1 /* 2 * Copyright (C) 2012 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.security.keystore; 18 19 import android.annotation.IntRange; 20 import android.annotation.NonNull; 21 import android.annotation.Nullable; 22 import android.annotation.SystemApi; 23 import android.annotation.TestApi; 24 import android.app.KeyguardManager; 25 import android.compat.annotation.UnsupportedAppUsage; 26 import android.hardware.biometrics.BiometricManager; 27 import android.hardware.biometrics.BiometricPrompt; 28 import android.os.Build; 29 import android.security.GateKeeper; 30 import android.text.TextUtils; 31 32 import java.math.BigInteger; 33 import java.security.KeyPairGenerator; 34 import java.security.Signature; 35 import java.security.cert.Certificate; 36 import java.security.spec.AlgorithmParameterSpec; 37 import java.util.Date; 38 39 import javax.crypto.Cipher; 40 import javax.crypto.KeyGenerator; 41 import javax.crypto.Mac; 42 import javax.security.auth.x500.X500Principal; 43 44 /** 45 * {@link AlgorithmParameterSpec} for initializing a {@link KeyPairGenerator} or a 46 * {@link KeyGenerator} of the <a href="{@docRoot}training/articles/keystore.html">Android Keystore 47 * system</a>. The spec determines authorized uses of the key, such as whether user authentication 48 * is required for using the key, what operations are authorized (e.g., signing, but not 49 * decryption), with what parameters (e.g., only with a particular padding scheme or digest), and 50 * the key's validity start and end dates. Key use authorizations expressed in the spec apply 51 * only to secret keys and private keys -- public keys can be used for any supported operations. 52 * 53 * <p>To generate an asymmetric key pair or a symmetric key, create an instance of this class using 54 * the {@link Builder}, initialize a {@code KeyPairGenerator} or a {@code KeyGenerator} of the 55 * desired key type (e.g., {@code EC} or {@code AES} -- see 56 * {@link KeyProperties}.{@code KEY_ALGORITHM} constants) from the {@code AndroidKeyStore} provider 57 * with the {@code KeyGenParameterSpec} instance, and then generate a key or key pair using 58 * {@link KeyGenerator#generateKey()} or {@link KeyPairGenerator#generateKeyPair()}. 59 * 60 * <p>The generated key pair or key will be returned by the generator and also stored in the Android 61 * Keystore under the alias specified in this spec. To obtain the secret or private key from the 62 * Android Keystore use {@link java.security.KeyStore#getKey(String, char[]) KeyStore.getKey(String, null)} 63 * or {@link java.security.KeyStore#getEntry(String, java.security.KeyStore.ProtectionParameter) KeyStore.getEntry(String, null)}. 64 * To obtain the public key from the Android Keystore use 65 * {@link java.security.KeyStore#getCertificate(String)} and then 66 * {@link Certificate#getPublicKey()}. 67 * 68 * <p>To help obtain algorithm-specific public parameters of key pairs stored in the Android 69 * Keystore, generated private keys implement {@link java.security.interfaces.ECKey} or 70 * {@link java.security.interfaces.RSAKey} interfaces whereas public keys implement 71 * {@link java.security.interfaces.ECPublicKey} or {@link java.security.interfaces.RSAPublicKey} 72 * interfaces. 73 * 74 * <p>For asymmetric key pairs, a self-signed X.509 certificate will be also generated and stored in 75 * the Android Keystore. This is because the {@link java.security.KeyStore} abstraction does not 76 * support storing key pairs without a certificate. The subject, serial number, and validity dates 77 * of the certificate can be customized in this spec. The self-signed certificate may be replaced at 78 * a later time by a certificate signed by a Certificate Authority (CA). 79 * 80 * <p>NOTE: If a private key is not authorized to sign the self-signed certificate, then the 81 * certificate will be created with an invalid signature which will not verify. Such a certificate 82 * is still useful because it provides access to the public key. To generate a valid signature for 83 * the certificate the key needs to be authorized for all of the following: 84 * <ul> 85 * <li>{@link KeyProperties#PURPOSE_SIGN},</li> 86 * <li>operation without requiring the user to be authenticated (see 87 * {@link Builder#setUserAuthenticationRequired(boolean)}),</li> 88 * <li>signing/origination at this moment in time (see {@link Builder#setKeyValidityStart(Date)} 89 * and {@link Builder#setKeyValidityForOriginationEnd(Date)}),</li> 90 * <li>suitable digest,</li> 91 * <li>(RSA keys only) padding scheme {@link KeyProperties#SIGNATURE_PADDING_RSA_PKCS1}.</li> 92 * </ul> 93 * 94 * <p>NOTE: The key material of the generated symmetric and private keys is not accessible. The key 95 * material of the public keys is accessible. 96 * 97 * <p>Instances of this class are immutable. 98 * 99 * <p><h3>Known issues</h3> 100 * A known bug in Android 6.0 (API Level 23) causes user authentication-related authorizations to be 101 * enforced even for public keys. To work around this issue extract the public key material to use 102 * outside of Android Keystore. For example: 103 * <pre> {@code 104 * PublicKey unrestrictedPublicKey = 105 * KeyFactory.getInstance(publicKey.getAlgorithm()).generatePublic( 106 * new X509EncodedKeySpec(publicKey.getEncoded())); 107 * }</pre> 108 * 109 * <p><h3>Example: NIST P-256 EC key pair for signing/verification using ECDSA</h3> 110 * This example illustrates how to generate a NIST P-256 (aka secp256r1 aka prime256v1) EC key pair 111 * in the Android KeyStore system under alias {@code key1} where the private key is authorized to be 112 * used only for signing using SHA-256, SHA-384, or SHA-512 digest and only if the user has been 113 * authenticated within the last five minutes. The use of the public key is unrestricted (See Known 114 * Issues). 115 * <pre> {@code 116 * KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( 117 * KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore"); 118 * keyPairGenerator.initialize( 119 * new KeyGenParameterSpec.Builder( 120 * "key1", 121 * KeyProperties.PURPOSE_SIGN) 122 * .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1")) 123 * .setDigests(KeyProperties.DIGEST_SHA256, 124 * KeyProperties.DIGEST_SHA384, 125 * KeyProperties.DIGEST_SHA512) 126 * // Only permit the private key to be used if the user authenticated 127 * // within the last five minutes. 128 * .setUserAuthenticationRequired(true) 129 * .setUserAuthenticationValidityDurationSeconds(5 * 60) 130 * .build()); 131 * KeyPair keyPair = keyPairGenerator.generateKeyPair(); 132 * Signature signature = Signature.getInstance("SHA256withECDSA"); 133 * signature.initSign(keyPair.getPrivate()); 134 * ... 135 * 136 * // The key pair can also be obtained from the Android Keystore any time as follows: 137 * KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore"); 138 * keyStore.load(null); 139 * PrivateKey privateKey = (PrivateKey) keyStore.getKey("key1", null); 140 * PublicKey publicKey = keyStore.getCertificate("key1").getPublicKey(); 141 * }</pre> 142 * 143 * <p><h3>Example: RSA key pair for signing/verification using RSA-PSS</h3> 144 * This example illustrates how to generate an RSA key pair in the Android KeyStore system under 145 * alias {@code key1} authorized to be used only for signing using the RSA-PSS signature padding 146 * scheme with SHA-256 or SHA-512 digests. The use of the public key is unrestricted. 147 * <pre> {@code 148 * KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( 149 * KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore"); 150 * keyPairGenerator.initialize( 151 * new KeyGenParameterSpec.Builder( 152 * "key1", 153 * KeyProperties.PURPOSE_SIGN) 154 * .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) 155 * .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PSS) 156 * .build()); 157 * KeyPair keyPair = keyPairGenerator.generateKeyPair(); 158 * Signature signature = Signature.getInstance("SHA256withRSA/PSS"); 159 * signature.initSign(keyPair.getPrivate()); 160 * ... 161 * 162 * // The key pair can also be obtained from the Android Keystore any time as follows: 163 * KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore"); 164 * keyStore.load(null); 165 * PrivateKey privateKey = (PrivateKey) keyStore.getKey("key1", null); 166 * PublicKey publicKey = keyStore.getCertificate("key1").getPublicKey(); 167 * }</pre> 168 * 169 * <p><h3>Example: RSA key pair for encryption/decryption using RSA OAEP</h3> 170 * This example illustrates how to generate an RSA key pair in the Android KeyStore system under 171 * alias {@code key1} where the private key is authorized to be used only for decryption using RSA 172 * OAEP encryption padding scheme with SHA-256 or SHA-512 digests. The use of the public key is 173 * unrestricted. 174 * <pre> {@code 175 * KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( 176 * KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore"); 177 * keyPairGenerator.initialize( 178 * new KeyGenParameterSpec.Builder( 179 * "key1", 180 * KeyProperties.PURPOSE_DECRYPT) 181 * .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) 182 * .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP) 183 * .build()); 184 * KeyPair keyPair = keyPairGenerator.generateKeyPair(); 185 * Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding"); 186 * cipher.init(Cipher.DECRYPT_MODE, keyPair.getPrivate()); 187 * ... 