KeyPairGeneratorSpec.java revision 4d5443f37f2bc58be8d22ed50024c39a5a1fbc8f
1db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root/* 2db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * Copyright (C) 2012 The Android Open Source Project 3db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * 4db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * Licensed under the Apache License, Version 2.0 (the "License"); 5db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * you may not use this file except in compliance with the License. 6db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * You may obtain a copy of the License at 7db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * 8db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * http://www.apache.org/licenses/LICENSE-2.0 9db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * 10db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * Unless required by applicable law or agreed to in writing, software 11db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * distributed under the License is distributed on an "AS IS" BASIS, 12db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * See the License for the specific language governing permissions and 14db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * limitations under the License. 15db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root */ 16db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 17db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Rootpackage android.security; 18db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 19db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Rootimport android.content.Context; 20db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Rootimport android.text.TextUtils; 21db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 22db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Rootimport java.math.BigInteger; 23a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Rootimport java.security.NoSuchAlgorithmException; 24db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Rootimport java.security.PrivateKey; 25db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Rootimport java.security.cert.Certificate; 26db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Rootimport java.security.spec.AlgorithmParameterSpec; 27db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Rootimport java.util.Date; 28db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 29db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Rootimport javax.security.auth.x500.X500Principal; 30db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 31db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root/** 32acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * This provides the required parameters needed for initializing the 331c219f619291ba818bc2542390a2988539d94ed0Kenny Root * {@code KeyPairGenerator} that works with 34716cc7dcac1bb9279326ab92a78a246b3a70de4eRobert Ly * <a href="{@docRoot}training/articles/keystore.html">Android KeyStore 351c219f619291ba818bc2542390a2988539d94ed0Kenny Root * facility</a>. The Android KeyStore facility is accessed through a 362eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * {@link java.security.KeyPairGenerator} API using the {@code AndroidKeyStore} 372eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * provider. The {@code context} passed in may be used to pop up some UI to ask 382eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * the user to unlock or initialize the Android KeyStore facility. 39acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * <p> 40acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * After generation, the {@code keyStoreAlias} is used with the 41acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * {@link java.security.KeyStore#getEntry(String, java.security.KeyStore.ProtectionParameter)} 42acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * interface to retrieve the {@link PrivateKey} and its associated 43acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * {@link Certificate} chain. 44acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * <p> 45acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * The KeyPair generator will create a self-signed certificate with the subject 46acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * as its X.509v3 Subject Distinguished Name and as its X.509v3 Issuer 47acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * Distinguished Name along with the other parameters specified with the 48acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * {@link Builder}. 49acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * <p> 502eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * The self-signed X.509 certificate may be replaced at a later time by a 512eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * certificate signed by a real Certificate Authority. 52db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root */ 531c219f619291ba818bc2542390a2988539d94ed0Kenny Rootpublic final class KeyPairGeneratorSpec implements AlgorithmParameterSpec { 54db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 5567d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin private static final X500Principal DEFAULT_CERT_SUBJECT = new X500Principal("CN=fake"); 5667d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin private static final BigInteger DEFAULT_CERT_SERIAL_NUMBER = new BigInteger("1"); 5767d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin private static final Date DEFAULT_CERT_NOT_BEFORE = new Date(0L); // Jan 1 1970 5867d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin private static final Date DEFAULT_CERT_NOT_AFTER = new Date(2461449600000L); // Jan 1 2048 5967d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin 60db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root private final Context mContext; 61db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 62a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root private final String mKeystoreAlias; 63a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 64a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root private final String mKeyType; 65a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 66a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root private final int mKeySize; 67a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 68a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root private final AlgorithmParameterSpec mSpec; 69a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 70db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root private final X500Principal mSubjectDN; 71db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 72db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root private final BigInteger mSerialNumber; 73db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 74db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root private final Date mStartDate; 75db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 76db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root private final Date mEndDate; 77db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 782eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root private final int mFlags; 792eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root 80855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin private final Date mKeyValidityStart; 81855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 82855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin private final Date mKeyValidityForOriginationEnd; 83855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 84855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin private final Date mKeyValidityForConsumptionEnd; 85855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 865927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin private final @KeyStoreKeyProperties.PurposeEnum int mPurposes; 87855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 884d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin private final @KeyStoreKeyProperties.DigestEnum String[] mDigests; 89855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 904d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin private final @KeyStoreKeyProperties.EncryptionPaddingEnum String[] mEncryptionPaddings; 91855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 924d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin private final @KeyStoreKeyProperties.SignaturePaddingEnum String[] mSignaturePaddings; 935927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin 944d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin private final @KeyStoreKeyProperties.BlockModeEnum String[] mBlockModes; 95855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 96f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin private final boolean mRandomizedEncryptionRequired; 97f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin 981eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin private final boolean mUserAuthenticationRequired; 99855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 100c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin private final int mUserAuthenticationValidityDurationSeconds; 101855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 102db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root /** 103db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * Parameter specification for the "{@code AndroidKeyPairGenerator}" 104db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * instance of the {@link java.security.KeyPairGenerator} API. The 105db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * {@code context} passed in may be used to pop up some UI to ask the user 106db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * to unlock or initialize the Android keystore facility. 