4a0ff7ca984d29bd34b02e54441957cad65e8b53 |
|
09-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Android Keystore keys are no longer backed by Conscrypt. This switches Android Keystore asymmetric keys from being backed by Conscrypt (via keystore-engine which is an OpenSSL/BoringSSL ENGINE which talks to keystore via the old KeyStore API) to being backed by the AndroidKeyStore Provider which talks to keystore via the new KeyStore API. In effect, this switches asymmetric crypto offered by Android Keystore from old Keystore API to new KeyStore API, enabling all the new features such as enforcement of authorizations on key use. Some algorithms offered by Android Keystore, such as RSA with OAEP or PSS padding schemes, are not supported by other providers. This complicates matters because Android Keystore only supports public key operations if the corresponding private key is in the keystore. Thus, Android Keystore can only offer these operations for its own public keys only. This requires AndroidKeyStore to use its own subclasses of PublicKey everywhere. The ugliest place is where it needs to return its own subclass of X509Certificate only to be able to return its own subclass of PublicKey from Certificate.getPublicKey(). Bug: 18088752 Bug: 19284418 Bug: 20912868 Change-Id: Id234f9ab9ff72d353ca1ff66768bd3d46da50d64
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
3f8d4d840894468f2be8a5b56ff266cef2d71c50 |
|
13-May-2015 |
Alex Klyubin <klyubin@google.com> |
New AndroidKeyStore API in android.security.keystore. This CL addresses the comments from API Council about Android KeyStore KeyPairGeneratorSpec, KeyGeneratorSpec and KeyStoreParameter: 1. These abstractions should not take or hold references to Context. 2. The Builders of these abstractions should take all mandatory parameters in their constructors rather than expose them as setters -- only optional paratemers should be exposed via setters. These comments cannot be addressed without deprecation in the already launched KeyPairGeneratorSpec and KeyStoreParameter. Instead of deprecating just the getContext methods and Builder constructors, this CL goes for the nuclear option of deprecating KeyPairGeneratorSpec and KeyStoreParameter as a whole and exposing all of the AndroidKeyStore API in the new package android.security.keystore. This enables this CL to correct all of the accrued design issues with KeyPairGeneratorSpec (e.g., naming of certificate-related methods) and KeyStoreParameter. This also makes the transition to API Level M more clear for existing users of the AndroidKeyStore API. These users will only have to deal with the new always-mandatory parameters (e.g., purposes) and sometimes-mandatory (e.g., digests, block modes, paddings) if they switch to the new API. Prior to this CL they would've had to deal with this if they invoked any of the new methods of KeyPairGeneratorSpec or KeyStoreParameter introduced in API Level M. This CL rips out all the new API introduced into KeyPairGeneratorSpec and KeyStoreParameter classes for Android M, thus reverting these classes to the API launched in L MR1. This is because the new API is now in android.security.keystore.KeyGenParameterSpec and KeyProtection respectively. Bug: 21039983 Change-Id: I59672b3c6ef7bc25c40aa85f1c47d9d8a05d627c
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
622fd932fd33c6e86c86c8a24082674ad077a810 |
|
12-May-2015 |
Alex Klyubin <klyubin@google.com> |
Flatten KeyStoreKeyProperties constants. This moves constants/flags declared in inner classes of KeyStoreKeyProperties into KeyStoreKeyProperties, as requested by API Council. Bug: 21039983 Change-Id: I84a3c983e13644a027bed9f605ab8044220a352c
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
e3049dc953acd5d477c159be8e8b0548bae60cab |
|
11-May-2015 |
Alex Klyubin <klyubin@google.com> |
