Loading api/current.txt +20 −2 Original line number Original line Diff line number Diff line Loading @@ -20555,19 +20555,37 @@ package android.sax { package android.security { package android.security { public class AndroidKeyPairGeneratorSpec implements java.security.spec.AlgorithmParameterSpec { public final class AndroidKeyPairGeneratorSpec implements java.security.spec.AlgorithmParameterSpec { method public android.content.Context getContext(); method public java.util.Date getEndDate(); method public java.lang.String getKeystoreAlias(); method public java.math.BigInteger getSerialNumber(); method public java.util.Date getStartDate(); method public javax.security.auth.x500.X500Principal getSubjectDN(); method public boolean isEncryptionRequired(); } } public static class AndroidKeyPairGeneratorSpec.Builder { public static final class AndroidKeyPairGeneratorSpec.Builder { ctor public AndroidKeyPairGeneratorSpec.Builder(android.content.Context); ctor public AndroidKeyPairGeneratorSpec.Builder(android.content.Context); method public android.security.AndroidKeyPairGeneratorSpec build(); method public android.security.AndroidKeyPairGeneratorSpec build(); method public android.security.AndroidKeyPairGeneratorSpec.Builder setAlias(java.lang.String); method public android.security.AndroidKeyPairGeneratorSpec.Builder setAlias(java.lang.String); method public android.security.AndroidKeyPairGeneratorSpec.Builder setEncryptionRequired(); method public android.security.AndroidKeyPairGeneratorSpec.Builder setEndDate(java.util.Date); method public android.security.AndroidKeyPairGeneratorSpec.Builder setEndDate(java.util.Date); method public android.security.AndroidKeyPairGeneratorSpec.Builder setSerialNumber(java.math.BigInteger); method public android.security.AndroidKeyPairGeneratorSpec.Builder setSerialNumber(java.math.BigInteger); method public android.security.AndroidKeyPairGeneratorSpec.Builder setStartDate(java.util.Date); method public android.security.AndroidKeyPairGeneratorSpec.Builder setStartDate(java.util.Date); method public android.security.AndroidKeyPairGeneratorSpec.Builder setSubject(javax.security.auth.x500.X500Principal); method public android.security.AndroidKeyPairGeneratorSpec.Builder setSubject(javax.security.auth.x500.X500Principal); } } public final class AndroidKeyStoreParameter implements java.security.KeyStore.ProtectionParameter { method public boolean isEncryptionRequired(); } public static final class AndroidKeyStoreParameter.Builder { ctor public AndroidKeyStoreParameter.Builder(android.content.Context); method public android.security.AndroidKeyStoreParameter build(); method public android.security.AndroidKeyStoreParameter.Builder setEncryptionRequired(); } public final class KeyChain { public final class KeyChain { ctor public KeyChain(); ctor public KeyChain(); method public static void choosePrivateKeyAlias(android.app.Activity, android.security.KeyChainAliasCallback, java.lang.String[], java.security.Principal[], java.lang.String, int, java.lang.String); method public static void choosePrivateKeyAlias(android.app.Activity, android.security.KeyChainAliasCallback, java.lang.String[], java.security.Principal[], java.lang.String, int, java.lang.String); core/java/android/security/IKeystoreService.java +10 −6 Original line number Original line Diff line number Diff line Loading @@ -78,7 +78,7 @@ public interface IKeystoreService extends IInterface { return _result; return _result; } } public int insert(String name, byte[] item, int uid) throws RemoteException { public int insert(String name, byte[] item, int uid, int flags) throws RemoteException { Parcel _data = Parcel.obtain(); Parcel _data = Parcel.obtain(); Parcel _reply = Parcel.obtain(); Parcel _reply = Parcel.obtain(); int _result; int _result; Loading @@ -87,6 +87,7 @@ public interface IKeystoreService extends IInterface { _data.writeString(name); _data.writeString(name); _data.writeByteArray(item); _data.writeByteArray(item); _data.writeInt(uid); _data.writeInt(uid); _data.writeInt(flags); mRemote.transact(Stub.TRANSACTION_insert, _data, _reply, 0); mRemote.transact(Stub.TRANSACTION_insert, _data, _reply, 0); _reply.readException(); _reply.readException(); _result = _reply.readInt(); _result = _reply.readInt(); Loading Loading @@ -243,7 +244,7 @@ public interface IKeystoreService extends IInterface { return _result; return _result; } } public int generate(String name, int uid) throws RemoteException { public int generate(String name, int uid, int flags) throws RemoteException { Parcel _data = Parcel.obtain(); Parcel _data = Parcel.obtain(); Parcel _reply = Parcel.obtain(); Parcel _reply = Parcel.obtain(); int _result; int _result; Loading @@ -251,6 +252,7 @@ public interface IKeystoreService extends IInterface { _data.writeInterfaceToken(DESCRIPTOR); _data.writeInterfaceToken(DESCRIPTOR); _data.writeString(name); _data.writeString(name); _data.writeInt(uid); _data.writeInt(uid); _data.writeInt(flags); mRemote.transact(Stub.TRANSACTION_generate, _data, _reply, 0); mRemote.transact(Stub.TRANSACTION_generate, _data, _reply, 0); _reply.readException(); _reply.readException(); _result = _reply.readInt(); _result = _reply.readInt(); Loading @@ -261,7 +263,8 @@ public interface IKeystoreService extends IInterface { return _result; return _result; } } public int import_key(String name, byte[] data, int uid) throws RemoteException { public int import_key(String name, byte[] data, int uid, int flags) throws RemoteException { Parcel _data = Parcel.obtain(); Parcel _data = Parcel.obtain(); Parcel _reply = Parcel.obtain(); Parcel _reply = Parcel.obtain(); int _result; int _result; Loading @@ -270,6 +273,7 @@ public interface IKeystoreService extends IInterface { _data.writeString(name); _data.writeString(name); _data.writeByteArray(data); _data.writeByteArray(data); _data.writeInt(uid); _data.writeInt(uid); _data.writeInt(flags); mRemote.transact(Stub.TRANSACTION_import, _data, _reply, 0); mRemote.transact(Stub.TRANSACTION_import, _data, _reply, 0); _reply.readException(); _reply.readException(); _result = _reply.readInt(); _result = _reply.readInt(); Loading Loading @@ -538,7 +542,7 @@ public interface IKeystoreService extends IInterface { public byte[] get(String name) throws RemoteException; public byte[] get(String name) throws RemoteException; public int insert(String name, byte[] item, int uid) throws RemoteException; public int insert(String name, byte[] item, int uid, int flags) throws RemoteException; public int del(String name, int uid) throws RemoteException; public int del(String name, int uid) throws RemoteException; Loading @@ -556,9 +560,9 @@ public interface IKeystoreService extends IInterface { public int zero() throws RemoteException; public int zero() throws RemoteException; public int generate(String name, int uid) throws RemoteException; public int generate(String name, int uid, int flags) throws RemoteException; public int import_key(String name, byte[] data, int uid) throws RemoteException; public int import_key(String name, byte[] data, int uid, int flags) throws RemoteException; public byte[] sign(String name, byte[] data) throws RemoteException; public byte[] sign(String name, byte[] data) throws RemoteException; Loading keystore/java/android/security/AndroidKeyPairGenerator.java +12 −5 Original line number Original line Diff line number Diff line Loading @@ -49,10 +49,7 @@ import java.security.spec.X509EncodedKeySpec; * * * {@hide} * {@hide} */ */ @SuppressWarnings("deprecation") public class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { public class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { public static final String NAME = "AndroidKeyPairGenerator"; private android.security.KeyStore mKeyStore; private android.security.KeyStore mKeyStore; private AndroidKeyPairGeneratorSpec mSpec; private AndroidKeyPairGeneratorSpec mSpec; Loading @@ -79,12 +76,21 @@ public class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { "Must call initialize with an AndroidKeyPairGeneratorSpec first"); "Must call initialize with an AndroidKeyPairGeneratorSpec first"); } } if (((mSpec.getFlags() & KeyStore.FLAG_ENCRYPTED) != 0) && (mKeyStore.state() != KeyStore.State.UNLOCKED)) { throw new IllegalStateException( "Android keystore must be in initialized and unlocked state " + "if encryption is required"); } final String alias = mSpec.getKeystoreAlias(); final String alias = mSpec.getKeystoreAlias(); Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); final String privateKeyAlias = Credentials.USER_PRIVATE_KEY + alias; final String privateKeyAlias = Credentials.USER_PRIVATE_KEY + alias; mKeyStore.generate(privateKeyAlias); if (!mKeyStore.generate(privateKeyAlias, KeyStore.UID_SELF, mSpec.getFlags())) { throw new IllegalStateException("could not generate key in keystore"); } final PrivateKey privKey; final PrivateKey privKey; final OpenSSLEngine engine = OpenSSLEngine.getInstance("keystore"); final OpenSSLEngine engine = OpenSSLEngine.getInstance("keystore"); Loading Loading @@ -131,7 +137,8 @@ public class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { throw new IllegalStateException("Can't get encoding of certificate", e); throw new IllegalStateException("Can't get encoding of certificate", e); } } if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, certBytes)) { if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, certBytes, KeyStore.UID_SELF, mSpec.getFlags())) { Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); throw new IllegalStateException("Can't store certificate in AndroidKeyStore"); throw new IllegalStateException("Can't store certificate in AndroidKeyStore"); } } Loading keystore/java/android/security/AndroidKeyPairGeneratorSpec.java +72 −29 Original line number Original line Diff line number Diff line Loading @@ -32,10 +32,9 @@ import javax.security.auth.x500.X500Principal; * {@code KeyPairGenerator} that works with <a href="{@docRoot} * {@code KeyPairGenerator} that works with <a href="{@docRoot} * guide/topics/security/keystore.html">Android KeyStore facility</a>. The * guide/topics/security/keystore.html">Android KeyStore facility</a>. The * Android KeyStore facility is accessed through a * Android KeyStore facility is accessed through a * {@link java.security.KeyPairGenerator} API using the * {@link java.security.KeyPairGenerator} API using the {@code AndroidKeyStore} * {@code AndroidKeyPairGenerator} provider. The {@code context} passed in may * provider. The {@code context} passed in may be used to pop up some UI to ask * be used to pop up some UI to ask the user to unlock or initialize the Android * the user to unlock or initialize the Android KeyStore facility. * keystore facility. * <p> * <p> * After generation, the {@code keyStoreAlias} is used with the * After generation, the {@code keyStoreAlias} is used with the * {@link java.security.KeyStore#getEntry(String, java.security.KeyStore.ProtectionParameter)} * {@link java.security.KeyStore#getEntry(String, java.security.KeyStore.ProtectionParameter)} Loading @@ -47,10 +46,10 @@ import javax.security.auth.x500.X500Principal; * Distinguished Name along with the other parameters specified with the * Distinguished Name along with the other parameters specified with the * {@link Builder}. * {@link Builder}. * <p> * <p> * The self-signed certificate may be replaced at a later time by a certificate * The self-signed X.509 certificate may be replaced at a later time by a * signed by a real Certificate Authority. * certificate signed by a real Certificate Authority. */ */ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { public final class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { private final String mKeystoreAlias; private final String mKeystoreAlias; private final Context mContext; private final Context mContext; Loading @@ -63,6 +62,8 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { private final Date mEndDate; private final Date mEndDate; private final int mFlags; /** /** * Parameter specification for the "{@code AndroidKeyPairGenerator}" * Parameter specification for the "{@code AndroidKeyPairGenerator}" * instance of the {@link java.security.KeyPairGenerator} API. The * instance of the {@link java.security.KeyPairGenerator} API. The Loading Loading @@ -93,7 +94,8 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { * @hide should be built with AndroidKeyPairGeneratorSpecBuilder * @hide should be built with AndroidKeyPairGeneratorSpecBuilder */ */ public AndroidKeyPairGeneratorSpec(Context context, String keyStoreAlias, public AndroidKeyPairGeneratorSpec(Context context, String keyStoreAlias, X500Principal subjectDN, BigInteger serialNumber, Date startDate, Date endDate) { X500Principal subjectDN, BigInteger serialNumber, Date startDate, Date endDate, int flags) { if (context == null) { if (context == null) { throw new IllegalArgumentException("context == null"); throw new IllegalArgumentException("context == null"); } else if (TextUtils.isEmpty(keyStoreAlias)) { } else if (TextUtils.isEmpty(keyStoreAlias)) { Loading @@ -116,50 +118,71 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { mSerialNumber = serialNumber; mSerialNumber = serialNumber; mStartDate = startDate; mStartDate = startDate; mEndDate = endDate; mEndDate = endDate; mFlags = flags; } } /** /** * @hide * Returns the alias that will be used in the {@code java.security.KeyStore} * in conjunction with the {@code AndroidKeyStore}. */ */ String getKeystoreAlias() { public String getKeystoreAlias() { return mKeystoreAlias; return mKeystoreAlias; } } /** /** * @hide * Gets the Android context used for operations with this instance. */ */ Context getContext() { public Context getContext() { return mContext; return mContext; } } /** /** * @hide * Gets the subject distinguished name to be used on the X.509 certificate * that will be put in the {@link java.security.KeyStore}. */ */ X500Principal getSubjectDN() { public X500Principal getSubjectDN() { return mSubjectDN; return mSubjectDN; } } /** /** * @hide * Gets the serial number to be used on the X.509 certificate that will be * put in the {@link java.security.KeyStore}. */ */ BigInteger getSerialNumber() { public BigInteger getSerialNumber() { return mSerialNumber; return mSerialNumber; } } /** /** * @hide * Gets the start date to be used on the X.509 certificate that will be put * in the {@link java.security.KeyStore}. */ */ Date getStartDate() { public Date getStartDate() { return mStartDate; return mStartDate; } } /** /** * @hide * Gets the end date to be used on the X.509 certificate that will be put in * the {@link java.security.KeyStore}. */ */ Date getEndDate() { public Date getEndDate() { return mEndDate; return mEndDate; } } /** * @hide */ int getFlags() { return mFlags; } /** * Returns {@code true} if this parameter will require generated keys to be * encrypted in the {@link java.security.KeyStore}. */ public boolean isEncryptionRequired() { return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0; } /** /** * Builder class for {@link AndroidKeyPairGeneratorSpec} objects. * Builder class for {@link AndroidKeyPairGeneratorSpec} objects. * <p> * <p> Loading @@ -175,16 +198,17 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { * Calendar end = new Calendar(); * Calendar end = new Calendar(); * end.add(1, Calendar.YEAR); * end.add(1, Calendar.YEAR); * * * AndroidKeyPairGeneratorSpec spec = new AndroidKeyPairGeneratorSpec.Builder(mContext) * AndroidKeyPairGeneratorSpec spec = * .setAlias("myKey") * new AndroidKeyPairGeneratorSpec.Builder(mContext) * .setSubject(new X500Principal("CN=myKey")) * .setAlias("myKey") * .setSubject(new X500Principal("CN=myKey")) * .setSerial(BigInteger.valueOf(1337)) * .setSerial(BigInteger.valueOf(1337)) * .setStartDate(start.getTime()) * .setStartDate(start.getTime()) * .setEndDate(end.getTime()) * .setEndDate(end.getTime()) * .build(); * .build(); * </pre> * </pre> */ */ public static class Builder { public final static class Builder { private final Context mContext; private final Context mContext; private String mKeystoreAlias; private String mKeystoreAlias; Loading @@ -197,6 +221,14 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { private Date mEndDate; private Date mEndDate; private int mFlags; /** * Creates a new instance of the {@code Builder} with the given * {@code context}. The {@code context} passed in may be used to pop up * some UI to ask the user to unlock or initialize the Android KeyStore * facility. */ public Builder(Context context) { public Builder(Context context) { if (context == null) { if (context == null) { throw new NullPointerException("context == null"); throw new NullPointerException("context == null"); Loading Loading @@ -265,6 +297,17 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { return this; return this; } } /** * Indicates that this key must be encrypted at rest on