107db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * <p> 108db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * After generation, the {@code keyStoreAlias} is used with the 109db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * {@link java.security.KeyStore#getEntry(String, java.security.KeyStore.ProtectionParameter)} 110db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * interface to retrieve the {@link PrivateKey} and its associated 111db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * {@link Certificate} chain. 112db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * <p> 113db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * The KeyPair generator will create a self-signed certificate with the 114db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * properties of {@code subjectDN} as its X.509v3 Subject Distinguished Name 115db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * and as its X.509v3 Issuer Distinguished Name, using the specified 116db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * {@code serialNumber}, and the validity date starting at {@code startDate} 117db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * and ending at {@code endDate}. 118db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * 119db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * @param context Android context for the activity 120db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * @param keyStoreAlias name to use for the generated key in the Android 121db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * keystore 122cd2329dbfa5aef82c38ffa36a478bbaf5088af92Alex Klyubin * @param keyType key algorithm to use (EC, RSA) 123a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * @param keySize size of key to generate 124a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * @param spec the underlying key type parameters 125db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * @param subjectDN X.509 v3 Subject Distinguished Name 126db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * @param serialNumber X509 v3 certificate serial number 127db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * @param startDate the start of the self-signed certificate validity period 128db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * @param endDate the end date of the self-signed certificate validity 129db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * period 130db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * @throws IllegalArgumentException when any argument is {@code null} or 131db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root * {@code endDate} is before {@code startDate}. 1321c219f619291ba818bc2542390a2988539d94ed0Kenny Root * @hide should be built with KeyPairGeneratorSpecBuilder 133db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root */ 134a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root public KeyPairGeneratorSpec(Context context, String keyStoreAlias, String keyType, int keySize, 135a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root AlgorithmParameterSpec spec, X500Principal subjectDN, BigInteger serialNumber, 136855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin Date startDate, Date endDate, int flags, 137855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin Date keyValidityStart, 138855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin Date keyValidityForOriginationEnd, 139855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin Date keyValidityForConsumptionEnd, 1405927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin @KeyStoreKeyProperties.PurposeEnum int purposes, 1414d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin @KeyStoreKeyProperties.DigestEnum String[] digests, 1424d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin @KeyStoreKeyProperties.EncryptionPaddingEnum String[] encryptionPaddings, 1434d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin @KeyStoreKeyProperties.SignaturePaddingEnum String[] signaturePaddings, 1444d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin @KeyStoreKeyProperties.BlockModeEnum String[] blockModes, 145f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin boolean randomizedEncryptionRequired, 1461eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin boolean userAuthenticationRequired, 1471eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin int userAuthenticationValidityDurationSeconds) { 148db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root if (context == null) { 149db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root throw new IllegalArgumentException("context == null"); 150db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root } else if (TextUtils.isEmpty(keyStoreAlias)) { 151db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root throw new IllegalArgumentException("keyStoreAlias must not be empty"); 152c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin } else if ((userAuthenticationValidityDurationSeconds < 0) 153c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin && (userAuthenticationValidityDurationSeconds != -1)) { 154855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin throw new IllegalArgumentException( 155855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin "userAuthenticationValidityDurationSeconds must not be negative"); 156db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root } 157db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 15867d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin if (subjectDN == null) { 15967d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin subjectDN = DEFAULT_CERT_SUBJECT; 16067d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin } 16167d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin if (startDate == null) { 16267d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin startDate = DEFAULT_CERT_NOT_BEFORE; 16367d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin } 16467d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin if (endDate == null) { 16567d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin endDate = DEFAULT_CERT_NOT_AFTER; 16667d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin } 16767d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin if (serialNumber == null) { 16867d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin serialNumber = DEFAULT_CERT_SERIAL_NUMBER; 16967d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin } 17067d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin 17167d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin if (endDate.before(startDate)) { 17267d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin throw new IllegalArgumentException("endDate < startDate"); 17367d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin } 17467d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin 175db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root mContext = context; 176db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root mKeystoreAlias = keyStoreAlias; 177a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root mKeyType = keyType; 178a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root mKeySize = keySize; 179a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root mSpec = spec; 180db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root mSubjectDN = subjectDN; 181db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root mSerialNumber = serialNumber; 182db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root mStartDate = startDate; 183db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root mEndDate = endDate; 1842eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root mFlags = flags; 185855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyValidityStart = keyValidityStart; 186855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyValidityForOriginationEnd = keyValidityForOriginationEnd; 187855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyValidityForConsumptionEnd = keyValidityForConsumptionEnd; 188855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mPurposes = purposes; 1895927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mDigests = ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(digests)); 1905927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mEncryptionPaddings = 1915927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(encryptionPaddings)); 1925927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mSignaturePaddings = ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(signaturePaddings)); 1935927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mBlockModes = ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(blockModes)); 194f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin mRandomizedEncryptionRequired = randomizedEncryptionRequired; 1951eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin mUserAuthenticationRequired = userAuthenticationRequired; 196855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds; 197855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 198855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 199855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 200855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * TODO: Remove this constructor once tests are switched over to the new one above. 