188 * 189 * // The key pair can also be obtained from the Android Keystore any time as follows: 190 * KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore"); 191 * keyStore.load(null); 192 * PrivateKey privateKey = (PrivateKey) keyStore.getKey("key1", null); 193 * PublicKey publicKey = keyStore.getCertificate("key1").getPublicKey(); 194 * }</pre> 195 * 196 * <p><h3>Example: AES key for encryption/decryption in GCM mode</h3> 197 * The following example illustrates how to generate an AES key in the Android KeyStore system under 198 * alias {@code key2} authorized to be used only for encryption/decryption in GCM mode with no 199 * padding. 200 * <pre> {@code 201 * KeyGenerator keyGenerator = KeyGenerator.getInstance( 202 * KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"); 203 * keyGenerator.init( 204 * new KeyGenParameterSpec.Builder("key2", 205 * KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) 206 * .setBlockModes(KeyProperties.BLOCK_MODE_GCM) 207 * .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) 208 * .build()); 209 * SecretKey key = keyGenerator.generateKey(); 210 * 211 * Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); 212 * cipher.init(Cipher.ENCRYPT_MODE, key); 213 * ... 214 * 215 * // The key can also be obtained from the Android Keystore any time as follows: 216 * KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore"); 217 * keyStore.load(null); 218 * key = (SecretKey) keyStore.getKey("key2", null); 219 * }</pre> 220 * 221 * <p><h3>Example: HMAC key for generating a MAC using SHA-256</h3> 222 * This example illustrates how to generate an HMAC key in the Android KeyStore system under alias 223 * {@code key2} authorized to be used only for generating an HMAC using SHA-256. 224 * <pre> {@code 225 * KeyGenerator keyGenerator = KeyGenerator.getInstance( 226 * KeyProperties.KEY_ALGORITHM_HMAC_SHA256, "AndroidKeyStore"); 227 * keyGenerator.init( 228 * new KeyGenParameterSpec.Builder("key2", KeyProperties.PURPOSE_SIGN).build()); 229 * SecretKey key = keyGenerator.generateKey(); 230 * Mac mac = Mac.getInstance("HmacSHA256"); 231 * mac.init(key); 232 * ... 233 * 234 * // The key can also be obtained from the Android Keystore any time as follows: 235 * KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore"); 236 * keyStore.load(null); 237 * key = (SecretKey) keyStore.getKey("key2", null); 238 * }</pre> 239 * 240 * <p><h3 id="example:ecdh">Example: EC key for ECDH key agreement</h3> 241 * This example illustrates how to generate an elliptic curve key pair, used to establish a shared 242 * secret with another party using ECDH key agreement. 243 * <pre> {@code 244 * KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( 245 * KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore"); 246 * keyPairGenerator.initialize( 247 * new KeyGenParameterSpec.Builder( 248 * "eckeypair", 249 * KeyProperties.PURPOSE_AGREE_KEY) 250 * .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1")) 251 * .build()); 252 * KeyPair myKeyPair = keyPairGenerator.generateKeyPair(); 253 * 254 * // Exchange public keys with server. A new ephemeral key MUST be used for every message. 255 * PublicKey serverEphemeralPublicKey; // Ephemeral key received from server. 256 * 257 * // Create a shared secret based on our private key and the other party's public key. 258 * KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH", "AndroidKeyStore"); 259 * keyAgreement.init(myKeyPair.getPrivate()); 260 * keyAgreement.doPhase(serverEphemeralPublicKey, true); 261 * byte[] sharedSecret = keyAgreement.generateSecret(); 262 * 263 * // sharedSecret cannot safely be used as a key yet. We must run it through a key derivation 264 * // function with some other data: "salt" and "info". Salt is an optional random value, 265 * // omitted in this example. It's good practice to include both public keys and any other 266 * // key negotiation data in info. Here we use the public keys and a label that indicates 267 * // messages encrypted with this key are coming from the server. 268 * byte[] salt = {}; 269 * ByteArrayOutputStream info = new ByteArrayOutputStream(); 270 * info.write("ECDH secp256r1 AES-256-GCM-SIV\0".getBytes(StandardCharsets.UTF_8)); 271 * info.write(myKeyPair.getPublic().getEncoded()); 272 * info.write(serverEphemeralPublicKey.getEncoded()); 273 * 274 * // This example uses the Tink library and the HKDF key derivation function. 275 * AesGcmSiv key = new AesGcmSiv(Hkdf.computeHkdf( 276 * "HMACSHA256", sharedSecret, salt, info.toByteArray(), 32)); 277 * byte[] associatedData = {}; 278 * return key.decrypt(ciphertext, associatedData); 279 * } 280 */ 281 public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAuthArgs { 282 private static final X500Principal DEFAULT_ATTESTATION_CERT_SUBJECT = 283 new X500Principal("CN=Android Keystore Key"); 284 private static final X500Principal DEFAULT_SELF_SIGNED_CERT_SUBJECT = 285 new X500Principal("CN=Fake"); 286 private static final BigInteger DEFAULT_CERT_SERIAL_NUMBER = new BigInteger("1"); 287 private static final Date DEFAULT_CERT_NOT_BEFORE = new Date(0L); // Jan 1 1970 288 private static final Date DEFAULT_CERT_NOT_AFTER = new Date(2461449600000L); // Jan 1 2048 289 290 private final String mKeystoreAlias; 291 private final @KeyProperties.Namespace int mNamespace; 292 private final int mKeySize; 293 private final AlgorithmParameterSpec mSpec; 294 private final X500Principal mCertificateSubject; 295 private final BigInteger mCertificateSerialNumber; 296 private final Date mCertificateNotBefore; 297 private final Date mCertificateNotAfter; 298 private final Date mKeyValidityStart; 299 private final Date mKeyValidityForOriginationEnd; 300 private final Date mKeyValidityForConsumptionEnd; 301 private final @KeyProperties.PurposeEnum int mPurposes; 302 private final @KeyProperties.DigestEnum String[] mDigests; 303 private final @KeyProperties.EncryptionPaddingEnum String[] mEncryptionPaddings; 304 private final @KeyProperties.SignaturePaddingEnum String[] mSignaturePaddings; 305 private final @KeyProperties.BlockModeEnum String[] mBlockModes; 306 private final boolean mRandomizedEncryptionRequired; 307 private final boolean mUserAuthenticationRequired; 308 private final int mUserAuthenticationValidityDurationSeconds; 309 private final @KeyProperties.AuthEnum int mUserAuthenticationType; 310 private final boolean mUserPresenceRequired; 311 private final byte[] mAttestationChallenge; 312 private final boolean mDevicePropertiesAttestationIncluded; 313 private final int[] mAttestationIds; 314 private final boolean mUniqueIdIncluded; 315 private final boolean mUserAuthenticationValidWhileOnBody; 316 private final boolean mInvalidatedByBiometricEnrollment; 317 private final boolean mIsStrongBoxBacked; 318 private final boolean mUserConfirmationRequired; 319 private final boolean mUnlockedDeviceRequired; 320 private final boolean mCriticalToDeviceEncryption; 321 private final int mMaxUsageCount; 322 private final String mAttestKeyAlias; 323 /* 324 * ***NOTE***: All new fields MUST also be added to the following: 325 * ParcelableKeyGenParameterSpec class. 326 * The KeyGenParameterSpec.Builder constructor that takes a KeyGenParameterSpec 327 */ 328 329 /** 330 * @hide should be built with Builder 331 */ KeyGenParameterSpec( String keyStoreAlias, @KeyProperties.Namespace int namespace, int keySize, AlgorithmParameterSpec spec, X500Principal certificateSubject, BigInteger certificateSerialNumber, Date certificateNotBefore, Date certificateNotAfter, Date keyValidityStart, Date keyValidityForOriginationEnd, Date keyValidityForConsumptionEnd, @KeyProperties.PurposeEnum int purposes, @KeyProperties.DigestEnum String[] digests, @KeyProperties.EncryptionPaddingEnum String[] encryptionPaddings, @KeyProperties.SignaturePaddingEnum String[] signaturePaddings, @KeyProperties.BlockModeEnum String[] blockModes, boolean randomizedEncryptionRequired, boolean userAuthenticationRequired, int userAuthenticationValidityDurationSeconds, @KeyProperties.AuthEnum int userAuthenticationType, boolean userPresenceRequired, byte[] attestationChallenge, boolean devicePropertiesAttestationIncluded, @NonNull int[] attestationIds, boolean uniqueIdIncluded, boolean userAuthenticationValidWhileOnBody, boolean invalidatedByBiometricEnrollment, boolean isStrongBoxBacked, boolean userConfirmationRequired, boolean unlockedDeviceRequired, boolean criticalToDeviceEncryption, int maxUsageCount, String attestKeyAlias)332 public KeyGenParameterSpec( 333 String keyStoreAlias, 334 @KeyProperties.Namespace int namespace, 335 int keySize, 336 AlgorithmParameterSpec spec, 337 X500Principal certificateSubject, 338 BigInteger certificateSerialNumber, 339 Date certificateNotBefore, 340 Date certificateNotAfter, 341 Date keyValidityStart, 342 Date keyValidityForOriginationEnd, 343 Date keyValidityForConsumptionEnd, 344 @KeyProperties.PurposeEnum int purposes, 345 @KeyProperties.DigestEnum String[] digests, 346 @KeyProperties.EncryptionPaddingEnum String[] encryptionPaddings, 347 @KeyProperties.SignaturePaddingEnum String[] signaturePaddings, 348 @KeyProperties.BlockModeEnum String[] blockModes, 349 boolean randomizedEncryptionRequired, 350 boolean userAuthenticationRequired, 351 int userAuthenticationValidityDurationSeconds, 352 @KeyProperties.AuthEnum int userAuthenticationType, 353 boolean userPresenceRequired, 354 byte[] attestationChallenge, 355 boolean devicePropertiesAttestationIncluded, 356 @NonNull int[] attestationIds, 357 boolean uniqueIdIncluded, 358 boolean userAuthenticationValidWhileOnBody, 359 boolean