + boolean insideSecureHardware; @KeyStoreKeyProperties.OriginEnum int origin; int keySize; @KeyStoreKeyProperties.PurposeEnum int purposes; @@ -85,11 +85,11 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { int keymasterHwEnforcedUserAuthenticators; try { if (keyCharacteristics.hwEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) { - teeBacked = true; + insideSecureHardware = true; origin = KeyStoreKeyProperties.Origin.fromKeymaster( keyCharacteristics.hwEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1)); } else if (keyCharacteristics.swEnforced.containsTag(KeymasterDefs.KM_TAG_ORIGIN)) { - teeBacked = false; + insideSecureHardware = false; origin = KeyStoreKeyProperties.Origin.fromKeymaster( keyCharacteristics.swEnforced.getInt(KeymasterDefs.KM_TAG_ORIGIN, -1)); } else { @@ -150,12 +150,12 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { !keyCharacteristics.getBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); int userAuthenticationValidityDurationSeconds = keyCharacteristics.getInt(KeymasterDefs.KM_TAG_AUTH_TIMEOUT, -1); - boolean userAuthenticationRequirementEnforcedInTee = (userAuthenticationRequired) + boolean userAuthenticationRequirementEnforcedBySecureHardware = (userAuthenticationRequired) && (keymasterHwEnforcedUserAuthenticators != 0) && (keymasterSwEnforcedUserAuthenticators == 0); return new KeyStoreKeySpec(entryAlias, - teeBacked, + insideSecureHardware, origin, keySize, keyValidityStart, @@ -168,7 +168,7 @@ public class KeyStoreSecretKeyFactorySpi extends SecretKeyFactorySpi { blockModes, userAuthenticationRequired, userAuthenticationValidityDurationSeconds, - userAuthenticationRequirementEnforcedInTee); + userAuthenticationRequirementEnforcedBySecureHardware); } @Override |