201855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @hide 202855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 203855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin public KeyPairGeneratorSpec(Context context, String keyStoreAlias, String keyType, int keySize, 204855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin AlgorithmParameterSpec spec, X500Principal subjectDN, BigInteger serialNumber, 205855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin Date startDate, Date endDate, int flags) { 206b30cc6c3e87e56fc939051ff8d41442a988ff20cAlex Klyubin 207f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin this(context, 208f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin keyStoreAlias, 209f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin keyType, 210f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin keySize, 211f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin spec, 212f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin subjectDN, 213f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin serialNumber, 214f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin startDate, 215f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin endDate, 216f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin flags, 217f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin startDate, 218f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin endDate, 219f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin endDate, 2205927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin 0, // purposes 2215927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin null, // digests 2225927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin null, // encryption paddings 2235927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin null, // signature paddings 2245927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin null, // block modes 2255927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin false, // randomized encryption required 2261eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin false, // user authentication required 2271eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin -1 // user authentication validity duration (seconds) 2285927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin ); 229db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root } 230db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 231a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root /** 232a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * Gets the Android context used for operations with this instance. 233a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root */ 234a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root public Context getContext() { 235a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root return mContext; 236a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 237a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 238db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root /** 2392eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * Returns the alias that will be used in the {@code java.security.KeyStore} 2402eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * in conjunction with the {@code AndroidKeyStore}. 241db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root */ 2422eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root public String getKeystoreAlias() { 243db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root return mKeystoreAlias; 244db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root } 245db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 246db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root /** 247cd2329dbfa5aef82c38ffa36a478bbaf5088af92Alex Klyubin * Returns the key type (e.g., "EC", "RSA") specified by this parameter. 248db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root */ 2494d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public @KeyStoreKeyProperties.AlgorithmEnum String getKeyType() { 250a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root return mKeyType; 251a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 252a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 253a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root /** 254a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * Returns the key size specified by this parameter. For instance, for RSA 255a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * this will return the modulus size and for EC it will return the field 256a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * size. 257a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root */ 258a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root public int getKeySize() { 259a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root return mKeySize; 260a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 261a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 262a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root /** 263a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * Returns the {@link AlgorithmParameterSpec} that will be used for creation 264a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * of the key pair. 265a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root */ 266a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root public AlgorithmParameterSpec getAlgorithmParameterSpec() { 267a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root return mSpec; 268db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root } 269db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 270db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root /** 2712eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * Gets the subject distinguished name to be used on the X.509 certificate 2722eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * that will be put in the {@link java.security.KeyStore}. 273db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root */ 2742eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root public X500Principal getSubjectDN() { 275db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root return mSubjectDN; 276db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root } 277db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 278db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root /** 2792eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * Gets the serial number to be used on the X.509 certificate that will be 2802eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * put in the {@link java.security.KeyStore}. 281db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root */ 2822eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root public BigInteger getSerialNumber() { 283db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root return mSerialNumber; 284db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root } 285db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 286db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root /** 2872eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * Gets the start date to be used on the X.509 certificate that will be put 2882eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * in the {@link java.security.KeyStore}. 289db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root */ 2902eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root public Date getStartDate() { 291db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root return mStartDate; 292db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root } 293db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root 294db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root /** 2952eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * Gets the end date to be used on the X.509 certificate that will be put in 2962eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * the {@link java.security.KeyStore}. 297db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root */ 2982eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root public Date getEndDate() { 299db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root return mEndDate; 300db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root } 301acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 302acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root /** 3032eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * @hide 3042eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root */ 3052eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root int getFlags() { 3062eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root return mFlags; 3072eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root } 3082eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root 3092eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root /** 3102eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * Returns {@code true} if this parameter will require generated keys to be 3112eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * encrypted in the {@link java.security.KeyStore}. 