storage. Note * that enabling this will require that the user enable a strong lock * screen (e.g., PIN, password) before creating or using the generated * key is successful. */ public Builder setEncryptionRequired() { mFlags |= KeyStore.FLAG_ENCRYPTED; return this; } /** /** * Builds the instance of the {@code AndroidKeyPairGeneratorSpec}. * Builds the instance of the {@code AndroidKeyPairGeneratorSpec}. * * Loading @@ -273,7 +316,7 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { */ */ public AndroidKeyPairGeneratorSpec build() { public AndroidKeyPairGeneratorSpec build() { return new AndroidKeyPairGeneratorSpec(mContext, mKeystoreAlias, mSubjectDN, return new AndroidKeyPairGeneratorSpec(mContext, mKeystoreAlias, mSubjectDN, mSerialNumber, mStartDate, mEndDate); mSerialNumber, mStartDate, mEndDate, mFlags); } } } } } } keystore/java/android/security/AndroidKeyStore.java +50 −7 Original line number Original line Diff line number Diff line Loading @@ -27,6 +27,10 @@ import java.io.InputStream; import java.io.OutputStream; import java.io.OutputStream; import java.security.InvalidKeyException; import java.security.InvalidKeyException; import java.security.Key; import java.security.Key; import java.security.KeyStore.Entry; import java.security.KeyStore.PrivateKeyEntry; import java.security.KeyStore.ProtectionParameter; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.KeyStoreException; import java.security.KeyStoreSpi; import java.security.KeyStoreSpi; import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException; Loading Loading @@ -198,14 +202,14 @@ public class AndroidKeyStore extends KeyStoreSpi { } } if (key instanceof PrivateKey) { if (key instanceof PrivateKey) { setPrivateKeyEntry(alias, (PrivateKey) key, chain); setPrivateKeyEntry(alias, (PrivateKey) key, chain, null); } else { } else { throw new KeyStoreException("Only PrivateKeys are supported"); throw new KeyStoreException("Only PrivateKeys are supported"); } } } } private void setPrivateKeyEntry(String alias, PrivateKey key, Certificate[] chain) private void setPrivateKeyEntry(String alias, PrivateKey key, Certificate[] chain, throws KeyStoreException { AndroidKeyStoreParameter params) throws KeyStoreException { byte[] keyBytes = null; byte[] keyBytes = null; final String pkeyAlias; final String pkeyAlias; Loading Loading @@ -317,15 +321,20 @@ public class AndroidKeyStore extends KeyStoreSpi { Credentials.deleteCertificateTypesForAlias(mKeyStore, alias); Credentials.deleteCertificateTypesForAlias(mKeyStore, alias); } } final int flags = (params == null) ? 0 : params.getFlags(); if (shouldReplacePrivateKey if (shouldReplacePrivateKey && !mKeyStore.importKey(Credentials.USER_PRIVATE_KEY + alias, keyBytes)) { && !mKeyStore.importKey(Credentials.USER_PRIVATE_KEY + alias, keyBytes, android.security.KeyStore.UID_SELF, flags)) { Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); throw new KeyStoreException("Couldn't put private key in keystore"); throw new KeyStoreException("Couldn't put private key in keystore"); } else if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, userCertBytes)) { } else if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, userCertBytes, android.security.KeyStore.UID_SELF, flags)) { Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); throw new KeyStoreException("Couldn't put certificate #1 in keystore"); throw new KeyStoreException("Couldn't put certificate #1 in keystore"); } else if (chainBytes != null } else if (chainBytes != null && !mKeyStore.put(Credentials.CA_CERTIFICATE + alias, chainBytes)) { && !mKeyStore.put(Credentials.CA_CERTIFICATE + alias, chainBytes, android.security.KeyStore.UID_SELF, flags)) { Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); throw new KeyStoreException("Couldn't put certificate chain in keystore"); throw new KeyStoreException("Couldn't put certificate chain in keystore"); } } Loading Loading @@ -355,7 +364,8 @@ public class AndroidKeyStore extends KeyStoreSpi { throw new KeyStoreException(e); throw new KeyStoreException(e); } } if (!mKeyStore.put(Credentials.CA_CERTIFICATE + alias, encoded)) { if (!mKeyStore.put(Credentials.CA_CERTIFICATE + alias, encoded, android.security.KeyStore.UID_SELF, android.security.KeyStore.FLAG_NONE)) { throw new KeyStoreException("Couldn't insert certificate; is KeyStore initialized?"); throw new KeyStoreException("Couldn't insert certificate; is KeyStore initialized?"); } } } } Loading Loading @@ -517,4 +527,37 @@ public class AndroidKeyStore extends KeyStoreSpi { mKeyStore = android.security.KeyStore.getInstance(); mKeyStore = android.security.KeyStore.getInstance(); } } @Override public void engineSetEntry(String alias, Entry entry, ProtectionParameter param) throws KeyStoreException { if (entry == null) { throw new KeyStoreException("entry == null"); } if (engineContainsAlias(alias)) { engineDeleteEntry(alias); } if (entry instanceof KeyStore.TrustedCertificateEntry) { KeyStore.TrustedCertificateEntry trE = (KeyStore.TrustedCertificateEntry) entry; engineSetCertificateEntry(alias, trE.getTrustedCertificate()); return; } if (param != null && !(param instanceof AndroidKeyStoreParameter)) { throw new KeyStoreException("protParam should be AndroidKeyStoreParameter; was: " + param.getClass().getName()); } if (entry instanceof PrivateKeyEntry) { PrivateKeyEntry prE = (PrivateKeyEntry) entry; setPrivateKeyEntry(alias, prE.getPrivateKey(), prE.getCertificateChain(), (AndroidKeyStoreParameter) param); return; } throw new KeyStoreException( "Entry must be a PrivateKeyEntry or TrustedCertificateEntry; was " + entry); } } } Loading
