1cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin/* 2cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * Copyright (C) 2015 The Android Open Source Project 3cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * 4cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * Licensed under the Apache License, Version 2.0 (the "License"); 5cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * you may not use this file except in compliance with the License. 6cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * You may obtain a copy of the License at 7cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * 8cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * http://www.apache.org/licenses/LICENSE-2.0 9cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * 10cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * Unless required by applicable law or agreed to in writing, software 11cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * distributed under the License is distributed on an "AS IS" BASIS, 12cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * See the License for the specific language governing permissions and 14cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin * limitations under the License. 15cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin */ 16cc21bb3a56915842b545a577d3481047005b1764Alex Klyubin 173f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubinpackage android.security.keystore; 18acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 1954bb1596e470144932943046ec7a99551d020ba0Alex Klyubinimport android.annotation.NonNull; 2054bb1596e470144932943046ec7a99551d020ba0Alex Klyubinimport android.annotation.Nullable; 2154bb1596e470144932943046ec7a99551d020ba0Alex Klyubin 22eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubinimport java.security.PrivateKey; 23acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubinimport java.security.spec.KeySpec; 24acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubinimport java.util.Date; 25acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 26eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubinimport javax.crypto.SecretKey; 27eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin 28acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin/** 29acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * Information about a key from the <a href="{@docRoot}training/articles/keystore.html">Android 303f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * Keystore system</a>. This class describes whether the key material is available in 31eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * plaintext outside of secure hardware, whether user authentication is required for using the key 32eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * and whether this requirement is enforced by secure hardware, the key's origin, what uses the key 33a5e21f0ee2fbf3a6f03e31fca8da459e1fe9e213Alex Klyubin * is authorized for (e.g., only in {@code GCM} mode, or signing only), whether the key should be 34eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * encrypted at rest, the key's and validity start and end dates. 35eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * 36ffdfb57931d1189feef51c4baa866d07265976a3Alex Klyubin * <p>Instances of this class are immutable. 37ffdfb57931d1189feef51c4baa866d07265976a3Alex Klyubin * 38eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * <p><h3>Example: Symmetric Key</h3> 393f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * The following example illustrates how to obtain a {@code KeyInfo} describing the provided Android 403f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * Keystore {@link SecretKey}. 419498e8a8d2deb7b0a2e964d5d3c5d3b8747610e9Neil Fuller * <pre>{@code 423f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * SecretKey key = ...; // Android Keystore key 43eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * 44eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore"); 453f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * KeyInfo keyInfo; 469498e8a8d2deb7b0a2e964d5d3c5d3b8747610e9Neil Fuller * try { 473f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * keyInfo = (KeyInfo) factory.getKeySpec(key, KeyInfo.class); 489498e8a8d2deb7b0a2e964d5d3c5d3b8747610e9Neil Fuller * } catch (InvalidKeySpecException e) { 49eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * // Not an Android KeyStore key. 509498e8a8d2deb7b0a2e964d5d3c5d3b8747610e9Neil Fuller * }}</pre> 51eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * 52eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * <p><h3>Example: Private Key</h3> 533f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * The following example illustrates how to obtain a {@code KeyInfo} describing the provided 54eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * Android KeyStore {@link PrivateKey}. 559498e8a8d2deb7b0a2e964d5d3c5d3b8747610e9Neil Fuller * <pre>{@code 56eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * PrivateKey key = ...; // Android KeyStore key 57eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * 58eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore"); 593f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * KeyInfo keyInfo; 609498e8a8d2deb7b0a2e964d5d3c5d3b8747610e9Neil Fuller * try { 613f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * keyInfo = factory.getKeySpec(key, KeyInfo.class); 629498e8a8d2deb7b0a2e964d5d3c5d3b8747610e9Neil Fuller * } catch (InvalidKeySpecException e) { 63eedda45ad7d829b4d65936d33e8aa6fa9c9c1ecdAlex Klyubin * // Not an Android KeyStore key. 649498e8a8d2deb7b0a2e964d5d3c5d3b8747610e9Neil Fuller * }}</pre> 65acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 663f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubinpublic class KeyInfo implements KeySpec { 67acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin private final String mKeystoreAlias; 68acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin private final int mKeySize; 69eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin private final boolean mInsideSecureHardware; 703f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin private final @KeyProperties.OriginEnum int mOrigin; 71acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin private final Date mKeyValidityStart; 72acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin private final Date mKeyValidityForOriginationEnd; 73acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin private final Date mKeyValidityForConsumptionEnd; 743f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin private final @KeyProperties.PurposeEnum int mPurposes; 753f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin private final @KeyProperties.EncryptionPaddingEnum String[] mEncryptionPaddings; 763f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin private final @KeyProperties.SignaturePaddingEnum String[] mSignaturePaddings; 773f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin private final @KeyProperties.DigestEnum String[] mDigests; 783f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin private final @KeyProperties.BlockModeEnum String[] mBlockModes; 791eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin private final boolean mUserAuthenticationRequired; 80c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin private final int mUserAuthenticationValidityDurationSeconds; 81eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin private final boolean mUserAuthenticationRequirementEnforcedBySecureHardware; 82adef49640d6339e6b4a6ad736c5815e35d9b8803Shawn Willden private final boolean mUserAuthenticationValidWhileOnBody; 83fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb private final boolean mTrustedUserPresenceRequired; 84c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden private final boolean mInvalidatedByBiometricEnrollment; 85a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen private final boolean mUserConfirmationRequired; 86acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 87acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 88acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * @hide 89acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 903f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin public KeyInfo(String keystoreKeyAlias, 91eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin boolean insideSecureHardware, 923f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin @KeyProperties.OriginEnum int origin, 93c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin int keySize, 94c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin Date keyValidityStart, 95c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin Date keyValidityForOriginationEnd, 96acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin Date keyValidityForConsumptionEnd, 973f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin @KeyProperties.PurposeEnum int purposes, 983f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin @KeyProperties.EncryptionPaddingEnum String[] encryptionPaddings, 993f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin @KeyProperties.SignaturePaddingEnum String[] signaturePaddings, 1003f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin @KeyProperties.DigestEnum String[] digests, 1013f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin @KeyProperties.BlockModeEnum String[] blockModes, 1021eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin boolean userAuthenticationRequired, 1031620a65d32251ca058b60cb2751394e9ee1f0019Alex Klyubin int userAuthenticationValidityDurationSeconds, 104adef49640d6339e6b4a6ad736c5815e35d9b8803Shawn Willden boolean userAuthenticationRequirementEnforcedBySecureHardware, 105c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden boolean userAuthenticationValidWhileOnBody, 106fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb boolean trustedUserPresenceRequired, 107a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen boolean invalidatedByBiometricEnrollment, 108a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen boolean userConfirmationRequired) { 109acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin mKeystoreAlias = keystoreKeyAlias; 110eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin mInsideSecureHardware = insideSecureHardware; 111acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin mOrigin = origin; 112acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin mKeySize = keySize; 113ffdfb57931d1189feef51c4baa866d07265976a3Alex Klyubin mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart); 114ffdfb57931d1189feef51c4baa866d07265976a3Alex Klyubin mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd); 115ffdfb57931d1189feef51c4baa866d07265976a3Alex Klyubin mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd); 116acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin mPurposes = purposes; 1175927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mEncryptionPaddings = 1185927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(encryptionPaddings)); 1195927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mSignaturePaddings = 1205927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(signaturePaddings)); 1215927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mDigests = ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(digests)); 1225927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin mBlockModes = ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(blockModes)); 1231eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin mUserAuthenticationRequired = userAuthenticationRequired; 124acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds; 125eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin mUserAuthenticationRequirementEnforcedBySecureHardware = 126eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin userAuthenticationRequirementEnforcedBySecureHardware; 127adef49640d6339e6b4a6ad736c5815e35d9b8803Shawn Willden mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody; 128fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb mTrustedUserPresenceRequired = trustedUserPresenceRequired; 129c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment; 130a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen mUserConfirmationRequired = userConfirmationRequired; 131acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 132acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 133acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 134acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * Gets the entry alias under which the key is stored in the {@code AndroidKeyStore}. 135acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 136acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin public String getKeystoreAlias() { 137acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin return mKeystoreAlias; 138acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 139acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 140acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 141eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin * Returns {@code true} if the key resides inside secure hardware (e.g., Trusted Execution 142eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin * Environment (TEE) or Secure Element (SE)). Key material of such keys is available in 143eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin * plaintext only inside the secure hardware and is not exposed outside of it. 144b503c52f07ff658b9192411580151eb746408d5aAlex Klyubin */ 145eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin public boolean isInsideSecureHardware() { 146eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin return mInsideSecureHardware; 147b503c52f07ff658b9192411580151eb746408d5aAlex Klyubin } 148b503c52f07ff658b9192411580151eb746408d5aAlex Klyubin 149b503c52f07ff658b9192411580151eb746408d5aAlex Klyubin /** 1503f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * Gets the origin of the key. See {@link KeyProperties}.{@code ORIGIN} constants. 151acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 1523f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin public @KeyProperties.OriginEnum int getOrigin() { 153acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin return mOrigin; 154acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 155acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 156acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 157c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin * Gets the size of the key in bits. 158acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 159acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin public int getKeySize() { 160acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin return mKeySize; 161acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 162acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 163acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 164acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * Gets the time instant before which the key is not yet valid. 165acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * 166acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * @return instant or {@code null} if not restricted. 167acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 16854bb1596e470144932943046ec7a99551d020ba0Alex Klyubin @Nullable 169acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin public Date getKeyValidityStart() { 170ffdfb57931d1189feef51c4baa866d07265976a3Alex Klyubin return Utils.cloneIfNotNull(mKeyValidityStart); 171acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 172acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 173acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 174acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * Gets the time instant after which the key is no long valid for decryption and verification. 175acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * 176acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * @return instant or {@code null} if not restricted. 177acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 17854bb1596e470144932943046ec7a99551d020ba0Alex Klyubin @Nullable 179acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin public Date getKeyValidityForConsumptionEnd() { 180ffdfb57931d1189feef51c4baa866d07265976a3Alex Klyubin return Utils.cloneIfNotNull(mKeyValidityForConsumptionEnd); 181acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 182acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 183acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 184acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * Gets the time instant after which the key is no long valid for encryption and signing. 185acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * 186acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * @return instant or {@code null} if not restricted. 187acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 18854bb1596e470144932943046ec7a99551d020ba0Alex Klyubin @Nullable 189acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin public Date getKeyValidityForOriginationEnd() { 190ffdfb57931d1189feef51c4baa866d07265976a3Alex Klyubin return Utils.cloneIfNotNull(mKeyValidityForOriginationEnd); 191acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 192acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 193acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 194622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used. 195622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * Attempts to use the key for any other purpose will be rejected. 196e3049dc953acd5d477c159be8e8b0548bae60cabAlex Klyubin * 1973f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * <p>See {@link KeyProperties}.{@code PURPOSE} flags. 198acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 1993f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin public @KeyProperties.PurposeEnum int getPurposes() { 200acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin return mPurposes; 201acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 202acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 203acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 204a5e21f0ee2fbf3a6f03e31fca8da459e1fe9e213Alex Klyubin * Gets the set of block modes (e.g., {@code GCM}, {@code CBC}) with which the key can be used 205622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * when encrypting/decrypting. Attempts to use the key with any other block modes will be 206622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * rejected. 