3122eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root */ 3132eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root public boolean isEncryptionRequired() { 3142eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0; 3152eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root } 3162eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root 3172eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root /** 318855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * Gets the time instant before which the key pair is not yet valid. 319855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 320855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @return instant or {@code null} if not restricted. 321855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 322855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin public Date getKeyValidityStart() { 323855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return mKeyValidityStart; 324855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 325855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 326855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 327855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * Gets the time instant after which the key pair is no longer valid for decryption and 328855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * verification. 329855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 330855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @return instant or {@code null} if not restricted. 331855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 332855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin public Date getKeyValidityForConsumptionEnd() { 333855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return mKeyValidityForConsumptionEnd; 334855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 335855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 336855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 337855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * Gets the time instant after which the key pair is no longer valid for encryption and signing. 338855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 339855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @return instant or {@code null} if not restricted. 340855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 341855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin public Date getKeyValidityForOriginationEnd() { 342855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return mKeyValidityForOriginationEnd; 343855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 344855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 345855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 346855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * Gets the set of purposes for which the key can be used. 347855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 3485927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin public @KeyStoreKeyProperties.PurposeEnum int getPurposes() { 349855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return mPurposes; 350855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 351855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 352855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 3535927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Gets the set of digest algorithms with which the key can be used. 3545927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin */ 3554d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public @KeyStoreKeyProperties.DigestEnum String[] getDigests() { 3565927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin return ArrayUtils.cloneIfNotEmpty(mDigests); 3575927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin } 3585927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin 3595927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin /** 3605927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Gets the set of padding schemes with which the key can be used when encrypting/decrypting. 361855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 3624d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public @KeyStoreKeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() { 3635927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin return ArrayUtils.cloneIfNotEmpty(mEncryptionPaddings); 364855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 365855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 366855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 3675927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Gets the set of padding schemes with which the key can be used when signing/verifying. 368855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 3694d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public @KeyStoreKeyProperties.SignaturePaddingEnum String[] getSignaturePaddings() { 3705927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin return ArrayUtils.cloneIfNotEmpty(mSignaturePaddings); 371855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 372855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 373855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 3745927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Gets the set of block modes with which the key can be used. 375855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 3764d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public @KeyStoreKeyProperties.BlockModeEnum String[] getBlockModes() { 3775927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin return ArrayUtils.cloneIfNotEmpty(mBlockModes); 378855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 379855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 380855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 381f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * Returns {@code true} if encryption using this key must be sufficiently randomized to produce 382f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * different ciphertexts for the same plaintext every time. The formal cryptographic property 383f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * being required is <em>indistinguishability under chosen-plaintext attack ({@code 384f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * IND-CPA})</em>. This property is important because it mitigates several classes of 385f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * weaknesses due to which ciphertext may leak information about plaintext. For example, if a 386f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * given plaintext always produces the same ciphertext, an attacker may see the repeated 387f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * ciphertexts and be able to deduce something about the plaintext. 388f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin */ 389f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin public boolean isRandomizedEncryptionRequired() { 390f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin return mRandomizedEncryptionRequired; 391f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin } 392f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin 393f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin /** 3941eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * Returns {@code true} if user authentication is required for this key to be used. 395855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 396855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * <p>This restriction applies only to private key operations. Public key operations are not 397855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * restricted. 398855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 3991eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * @see #getUserAuthenticationValidityDurationSeconds() 400855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 4011eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin public boolean isUserAuthenticationRequired() { 4021eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin return mUserAuthenticationRequired; 403855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 404855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 405855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 406855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * Gets the duration of time (seconds) for which the private key can be used after the user 4071eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * is successfully authenticated. 408855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 409855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * <p>This restriction applies only to private key operations. Public key operations are not 410855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * restricted. 