Link to magic constants used by AndroidKeyStore API. This updates the Javadocs of AndroidKeyStore methods which take constants defined in KeyStoreKeyProperties to contain a link to the corresponding set of constants and an example of a couple of accepted constants, to make it easier to understand and find out what constants to use. Bug: 18088752 Change-Id: I338134ef136db62a7caca782cb59dbebdc996670
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
54bb1596e470144932943046ec7a99551d020ba0 |
|
11-May-2015 |
Alex Klyubin <klyubin@google.com> |
Add NonNull and Nullable annotations to AndroidKeyStore API. This is to enable Android Lint and Android Studio to flag nullness issues at compile time. Bug: 18088752 Change-Id: I21033b8fcdd989d08c89b50685e47fbb9c74acbf
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
5418393c58d1d80fe37a209ab931f6d56bd46a86 |
|
09-May-2015 |
Alex Klyubin <klyubin@google.com> |
Document when encrypted AndroidKeyStore keys are wiped. This also drops the boolean parameter from KeyGeneratorSpec.Builder.setEncryptionRequired to match the already launched KeyPairGeneratorSpec.Builder.setEncryptionRequired. Bug: 18088752 Change-Id: I91a3e8c77958971b1bda8329319f1a0d8043b669
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecd |
|
08-May-2015 |
Alex Klyubin <klyubin@google.com> |
More Javadocs for AndroidKeyStore public classes. This adds more detailed class-level Javadocs (incl. examples) for the following public API of Android KeyStore facility: * KeyPairGeneratorSpec, * KeyGeneratorSpec, * KeyStoreParameter, * KeyStoreKeySpec. This also clarifies what encryption at rest means. Bug: 18088752 Change-Id: I9951a528c34dea322534763b596902a2b6ac64f9
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
ca84b19f10d5cb6bbaca1f71077bcaea5c84bdc1 |
|
07-May-2015 |
Alex Klyubin <klyubin@google.com> |
Document that new APIs for asymmetric crypto have no effect. Bug: 18088752 Change-Id: Idfcf57251e76185425b9271d6a2001c5556f9f59
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
f555887237665fd2cd16182e63dd7ff5f4b7e708 |
|
07-May-2015 |
Alex Klyubin <klyubin@google.com> |
Merge "Adjust the Javadoc for user authentication timeout." into mnc-dev
|
27dd1a22275e92afed612655822438ab3df15356 |
|
07-May-2015 |
Alex Klyubin <klyubin@google.com> |
Adjust the Javadoc for user authentication timeout. The Javadoc incorrectly stated that: * 0 means authentication required for every use. * -1 means that timeout is not specified and the key can be any time. Bug: 18088752 Change-Id: Ie5f37e74dc207f23443527ac1725ae8a37213d75
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
4d5443f37f2bc58be8d22ed50024c39a5a1fbc8f |
|
07-May-2015 |
Alex Klyubin <klyubin@google.com> |
Define String constants for AndroidKeyStore crypto. This defines the String enum values based on JCA standard names for key algorithm, block mode, padding schemes, and digests. This should make it safer to interact with AndroidKeyStore code that uses JCA strings. This was requested by API Council. Bug: 18088752 Change-Id: I241d9225a13b85479d0a84e49d0a98cbc77e5817
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
1eda77ae2122e2b85084eb429fbeecec0b9962e5 |
|
28-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Align AndroidKeyStore API with user auth API. This simplifies the AndroidKeyStore API around user authentication: no more explicit control over which user authenticators are bound to which keys. User-authenticated keys with timeout are unlocked by whatever unlocks the secure lock screen (currently, password/PIN/pattern or fingerprint). User-authenticated keys that need authentication for every use are unlocked by fingerprint only. Bug: 20526234 Bug: 20642549 Change-Id: I1e5e6c988f32657d820797ad5696797477a9ebe9
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
8e5fbc70e19c5e294e8f99939161e1a8ff78bd6f |
|
14-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
am fa2bd4fe: am 888f5cb7: am ecfda064: Merge "Make specifying self-signed cert parameters optional." * commit 'fa2bd4fe5c10b8132a155f0f8d0207435ca2c8dc': Make specifying self-signed cert parameters optional.