invalidatedByBiometricEnrollment, 360 boolean isStrongBoxBacked, 361 boolean userConfirmationRequired, 362 boolean unlockedDeviceRequired, 363 boolean criticalToDeviceEncryption, 364 int maxUsageCount, 365 String attestKeyAlias) { 366 if (TextUtils.isEmpty(keyStoreAlias)) { 367 throw new IllegalArgumentException("keyStoreAlias must not be empty"); 368 } 369 370 if (certificateSubject == null) { 371 if (attestationChallenge == null) { 372 certificateSubject = DEFAULT_SELF_SIGNED_CERT_SUBJECT; 373 } else { 374 certificateSubject = DEFAULT_ATTESTATION_CERT_SUBJECT; 375 } 376 } 377 if (certificateNotBefore == null) { 378 certificateNotBefore = DEFAULT_CERT_NOT_BEFORE; 379 } 380 if (certificateNotAfter == null) { 381 certificateNotAfter = DEFAULT_CERT_NOT_AFTER; 382 } 383 if (certificateSerialNumber == null) { 384 certificateSerialNumber = DEFAULT_CERT_SERIAL_NUMBER; 385 } 386 387 if (certificateNotAfter.before(certificateNotBefore)) { 388 throw new IllegalArgumentException("certificateNotAfter < certificateNotBefore"); 389 } 390 391 mKeystoreAlias = keyStoreAlias; 392 mNamespace = namespace; 393 mKeySize = keySize; 394 mSpec = spec; 395 mCertificateSubject = certificateSubject; 396 mCertificateSerialNumber = certificateSerialNumber; 397 mCertificateNotBefore = Utils.cloneIfNotNull(certificateNotBefore); 398 mCertificateNotAfter = Utils.cloneIfNotNull(certificateNotAfter); 399 mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart); 400 mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd); 401 mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd); 402 mPurposes = purposes; 403 mDigests = ArrayUtils.cloneIfNotEmpty(digests); 404 mEncryptionPaddings = 405 ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(encryptionPaddings)); 406 mSignaturePaddings = ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(signaturePaddings)); 407 mBlockModes = ArrayUtils.cloneIfNotEmpty(ArrayUtils.nullToEmpty(blockModes)); 408 mRandomizedEncryptionRequired = randomizedEncryptionRequired; 409 mUserAuthenticationRequired = userAuthenticationRequired; 410 mUserPresenceRequired = userPresenceRequired; 411 mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds; 412 mUserAuthenticationType = userAuthenticationType; 413 mAttestationChallenge = Utils.cloneIfNotNull(attestationChallenge); 414 mDevicePropertiesAttestationIncluded = devicePropertiesAttestationIncluded; 415 mAttestationIds = attestationIds; 416 mUniqueIdIncluded = uniqueIdIncluded; 417 mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody; 418 mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment; 419 mIsStrongBoxBacked = isStrongBoxBacked; 420 mUserConfirmationRequired = userConfirmationRequired; 421 mUnlockedDeviceRequired = unlockedDeviceRequired; 422 mCriticalToDeviceEncryption = criticalToDeviceEncryption; 423 mMaxUsageCount = maxUsageCount; 424 mAttestKeyAlias = attestKeyAlias; 425 } 426 427 /** 428 * Returns the alias that will be used in the {@code java.security.KeyStore} 429 * in conjunction with the {@code AndroidKeyStore}. 430 */ 431 @NonNull getKeystoreAlias()432 public String getKeystoreAlias() { 433 return mKeystoreAlias; 434 } 435 436 /** 437 * Returns the UID which will own the key. {@code -1} is an alias for the UID of the current 438 * process. 439 * 440 * @deprecated See deprecation message on {@link KeyGenParameterSpec.Builder#setUid(int)}. 441 * Known namespaces will be translated to their legacy UIDs. Unknown 442 * Namespaces will yield {@link IllegalStateException}. 443 * 444 * @hide 445 */ 446 @UnsupportedAppUsage 447 @Deprecated getUid()448 public int getUid() { 449 try { 450 return KeyProperties.namespaceToLegacyUid(mNamespace); 451 } catch (IllegalArgumentException e) { 452 throw new IllegalStateException("getUid called on KeyGenParameterSpec with non legacy" 453 + " keystore namespace.", e); 454 } 455 } 456 457 /** 458 * Returns the target namespace for the key. 459 * See {@link KeyGenParameterSpec.Builder#setNamespace(int)}. 460 * 461 * @return The numeric namespace as configured in the keystore2_key_contexts files of Android's 462 * SEPolicy. 463 * See <a href="https://source.android.com/security/keystore#access-control"> 464 * Keystore 2.0 access control</a> 465 * @hide 466 */ 467 @SystemApi getNamespace()468 public @KeyProperties.Namespace int getNamespace() { 469 return mNamespace; 470 } 471 472 /** 473 * Returns the requested key size. If {@code -1}, the size should be looked up from 474 * {@link #getAlgorithmParameterSpec()}, if provided, otherwise an algorithm-specific default 475 * size should be used. 476 */ getKeySize()477 public int getKeySize() { 478 return mKeySize; 479 } 480 481 /** 482 * Returns the key algorithm-specific {@link AlgorithmParameterSpec} that will be used for 483 * creation of the key or {@code null} if algorithm-specific defaults should be used. 484 */ 485 @Nullable getAlgorithmParameterSpec()486 public AlgorithmParameterSpec getAlgorithmParameterSpec() { 487 return mSpec; 488 } 489 490 /** 491 * Returns the subject distinguished name to be used on the X.509 certificate that will be put 492 * in the {@link java.security.KeyStore}. 493 */ 494 @NonNull getCertificateSubject()495 public X500Principal getCertificateSubject() { 496 return mCertificateSubject; 497 } 498 499 /** 500 * Returns the serial number to be used on the X.509 certificate that will be put in the 501 * {@link java.security.KeyStore}. 502 */ 503 @NonNull getCertificateSerialNumber()504 public BigInteger getCertificateSerialNumber() { 505 return mCertificateSerialNumber; 506 } 507 508 /** 509 * Returns the start date to be used on the X.509 certificate that will be put in the 510 * {@link java.security.KeyStore}. 511 */ 512 @NonNull getCertificateNotBefore()513 public Date getCertificateNotBefore() { 514 return Utils.cloneIfNotNull(mCertificateNotBefore); 515 } 516 517 /** 518 * Returns the end date to be used on the X.509 certificate that will be put in the 519 * {@link java.security.KeyStore}. 520 */ 521 @NonNull getCertificateNotAfter()522 public Date getCertificateNotAfter() { 523 return Utils.cloneIfNotNull(mCertificateNotAfter); 524 } 525 526 /** 527 * Returns the time instant before which the key is not yet valid or {@code null} if not 528 * restricted. 529 */ 530 @Nullable getKeyValidityStart()531 public Date getKeyValidityStart() { 532 return Utils.cloneIfNotNull(mKeyValidityStart); 533 } 534 535 /** 536 * Returns the time instant after which the key is no longer valid for decryption and 537 * verification or {@code null} if not restricted. 538 */ 539 @Nullable getKeyValidityForConsumptionEnd()540 public Date getKeyValidityForConsumptionEnd() { 541 return Utils.cloneIfNotNull(mKeyValidityForConsumptionEnd); 542 } 543 544 /** 545 * Returns the time instant after which the key is no longer valid for encryption and signing 546 * or {@code null} if not restricted. 547 */ 548 @Nullable getKeyValidityForOriginationEnd()549 public Date getKeyValidityForOriginationEnd() { 550 return Utils.cloneIfNotNull(mKeyValidityForOriginationEnd); 551 } 552 553 /** 554 * Returns the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used. 555 * Attempts to use the key for any other purpose will be rejected. 556 * 557 * <p>See {@link KeyProperties}.{@code PURPOSE} flags. 558 */ getPurposes()559 public @KeyProperties.PurposeEnum int getPurposes() { 560 return mPurposes; 561 } 562 563 /** 564 * Returns the set of digest algorithms (e.g., {@code SHA-256}, {@code SHA-384} with which the 565 * key can be used or {@code null} if not specified. 566 * 567 * <p>See {@link KeyProperties}.{@code DIGEST} constants. 568 * 569 * @throws IllegalStateException if this set has not been specified. 570 * 571 * @see #isDigestsSpecified() 572 */ 573 @NonNull getDigests()574 public @KeyProperties.DigestEnum String[] getDigests() { 575 if (mDigests == null) { 576 throw new IllegalStateException("Digests not specified"); 577 } 578 return ArrayUtils.cloneIfNotEmpty(mDigests); 579 } 580 581 /** 582 * Returns {@code true} if the set of digest algorithms with which the key can be used has been 583 * specified. 584 * 585 * @see #getDigests() 586 */ 587 @NonNull isDigestsSpecified()588 public boolean isDigestsSpecified() { 589 return mDigests != null; 590 } 591 592 /** 593 * Returns the set of padding schemes (e.g., {@code PKCS7Padding}, {@code OEAPPadding}, 594 * {@code PKCS1Padding}, {@code NoPadding}) with which the key can be used when 595 * encrypting/decrypting. Attempts to use the key with any other padding scheme will be 596 * rejected. 597 * 598 * <p>See {@link KeyProperties}.{@code ENCRYPTION_PADDING} constants. 599 */ 600 @NonNull getEncryptionPaddings()601 public @KeyProperties.EncryptionPaddingEnum String[] getEncryptionPaddings() { 602 return ArrayUtils.cloneIfNotEmpty(mEncryptionPaddings); 603 } 604 605 /** 606 * Gets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key 607 * can be used when signing/verifying. Attempts to use the key with any other padding scheme 608 * will be rejected. 609 * 610 * <p>See {@link KeyProperties}.{@code SIGNATURE_PADDING} constants. 611 */ 612 @NonNull getSignaturePaddings()613 public @KeyProperties.SignaturePaddingEnum String[] getSignaturePaddings() { 614 return ArrayUtils.cloneIfNotEmpty(mSignaturePaddings); 615 } 616 617 /** 618 * Gets the set of block modes (e.g., {@code GCM}, {@code CBC}) with which the key can be used 619 * when encrypting/decrypting. Attempts to use the key with any other block modes will be 620 * rejected. 