411855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 412c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin * @return duration in seconds or {@code -1} if not restricted. {@code 0} means authentication 413855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * is required for every use of the key. 4141eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * 4151eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * @see #isUserAuthenticationRequired() 416855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 417c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin public int getUserAuthenticationValidityDurationSeconds() { 418855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return mUserAuthenticationValidityDurationSeconds; 419855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 420855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 421855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 4221c219f619291ba818bc2542390a2988539d94ed0Kenny Root * Builder class for {@link KeyPairGeneratorSpec} objects. 423acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * <p> 424acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * This will build a parameter spec for use with the <a href="{@docRoot} 425716cc7dcac1bb9279326ab92a78a246b3a70de4eRobert Ly * training/articles/keystore.html">Android KeyStore facility</a>. 426acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * <p> 427acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * The required fields must be filled in with the builder. 428acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * <p> 429acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * Example: 430acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * 431acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * <pre class="prettyprint"> 432acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * Calendar start = new Calendar(); 433acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * Calendar end = new Calendar(); 434acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * end.add(1, Calendar.YEAR); 435acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * 4361c219f619291ba818bc2542390a2988539d94ed0Kenny Root * KeyPairGeneratorSpec spec = 4371c219f619291ba818bc2542390a2988539d94ed0Kenny Root * new KeyPairGeneratorSpec.Builder(mContext).setAlias("myKey") 4381c219f619291ba818bc2542390a2988539d94ed0Kenny Root * .setSubject(new X500Principal("CN=myKey")).setSerial(BigInteger.valueOf(1337)) 4391c219f619291ba818bc2542390a2988539d94ed0Kenny Root * .setStartDate(start.getTime()).setEndDate(end.getTime()).build(); 440acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * </pre> 441acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root */ 4422eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root public final static class Builder { 443acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root private final Context mContext; 444acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 445acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root private String mKeystoreAlias; 446acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 44721a76df55cf4b956f4d34f57c7b9e694d0363f54Alex Klyubin private String mKeyType; 448a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 449a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root private int mKeySize = -1; 450a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 451a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root private AlgorithmParameterSpec mSpec; 452a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 453acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root private X500Principal mSubjectDN; 454acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 455acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root private BigInteger mSerialNumber; 456acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 457acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root private Date mStartDate; 458acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 459acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root private Date mEndDate; 460acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 4612eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root private int mFlags; 4622eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root 463855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin private Date mKeyValidityStart; 464855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 465855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin private Date mKeyValidityForOriginationEnd; 466855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 467855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin private Date mKeyValidityForConsumptionEnd; 468855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 4695927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin private @KeyStoreKeyProperties.PurposeEnum int mPurposes; 4705927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin 4714d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin private @KeyStoreKeyProperties.DigestEnum String[] mDigests; 472855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 4734d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin private @KeyStoreKeyProperties.EncryptionPaddingEnum String[] mEncryptionPaddings; 474855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 4754d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin private @KeyStoreKeyProperties.SignaturePaddingEnum String[] mSignaturePaddings; 476855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 4774d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin private @KeyStoreKeyProperties.BlockModeEnum String[] mBlockModes; 478855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 479f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin private boolean mRandomizedEncryptionRequired = true; 480f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin 4811eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin private boolean mUserAuthenticationRequired; 482855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 483c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin private int mUserAuthenticationValidityDurationSeconds = -1; 484855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 4852eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root /** 4862eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * Creates a new instance of the {@code Builder} with the given 4872eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * {@code context}. The {@code context} passed in may be used to pop up 4882eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * some UI to ask the user to unlock or initialize the Android KeyStore 4892eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * facility. 4902eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root */ 491acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root public Builder(Context context) { 492acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root if (context == null) { 493acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root throw new NullPointerException("context == null"); 494acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 495acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root mContext = context; 496acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 497acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 498acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root /** 499acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * Sets the alias to be used to retrieve the key later from a 500acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * {@link java.security.KeyStore} instance using the 501acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * {@code AndroidKeyStore} provider. 502acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root */ 503acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root public Builder setAlias(String alias) { 504acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root if (alias == null) { 505acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root throw new NullPointerException("alias == null"); 506acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 507acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root mKeystoreAlias = alias; 508acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root return this; 509acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 510acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 511acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root /** 512cd2329dbfa5aef82c38ffa36a478bbaf5088af92Alex Klyubin * Sets the key type (e.g., EC, RSA) of the keypair to be created. 