|
67d21aef98bbafd0def2cacc6254e644e911c8dd |
|
14-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Make specifying self-signed cert parameters optional. This removes the need to specify the three parameters of the self-signed certificate (serial number, subject, validity range) when generating key pairs in AndroidKeyStore. This is achieved by providing sensible defaults for these parameters: * serial number: 1 * subject: CN=fake * validity range: Jan 1 1970 to Jan 1 2048. Bug: 18088752 Change-Id: I5df918b1ef8b26ed3ddd43828c4c78c9fa58cd43
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
9b3e005a4ebd94af2d234cc5470e9691437d3888 |
|
13-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Unhide the new AndroidKeyStore API. Bug: 18088752 Change-Id: I93f87cbb1cd04a4a2e34f3d544d678c92cf052ee
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
fbf1472d613572d991bc9d68ded4c9e937f13586 |
|
13-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
resolved conflicts for merge of a978a3d6 to master Change-Id: Ifd7ca9e1dfa0d50a87f2bafef377fcaeb5d9f6d5
|
5927c9f1b12f597839a664c1c6593114175cbcd8 |
|
10-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Use JCA names for block modes, paddings, and digests. This replaces int-based enums from KeyStoreKeyConstraints with String values commonly used in JCA API. As part of under the hood refactoring: * KeyStoreKeyCharacteristics and KeyStoreKeyConstraints have been merged into KeyStoreKeyProperties. * KeymasterUtils methods operating on KeymasterArguments and KeymasterCharacteristics have been moved to their respective classes. Bug: 18088752 Change-Id: I9c8b984cb3c28184adb617e34d87f2837bd1d3a1
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
43de2a9b521611926810ec53332a08e786a7b5f3 |
|
10-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
am 4acc3392: am 8676a88e: am 97d2d7c4: Merge "Fix minor issues in new Javadocs of AndroidKeyStore." * commit '4acc3392c35e5ad98c8e7b650b1368a2956746b7': Fix minor issues in new Javadocs of AndroidKeyStore.
|
7882a7fcd4e236be1d569cdf657db2b072dfb28a |
|
09-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Fix minor issues in new Javadocs of AndroidKeyStore. Bug: 18088752 Change-Id: Ie84cc6066c82f2659da17a1eb158c2e3acf5094d
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
b30cc6c3e87e56fc939051ff8d41442a988ff20c |
|
09-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
resolved conflicts for merge of b9a9d46c to master Change-Id: Ibec45f0f8f9618dd7bd1b34561dccbdd9599cdeb
|
f853f649981ed3cf2f1fbf1363a0932e9736daf6 |
|
08-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Require IND-CPA by default for new AndroidKeyStore keys. Bug: 18088752 Change-Id: I01e44b7155df4326b5c9d83dda57f889c1f23ec7
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
1620a65d32251ca058b60cb2751394e9ee1f0019 |
|
07-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
resolved conflicts for merge of 06adabdb to master Change-Id: Ifb09e2e6242f79cabe76e95eacc982f6cc7e1a6c
|
c46e9e7da4558f6bc99262361fd1ca35c3a44090 |
|
07-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Make the new AndroidKeyStore API conformant. This makes the new AndroidKeyStore API conform with the latest Keymaster API changes as well as the latest Android framework API design guidelines. Keymaster changes: * Multiple paddings, block modes, and digests can be set on a key. * "max uses per boot" and "min seconds between use" restrictions will not be exposed in the framework API. * Padding scheme ZERO will not be exposed. Changes due to Android framework design guidelines: * Sets of enum values have been replaced with bitsets represented as ints. * Integer has been replaced with int, with null being represented with a special value (e.g., -1 or 0) where possible. Bug: 18088752 Change-Id: Ib21739aa9b42d48895cb7a681e836a5c6d972ac6
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
36662ba6aef74816d1876e4e13127bf7f12f372b |
|
03-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Add fingerprint-specific API to KeyPairGeneratorSpec. This is identical to the existing API in KeyStoreParameter and KeyGeneratorSpec. Bug: 18088752 Change-Id: I8aad4fdeb858cc9586f46d5a81561505914ac334
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
855fa31eb5ff68d131f3e496920594d875841cb0 |
|
02-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Expose new key use constraints in KeyPairGeneratorSpec. The constraints are currently ignored. Bug: 18088752 Change-Id: Iabd2018200afb2bf8ac1748d1def47af74bfb9d3
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
0b486da65076c13c98ab3973128c64f452b4c589 |
|
16-Jan-2015 |
Alex Klyubin <klyubin@google.com> |
Merge "Remove DSA support from Android KeyStore and KeyChain."