621 * 622 * <p>See {@link KeyProperties}.{@code BLOCK_MODE} constants. 623 */ 624 @NonNull getBlockModes()625 public @KeyProperties.BlockModeEnum String[] getBlockModes() { 626 return ArrayUtils.cloneIfNotEmpty(mBlockModes); 627 } 628 629 /** 630 * Returns {@code true} if encryption using this key must be sufficiently randomized to produce 631 * different ciphertexts for the same plaintext every time. The formal cryptographic property 632 * being required is <em>indistinguishability under chosen-plaintext attack ({@code 633 * IND-CPA})</em>. This property is important because it mitigates several classes of 634 * weaknesses due to which ciphertext may leak information about plaintext. For example, if a 635 * given plaintext always produces the same ciphertext, an attacker may see the repeated 636 * ciphertexts and be able to deduce something about the plaintext. 637 */ isRandomizedEncryptionRequired()638 public boolean isRandomizedEncryptionRequired() { 639 return mRandomizedEncryptionRequired; 640 } 641 642 /** 643 * Returns {@code true} if the key is authorized to be used only if the user has been 644 * authenticated. 645 * 646 * <p>This authorization applies only to secret key and private key operations. Public key 647 * operations are not restricted. 648 * 649 * @see #getUserAuthenticationValidityDurationSeconds() 650 * @see Builder#setUserAuthenticationRequired(boolean) 651 */ isUserAuthenticationRequired()652 public boolean isUserAuthenticationRequired() { 653 return mUserAuthenticationRequired; 654 } 655 656 /** 657 * Returns {@code true} if the key is authorized to be used only for messages confirmed by the 658 * user. 659 * 660 * Confirmation is separate from user authentication (see 661 * {@link Builder#setUserAuthenticationRequired(boolean)}). Keys can be created that require 662 * confirmation but not user authentication, or user authentication but not confirmation, or 663 * both. Confirmation verifies that some user with physical possession of the device has 664 * approved a displayed message. User authentication verifies that the correct user is present 665 * and has authenticated. 666 * 667 * <p>This authorization applies only to secret key and private key operations. Public key 668 * operations are not restricted. 669 * 670 * @see Builder#setUserConfirmationRequired(boolean) 671 */ isUserConfirmationRequired()672 public boolean isUserConfirmationRequired() { 673 return mUserConfirmationRequired; 674 } 675 676 /** 677 * Gets the duration of time (seconds) for which this key is authorized to be used after the 678 * user is successfully authenticated. This has effect only if user authentication is required 679 * (see {@link #isUserAuthenticationRequired()}). 680 * 681 * <p>This authorization applies only to secret key and private key operations. Public key 682 * operations are not restricted. 683 * 684 * @return duration in seconds or {@code -1} if authentication is required for every use of the 685 * key. 686 * 687 * @see #isUserAuthenticationRequired() 688 * @see Builder#setUserAuthenticationValidityDurationSeconds(int) 689 */ getUserAuthenticationValidityDurationSeconds()690 public int getUserAuthenticationValidityDurationSeconds() { 691 return mUserAuthenticationValidityDurationSeconds; 692 } 693 694 /** 695 * Gets the modes of authentication that can authorize use of this key. This has effect only if 696 * user authentication is required (see {@link #isUserAuthenticationRequired()}). 697 * 698 * <p>This authorization applies only to secret key and private key operations. Public key 699 * operations are not restricted. 700 * 701 * @return integer representing the bitwse OR of all acceptable authentication types for the 702 * key. 703 * 704 * @see #isUserAuthenticationRequired() 705 * @see Builder#setUserAuthenticationParameters(int, int) 706 */ getUserAuthenticationType()707 public @KeyProperties.AuthEnum int getUserAuthenticationType() { 708 return mUserAuthenticationType; 709 } 710 /** 711 * Returns {@code true} if the key is authorized to be used only if a test of user presence has 712 * been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls. 713 * It requires that the KeyStore implementation have a direct way to validate the user presence 714 * for example a KeyStore hardware backed strongbox can use a button press that is observable 715 * in hardware. A test for user presence is tangential to authentication. The test can be part 716 * of an authentication step as long as this step can be validated by the hardware protecting 717 * the key and cannot be spoofed. For example, a physical button press can be used as a test of 718 * user presence if the other pins connected to the button are not able to simulate a button 719 * press. There must be no way for the primary processor to fake a button press, or that 720 * button must not be used as a test of user presence. 721 */ isUserPresenceRequired()722 public boolean isUserPresenceRequired() { 723 return mUserPresenceRequired; 724 } 725 726 /** 727 * Returns the attestation challenge value that will be placed in attestation certificate for 728 * this key pair. 729 * 730 * <p>If this method returns non-{@code null}, the public key certificate for this key pair will 731 * contain an extension that describes the details of the key's configuration and 732 * authorizations, including the content of the attestation challenge value. If the key is in 733 * secure hardware, and if the secure hardware supports attestation, the certificate will be 734 * signed by a chain of certificates rooted at a trustworthy CA key. Otherwise the chain will 735 * be rooted at an untrusted certificate. 736 * 737 * <p>If this method returns {@code null}, and the spec is used to generate an asymmetric (RSA 738 * or EC) key pair, the public key will have a self-signed certificate if it has purpose {@link 739 * KeyProperties#PURPOSE_SIGN}. If does not have purpose {@link KeyProperties#PURPOSE_SIGN}, it 740 * will have a fake certificate. 741 * 742 * <p>Symmetric keys, such as AES and HMAC keys, do not have public key certificates. If a 743 * KeyGenParameterSpec with getAttestationChallenge returning non-null is used to generate a 744 * symmetric (AES or HMAC) key, {@link javax.crypto.KeyGenerator#generateKey()} will throw 745 * {@link java.security.InvalidAlgorithmParameterException}. 746 * 747 * @see Builder#setAttestationChallenge(byte[]) 748 */ getAttestationChallenge()749 public byte[] getAttestationChallenge() { 750 return Utils.cloneIfNotNull(mAttestationChallenge); 751 } 752 753 /** 754 * Returns {@code true} if attestation for the base device properties ({@link Build#BRAND}, 755 * {@link Build#DEVICE}, {@link Build#MANUFACTURER}, {@link Build#MODEL}, {@link Build#PRODUCT}) 756 * was requested to be added in the attestation certificate for the generated key. 757 * 758 * {@link javax.crypto.KeyGenerator#generateKey()} will throw 759 * {@link java.security.ProviderException} if device properties attestation fails or is not 760 * supported. 761 * 762 * @see Builder#setDevicePropertiesAttestationIncluded(boolean) 763 */ isDevicePropertiesAttestationIncluded()764 public boolean isDevicePropertiesAttestationIncluded() { 765 return mDevicePropertiesAttestationIncluded; 766 } 767 768 /** 769 * @hide 770 * Allows the caller to specify device IDs to be attested to in the certificate for the 771 * generated key pair. These values are the enums specified in 772 * {@link android.security.keystore.AttestationUtils} 773 * 774 * @see android.security.keystore.AttestationUtils#ID_TYPE_SERIAL 775 * @see android.security.keystore.AttestationUtils#ID_TYPE_IMEI 776 * @see android.security.keystore.AttestationUtils#ID_TYPE_MEID 777 * @see android.security.keystore.AttestationUtils#USE_INDIVIDUAL_ATTESTATION 778 * 779 * @return integer array representing the requested device IDs to attest. 780 */ 781 @SystemApi getAttestationIds()782 public @NonNull int[] getAttestationIds() { 783 return mAttestationIds.clone(); 784 } 785 786 /** 787 * @hide This is a system-only API 788 * 789 * Returns {@code true} if the attestation certificate will contain a unique ID field. 790 */ 791 @UnsupportedAppUsage isUniqueIdIncluded()792 public boolean isUniqueIdIncluded() { 793 return mUniqueIdIncluded; 794 } 795 796 /** 797 * Returns {@code true} if the key will remain authorized only until the device is removed from 798 * the user's body, up to the validity duration. This option has no effect on keys that don't 799 * have an authentication validity duration, and has no effect if the device lacks an on-body 800 * sensor. 801 * 802 * <p>Authorization applies only to secret key and private key operations. Public key operations 803 * are not restricted. 804 * 805 * @see #isUserAuthenticationRequired() 806 * @see #getUserAuthenticationValidityDurationSeconds() 807 * @see Builder#setUserAuthenticationValidWhileOnBody(boolean) 808 */ isUserAuthenticationValidWhileOnBody()809 public boolean isUserAuthenticationValidWhileOnBody() { 810 return mUserAuthenticationValidWhileOnBody; 811 } 812 813 /** 814 * Returns {@code true} if the key is irreversibly invalidated when a new biometric is 815 * enrolled or all enrolled biometrics are removed. This has effect only for keys that 816 * require biometric user authentication for every use. 817 * 818 * @see #isUserAuthenticationRequired() 819 * @see #getUserAuthenticationValidityDurationSeconds() 820 * @see Builder#setInvalidatedByBiometricEnrollment(boolean) 821 */ isInvalidatedByBiometricEnrollment()822 public boolean isInvalidatedByBiometricEnrollment() { 823 return mInvalidatedByBiometricEnrollment; 824 } 825 826 /** 827 * Returns {@code true} if the key is protected by a Strongbox security chip. 828 */ isStrongBoxBacked()829 public boolean isStrongBoxBacked() { 830 return mIsStrongBoxBacked; 831 } 832 833 /** 834 * Returns {@code true} if the screen must be unlocked for this key to be used for decryption or 835 * signing. Encryption and signature verification will still be available when the screen is 836 * locked. 