513a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root */ 5144d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public Builder setKeyType(@KeyStoreKeyProperties.AlgorithmEnum String keyType) 5154d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin throws NoSuchAlgorithmException { 516a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root if (keyType == null) { 517a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root throw new NullPointerException("keyType == null"); 518a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } else { 51921a76df55cf4b956f4d34f57c7b9e694d0363f54Alex Klyubin if (KeyStore.getKeyTypeForAlgorithm(keyType) == -1) { 520a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root throw new NoSuchAlgorithmException("Unsupported key type: " + keyType); 521a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 522a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 523a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root mKeyType = keyType; 524a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root return this; 525a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 526a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 527a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root /** 528a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * Sets the key size for the keypair to be created. For instance, for a 529a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * key type of RSA this will set the modulus size and for a key type of 530a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root * EC it will select a curve with a matching field size. 531a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root */ 532a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root public Builder setKeySize(int keySize) { 533a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root if (keySize < 0) { 534a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root throw new IllegalArgumentException("keySize < 0"); 535a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 536a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root mKeySize = keySize; 537a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root return this; 538a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 539a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 540a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root /** 541cd2329dbfa5aef82c38ffa36a478bbaf5088af92Alex Klyubin * Sets the algorithm-specific key generation parameters. For example, for RSA keys 542cd2329dbfa5aef82c38ffa36a478bbaf5088af92Alex Klyubin * this may be an instance of {@link java.security.spec.RSAKeyGenParameterSpec}. 543a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root */ 544a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root public Builder setAlgorithmParameterSpec(AlgorithmParameterSpec spec) { 545a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root if (spec == null) { 546a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root throw new NullPointerException("spec == null"); 547a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 548a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root mSpec = spec; 549a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root return this; 550a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root } 551a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root 552a39859889b7de0ad3190386cc732fa4bdcbe5504Kenny Root /** 553acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * Sets the subject used for the self-signed certificate of the 554acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * generated key pair. 55567d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * 55667d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * <p>The subject must be specified on API Level 55767d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * {@link android.os.Build.VERSION_CODES#LOLLIPOP_MR1 LOLLIPOP_MR1} and older platforms. On 55867d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * newer platforms the subject defaults to {@code CN=fake} if not specified. 559acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root */ 560acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root public Builder setSubject(X500Principal subject) { 561acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root if (subject == null) { 562acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root throw new NullPointerException("subject == null"); 563acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 564acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root mSubjectDN = subject; 565acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root return this; 566acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 567acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 568acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root /** 569acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * Sets the serial number used for the self-signed certificate of the 570acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * generated key pair. 57167d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * 57267d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * <p>The serial number must be specified on API Level 57367d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * {@link android.os.Build.VERSION_CODES#LOLLIPOP_MR1 LOLLIPOP_MR1} and older platforms. On 57467d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * newer platforms the serial number defaults to {@code 1} if not specified. 575acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root */ 576acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root public Builder setSerialNumber(BigInteger serialNumber) { 577acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root if (serialNumber == null) { 578acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root throw new NullPointerException("serialNumber == null"); 579acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 580acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root mSerialNumber = serialNumber; 581acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root return this; 582acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 583acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 584acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root /** 585acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * Sets the start of the validity period for the self-signed certificate 586acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * of the generated key pair. 58767d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * 58867d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * <p>The date must be specified on API Level 58967d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * {@link android.os.Build.VERSION_CODES#LOLLIPOP_MR1 LOLLIPOP_MR1} and older platforms. On 59067d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * newer platforms the date defaults to {@code Jan 1 1970} if not specified. 591acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root */ 592acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root public Builder setStartDate(Date startDate) { 593acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root if (startDate == null) { 594acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root throw new NullPointerException("startDate == null"); 595acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 596acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root mStartDate = startDate; 597acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root return this; 598acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 599acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 600acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root /** 601acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * Sets the end of the validity period for the self-signed certificate 602acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * of the generated key pair. 60367d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * 60467d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * <p>The date must be specified on API Level 60567d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * {@link android.os.Build.VERSION_CODES#LOLLIPOP_MR1 LOLLIPOP_MR1} and older platforms. On 60667d21aef98bbafd0def2cacc6254e644e911c8ddAlex Klyubin * newer platforms the date defaults to {@code Jan 1 2048} if not specified. 607acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root */ 608acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root public Builder setEndDate(Date endDate) { 609acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root if (endDate == null) { 610acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root throw new NullPointerException("endDate == null"); 611acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 612acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root mEndDate = endDate; 613acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root return this; 614acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 615acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root 616acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root /** 6172eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * Indicates that this key must be encrypted at rest on storage. Note 6182eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * that enabling this will require that the user enable a strong lock 6192eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * screen (e.g., PIN, password) before creating or using the generated 6202eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root * key is successful. 6212eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root */ 6222eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root public Builder setEncryptionRequired() { 6232eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root mFlags |= KeyStore.FLAG_ENCRYPTED; 6242eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root return this; 6252eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root } 6262eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root 6272eeda7286f3c7cb79f7eb71ae6464cad213d12a3Kenny Root /** 628855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * Sets the time instant before which the key is not yet valid. 