|
cd2329dbfa5aef82c38ffa36a478bbaf5088af92 |
|
15-Jan-2015 |
Alex Klyubin <klyubin@google.com> |
Remove DSA support from Android KeyStore and KeyChain. We're switching from OpenSSL to BoringSSL which does not support DSA. Bug: 17409664 Change-Id: Id9b52666ba9ef234076105c925610b5b312988a5
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
21a76df55cf4b956f4d34f57c7b9e694d0363f54 |
|
14-Jan-2015 |
Alex Klyubin <klyubin@google.com> |
Add KeyPairGenerator.EC backed by Android KeyStore. The Android KeyStore backed KeyPairGenerator can generate EC key pairs, but it cannot be instantiated via the standard JCA approach of KeyPairGenerator.getInstance("EC", "AndroidKeyStore"). Instead, the user must invoke KeyPairGenerator.getInstance("RSA", "AndroidKeyStore") and then tell it to generate an EC key pair. This CL fixes this weirdness. The fix requires the introduction of late resolution of key algorithm and default key size. Prior to this CL, these parameters were resolved prior to KeyPairGenerator initialization, inside KeyPairGeneratorSpec. In this CL, these parameters are resolved during KeyPairGenerator initialization. This is fine because KeyPairGeneratorSpec should be as dumb as possible and all the logic should reside in KeyPairGenerator and lower layers. Bug: 19018089 Change-Id: I114502356e6c9691518cf05b6d9eb0920b4fe0b2
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
9d2d6b6b4b1b16221cbd857703cd6301c6bf873c |
|
26-Nov-2014 |
Kenny Root <kroot@google.com> |
Track change to Conscrypt Change-Id: I8814fd0720acf09332927f184fdd9b2cdac4f413
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
80e84e2db92ba190c6c517dd4c71cd12c0adb249 |
|
10-Jun-2014 |
Robert Ly <robertly@google.com> |
am f3cecfa2: am 55d525b2: am 716cc7dc: Add documentation for AndroidKeyStore * commit 'f3cecfa2185ef5622992b21da8204b8b6590ef2d': Add documentation for AndroidKeyStore
|
716cc7dcac1bb9279326ab92a78a246b3a70de4e |
|
08-May-2014 |
Robert Ly <robertly@google.com> |
Add documentation for AndroidKeyStore Add exposition about the use cases for AndroidKeyStore and links to the API sample application for different use cases. Bug: 8608817 Change-Id: Ic4ce9405781c92f12687895b28c671661ea5524f
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
c222ddd07ff9c65c682fd82f8534a9d7dea796cd |
|
03-Sep-2013 |
Kenny Root <kroot@google.com> |
Unhide functions to allow ECDSA support Bug: 10600582 Change-Id: Ic710807d7e771737521e0abd83af2f666ec1199c
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
a39859889b7de0ad3190386cc732fa4bdcbe5504 |
|
16-Aug-2013 |
Kenny Root <kroot@google.com> |
Add support for DSA and ECDSA key types (cherry picked from commit f64386fc26efeb245fd90fabaa47b8c8bf9b4613) Bug: 10600582 Change-Id: I88dfcc8ca602f55fad54bd8bf043aee460c0de24
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|
1c219f619291ba818bc2542390a2988539d94ed0 |
|
19-Apr-2013 |
Kenny Root <kroot@google.com> |
Rename API AndroidKey* -> Key* Bug: 8657552 Change-Id: Id9102b7c2c2f6d27fba7645f0629750cfe1eb510
/frameworks/base/keystore/java/android/security/KeyPairGeneratorSpec.java
|