837 * 838 * @see Builder#setUnlockedDeviceRequired(boolean) 839 */ isUnlockedDeviceRequired()840 public boolean isUnlockedDeviceRequired() { 841 return mUnlockedDeviceRequired; 842 } 843 844 /** 845 * @hide 846 */ getBoundToSpecificSecureUserId()847 public long getBoundToSpecificSecureUserId() { 848 return GateKeeper.INVALID_SECURE_USER_ID; 849 } 850 851 /** 852 * Returns whether this key is critical to the device encryption flow. 853 * 854 * @see android.security.KeyStore#FLAG_CRITICAL_TO_DEVICE_ENCRYPTION 855 * @hide 856 */ isCriticalToDeviceEncryption()857 public boolean isCriticalToDeviceEncryption() { 858 return mCriticalToDeviceEncryption; 859 } 860 861 /** 862 * Returns the maximum number of times the limited use key is allowed to be used or 863 * {@link KeyProperties#UNRESTRICTED_USAGE_COUNT} if there’s no restriction on the number of 864 * times the key can be used. 865 * 866 * @see Builder#setMaxUsageCount(int) 867 */ getMaxUsageCount()868 public int getMaxUsageCount() { 869 return mMaxUsageCount; 870 } 871 872 /** 873 * Returns the alias of the attestation key that will be used to sign the attestation 874 * certificate of the generated key. Note that an attestation certificate will only be 875 * generated if an attestation challenge is set. 876 * 877 * @see Builder#setAttestKeyAlias(String) 878 */ 879 @Nullable getAttestKeyAlias()880 public String getAttestKeyAlias() { 881 return mAttestKeyAlias; 882 } 883 884 /** 885 * Builder of {@link KeyGenParameterSpec} instances. 886 */ 887 public final static class Builder { 888 private final String mKeystoreAlias; 889 private @KeyProperties.PurposeEnum int mPurposes; 890 891 private @KeyProperties.Namespace int mNamespace = KeyProperties.NAMESPACE_APPLICATION; 892 private int mKeySize = -1; 893 private AlgorithmParameterSpec mSpec; 894 private X500Principal mCertificateSubject; 895 private BigInteger mCertificateSerialNumber; 896 private Date mCertificateNotBefore; 897 private Date mCertificateNotAfter; 898 private Date mKeyValidityStart; 899 private Date mKeyValidityForOriginationEnd; 900 private Date mKeyValidityForConsumptionEnd; 901 private @KeyProperties.DigestEnum String[] mDigests; 902 private @KeyProperties.EncryptionPaddingEnum String[] mEncryptionPaddings; 903 private @KeyProperties.SignaturePaddingEnum String[] mSignaturePaddings; 904 private @KeyProperties.BlockModeEnum String[] mBlockModes; 905 private boolean mRandomizedEncryptionRequired = true; 906 private boolean mUserAuthenticationRequired; 907 private int mUserAuthenticationValidityDurationSeconds = 0; 908 private @KeyProperties.AuthEnum int mUserAuthenticationType = 909 KeyProperties.AUTH_BIOMETRIC_STRONG; 910 private boolean mUserPresenceRequired = false; 911 private byte[] mAttestationChallenge = null; 912 private boolean mDevicePropertiesAttestationIncluded = false; 913 private int[] mAttestationIds = new int[0]; 914 private boolean mUniqueIdIncluded = false; 915 private boolean mUserAuthenticationValidWhileOnBody; 916 private boolean mInvalidatedByBiometricEnrollment = true; 917 private boolean mIsStrongBoxBacked = false; 918 private boolean mUserConfirmationRequired; 919 private boolean mUnlockedDeviceRequired = false; 920 private boolean mCriticalToDeviceEncryption = false; 921 private int mMaxUsageCount = KeyProperties.UNRESTRICTED_USAGE_COUNT; 922 private String mAttestKeyAlias = null; 923 924 /** 925 * Creates a new instance of the {@code Builder}. 926 * 927 * @param keystoreAlias alias of the entry in which the generated key will appear in 928 * Android KeyStore. Must not be empty. 929 * @param purposes set of purposes (e.g., encrypt, decrypt, sign) for which the key can be 930 * used. Attempts to use the key for any other purpose will be rejected. 931 * 932 * <p>If the set of purposes for which the key can be used does not contain 933 * {@link KeyProperties#PURPOSE_SIGN}, the self-signed certificate generated by 934 * {@link KeyPairGenerator} of {@code AndroidKeyStore} provider will contain an 935 * invalid signature. This is OK if the certificate is only used for obtaining the 936 * public key from Android KeyStore. 937 * 938 * <p>See {@link KeyProperties}.{@code PURPOSE} flags. 939 */ Builder(@onNull String keystoreAlias, @KeyProperties.PurposeEnum int purposes)940 public Builder(@NonNull String keystoreAlias, @KeyProperties.PurposeEnum int purposes) { 941 if (keystoreAlias == null) { 942 throw new NullPointerException("keystoreAlias == null"); 943 } else if (keystoreAlias.isEmpty()) { 944 throw new IllegalArgumentException("keystoreAlias must not be empty"); 945 } 946 mKeystoreAlias = keystoreAlias; 947 mPurposes = purposes; 948 } 949 950 /** 951 * A Builder constructor taking in an already-built KeyGenParameterSpec, useful for 952 * changing values of the KeyGenParameterSpec quickly. 953 * @hide Should be used internally only. 954 */ Builder(@onNull KeyGenParameterSpec sourceSpec)955 public Builder(@NonNull KeyGenParameterSpec sourceSpec) { 956 this(sourceSpec.getKeystoreAlias(), sourceSpec.getPurposes()); 957 mNamespace = sourceSpec.getNamespace(); 958 mKeySize = sourceSpec.getKeySize(); 959 mSpec = sourceSpec.getAlgorithmParameterSpec(); 960 mCertificateSubject = sourceSpec.getCertificateSubject(); 961 mCertificateSerialNumber = sourceSpec.getCertificateSerialNumber(); 962 mCertificateNotBefore = sourceSpec.getCertificateNotBefore(); 963 mCertificateNotAfter = sourceSpec.getCertificateNotAfter(); 964 mKeyValidityStart = sourceSpec.getKeyValidityStart(); 965 mKeyValidityForOriginationEnd = sourceSpec.getKeyValidityForOriginationEnd(); 966 mKeyValidityForConsumptionEnd = sourceSpec.getKeyValidityForConsumptionEnd(); 967 mPurposes = sourceSpec.getPurposes(); 968 if (sourceSpec.isDigestsSpecified()) { 969 mDigests = sourceSpec.getDigests(); 970 } 971 mEncryptionPaddings = sourceSpec.getEncryptionPaddings(); 972 mSignaturePaddings = sourceSpec.getSignaturePaddings(); 973 mBlockModes = sourceSpec.getBlockModes(); 974 mRandomizedEncryptionRequired = sourceSpec.isRandomizedEncryptionRequired(); 975 mUserAuthenticationRequired = sourceSpec.isUserAuthenticationRequired(); 976 mUserAuthenticationValidityDurationSeconds = 977 sourceSpec.getUserAuthenticationValidityDurationSeconds(); 978 mUserAuthenticationType = sourceSpec.getUserAuthenticationType(); 979 mUserPresenceRequired = sourceSpec.isUserPresenceRequired(); 980 mAttestationChallenge = sourceSpec.getAttestationChallenge(); 981 mDevicePropertiesAttestationIncluded = 982 sourceSpec.isDevicePropertiesAttestationIncluded(); 983 mAttestationIds = sourceSpec.getAttestationIds(); 984 mUniqueIdIncluded = sourceSpec.isUniqueIdIncluded(); 985 mUserAuthenticationValidWhileOnBody = sourceSpec.isUserAuthenticationValidWhileOnBody(); 986 mInvalidatedByBiometricEnrollment = sourceSpec.isInvalidatedByBiometricEnrollment(); 987 mIsStrongBoxBacked = sourceSpec.isStrongBoxBacked(); 988 mUserConfirmationRequired = sourceSpec.isUserConfirmationRequired(); 989 mUnlockedDeviceRequired = sourceSpec.isUnlockedDeviceRequired(); 990 mCriticalToDeviceEncryption = sourceSpec.isCriticalToDeviceEncryption(); 991 mMaxUsageCount = sourceSpec.getMaxUsageCount(); 992 mAttestKeyAlias = sourceSpec.getAttestKeyAlias(); 993 } 994 995 /** 996 * Sets the UID which will own the key. 997 * 998 * Such cross-UID access is permitted to a few system UIDs and only to a few other UIDs 999 * (e.g., Wi-Fi, VPN) all of which are system. 1000 * 1001 * @param uid UID or {@code -1} for the UID of the current process. 1002 * 1003 * @deprecated Setting the UID of the target namespace is based on a hardcoded 1004 * hack in the Keystore service. This is no longer supported with Keystore 2.0/Android S. 1005 * Instead, dedicated non UID based namespaces can be configured in SEPolicy using 1006 * the keystore2_key_contexts files. The functionality of this method will be supported 1007 * by mapping knows special UIDs, such as WIFI, to the newly configured SELinux based 1008 * namespaces. Unknown UIDs will yield {@link IllegalArgumentException}. 1009 * 1010 * @hide 1011 */ 1012 @SystemApi 1013 @NonNull 1014 @Deprecated setUid(int uid)1015 public Builder setUid(int uid) { 1016 mNamespace = KeyProperties.legacyUidToNamespace(uid); 1017 return this; 1018 } 1019 1020 /** 1021 * Set the designated SELinux namespace that the key shall live in. The caller must 1022 * have sufficient permissions to install a key in the given namespace. Namespaces 1023 * can be created using SEPolicy. The keystore2_key_contexts files map numeric 1024 * namespaces to SELinux labels, and SEPolicy can be used to grant access to these 1025 * namespaces to the desired target context. This is the preferred way to share 1026 * keys between system and vendor components, e.g., WIFI settings and WPA supplicant. 1027 * 1028 * @param namespace Numeric SELinux namespace as configured in keystore2_key_contexts 1029 * of Android's SEPolicy. 