629855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 6307882a7fcd4e236be1d569cdf657db2b072dfb28aAlex Klyubin * <p>By default, the key is valid at any instant. 631855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 632855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @see #setKeyValidityEnd(Date) 633855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 634855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin public Builder setKeyValidityStart(Date startDate) { 635855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyValidityStart = startDate; 636855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 637855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 638855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 639855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 640855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * Sets the time instant after which the key is no longer valid. 641855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 6427882a7fcd4e236be1d569cdf657db2b072dfb28aAlex Klyubin * <p>By default, the key is valid at any instant. 643855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 644855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @see #setKeyValidityStart(Date) 645855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @see #setKeyValidityForConsumptionEnd(Date) 646855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @see #setKeyValidityForOriginationEnd(Date) 647855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 648855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin public Builder setKeyValidityEnd(Date endDate) { 649855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin setKeyValidityForOriginationEnd(endDate); 650855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin setKeyValidityForConsumptionEnd(endDate); 651855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 652855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 653855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 654855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 655855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * Sets the time instant after which the key is no longer valid for encryption and signing. 656855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 6577882a7fcd4e236be1d569cdf657db2b072dfb28aAlex Klyubin * <p>By default, the key is valid at any instant. 658855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 659855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @see #setKeyValidityForConsumptionEnd(Date) 660855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 661855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin public Builder setKeyValidityForOriginationEnd(Date endDate) { 662855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyValidityForOriginationEnd = endDate; 663855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 664855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 665855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 666855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 667855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * Sets the time instant after which the key is no longer valid for decryption and 668855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * verification. 669855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 6707882a7fcd4e236be1d569cdf657db2b072dfb28aAlex Klyubin * <p>By default, the key is valid at any instant. 671855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 672855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @see #setKeyValidityForOriginationEnd(Date) 673855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 674855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin public Builder setKeyValidityForConsumptionEnd(Date endDate) { 675855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyValidityForConsumptionEnd = endDate; 676855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 677855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 678855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 679855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 6805927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Sets the set of purposes for which the key can be used. 681855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 6825927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * <p>This must be specified for all keys. There is no default. 683855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 6845927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin public Builder setPurposes(@KeyStoreKeyProperties.PurposeEnum int purposes) { 685855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mPurposes = purposes; 686855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 687855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 688855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 689855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 6905927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Sets the set of digests with which the key can be used when signing/verifying. Attempts 6915927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * to use the key with any other digest will be rejected. 6925927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * 6935927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * <p>This must be specified for keys which are used for signing/verification. 6945927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin */ 6954d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public Builder setDigests(@KeyStoreKeyProperties.DigestEnum String... digests) { 6965927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mDigests = ArrayUtils.cloneIfNotEmpty(digests); 6975927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin return this; 6985927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin } 6995927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin 7005927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin /** 7015927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Sets the set of padding schemes with which the key can be used when 7025927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * encrypting/decrypting. Attempts to use the key with any other padding scheme will be 7035927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * rejected. 704855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 7055927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * <p>This must be specified for keys which are used for encryption/decryption. 706855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 7074d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public Builder setEncryptionPaddings( 7084d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin @KeyStoreKeyProperties.EncryptionPaddingEnum String... paddings) { 7095927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mEncryptionPaddings = ArrayUtils.cloneIfNotEmpty(paddings); 710855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 711855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 712855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 713855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 7145927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Sets the set of padding schemes with which the key can be used when 7155927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * signing/verifying. Attempts to use the key with any other padding scheme will be 7165927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * rejected. 717855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 7185927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * <p>This must be specified for RSA keys which are used for signing/verification. 719855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 7204d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public Builder setSignaturePaddings( 7214d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin @KeyStoreKeyProperties.SignaturePaddingEnum String... paddings) { 7225927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mSignaturePaddings = ArrayUtils.cloneIfNotEmpty(paddings); 723855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 724855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 725855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 726855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 7275927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Sets the set of block modes with which the key can be used when encrypting/decrypting. 7285927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * Attempts to use the key with any other block modes will be rejected. 