Loading docs/html/training/articles/keystore.jd +464 −3 Original line number Diff line number Diff line Loading @@ -7,14 +7,15 @@ page.title=Android Keystore System <ol> <li><a href="#SecurityFeatures">Security Features</a></li> <li><a href="#WhichShouldIUse">Choosing Between a Keychain or the Android Keystore Provider</a></li> <li><a href="#UsingAndroidKeyStore">Using Android Keystore Provider </a></li> <li><a href="#UsingAndroidKeyStore">Using Android Keystore Provider</a> <ol> <li><a href="#GeneratingANewPrivateKey">Generating a New Private Key</a></li> <li><a href="#WorkingWithKeyStoreEntries">Working with Keystore Entries</a></li> <li><a href="#ListingEntries">Listing Entries</a></li> <li><a href="#SigningAndVerifyingData">Signing and Verifying Data</a></li> </ol> </li> <li><a href="#SupportedAlgorithms">Supported Algorithms</a></li> </ol> <h2>Blog articles</h2> Loading @@ -27,6 +28,14 @@ page.title=Android Keystore System </div> </div> <style type="text/css"> tr.deprecated { background-color: #ccc; color: #999; font-style: italic; } </style> <p>The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material Loading Loading 
@@ -214,3 +223,455 @@ operate in one of the two modes: These keys become permanently invalidated once a new fingerprint is enrolled or all fingerprints are unenrolled.</li> </ul> <h2 id="SupportedAlgorithms">Supported Algorithms</h2> <ul> <li><a href="#SupportedCiphers">{@code Cipher}</a></li> <li><a href="#SupportedKeyGenerators">{@code KeyGenerator}</a></li> <li><a href="#SupportedKeyFactories">{@code KeyFactory}</a></li> <li><a href="#SupportedKeyPairGenerators">{@code KeyPairGenerator}</a></li> <li><a href="#SupportedMacs">{@code Mac}</a></li> <li><a href="#SupportedSignatures">{@code Signature}</a></li> <li><a href="#SupportedSecretKeyFactories">{@code SecretKeyFactory}</a></li> </ul> <h3 id="SupportedCiphers">Cipher</h3> <table> <thead> <tr> <th>Algorithm</th> <th>Supported (API Levels)</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>AES/CBC/NoPadding</td> <td>23+</td> <td></td> </tr> <tr> <td>AES/CBC/PKCS7Padding</td> <td>23+</td> <td></td> </tr> <tr> <td>AES/CTR/NoPadding</td> <td>23+</td> <td></td> </tr> <tr> <td>AES/ECB/NoPadding</td> <td>23+</td> <td></td> </tr> <tr> <td>AES/ECB/PKCS7Padding</td> <td>23+</td> <td></td> </tr> <tr> <td>AES/GCM/NoPadding</td> <td>23+</td> <td>Only 12-byte long IVs supported.</td> </tr> <tr> <td>RSA/ECB/NoPadding</td> <td>18+</td> <td></td> </tr> <tr> <td>RSA/ECB/PKCS1Padding</td> <td>18+</td> <td></td> </tr> <tr> <td>RSA/ECB/OAEPWithSHA-1AndMGF1Padding</td> <td>23+</td> <td></td> </tr> <tr> <td>RSA/ECB/OAEPWithSHA-224AndMGF1Padding</td> <td>23+</td> <td></td> </tr> <tr> <td>RSA/ECB/OAEPWithSHA-256AndMGF1Padding</td> <td>23+</td> <td></td> </tr> <tr> <td>RSA/ECB/OAEPWithSHA-384AndMGF1Padding</td> <td>23+</td> <td></td> </tr> <tr> <td>RSA/ECB/OAEPWithSHA-512AndMGF1Padding</td> <td>23+</td> <td></td> </tr> <tr> <td>RSA/ECB/OAEPPadding</td> <td>23+</td> <td></td> </tr> </tbody> </table> <h3 id="SupportedKeyGenerators">KeyGenerator</h3> <table> <thead> <tr> <th>Algorithm</th> <th>Supported (API Levels)</th> <th>Notes</th> 
</tr> </thead> <tbody> <tr> <td>AES</td> <td>23+</td> <td>Supported sizes: 128, 192, 256</td> </tr> <tr> <td>HmacSHA1</td> <td>23+</td> <td> <ul> <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li> <li>Default size: 160</li> <ul> </td> </tr> <tr> <td>HmacSHA224</td> <td>23+</td> <td> <ul> <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li> <li>Default size: 224</li> <ul> </td> </tr> <tr> <td>HmacSHA256</td> <td>23+</td> <td> <ul> <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li> <li>Default size: 256</li> <ul> </td> </tr> <tr> <td>HmacSHA384</td> <td>23+</td> <td> <ul> <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li> <li>Default size: 384</li> <ul> </td> </tr> <tr> <td>HmacSHA512</td> <td>23+</td> <td> <ul> <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li> <li>Default size: 512</li> <ul> </td> </tr> </tbody> </table> <h3 id="SupportedKeyFactories">KeyFactory</h3> <table> <thead> <tr> <th>Algorithm</th> <th>Supported (API Levels)</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>EC</td> <td>23+</td> <td>Supported key specs: {@link android.security.keystore.KeyInfo} (private key only), {@link java.security.spec.ECPublicKeySpec} (public key only), {@link java.security.spec.X509EncodedKeySpec} (public key only) </td> </tr> <tr> <td>RSA</td> <td>23+</td> <td>Supported key specs: {@link android.security.keystore.KeyInfo} (private key only), {@link java.security.spec.RSAPublicKeySpec} (public key only), {@link java.security.spec.X509EncodedKeySpec} (public key only) </td> </tr> </tbody> </table> <h3 id="SupportedKeyStoreKeys">KeyStore</h3> KeyStore supports the same key types as <a href="#SupportedKeyPairGenerators">{@code KeyPairGenerator}</a> and <a href="#SupportedKeyGenerators">{@code KeyGenerator}</a>. 
<h3 id="SupportedKeyPairGenerators">KeyPairGenerator</h3> <table> <thead> <tr> <th>Algorithm</th> <th>Supported (API Levels)</th> <th>Notes</th> </tr> </thead> <tbody> <tr class="deprecated"> <td>DSA</td> <td>19–22</td> <td></td> </tr> <tr> <td>EC</td> <td>23+</td> <td> <ul> <li>Supported sizes: 224, 256, 384, 521</li> <li>Supported named curves: P-224 (secp256r1), P-256 (aka secp256r1 and prime256v1), P-384 (aka secp384r1), P-521 (aka secp521r1)</li> </ul> <p>Prior to API Level 23, EC keys can be generated using KeyPairGenerator of algorithm "RSA" initialized {@link android.security.KeyPairGeneratorSpec} whose key type is set to "EC" using {@link android.security.KeyPairGeneratorSpec.Builder#setKeyType(String)}. EC curve name cannot be specified using this method -- a NIST P-curve is automatically chosen based on the requested key size. </td> </tr> <tr> <td>RSA</td> <td>18+</td> <td> <ul> <li>Supported sizes: 512, 768, 1024, 2048, 3072, 4096</li> <li>Supported public exponents: 3, 65537</li> <li>Default public exponent: 65537</li> </ul> </td> </tr> </tbody> </table> <h3 id="SupportedMacs">Mac</h3> <table> <thead> <tr> <th>Algorithm</th> <th>Supported (API Levels)</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>HmacSHA1</td> <td>23+</td> <td></td> </tr> <tr> <td>HmacSHA224</td> <td>23+</td> <td></td> </tr> <tr> <td>HmacSHA256</td> <td>23+</td> <td></td> </tr> <tr> <td>HmacSHA384</td> <td>23+</td> <td></td> </tr> <tr> <td>HmacSHA512</td> <td>23+</td> <td></td> </tr> </tbody> </table> <h3 id="SupportedSignatures">Signature</h3> <table> <thead> <tr> <th>Algorithm</th> <th>Supported (API Levels)</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>MD5withRSA</td> <td>18+</td> <td></td> </tr> <tr> <td>NONEwithECDSA</td> <td>23+</td> <td></td> </tr> <tr> <td>NONEwithRSA</td> <td>18+</td> <td></td> </tr> <tr class="deprecated"> <td>SHA1withDSA</td> <td>19–22</td> <td></td> </tr> <tr> <td>SHA1withECDSA</td> <td>19+</td> <td></td> </tr> <tr> <td>SHA1withRSA</td> 
<td>18+</td> <td></td> </tr> <tr> <td>SHA1withRSA/PSS</td> <td>23+</td> <td></td> </tr> <tr class="deprecated"> <td>SHA224withDSA</td> <td>20–22</td> <td></td> </tr> <tr> <td>SHA224withECDSA</td> <td>20+</td> <td></td> </tr> <tr> <td>SHA224withRSA</td> <td>20+</td> <td></td> </tr> <tr> <td>SHA224withRSA/PSS</td> <td>23+</td> <td></td> </tr> <tr class="deprecated"> <td>SHA256withDSA</td> <td>19–22</td> <td></td> </tr> <tr> <td>SHA256withECDSA</td> <td>19+</td> <td></td> </tr> <tr> <td>SHA256withRSA</td> <td>18+</td> <td></td> </tr> <tr> <td>SHA256withRSA/PSS</td> <td>23+</td> <td></td> </tr> <tr class="deprecated"> <td>SHA384withDSA</td> <td>19–22</td> <td></td> </tr> <tr> <td>SHA384withECDSA</td> <td>19+</td> <td></td> </tr> <tr> <td>SHA384withRSA</td> <td>18+</td> <td></td> </tr> <tr> <td>SHA384withRSA/PSS</td> <td>23+</td> <td></td> </tr> <tr class="deprecated"> <td>SHA512withDSA</td> <td>19–22</td> <td></td> </tr> <tr> <td>SHA512withECDSA</td> <td>19+</td> <td></td> </tr> <tr> <td>SHA512withRSA</td> <td>18+</td> <td></td> </tr> <tr> <td>SHA512withRSA/PSS</td> <td>23+</td> <td></td> </tr> </tbody> </table> <h3 id="SupportedSecretKeyFactories">SecretKeyFactory</h3> <table> <thead> <tr> <th>Algorithm</th> <th>Supported (API Levels)</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>AES</td> <td>23+</td> <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td> </tr> <tr> <td>HmacSHA1</td> <td>23+</td> <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td> </tr> <tr> <td>HmacSHA224</td> <td>23+</td> <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td> </tr> <tr> <td>HmacSHA256</td> <td>23+</td> <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td> </tr> <tr> <td>HmacSHA384</td> <td>23+</td> <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td> </tr> <tr> <td>HmacSHA512</td> <td>23+</td> <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td> </tr> </tbody> </table> 
No newline at end of file Loading
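Review bot: In the `@@ -7,14 +7,15 @@` hunk the new `Supported Algorithms` entry is added as a flat `<li>`, while the `Using Android Keystore Provider` entry directly above it is given a nested `<ol>` of its subsections in the same hunk. The new section defines seven `<h3>` anchors (`#SupportedCiphers` through `#SupportedSecretKeyFactories`); for consistency with the entry above, either nest them the same way or leave both entries flat and rely on the section's own bullet list.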
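Review bot: In the `@@ -214,3 +223,455 @@` hunk, the five HmacSHA rows of the `KeyGenerator` table close their bullet list with an opening tag: `<li>Default size: 160</li> <ul> </td>` should read `<li>Default size: 160</li> </ul> </td>`, and the same fix applies to the 224, 256, 384 and 512 rows; as written each `<ul>` is never closed and the markup is invalid. In the `KeyPairGenerator` EC row, `P-224 (secp256r1)` gives the wrong alias; P-224 is secp224r1 (secp256r1 is already correctly listed for P-256). The sentence `EC keys can be generated using KeyPairGenerator of algorithm "RSA" initialized {@link android.security.KeyPairGeneratorSpec}` is missing "with" after "initialized", and the `<p>` that opens it has no closing tag. Key-size ranges are written `8--1024` in the HMAC rows but `19–22` with an en dash in the DSA rows; pick one. The new `<h3 id="SupportedKeyStoreKeys">KeyStore</h3>` subsection is missing from the bullet list at the top of the section and its one sentence is not wrapped in `<p>`. Finally, the Notes column is empty for exactly the entries a developer should not pick for new code: `RSA/ECB/NoPadding`, `RSA/ECB/PKCS1Padding`, the `AES/ECB/*` modes, `MD5withRSA`, `SHA1withRSA`, and the 512/768-bit RSA sizes and public exponent 3. A table headed "Supported" reads as an endorsement; a short note that these are kept for compatibility with existing keys and that GCM, OAEP, PSS and RSA of 2048 bits or more are the recommended choices would cost one line per row and stop the table from being read as guidance.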