1030 * See <a href="https://source.android.com/security/keystore#access-control"> 1031 * Keystore 2.0 access control</a> 1032 * @return this Builder object. 1033 * 1034 * @hide 1035 */ 1036 @SystemApi 1037 @NonNull setNamespace(@eyProperties.Namespace int namespace)1038 public Builder setNamespace(@KeyProperties.Namespace int namespace) { 1039 mNamespace = namespace; 1040 return this; 1041 } 1042 1043 /** 1044 * Sets the size (in bits) of the key to be generated. For instance, for RSA keys this sets 1045 * the modulus size, for EC keys this selects a curve with a matching field size, and for 1046 * symmetric keys this sets the size of the bitstring which is their key material. 1047 * 1048 * <p>The default key size is specific to each key algorithm. If key size is not set 1049 * via this method, it should be looked up from the algorithm-specific parameters (if any) 1050 * provided via 1051 * {@link #setAlgorithmParameterSpec(AlgorithmParameterSpec) setAlgorithmParameterSpec}. 1052 */ 1053 @NonNull setKeySize(int keySize)1054 public Builder setKeySize(int keySize) { 1055 if (keySize < 0) { 1056 throw new IllegalArgumentException("keySize < 0"); 1057 } 1058 mKeySize = keySize; 1059 return this; 1060 } 1061 1062 /** 1063 * Sets the algorithm-specific key generation parameters. For example, for RSA keys this may 1064 * be an instance of {@link java.security.spec.RSAKeyGenParameterSpec} whereas for EC keys 1065 * this may be an instance of {@link java.security.spec.ECGenParameterSpec}. 1066 * 1067 * <p>These key generation parameters must match other explicitly set parameters (if any), 1068 * such as key size. 1069 */ setAlgorithmParameterSpec(@onNull AlgorithmParameterSpec spec)1070 public Builder setAlgorithmParameterSpec(@NonNull AlgorithmParameterSpec spec) { 1071 if (spec == null) { 1072 throw new NullPointerException("spec == null"); 1073 } 1074 mSpec = spec; 1075 return this; 1076 } 1077 1078 /** 1079 * Sets the subject used for the self-signed certificate of the generated key pair. 1080 * 1081 * <p>By default, the subject is {@code CN=fake}. 1082 */ 1083 @NonNull setCertificateSubject(@onNull X500Principal subject)1084 public Builder setCertificateSubject(@NonNull X500Principal subject) { 1085 if (subject == null) { 1086 throw new NullPointerException("subject == null"); 1087 } 1088 mCertificateSubject = subject; 1089 return this; 1090 } 1091 1092 /** 1093 * Sets the serial number used for the self-signed certificate of the generated key pair. 1094 * 1095 * <p>By default, the serial number is {@code 1}. 1096 */ 1097 @NonNull setCertificateSerialNumber(@onNull BigInteger serialNumber)1098 public Builder setCertificateSerialNumber(@NonNull BigInteger serialNumber) { 1099 if (serialNumber == null) { 1100 throw new NullPointerException("serialNumber == null"); 1101 } 1102 mCertificateSerialNumber = serialNumber; 1103 return this; 1104 } 1105 1106 /** 1107 * Sets the start of the validity period for the self-signed certificate of the generated 1108 * key pair. 1109 * 1110 * <p>By default, this date is {@code Jan 1 1970}. 1111 */ 1112 @NonNull setCertificateNotBefore(@onNull Date date)1113 public Builder setCertificateNotBefore(@NonNull Date date) { 1114 if (date == null) { 1115 throw new NullPointerException("date == null"); 1116 } 1117 mCertificateNotBefore = Utils.cloneIfNotNull(date); 1118 return this; 1119 } 1120 1121 /** 1122 * Sets the end of the validity period for the self-signed certificate of the generated key 1123 * pair. 1124 * 1125 * <p>By default, this date is {@code Jan 1 2048}. 1126 */ 1127 @NonNull setCertificateNotAfter(@onNull Date date)1128 public Builder setCertificateNotAfter(@NonNull Date date) { 1129 if (date == null) { 1130 throw new NullPointerException("date == null"); 1131 } 1132 mCertificateNotAfter = Utils.cloneIfNotNull(date); 1133 return this; 1134 } 1135 1136 /** 1137 * Sets the time instant before which the key is not yet valid. 1138 * 1139 * <p>By default, the key is valid at any instant. 1140 * 1141 * @see #setKeyValidityEnd(Date) 1142 */ 1143 @NonNull setKeyValidityStart(Date startDate)1144 public Builder setKeyValidityStart(Date startDate) { 1145 mKeyValidityStart = Utils.cloneIfNotNull(startDate); 1146 return this; 1147 } 1148 1149 /** 1150 * Sets the time instant after which the key is no longer valid. 1151 * 1152 * <p>By default, the key is valid at any instant. 1153 * 1154 * @see #setKeyValidityStart(Date) 1155 * @see #setKeyValidityForConsumptionEnd(Date) 1156 * @see #setKeyValidityForOriginationEnd(Date) 1157 */ 1158 @NonNull setKeyValidityEnd(Date endDate)1159 public Builder setKeyValidityEnd(Date endDate) { 1160 setKeyValidityForOriginationEnd(endDate); 1161 setKeyValidityForConsumptionEnd(endDate); 1162 return this; 1163 } 1164 1165 /** 1166 * Sets the time instant after which the key is no longer valid for encryption and signing. 1167 * 1168 * <p>By default, the key is valid at any instant. 1169 * 1170 * @see #setKeyValidityForConsumptionEnd(Date) 1171 */ 1172 @NonNull setKeyValidityForOriginationEnd(Date endDate)1173 public Builder setKeyValidityForOriginationEnd(Date endDate) { 1174 mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(endDate); 1175 return this; 1176 } 1177 1178 /** 1179 * Sets the time instant after which the key is no longer valid for decryption and 1180 * verification. 1181 * 1182 * <p>By default, the key is valid at any instant. 1183 * 1184 * @see #setKeyValidityForOriginationEnd(Date) 1185 */ 1186 @NonNull setKeyValidityForConsumptionEnd(Date endDate)1187 public Builder setKeyValidityForConsumptionEnd(Date endDate) { 1188 mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(endDate); 1189 return this; 1190 } 1191 1192 /** 1193 * Sets the set of digests algorithms (e.g., {@code SHA-256}, {@code SHA-384}) with which 1194 * the key can be used. Attempts to use the key with any other digest algorithm will be 1195 * rejected. 1196 * 1197 * <p>This must be specified for signing/verification keys and RSA encryption/decryption 1198 * keys used with RSA OAEP padding scheme because these operations involve a digest. For 1199 * HMAC keys, the default is the digest associated with the key algorithm (e.g., 1200 * {@code SHA-256} for key algorithm {@code HmacSHA256}). HMAC keys cannot be authorized 1201 * for more than one digest. 1202 * 1203 * <p>For private keys used for TLS/SSL client or server authentication it is usually 1204 * necessary to authorize the use of no digest ({@link KeyProperties#DIGEST_NONE}). This is 1205 * because TLS/SSL stacks typically generate the necessary digest(s) themselves and then use 1206 * a private key to sign it. 1207 * 1208 * <p>See {@link KeyProperties}.{@code DIGEST} constants. 1209 */ 1210 @NonNull setDigests(@eyProperties.DigestEnum String... digests)1211 public Builder setDigests(@KeyProperties.DigestEnum String... digests) { 1212 mDigests = ArrayUtils.cloneIfNotEmpty(digests); 1213 return this; 1214 } 1215 1216 /** 1217 * Sets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code OAEPPadding}, 1218 * {@code PKCS1Padding}, {@code NoPadding}) with which the key can be used when 1219 * encrypting/decrypting. Attempts to use the key with any other padding scheme will be 1220 * rejected. 1221 * 1222 * <p>This must be specified for keys which are used for encryption/decryption. 1223 * 1224 * <p>For RSA private keys used by TLS/SSL servers to authenticate themselves to clients it 1225 * is usually necessary to authorize the use of no/any padding 1226 * ({@link KeyProperties#ENCRYPTION_PADDING_NONE}) and/or PKCS#1 encryption padding 1227 * ({@link KeyProperties#ENCRYPTION_PADDING_RSA_PKCS1}). This is because RSA decryption is 1228 * required by some cipher suites, and some stacks request decryption using no padding 1229 * whereas others request PKCS#1 padding. 1230 * 1231 * <p>See {@link KeyProperties}.{@code ENCRYPTION_PADDING} constants. 1232 */ 1233 @NonNull setEncryptionPaddings( @eyProperties.EncryptionPaddingEnum String... paddings)1234 public Builder setEncryptionPaddings( 1235 @KeyProperties.EncryptionPaddingEnum String... paddings) { 1236 mEncryptionPaddings = ArrayUtils.cloneIfNotEmpty(paddings); 1237 return this; 1238 } 1239 1240 /** 1241 * Sets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key 1242 * can be used when signing/verifying. Attempts to use the key with any other padding scheme 1243 * will be rejected. 1244 * 1245 * <p>This must be specified for RSA keys which are used for signing/verification. 1246 * 1247 * <p>See {@link KeyProperties}.{@code SIGNATURE_PADDING} constants. 1248 */ 1249 @NonNull setSignaturePaddings( @eyProperties.SignaturePaddingEnum String... paddings)1250 public Builder setSignaturePaddings( 1251 @KeyProperties.SignaturePaddingEnum String... paddings) { 1252 mSignaturePaddings = ArrayUtils.cloneIfNotEmpty(paddings); 1253 return this; 1254 } 1255 1256 /** 1257 * Sets the set of block modes (e.g., {@code GCM}, {@code CBC}) with which the key can be 1258 * used when encrypting/decrypting. Attempts to use the key with any other block modes will 1259 * be rejected. 1260 * 1261 * <p>This must be specified for symmetric encryption/decryption keys. 1262 * 1263 * <p>See {@link KeyProperties}.{@code BLOCK_MODE} constants. 