729855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 7305927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin * <p>This must be specified for encryption/decryption keys. 731855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 7324d5443f37f2bc58be8d22ed50024c39a5a1fbc8fAlex Klyubin public Builder setBlockModes(@KeyStoreKeyProperties.BlockModeEnum String... blockModes) { 7335927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mBlockModes = ArrayUtils.cloneIfNotEmpty(blockModes); 734855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 735855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 736855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 737855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 738f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * Sets whether encryption using this key must be sufficiently randomized to produce 739f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * different ciphertexts for the same plaintext every time. The formal cryptographic 740f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * property being required is <em>indistinguishability under chosen-plaintext attack 741f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * ({@code IND-CPA})</em>. This property is important because it mitigates several classes 742f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * of weaknesses due to which ciphertext may leak information about plaintext. For example, 743f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * if a given plaintext always produces the same ciphertext, an attacker may see the 744f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * repeated ciphertexts and be able to deduce something about the plaintext. 745f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * 746f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * <p>By default, {@code IND-CPA} is required. 747f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * 748f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * <p>When {@code IND-CPA} is required, encryption/decryption transformations which do not 749f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * offer {@code IND-CPA}, such as RSA without padding, are prohibited. 750f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * 751f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * <p>Before disabling this requirement, consider the following approaches instead: 752f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * <ul> 753f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * <li>If you are using RSA encryption without padding, consider switching to padding 754f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * schemes which offer {@code IND-CPA}, such as PKCS#1 or OAEP.</li> 755f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin * </ul> 756f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin */ 757f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin public Builder setRandomizedEncryptionRequired(boolean required) { 758f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin mRandomizedEncryptionRequired = required; 759f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin return this; 760f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin } 761f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin 762f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin /** 7631eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * Sets whether user authentication is required to use this key. 764855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 765855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * <p>By default, the key can be used without user authentication. 766855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 7671eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * <p>When user authentication is required, the user authorizes the use of the key by 7681eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * authenticating to this Android device using a subset of their secure lock screen 7691eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * credentials. Different authentication methods are used depending on whether the every 7701eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * use of the key must be authenticated (as specified by 7711eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * {@link #setUserAuthenticationValidityDurationSeconds(int)}). 7721eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * <a href="{@docRoot}training/articles/keystore.html#UserAuthentication">More 7731eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * information</a>. 7741eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * 775855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * <p>This restriction applies only to private key operations. Public key operations are not 776855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * restricted. 777855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 778855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @see #setUserAuthenticationValidityDurationSeconds(int) 779855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 7801eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin public Builder setUserAuthenticationRequired(boolean required) { 7811eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin mUserAuthenticationRequired = required; 782855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 783855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 784855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 785855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 7861eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * Sets the duration of time (seconds) for which this key can be used after the user is 7871eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * successfully authenticated. This has effect only if user authentication is required. 788855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 789855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * <p>By default, the user needs to authenticate for every use of the key. 790855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 791855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * <p>This restriction applies only to private key operations. Public key operations are not 792855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * restricted. 793855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 794855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * @param seconds duration in seconds or {@code 0} if the user needs to authenticate for 795855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * every use of the key. 796855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin * 7971eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * @see #setUserAuthenticationRequired(boolean) 798855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin */ 799855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin public Builder setUserAuthenticationValidityDurationSeconds(int seconds) { 800855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mUserAuthenticationValidityDurationSeconds = seconds; 801855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return this; 802855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin } 803855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin 804855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin /** 8051c219f619291ba818bc2542390a2988539d94ed0Kenny Root * Builds the instance of the {@code KeyPairGeneratorSpec}. 806acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * 807acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root * @throws IllegalArgumentException if a required field is missing 8081c219f619291ba818bc2542390a2988539d94ed0Kenny Root * @return built instance of {@code KeyPairGeneratorSpec} 809acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root */ 8101c219f619291ba818bc2542390a2988539d94ed0Kenny Root public KeyPairGeneratorSpec build() { 811855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin return new KeyPairGeneratorSpec(mContext, 812855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeystoreAlias, 813855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyType, 814855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeySize, 815855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mSpec, 816855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mSubjectDN, 817855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mSerialNumber, 818855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mStartDate, 819855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mEndDate, 820855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mFlags, 821855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyValidityStart, 822855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyValidityForOriginationEnd, 823855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mKeyValidityForConsumptionEnd, 824855fa31eb5ff68d131f3e496920594d875841cb0Alex Klyubin mPurposes, 825c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin mDigests, 8265927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mEncryptionPaddings, 8275927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mSignaturePaddings, 828c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin mBlockModes, 829f853f649981ed3cf2f1fbf1363a0932e9736daf6Alex Klyubin mRandomizedEncryptionRequired, 8301eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin mUserAuthenticationRequired, 8311eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin mUserAuthenticationValidityDurationSeconds); 832acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 833acb0b5b220b2cb15f5a800a356bb25f47252a6eaKenny Root } 834db026710ec0adcf7f72dfb24c65d38a882ee26d8Kenny Root} 835