api/current.txt +20 −2 Original line number Original line Diff line number Diff line Loading @@ -20555,19 +20555,37 @@ package android.sax { package android.security { package android.security { public class AndroidKeyPairGeneratorSpec implements java.security.spec.AlgorithmParameterSpec { public final class AndroidKeyPairGeneratorSpec implements java.security.spec.AlgorithmParameterSpec { method public android.content.Context getContext(); method public java.util.Date getEndDate(); method public java.lang.String getKeystoreAlias(); method public java.math.BigInteger getSerialNumber(); method public java.util.Date getStartDate(); method public javax.security.auth.x500.X500Principal getSubjectDN(); method public boolean isEncryptionRequired(); } } public static class AndroidKeyPairGeneratorSpec.Builder { public static final class AndroidKeyPairGeneratorSpec.Builder { ctor public AndroidKeyPairGeneratorSpec.Builder(android.content.Context); ctor public AndroidKeyPairGeneratorSpec.Builder(android.content.Context); method public android.security.AndroidKeyPairGeneratorSpec build(); method public android.security.AndroidKeyPairGeneratorSpec build(); method public android.security.AndroidKeyPairGeneratorSpec.Builder setAlias(java.lang.String); method public android.security.AndroidKeyPairGeneratorSpec.Builder setAlias(java.lang.String); method public android.security.AndroidKeyPairGeneratorSpec.Builder setEncryptionRequired(); method public android.security.AndroidKeyPairGeneratorSpec.Builder setEndDate(java.util.Date); method public android.security.AndroidKeyPairGeneratorSpec.Builder setEndDate(java.util.Date); method public android.security.AndroidKeyPairGeneratorSpec.Builder setSerialNumber(java.math.BigInteger); method public android.security.AndroidKeyPairGeneratorSpec.Builder setSerialNumber(java.math.BigInteger); method public android.security.AndroidKeyPairGeneratorSpec.Builder setStartDate(java.util.Date); method public android.security.AndroidKeyPairGeneratorSpec.Builder setStartDate(java.util.Date); method public android.security.AndroidKeyPairGeneratorSpec.Builder setSubject(javax.security.auth.x500.X500Principal); method public android.security.AndroidKeyPairGeneratorSpec.Builder setSubject(javax.security.auth.x500.X500Principal); } } public final class AndroidKeyStoreParameter implements java.security.KeyStore.ProtectionParameter { method public boolean isEncryptionRequired(); } public static final class AndroidKeyStoreParameter.Builder { ctor public AndroidKeyStoreParameter.Builder(android.content.Context); method public android.security.AndroidKeyStoreParameter build(); method public android.security.AndroidKeyStoreParameter.Builder setEncryptionRequired(); } public final class KeyChain { public final class KeyChain { ctor public KeyChain(); ctor public KeyChain(); method public static void choosePrivateKeyAlias(android.app.Activity, android.security.KeyChainAliasCallback, java.lang.String[], java.security.Principal[], java.lang.String, int, java.lang.String); method public static void choosePrivateKeyAlias(android.app.Activity, android.security.KeyChainAliasCallback, java.lang.String[], java.security.Principal[], java.lang.String, int, java.lang.String);
core/java/android/security/IKeystoreService.java +10 −6 Original line number Original line Diff line number Diff line Loading @@ -78,7 +78,7 @@ public interface IKeystoreService extends IInterface { return _result; return _result; } } public int insert(String name, byte[] item, int uid) throws RemoteException { public int insert(String name, byte[] item, int uid, int flags) throws RemoteException { Parcel _data = Parcel.obtain(); Parcel _data = Parcel.obtain(); Parcel _reply = Parcel.obtain(); Parcel _reply = Parcel.obtain(); int _result; int _result; Loading @@ -87,6 +87,7 @@ public interface IKeystoreService extends IInterface { _data.writeString(name); _data.writeString(name); _data.writeByteArray(item); _data.writeByteArray(item); _data.writeInt(uid); _data.writeInt(uid); _data.writeInt(flags); mRemote.transact(Stub.TRANSACTION_insert, _data, _reply, 0); mRemote.transact(Stub.TRANSACTION_insert, _data, _reply, 0); _reply.readException(); _reply.readException(); _result = _reply.readInt(); _result = _reply.readInt(); Loading Loading @@ -243,7 +244,7 @@ public interface IKeystoreService extends IInterface { return _result; return _result; } } public int generate(String name, int uid) throws RemoteException { public int generate(String name, int uid, int flags) throws RemoteException { Parcel _data = Parcel.obtain(); Parcel _data = Parcel.obtain(); Parcel _reply = Parcel.obtain(); Parcel _reply = Parcel.obtain(); int _result; int _result; Loading @@ -251,6 +252,7 @@ public interface IKeystoreService extends IInterface { _data.writeInterfaceToken(DESCRIPTOR); _data.writeInterfaceToken(DESCRIPTOR); _data.writeString(name); _data.writeString(name); _data.writeInt(uid); _data.writeInt(uid); _data.writeInt(flags); mRemote.transact(Stub.TRANSACTION_generate, _data, _reply, 0); mRemote.transact(Stub.TRANSACTION_generate, _data, _reply, 0); _reply.readException(); _reply.readException(); _result = _reply.readInt(); _result = _reply.readInt(); Loading @@ -261,7 +263,8 @@ public interface IKeystoreService extends IInterface { return _result; return _result; } } public int import_key(String name, byte[] data, int uid) throws RemoteException { public int import_key(String name, byte[] data, int uid, int flags) throws RemoteException { Parcel _data = Parcel.obtain(); Parcel _data = Parcel.obtain(); Parcel _reply = Parcel.obtain(); Parcel _reply = Parcel.obtain(); int _result; int _result; Loading @@ -270,6 +273,7 @@ public interface IKeystoreService extends IInterface { _data.writeString(name); _data.writeString(name); _data.writeByteArray(data); _data.writeByteArray(data); _data.writeInt(uid); _data.writeInt(uid); _data.writeInt(flags); mRemote.transact(Stub.TRANSACTION_import, _data, _reply, 0); mRemote.transact(Stub.TRANSACTION_import, _data, _reply, 0); _reply.readException(); _reply.readException(); _result = _reply.readInt(); _result = _reply.readInt(); Loading Loading @@ -538,7 +542,7 @@ public interface IKeystoreService extends IInterface { public byte[] get(String name) throws RemoteException; public byte[] get(String name) throws RemoteException; public int insert(String name, byte[] item, int uid) throws RemoteException; public int insert(String name, byte[] item, int uid, int flags) throws RemoteException; public int del(String name, int uid) throws RemoteException; public int del(String name, int uid) throws RemoteException; Loading @@ -556,9 +560,9 @@ public interface IKeystoreService extends IInterface { public int zero() throws RemoteException; public int zero() throws RemoteException; public int generate(String name, int uid) throws RemoteException; public int generate(String name, int uid, int flags) throws RemoteException; public int import_key(String name, byte[] data, int uid) throws RemoteException; public int import_key(String name, byte[] data, int uid, int flags) throws RemoteException; public byte[] sign(String name, byte[] data) throws RemoteException; public byte[] sign(String name, byte[] data) throws RemoteException; Loading
keystore/java/android/security/AndroidKeyPairGenerator.java +12 −5 Original line number Original line Diff line number Diff line Loading @@ -49,10 +49,7 @@ import java.security.spec.X509EncodedKeySpec; * * * {@hide} * {@hide} */ */ @SuppressWarnings("deprecation") public class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { public class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { public static final String NAME = "AndroidKeyPairGenerator"; private android.security.KeyStore mKeyStore; private android.security.KeyStore mKeyStore; private AndroidKeyPairGeneratorSpec mSpec; private AndroidKeyPairGeneratorSpec mSpec; Loading @@ -79,12 +76,21 @@ public class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { "Must call initialize with an AndroidKeyPairGeneratorSpec first"); "Must call initialize with an AndroidKeyPairGeneratorSpec first"); } } if (((mSpec.getFlags() & KeyStore.FLAG_ENCRYPTED) != 0) && (mKeyStore.state() != KeyStore.State.UNLOCKED)) { throw new IllegalStateException( "Android keystore must be in initialized and unlocked state " + "if encryption is required"); } final String alias = mSpec.getKeystoreAlias(); final String alias = mSpec.getKeystoreAlias(); Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); final String privateKeyAlias = Credentials.USER_PRIVATE_KEY + alias; final String privateKeyAlias = Credentials.USER_PRIVATE_KEY + alias; mKeyStore.generate(privateKeyAlias); if (!mKeyStore.generate(privateKeyAlias, KeyStore.UID_SELF, mSpec.getFlags())) { throw new IllegalStateException("could not generate key in keystore"); } final PrivateKey privKey; final PrivateKey privKey; final OpenSSLEngine engine = OpenSSLEngine.getInstance("keystore"); final OpenSSLEngine engine = OpenSSLEngine.getInstance("keystore"); Loading Loading @@ -131,7 +137,8 @@ public class AndroidKeyPairGenerator extends KeyPairGeneratorSpi { throw new IllegalStateException("Can't get encoding of certificate", e); throw new IllegalStateException("Can't get encoding of certificate", e); } } if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, certBytes)) { if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, certBytes, KeyStore.UID_SELF, mSpec.getFlags())) { Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); throw new IllegalStateException("Can't store certificate in AndroidKeyStore"); throw new IllegalStateException("Can't store certificate in AndroidKeyStore"); } } Loading
keystore/java/android/security/AndroidKeyPairGeneratorSpec.java +72 −29 Original line number Original line Diff line number Diff line Loading @@ -32,10 +32,9 @@ import javax.security.auth.x500.X500Principal; * {@code KeyPairGenerator} that works with <a href="{@docRoot} * {@code KeyPairGenerator} that works with <a href="{@docRoot} * guide/topics/security/keystore.html">Android KeyStore facility</a>. The * guide/topics/security/keystore.html">Android KeyStore facility</a>. The * Android KeyStore facility is accessed through a * Android KeyStore facility is accessed through a * {@link java.security.KeyPairGenerator} API using the * {@link java.security.KeyPairGenerator} API using the {@code AndroidKeyStore} * {@code AndroidKeyPairGenerator} provider. The {@code context} passed in may * provider. The {@code context} passed in may be used to pop up some UI to ask * be used to pop up some UI to ask the user to unlock or initialize the Android * the user to unlock or initialize the Android KeyStore facility. * keystore facility. * <p> * <p> * After generation, the {@code keyStoreAlias} is used with the * After generation, the {@code keyStoreAlias} is used with the * {@link java.security.KeyStore#getEntry(String, java.security.KeyStore.ProtectionParameter)} * {@link java.security.KeyStore#getEntry(String, java.security.KeyStore.ProtectionParameter)} Loading @@ -47,10 +46,10 @@ import javax.security.auth.x500.X500Principal; * Distinguished Name along with the other parameters specified with the * Distinguished Name along with the other parameters specified with the * {@link Builder}. * {@link