1264 */ 1265 @NonNull setBlockModes(@eyProperties.BlockModeEnum String... blockModes)1266 public Builder setBlockModes(@KeyProperties.BlockModeEnum String... blockModes) { 1267 mBlockModes = ArrayUtils.cloneIfNotEmpty(blockModes); 1268 return this; 1269 } 1270 1271 /** 1272 * Sets whether encryption using this key must be sufficiently randomized to produce 1273 * different ciphertexts for the same plaintext every time. The formal cryptographic 1274 * property being required is <em>indistinguishability under chosen-plaintext attack 1275 * ({@code IND-CPA})</em>. This property is important because it mitigates several classes 1276 * of weaknesses due to which ciphertext may leak information about plaintext. For example, 1277 * if a given plaintext always produces the same ciphertext, an attacker may see the 1278 * repeated ciphertexts and be able to deduce something about the plaintext. 1279 * 1280 * <p>By default, {@code IND-CPA} is required. 1281 * 1282 * <p>When {@code IND-CPA} is required: 1283 * <ul> 1284 * <li>encryption/decryption transformation which do not offer {@code IND-CPA}, such as 1285 * {@code ECB} with a symmetric encryption algorithm, or RSA encryption/decryption without 1286 * padding, are prohibited;</li> 1287 * <li>in block modes which use an IV, such as {@code GCM}, {@code CBC}, and {@code CTR}, 1288 * caller-provided IVs are rejected when encrypting, to ensure that only random IVs are 1289 * used.</li> 1290 * </ul> 1291 * 1292 * <p>Before disabling this requirement, consider the following approaches instead: 1293 * <ul> 1294 * <li>If you are generating a random IV for encryption and then initializing a {@code} 1295 * Cipher using the IV, the solution is to let the {@code Cipher} generate a random IV 1296 * instead. This will occur if the {@code Cipher} is initialized for encryption without an 1297 * IV. The IV can then be queried via {@link Cipher#getIV()}.</li> 1298 * <li>If you are generating a non-random IV (e.g., an IV derived from something not fully 1299 * random, such as the name of the file being encrypted, or transaction ID, or password, 1300 * or a device identifier), consider changing your design to use a random IV which will then 1301 * be provided in addition to the ciphertext to the entities which need to decrypt the 1302 * ciphertext.</li> 1303 * <li>If you are using RSA encryption without padding, consider switching to encryption 1304 * padding schemes which offer {@code IND-CPA}, such as PKCS#1 or OAEP.</li> 1305 * </ul> 1306 */ 1307 @NonNull setRandomizedEncryptionRequired(boolean required)1308 public Builder setRandomizedEncryptionRequired(boolean required) { 1309 mRandomizedEncryptionRequired = required; 1310 return this; 1311 } 1312 1313 /** 1314 * Sets whether this key is authorized to be used only if the user has been authenticated. 1315 * 1316 * <p>By default, the key is authorized to be used regardless of whether the user has been 1317 * authenticated. 1318 * 1319 * <p>When user authentication is required: 1320 * <ul> 1321 * <li>The key can only be generated if secure lock screen is set up (see 1322 * {@link KeyguardManager#isDeviceSecure()}). Additionally, if the key requires that user 1323 * authentication takes place for every use of the key (see 1324 * {@link #setUserAuthenticationValidityDurationSeconds(int)}), at least one biometric 1325 * must be enrolled (see {@link BiometricManager#canAuthenticate()}).</li> 1326 * <li>The use of the key must be authorized by the user by authenticating to this Android 1327 * device using a subset of their secure lock screen credentials such as 1328 * password/PIN/pattern or biometric. 1329 * <a href="{@docRoot}training/articles/keystore.html#UserAuthentication">More 1330 * information</a>. 1331 * <li>The key will become <em>irreversibly invalidated</em> once the secure lock screen is 1332 * disabled (reconfigured to None, Swipe or other mode which does not authenticate the user) 1333 * or when the secure lock screen is forcibly reset (e.g., by a Device Administrator). 1334 * Additionally, if the key requires that user authentication takes place for every use of 1335 * the key, it is also irreversibly invalidated once a new biometric is enrolled or once\ 1336 * no more biometrics are enrolled, unless {@link 1337 * #setInvalidatedByBiometricEnrollment(boolean)} is used to allow validity after 1338 * enrollment. Attempts to initialize cryptographic operations using such keys will throw 1339 * {@link KeyPermanentlyInvalidatedException}.</li> 1340 * </ul> 1341 * 1342 * <p>This authorization applies only to secret key and private key operations. Public key 1343 * operations are not restricted. 1344 * 1345 * @see #setUserAuthenticationValidityDurationSeconds(int) 1346 * @see KeyguardManager#isDeviceSecure() 1347 * @see BiometricManager#canAuthenticate() 1348 */ 1349 @NonNull setUserAuthenticationRequired(boolean required)1350 public Builder setUserAuthenticationRequired(boolean required) { 1351 mUserAuthenticationRequired = required; 1352 return this; 1353 } 1354 1355 /** 1356 * Sets whether this key is authorized to be used only for messages confirmed by the 1357 * user. 1358 * 1359 * Confirmation is separate from user authentication (see 1360 * {@link #setUserAuthenticationRequired(boolean)}). Keys can be created that require 1361 * confirmation but not user authentication, or user authentication but not confirmation, 1362 * or both. Confirmation verifies that some user with physical possession of the device has 1363 * approved a displayed message. User authentication verifies that the correct user is 1364 * present and has authenticated. 1365 * 1366 * <p>This authorization applies only to secret key and private key operations. Public key 1367 * operations are not restricted. 1368 * 1369 * See {@link android.security.ConfirmationPrompt} class for 1370 * more details about user confirmations. 1371 */ 1372 @NonNull setUserConfirmationRequired(boolean required)1373 public Builder setUserConfirmationRequired(boolean required) { 1374 mUserConfirmationRequired = required; 1375 return this; 1376 } 1377 1378 /** 1379 * Sets the duration of time (seconds) for which this key is authorized to be used after the 1380 * user is successfully authenticated. This has effect if the key requires user 1381 * authentication for its use (see {@link #setUserAuthenticationRequired(boolean)}). 1382 * 1383 * <p>By default, if user authentication is required, it must take place for every use of 1384 * the key. 1385 * 1386 * <p>Cryptographic operations involving keys which require user authentication to take 1387 * place for every operation can only use biometric authentication. This is achieved by 1388 * initializing a cryptographic operation ({@link Signature}, {@link Cipher}, {@link Mac}) 1389 * with the key, wrapping it into a {@link BiometricPrompt.CryptoObject}, invoking 1390 * {@code BiometricPrompt.authenticate} with {@code CryptoObject}, and proceeding with 1391 * the cryptographic operation only if the authentication flow succeeds. 1392 * 1393 * <p>Cryptographic operations involving keys which are authorized to be used for a duration 1394 * of time after a successful user authentication event can only use secure lock screen 1395 * authentication. These cryptographic operations will throw 1396 * {@link UserNotAuthenticatedException} during initialization if the user needs to be 1397 * authenticated to proceed. This situation can be resolved by the user unlocking the secure 1398 * lock screen of the Android or by going through the confirm credential flow initiated by 1399 * {@link KeyguardManager#createConfirmDeviceCredentialIntent(CharSequence, CharSequence)}. 1400 * Once resolved, initializing a new cryptographic operation using this key (or any other 1401 * key which is authorized to be used for a fixed duration of time after user 1402 * authentication) should succeed provided the user authentication flow completed 1403 * successfully. 1404 * 1405 * @param seconds duration in seconds or {@code -1} if user authentication must take place 1406 * for every use of the key. 1407 * 1408 * @see #setUserAuthenticationRequired(boolean) 1409 * @see BiometricPrompt 1410 * @see BiometricPrompt.CryptoObject 1411 * @see KeyguardManager 1412 * @deprecated See {@link #setUserAuthenticationParameters(int, int)} 1413 */ 1414 @Deprecated 1415 @NonNull setUserAuthenticationValidityDurationSeconds( @ntRangefrom = -1) int seconds)1416 public Builder setUserAuthenticationValidityDurationSeconds( 1417 @IntRange(from = -1) int seconds) { 1418 if (seconds < -1) { 1419 throw new IllegalArgumentException("seconds must be -1 or larger"); 1420 } 1421 if (seconds == -1) { 1422 return setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG); 1423 } 1424 return setUserAuthenticationParameters(seconds, KeyProperties.AUTH_DEVICE_CREDENTIAL 1425 | KeyProperties.AUTH_BIOMETRIC_STRONG); 1426 } 1427 1428 /** 1429 * Sets the duration of time (seconds) and authorization type for which this key is 1430 * authorized to be used after the user is successfully authenticated. This has effect if 1431 * the key requires user authentication for its use (see 1432 * {@link #setUserAuthenticationRequired(boolean)}). 1433 * 1434 * <p>By default, if user authentication is required, it must take place for every use of 1435 * the key. 1436 * 1437 * <p>These cryptographic operations will throw {@link UserNotAuthenticatedException} during 1438 * initialization if the user needs to be authenticated to proceed. This situation can be 1439 * resolved by the user authenticating with the appropriate biometric or credential as 1440 * required by the key. See {@link BiometricPrompt.Builder#setAllowedAuthenticators(int)} 1441 * and {@link BiometricManager.Authenticators}. 