207e3049dc953acd5d477c159be8e8b0548bae60cabAlex Klyubin * 2083f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * <p>See {@link KeyProperties}.{@code BLOCK_MODE} constants. 209acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 21054bb1596e470144932943046ec7a99551d020ba0Alex Klyubin @NonNull 2113f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin public @KeyProperties.BlockModeEnum String[] getBlockModes() { 2125927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin return ArrayUtils.cloneIfNotEmpty(mBlockModes); 213acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 214acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 215acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 216622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code PKCS1Padding}, 217622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to use 218622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * the key with any other padding scheme will be rejected. 219e3049dc953acd5d477c159be8e8b0548bae60cabAlex Klyubin * 2203f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * <p>See {@link KeyProperties}.{@code ENCRYPTION_PADDING} constants. 221acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 22254bb1596e470144932943046ec7a99551d020ba0Alex Klyubin @NonNull 2233f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin public @KeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() { 2245927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin return ArrayUtils.cloneIfNotEmpty(mEncryptionPaddings); 225acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 226acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 227acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 228622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * Gets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key 229622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * can be used when signing/verifying. Attempts to use the key with any other padding scheme 230622fd932fd33c6e86c86c8a24082674ad077a810Alex Klyubin * will be rejected. 231e3049dc953acd5d477c159be8e8b0548bae60cabAlex Klyubin * 2323f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * <p>See {@link KeyProperties}.{@code SIGNATURE_PADDING} constants. 233acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 23454bb1596e470144932943046ec7a99551d020ba0Alex Klyubin @NonNull 2353f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin public @KeyProperties.SignaturePaddingEnum String[] getSignaturePaddings() { 2365927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin return ArrayUtils.cloneIfNotEmpty(mSignaturePaddings); 237acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 238acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 239acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 240e3049dc953acd5d477c159be8e8b0548bae60cabAlex Klyubin * Gets the set of digest algorithms (e.g., {@code SHA-256}, {@code SHA-384}) with which the key 241e3049dc953acd5d477c159be8e8b0548bae60cabAlex Klyubin * can be used. 242e3049dc953acd5d477c159be8e8b0548bae60cabAlex Klyubin * 2433f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin * <p>See {@link KeyProperties}.{@code DIGEST} constants. 244acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 24554bb1596e470144932943046ec7a99551d020ba0Alex Klyubin @NonNull 2463f8d4d840894468f2be8a5b56ff266cef2d71c50Alex Klyubin public @KeyProperties.DigestEnum String[] getDigests() { 2475927c9f1b12f597839a664c1c6593114175cbcd8Alex Klyubin return ArrayUtils.cloneIfNotEmpty(mDigests); 248acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 249acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 250acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 25183cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * Returns {@code true} if the key is authorized to be used only if the user has been 25283cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * authenticated. 25383cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * 25483cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * <p>This authorization applies only to secret key and private key operations. Public key 25583cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * operations are not restricted. 256acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * 2571eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * @see #getUserAuthenticationValidityDurationSeconds() 25883cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * @see KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean) 25983cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * @see KeyProtection.Builder#setUserAuthenticationRequired(boolean) 260acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 2611eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin public boolean isUserAuthenticationRequired() { 2621eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin return mUserAuthenticationRequired; 263acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 264acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin 265acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin /** 266a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * Returns {@code true} if the key is authorized to be used only for messages confirmed by the 267a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * user. 268a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * 269a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * Confirmation is separate from user authentication (see 270a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * {@link #isUserAuthenticationRequired()}). Keys can be created that require confirmation but 271a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * not user authentication, or user authentication but not confirmation, or both. Confirmation 272a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * verifies that some user with physical possession of the device has approved a displayed 273a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * message. User authentication verifies that the correct user is present and has 274a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * authenticated. 