
Commit 5418393c authored by Alex Klyubin

Document when encrypted AndroidKeyStore keys are wiped.

This also drops the boolean parameter from
KeyGeneratorSpec.Builder.setEncryptionRequired to match the already
launched KeyPairGeneratorSpec.Builder.setEncryptionRequired.

Bug: 18088752
Change-Id: I91a3e8c77958971b1bda8329319f1a0d8043b669
parent b2fa5f31
+1 −1
@@ -28432,7 +28432,7 @@ package android.security {
    method public android.security.KeyGeneratorSpec.Builder setAlias(java.lang.String);
    method public android.security.KeyGeneratorSpec.Builder setBlockModes(java.lang.String...);
    method public android.security.KeyGeneratorSpec.Builder setEncryptionPaddings(java.lang.String...);
    method public android.security.KeyGeneratorSpec.Builder setEncryptionRequired(boolean);
    method public android.security.KeyGeneratorSpec.Builder setEncryptionRequired();
    method public android.security.KeyGeneratorSpec.Builder setKeySize(int);
    method public android.security.KeyGeneratorSpec.Builder setKeyValidityEnd(java.util.Date);
    method public android.security.KeyGeneratorSpec.Builder setKeyValidityForConsumptionEnd(java.util.Date);
+1 −1
@@ -30446,7 +30446,7 @@ package android.security {
    method public android.security.KeyGeneratorSpec.Builder setAlias(java.lang.String);
    method public android.security.KeyGeneratorSpec.Builder setBlockModes(java.lang.String...);
    method public android.security.KeyGeneratorSpec.Builder setEncryptionPaddings(java.lang.String...);
    method public android.security.KeyGeneratorSpec.Builder setEncryptionRequired(boolean);
    method public android.security.KeyGeneratorSpec.Builder setEncryptionRequired();
    method public android.security.KeyGeneratorSpec.Builder setKeySize(int);
    method public android.security.KeyGeneratorSpec.Builder setKeyValidityEnd(java.util.Date);
    method public android.security.KeyGeneratorSpec.Builder setKeyValidityForConsumptionEnd(java.util.Date);
+3 −2
@@ -103,8 +103,9 @@ public class AndroidKeyStore extends KeyStoreSpi {
                    keyAliasInKeystore, null, null, keyCharacteristics);
            if ((errorCode != KeymasterDefs.KM_ERROR_OK)
                    && (errorCode != android.security.KeyStore.NO_ERROR)) {
                throw new UnrecoverableKeyException("Failed to load information about key."
                        + " Error code: " + errorCode);
                throw (UnrecoverableKeyException)
                        new UnrecoverableKeyException("Failed to load information about key")
                                .initCause(mKeyStore.getInvalidKeyException(alias, errorCode));
            }

            int keymasterAlgorithm =
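Review bot: The cause attached to the new UnrecoverableKeyException is built from `alias`, while the lookup whose failure is being reported (the call that ends on the first line of this hunk) was made with `keyAliasInKeystore`. The body of getInvalidKeyException is not visible here; if it uses its first argument to query the keystore entry, it should receive the same name, i.e. `.initCause(mKeyStore.getInvalidKeyException(keyAliasInKeystore, errorCode));`. The message also no longer carries the numeric error code, so anything that logs only getMessage() loses it; either keep `" Error code: " + errorCode` in the message or confirm that the cause always reports the code. The enclosing method starts and ends outside the hunk.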
+6 −7
@@ -306,16 +306,15 @@ public class KeyGeneratorSpec implements AlgorithmParameterSpec {
         * secure lock screen credential (e.g., password, PIN, or pattern).
         *
         * <p>Note that this feature requires that the secure lock screen (e.g., password, PIN,
         * pattern) is set up. Otherwise key generation will fail.
         * pattern) is set up, otherwise key generation will fail. Moreover, this key will be
         * deleted when the secure lock screen is disabled or reset (e.g., by the user or a Device
         * Administrator). Finally, this key cannot be used until the user unlocks the secure lock
         * screen after boot.
         *
         * @see KeyguardManager#isDeviceSecure()
         */
        public Builder setEncryptionRequired(boolean required) {
            if (required) {
        public Builder setEncryptionRequired() {
            mFlags |= KeyStore.FLAG_ENCRYPTED;
            } else {
                mFlags &= ~KeyStore.FLAG_ENCRYPTED;
            }
            return this;
        }
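Review bot: The new Javadoc on setEncryptionRequired() says the key is deleted when the secure lock screen is disabled or reset, and is unusable until the first unlock after boot, but it does not say what a caller observes in either case. I would add a sentence to that paragraph such as `Apps must be prepared for the key to be missing and should generate a new one in that case.`, and name the failure a caller gets when the key is used before the first unlock (that failure cannot be determined from this hunk). The same gap is in the matching KeyPairGeneratorSpec.Builder Javadoc in the last file section. With the boolean parameter gone, a builder can no longer clear FLAG_ENCRYPTED once it is set; if that is intended, a short comment above `mFlags |= KeyStore.FLAG_ENCRYPTED;` such as `// One-way: the flag cannot be cleared once set.` would record it.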

+6 −3
@@ -654,11 +654,14 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
        }

        /**
         * Indicates that this key must be encrypted at rest. This will protect the key pair with
         * the secure lock screen credential (e.g., password, PIN, or pattern).
         * Indicates that this key pair must be encrypted at rest. This will protect the key pair
         * with the secure lock screen credential (e.g., password, PIN, or pattern).
         *
         * <p>Note that this feature requires that the secure lock screen (e.g., password, PIN,
         * pattern) is set up. Otherwise key pair generation will fail.
         * pattern) is set up, otherwise key pair generation will fail. Moreover, this key pair will
         * be deleted when the secure lock screen is disabled or reset (e.g., by the user or a
         * Device Administrator). Finally, this key pair cannot be used until the user unlocks the
         * secure lock screen after boot.
         *
         * @see KeyguardManager#isDeviceSecure()
         */