Builder}. * <p> * <p> * The self-signed certificate may be replaced at a later time by a certificate * The self-signed X.509 certificate may be replaced at a later time by a * signed by a real Certificate Authority. * certificate signed by a real Certificate Authority. */ */ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { public final class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { private final String mKeystoreAlias; private final String mKeystoreAlias; private final Context mContext; private final Context mContext; Loading @@ -63,6 +62,8 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { private final Date mEndDate; private final Date mEndDate; private final int mFlags; /** /** * Parameter specification for the "{@code AndroidKeyPairGenerator}" * Parameter specification for the "{@code AndroidKeyPairGenerator}" * instance of the {@link java.security.KeyPairGenerator} API. The * instance of the {@link java.security.KeyPairGenerator} API. The Loading Loading @@ -93,7 +94,8 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { * @hide should be built with AndroidKeyPairGeneratorSpecBuilder * @hide should be built with AndroidKeyPairGeneratorSpecBuilder */ */ public AndroidKeyPairGeneratorSpec(Context context, String keyStoreAlias, public AndroidKeyPairGeneratorSpec(Context context, String keyStoreAlias, X500Principal subjectDN, BigInteger serialNumber, Date startDate, Date endDate) { X500Principal subjectDN, BigInteger serialNumber, Date startDate, Date endDate, int flags) { if (context == null) { if (context == null) { throw new IllegalArgumentException("context == null"); throw new IllegalArgumentException("context == null"); } else if (TextUtils.isEmpty(keyStoreAlias)) { } else if (TextUtils.isEmpty(keyStoreAlias)) { Loading @@ -116,50 +118,71 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { mSerialNumber = serialNumber; mSerialNumber = serialNumber; mStartDate = startDate; mStartDate = startDate; mEndDate = endDate; mEndDate = endDate; mFlags = flags; } } /** /** * @hide * Returns the alias that will be used in the {@code java.security.KeyStore} * in conjunction with the {@code AndroidKeyStore}. */ */ String getKeystoreAlias() { public String getKeystoreAlias() { return mKeystoreAlias; return mKeystoreAlias; } } /** /** * @hide * Gets the Android context used for operations with this instance. */ */ Context getContext() { public Context getContext() { return mContext; return mContext; } } /** /** * @hide * Gets the subject distinguished name to be used on the X.509 certificate * that will be put in the {@link java.security.KeyStore}. */ */ X500Principal getSubjectDN() { public X500Principal getSubjectDN() { return mSubjectDN; return mSubjectDN; } } /** /** * @hide * Gets the serial number to be used on the X.509 certificate that will be * put in the {@link java.security.KeyStore}. */ */ BigInteger getSerialNumber() { public BigInteger getSerialNumber() { return mSerialNumber; return mSerialNumber; } } /** /** * @hide * Gets the start date to be used on the X.509 certificate that will be put * in the {@link java.security.KeyStore}. */ */ Date getStartDate() { public Date getStartDate() { return mStartDate; return mStartDate; } } /** /** * @hide * Gets the end date to be used on the X.509 certificate that will be put in * the {@link java.security.KeyStore}. */ */ Date getEndDate() { public Date getEndDate() { return mEndDate; return mEndDate; } } /** * @hide */ int getFlags() { return mFlags; } /** * Returns {@code true} if this parameter will require generated keys to be * encrypted in the {@link java.security.KeyStore}. */ public boolean isEncryptionRequired() { return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0; } /** /** * Builder class for {@link AndroidKeyPairGeneratorSpec} objects. * Builder class for {@link AndroidKeyPairGeneratorSpec} objects. * <p> * <p> Loading @@ -175,16 +198,17 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { * Calendar end = new Calendar(); * Calendar end = new Calendar(); * end.add(1, Calendar.YEAR); * end.add(1, Calendar.YEAR); * * * AndroidKeyPairGeneratorSpec spec = new AndroidKeyPairGeneratorSpec.Builder(mContext) * AndroidKeyPairGeneratorSpec spec = * .setAlias("myKey") * new AndroidKeyPairGeneratorSpec.Builder(mContext) * .setSubject(new X500Principal("CN=myKey")) * .setAlias("myKey") * .setSubject(new X500Principal("CN=myKey")) * .setSerial(BigInteger.valueOf(1337)) * .setSerial(BigInteger.valueOf(1337)) * .setStartDate(start.getTime()) * .setStartDate(start.getTime()) * .setEndDate(end.getTime()) * .setEndDate(end.getTime()) * .build(); * .build(); * </pre> * </pre> */ */ public static class Builder { public final static class Builder { private final Context mContext; private final Context mContext; private String mKeystoreAlias; private String mKeystoreAlias; Loading @@ -197,6 +221,14 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { private Date mEndDate; private Date mEndDate; private int mFlags; /** * Creates a new instance of the {@code Builder} with the given * {@code context}. The {@code context} passed in may be used to pop up * some UI to ask the user to unlock or initialize the Android KeyStore * facility. */ public Builder(Context context) { public Builder(Context context) { if (context == null) { if (context == null) { throw new NullPointerException("context == null"); throw new NullPointerException("context == null"); Loading Loading @@ -265,6 +297,17 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { return this; return this; } } /** * Indicates that this key must be encrypted at rest on storage. Note * that enabling this will require that the user enable a strong lock * screen (e.g., PIN, password) before creating or using the generated * key is successful. */ public Builder setEncryptionRequired() { mFlags |= KeyStore.FLAG_ENCRYPTED; return this; } /** /** * Builds the instance of the {@code AndroidKeyPairGeneratorSpec}. * Builds the instance of the {@code AndroidKeyPairGeneratorSpec}. * * Loading @@ -273,7 +316,7 @@ public class AndroidKeyPairGeneratorSpec implements AlgorithmParameterSpec { */ */ public AndroidKeyPairGeneratorSpec build() { public AndroidKeyPairGeneratorSpec build() { return new AndroidKeyPairGeneratorSpec(mContext, mKeystoreAlias, mSubjectDN, return new AndroidKeyPairGeneratorSpec(mContext, mKeystoreAlias, mSubjectDN, mSerialNumber, mStartDate, mEndDate); mSerialNumber, mStartDate, mEndDate, mFlags); } } } } } }