275a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * 276a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * <p>This authorization applies only to secret key and private key operations. Public key 277a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * operations are not restricted. 278a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * 279a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * @see KeyGenParameterSpec.Builder#setUserConfirmationRequired(boolean) 280a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen * @see KeyProtection.Builder#setUserConfirmationRequired(boolean) 281a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen */ 282a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen public boolean isUserConfirmationRequired() { 283a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen return mUserConfirmationRequired; 284a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen } 285a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen 286a8e8b659d0a872c9221e70b94c094cb6bff0508aDavid Zeuthen /** 28783cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * Gets the duration of time (seconds) for which this key is authorized to be used after the 28883cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * user is successfully authenticated. This has effect only if user authentication is required 28983cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * (see {@link #isUserAuthenticationRequired()}). 29083cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * 29183cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * <p>This authorization applies only to secret key and private key operations. Public key 29283cc7a347f4775821ebeed04a2244b8b847be516Alex Klyubin * operations are not restricted. 293acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin * 29427dd1a22275e92afed612655822438ab3df15356Alex Klyubin * @return duration in seconds or {@code -1} if authentication is required for every use of the 29527dd1a22275e92afed612655822438ab3df15356Alex Klyubin * key. 2961eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * 2971eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * @see #isUserAuthenticationRequired() 298acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin */ 299c46e9e7da4558f6bc99262361fd1ca35c3a44090Alex Klyubin public int getUserAuthenticationValidityDurationSeconds() { 300acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin return mUserAuthenticationValidityDurationSeconds; 301acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin } 3022ea13d42689ab10456a575772d069c91ae9b6075Alex Klyubin 3032ea13d42689ab10456a575772d069c91ae9b6075Alex Klyubin /** 3041eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * Returns {@code true} if the requirement that this key can only be used if the user has been 305d9dded5a46bb26f621d9da9334dd982217645e93Alex Klyubin * authenticated is enforced by secure hardware (e.g., Trusted Execution Environment (TEE) or 306eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin * Secure Element (SE)). 3072ea13d42689ab10456a575772d069c91ae9b6075Alex Klyubin * 3081eda77ae2122e2b85084eb429fbeecec0b9962e5Alex Klyubin * @see #isUserAuthenticationRequired() 3092ea13d42689ab10456a575772d069c91ae9b6075Alex Klyubin */ 310eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin public boolean isUserAuthenticationRequirementEnforcedBySecureHardware() { 311eae1da7788f0f9f37fa142a2df34bfaec1f4253eAlex Klyubin return mUserAuthenticationRequirementEnforcedBySecureHardware; 3122ea13d42689ab10456a575772d069c91ae9b6075Alex Klyubin } 313adef49640d6339e6b4a6ad736c5815e35d9b8803Shawn Willden 314adef49640d6339e6b4a6ad736c5815e35d9b8803Shawn Willden /** 31526e8d553e52055955db83061c5799ba4439ebe1bShawn Willden * Returns {@code true} if this key will become unusable when the device is removed from the 31626e8d553e52055955db83061c5799ba4439ebe1bShawn Willden * user's body. This is possible only for keys with a specified validity duration, and only on 31726e8d553e52055955db83061c5799ba4439ebe1bShawn Willden * devices with an on-body sensor. Always returns {@code false} on devices that lack an on-body 31826e8d553e52055955db83061c5799ba4439ebe1bShawn Willden * sensor. 319adef49640d6339e6b4a6ad736c5815e35d9b8803Shawn Willden */ 320adef49640d6339e6b4a6ad736c5815e35d9b8803Shawn Willden public boolean isUserAuthenticationValidWhileOnBody() { 321adef49640d6339e6b4a6ad736c5815e35d9b8803Shawn Willden return mUserAuthenticationValidWhileOnBody; 322adef49640d6339e6b4a6ad736c5815e35d9b8803Shawn Willden } 323c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden 324c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden /** 325c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden * Returns {@code true} if the key will be invalidated by enrollment of a new fingerprint or 326c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden * removal of all fingerprints. 327c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden */ 328c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden public boolean isInvalidatedByBiometricEnrollment() { 329c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden return mInvalidatedByBiometricEnrollment; 330c38eae5229a820966008ae1885af90cd27c265e7Shawn Willden } 331fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb 332fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb /** 333fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb * Returns {@code true} if the key can only be only be used if a test for user presence has 334fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb * succeeded since Signature.initSign() has been called. 335fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb */ 336fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb public boolean isTrustedUserPresenceRequired() { 337fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb return mTrustedUserPresenceRequired; 338fcd05a94ef0642857abcd0e7746c40d601a787e7Allen Webb } 339acc835f3857c1a1bf2618fabb7307794aba5d76aAlex Klyubin} 340