From 36662ba6aef74816d1876e4e13127bf7f12f372b Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 2 Apr 2015 15:15:27 -0700
Subject: Add fingerprint-specific API to KeyPairGeneratorSpec.

This is identical to the existing API in KeyStoreParameter and
KeyGeneratorSpec.

Bug: 18088752
Change-Id: I8aad4fdeb858cc9586f46d5a81561505914ac334
---
 .../android/security/KeyPairGeneratorSpec.java     | 42 ++++++++++++++++++++--
 1 file changed, 39 insertions(+), 3 deletions(-)

(limited to 'keystore/java/android/security/KeyPairGeneratorSpec.java')

diff --git a/keystore/java/android/security/KeyPairGeneratorSpec.java b/keystore/java/android/security/KeyPairGeneratorSpec.java
index 0001604..dd62e9a 100644
--- a/keystore/java/android/security/KeyPairGeneratorSpec.java
+++ b/keystore/java/android/security/KeyPairGeneratorSpec.java
@@ -97,6 +97,8 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
 
     private final Integer mUserAuthenticationValidityDurationSeconds;
 
+    private final boolean mInvalidatedOnNewFingerprintEnrolled;
+
     /**
      * Parameter specification for the "{@code AndroidKeyPairGenerator}"
      * instance of the {@link java.security.KeyPairGenerator} API. The
@@ -142,7 +144,8 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
             Integer minSecondsBetweenOperations,
             Integer maxUsesPerBoot,
             Set<Integer> userAuthenticators,
-            Integer userAuthenticationValidityDurationSeconds) {
+            Integer userAuthenticationValidityDurationSeconds,
+            boolean invalidatedOnNewFingerprintEnrolled) {
         if (context == null) {
             throw new IllegalArgumentException("context == null");
         } else if (TextUtils.isEmpty(keyStoreAlias)) {
@@ -186,6 +189,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
                 ? new HashSet<Integer>(userAuthenticators)
                 : Collections.<Integer>emptySet();
         mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;
+        mInvalidatedOnNewFingerprintEnrolled = invalidatedOnNewFingerprintEnrolled;
     }
 
     /**
@@ -197,7 +201,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
             Date startDate, Date endDate, int flags) {
         this(context, keyStoreAlias, keyType, keySize, spec, subjectDN, serialNumber, startDate,
                 endDate, flags, startDate, endDate, endDate, null, null, null, null, null, null,
-                null, null);
+                null, null, false);
     }
 
     /**
@@ -426,6 +430,19 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
     }
 
     /**
+     * Returns {@code true} if this key must be permanently invalidated once a new fingerprint is
+     * enrolled. This constraint only has effect if fingerprint reader is one of the user
+     * authenticators protecting access to this key.
+     *
+     * @see #getUserAuthenticators()
+     *
+     * @hide
+     */
+    public boolean isInvalidatedOnNewFingerprintEnrolled() {
+        return mInvalidatedOnNewFingerprintEnrolled;
+    }
+
+    /**
      * Builder class for {@link KeyPairGeneratorSpec} objects.
      * <p>
      * This will build a parameter spec for use with the <a href="{@docRoot}
@@ -489,6 +506,8 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
 
         private Integer mUserAuthenticationValidityDurationSeconds;
 
+        private boolean mInvalidatedOnNewFingerprintEnrolled;
+
         /**
          * Creates a new instance of the {@code Builder} with the given
          * {@code context}. The {@code context} passed in may be used to pop up
@@ -800,6 +819,22 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
         }
 
         /**
+         * Sets whether this key must be invalidated (permanently) once a new fingerprint is
+         * enrolled. This only has effect if fingerprint reader is one of the user authenticators
+         * protecting access to the key.
+         *
+         * <p>By default, enrolling a new fingerprint does not invalidate the key.
+         *
+         * @see #setUserAuthenticators(Set)
+         *
+         * @hide
+         */
+        public Builder setInvalidatedOnNewFingerprintEnrolled(boolean invalidated) {
+            mInvalidatedOnNewFingerprintEnrolled = invalidated;
+            return this;
+        }
+
+        /**
          * Builds the instance of the {@code KeyPairGeneratorSpec}.
          *
          * @throws IllegalArgumentException if a required field is missing
@@ -826,7 +861,8 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
                     mMinSecondsBetweenOperations,
                     mMaxUsesPerBoot,
                     mUserAuthenticators,
-                    mUserAuthenticationValidityDurationSeconds);
+                    mUserAuthenticationValidityDurationSeconds,
+                    mInvalidatedOnNewFingerprintEnrolled);
         }
     }
 }
-- 
cgit v1.1