keystore/java/android/security/AndroidKeyStore.java +50 −7 Original line number Original line Diff line number Diff line Loading @@ -27,6 +27,10 @@ import java.io.InputStream; import java.io.OutputStream; import java.io.OutputStream; import java.security.InvalidKeyException; import java.security.InvalidKeyException; import java.security.Key; import java.security.Key; import java.security.KeyStore.Entry; import java.security.KeyStore.PrivateKeyEntry; import java.security.KeyStore.ProtectionParameter; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.KeyStoreException; import java.security.KeyStoreSpi; import java.security.KeyStoreSpi; import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException; Loading Loading @@ -198,14 +202,14 @@ public class AndroidKeyStore extends KeyStoreSpi { } } if (key instanceof PrivateKey) { if (key instanceof PrivateKey) { setPrivateKeyEntry(alias, (PrivateKey) key, chain); setPrivateKeyEntry(alias, (PrivateKey) key, chain, null); } else { } else { throw new KeyStoreException("Only PrivateKeys are supported"); throw new KeyStoreException("Only PrivateKeys are supported"); } } } } private void setPrivateKeyEntry(String alias, PrivateKey key, Certificate[] chain) private void setPrivateKeyEntry(String alias, PrivateKey key, Certificate[] chain, throws KeyStoreException { AndroidKeyStoreParameter params) throws KeyStoreException { byte[] keyBytes = null; byte[] keyBytes = null; final String pkeyAlias; final String pkeyAlias; Loading Loading @@ -317,15 +321,20 @@ public class AndroidKeyStore extends KeyStoreSpi { Credentials.deleteCertificateTypesForAlias(mKeyStore, alias); Credentials.deleteCertificateTypesForAlias(mKeyStore, alias); } } final int flags = (params == null) ? 0 : params.getFlags(); if (shouldReplacePrivateKey if (shouldReplacePrivateKey && !mKeyStore.importKey(Credentials.USER_PRIVATE_KEY + alias, keyBytes)) { && !mKeyStore.importKey(Credentials.USER_PRIVATE_KEY + alias, keyBytes, android.security.KeyStore.UID_SELF, flags)) { Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); throw new KeyStoreException("Couldn't put private key in keystore"); throw new KeyStoreException("Couldn't put private key in keystore"); } else if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, userCertBytes)) { } else if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, userCertBytes, android.security.KeyStore.UID_SELF, flags)) { Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); throw new KeyStoreException("Couldn't put certificate #1 in keystore"); throw new KeyStoreException("Couldn't put certificate #1 in keystore"); } else if (chainBytes != null } else if (chainBytes != null && !mKeyStore.put(Credentials.CA_CERTIFICATE + alias, chainBytes)) { && !mKeyStore.put(Credentials.CA_CERTIFICATE + alias, chainBytes, android.security.KeyStore.UID_SELF, flags)) { Credentials.deleteAllTypesForAlias(mKeyStore, alias); Credentials.deleteAllTypesForAlias(mKeyStore, alias); throw new KeyStoreException("Couldn't put certificate chain in keystore"); throw new KeyStoreException("Couldn't put certificate chain in keystore"); } } Loading Loading @@ -355,7 +364,8 @@ public class AndroidKeyStore extends KeyStoreSpi { throw new KeyStoreException(e); throw new KeyStoreException(e); } } if (!mKeyStore.put(Credentials.CA_CERTIFICATE + alias, encoded)) { if (!mKeyStore.put(Credentials.CA_CERTIFICATE + alias, encoded, android.security.KeyStore.UID_SELF, android.security.KeyStore.FLAG_NONE)) { throw new KeyStoreException("Couldn't insert certificate; is KeyStore initialized?"); throw new KeyStoreException("Couldn't insert certificate; is KeyStore initialized?"); } } } } Loading Loading @@ -517,4 +527,37 @@ public class AndroidKeyStore extends KeyStoreSpi { mKeyStore = android.security.KeyStore.getInstance(); mKeyStore = android.security.KeyStore.getInstance(); } } @Override public void engineSetEntry(String alias, Entry entry, ProtectionParameter param) throws KeyStoreException { if (entry == null) { throw new KeyStoreException("entry == null"); } if (engineContainsAlias(alias)) { engineDeleteEntry(alias); } if (entry instanceof KeyStore.TrustedCertificateEntry) { KeyStore.TrustedCertificateEntry trE = (KeyStore.TrustedCertificateEntry) entry; engineSetCertificateEntry(alias, trE.getTrustedCertificate()); return; } if (param != null && !(param instanceof AndroidKeyStoreParameter)) { throw new KeyStoreException("protParam should be AndroidKeyStoreParameter; was: " + param.getClass().getName()); } if (entry instanceof PrivateKeyEntry) { PrivateKeyEntry prE = (PrivateKeyEntry) entry; setPrivateKeyEntry(alias, prE.getPrivateKey(), prE.getCertificateChain(), (AndroidKeyStoreParameter) param); return; } throw new KeyStoreException( "Entry must be a PrivateKeyEntry or TrustedCertificateEntry; was " + entry); } } }