1442 * 1443 * <p>Once resolved, initializing a new cryptographic operation using this key (or any other 1444 * key which is authorized to be used for a fixed duration of time after user 1445 * authentication) should succeed provided the user authentication flow completed 1446 * successfully. 1447 * 1448 * @param timeout duration in seconds or {@code 0} if user authentication must take place 1449 * for every use of the key. 1450 * @param type set of authentication types which can authorize use of the key. See 1451 * {@link KeyProperties}.{@code AUTH} flags. 1452 * 1453 * @see #setUserAuthenticationRequired(boolean) 1454 * @see BiometricPrompt 1455 * @see BiometricPrompt.CryptoObject 1456 * @see KeyguardManager 1457 */ 1458 @NonNull setUserAuthenticationParameters(@ntRangefrom = 0) int timeout, @KeyProperties.AuthEnum int type)1459 public Builder setUserAuthenticationParameters(@IntRange(from = 0) int timeout, 1460 @KeyProperties.AuthEnum int type) { 1461 if (timeout < 0) { 1462 throw new IllegalArgumentException("timeout must be 0 or larger"); 1463 } 1464 mUserAuthenticationValidityDurationSeconds = timeout; 1465 mUserAuthenticationType = type; 1466 return this; 1467 } 1468 1469 /** 1470 * Sets whether a test of user presence is required to be performed between the 1471 * {@code Signature.initSign()} and {@code Signature.sign()} method calls. 1472 * It requires that the KeyStore implementation have a direct way to validate the user 1473 * presence for example a KeyStore hardware backed strongbox can use a button press that 1474 * is observable in hardware. A test for user presence is tangential to authentication. The 1475 * test can be part of an authentication step as long as this step can be validated by the 1476 * hardware protecting the key and cannot be spoofed. For example, a physical button press 1477 * can be used as a test of user presence if the other pins connected to the button are not 1478 * able to simulate a button press.There must be no way for the primary processor to fake a 1479 * button press, or that button must not be used as a test of user presence. 1480 */ 1481 @NonNull setUserPresenceRequired(boolean required)1482 public Builder setUserPresenceRequired(boolean required) { 1483 mUserPresenceRequired = required; 1484 return this; 1485 } 1486 1487 /** 1488 * Sets whether an attestation certificate will be generated for this key pair, and what 1489 * challenge value will be placed in the certificate. The attestation certificate chain 1490 * can be retrieved with with {@link java.security.KeyStore#getCertificateChain(String)}. 1491 * 1492 * <p>If {@code attestationChallenge} is not {@code null}, the public key certificate for 1493 * this key pair will contain an extension that describes the details of the key's 1494 * configuration and authorizations, including the {@code attestationChallenge} value. If 1495 * the key is in secure hardware, and if the secure hardware supports attestation, the 1496 * certificate will be signed by a chain of certificates rooted at a trustworthy CA key. 1497 * Otherwise the chain will be rooted at an untrusted certificate. 1498 * 1499 * <p>The purpose of the challenge value is to enable relying parties to verify that the key 1500 * was created in response to a specific request. If attestation is desired but no 1501 * challenged is needed, any non-{@code null} value may be used, including an empty byte 1502 * array. 1503 * 1504 * <p>If {@code attestationChallenge} is {@code null}, and this spec is used to generate an 1505 * asymmetric (RSA or EC) key pair, the public key certificate will be self-signed if the 1506 * key has purpose {@link android.security.keystore.KeyProperties#PURPOSE_SIGN}. If the key 1507 * does not have purpose {@link android.security.keystore.KeyProperties#PURPOSE_SIGN}, it is 1508 * not possible to use the key to sign a certificate, so the public key certificate will 1509 * contain a dummy signature. 1510 * 1511 * <p>Symmetric keys, such as AES and HMAC keys, do not have public key certificates. If a 1512 * {@link #getAttestationChallenge()} returns non-null and the spec is used to generate a 1513 * symmetric (AES or HMAC) key, {@link javax.crypto.KeyGenerator#generateKey()} will throw 1514 * {@link java.security.InvalidAlgorithmParameterException}. 1515 */ 1516 @NonNull setAttestationChallenge(byte[] attestationChallenge)1517 public Builder setAttestationChallenge(byte[] attestationChallenge) { 1518 mAttestationChallenge = attestationChallenge; 1519 return this; 1520 } 1521 1522 /** 1523 * Sets whether to include the base device properties in the attestation certificate. 1524 * 1525 * <p>If {@code attestationChallenge} is not {@code null}, the public key certificate for 1526 * this key pair will contain an extension that describes the details of the key's 1527 * configuration and authorizations, including the device properties values (brand, device, 1528 * manufacturer, model, product). These should be the same as in ({@link Build#BRAND}, 1529 * {@link Build#DEVICE}, {@link Build#MANUFACTURER}, {@link Build#MODEL}, 1530 * {@link Build#PRODUCT}). The attestation certificate chain can 1531 * be retrieved with {@link java.security.KeyStore#getCertificateChain(String)}. 1532 * 1533 * <p> If {@code attestationChallenge} is {@code null}, the public key certificate for 1534 * this key pair will not contain the extension with the requested attested values. 1535 * 1536 * <p> {@link javax.crypto.KeyGenerator#generateKey()} will throw 1537 * {@link java.security.ProviderException} if device properties attestation fails or is not 1538 * supported. 1539 */ 1540 @NonNull setDevicePropertiesAttestationIncluded( boolean devicePropertiesAttestationIncluded)1541 public Builder setDevicePropertiesAttestationIncluded( 1542 boolean devicePropertiesAttestationIncluded) { 1543 mDevicePropertiesAttestationIncluded = devicePropertiesAttestationIncluded; 1544 return this; 1545 } 1546 1547 /** 1548 * @hide 1549 * Sets which IDs to attest in the attestation certificate for the key. The acceptable 1550 * values in this integer array are the enums specified in 1551 * {@link android.security.keystore.AttestationUtils} 1552 * 1553 * @param attestationIds the array of ID types to attest to in the certificate. 1554 * 1555 * @see android.security.keystore.AttestationUtils#ID_TYPE_SERIAL 1556 * @see android.security.keystore.AttestationUtils#ID_TYPE_IMEI 1557 * @see android.security.keystore.AttestationUtils#ID_TYPE_MEID 1558 * @see android.security.keystore.AttestationUtils#USE_INDIVIDUAL_ATTESTATION 1559 */ 1560 @SystemApi 1561 @NonNull setAttestationIds(@onNull int[] attestationIds)1562 public Builder setAttestationIds(@NonNull int[] attestationIds) { 1563 mAttestationIds = attestationIds; 1564 return this; 1565 } 1566 1567 /** 1568 * @hide Only system apps can use this method. 1569 * 1570 * Sets whether to include a temporary unique ID field in the attestation certificate. 1571 */ 1572 @UnsupportedAppUsage 1573 @TestApi 1574 @NonNull setUniqueIdIncluded(boolean uniqueIdIncluded)1575 public Builder setUniqueIdIncluded(boolean uniqueIdIncluded) { 1576 mUniqueIdIncluded = uniqueIdIncluded; 1577 return this; 1578 } 1579 1580 /** 1581 * Sets whether the key will remain authorized only until the device is removed from the 1582 * user's body up to the limit of the authentication validity period (see 1583 * {@link #setUserAuthenticationValidityDurationSeconds} and 1584 * {@link #setUserAuthenticationRequired}). Once the device has been removed from the 1585 * user's body, the key will be considered unauthorized and the user will need to 1586 * re-authenticate to use it. For keys without an authentication validity period this 1587 * parameter has no effect. 1588 * 1589 * <p>Similarly, on devices that do not have an on-body sensor, this parameter will have no 1590 * effect; the device will always be considered to be "on-body" and the key will therefore 1591 * remain authorized until the validity period ends. 1592 * 1593 * @param remainsValid if {@code true}, and if the device supports on-body detection, key 1594 * will be invalidated when the device is removed from the user's body or when the 1595 * authentication validity expires, whichever occurs first. 1596 */ 1597 @NonNull setUserAuthenticationValidWhileOnBody(boolean remainsValid)1598 public Builder setUserAuthenticationValidWhileOnBody(boolean remainsValid) { 1599 mUserAuthenticationValidWhileOnBody = remainsValid; 1600 return this; 1601 } 1602 1603 /** 1604 * Sets whether this key should be invalidated on biometric enrollment. This 1605 * applies only to keys which require user authentication (see {@link 1606 * #setUserAuthenticationRequired(boolean)}) and if no positive validity duration has been 1607 * set (see {@link #setUserAuthenticationValidityDurationSeconds(int)}, meaning the key is 1608 * valid for biometric authentication only. 1609 * 1610 * <p>By default, {@code invalidateKey} is {@code true}, so keys that are valid for 1611 * biometric authentication only are <em>irreversibly invalidated</em> when a new 1612 * biometric is enrolled, or when all existing biometrics are deleted. That may be 1613 * changed by calling this method with {@code invalidateKey} set to {@code false}. 1614 * 1615 * <p>Invalidating keys on enrollment of a new biometric or unenrollment of all biometrics 1616 * improves security by ensuring that an unauthorized person who obtains the password can't 1617 * gain the use of biometric-authenticated keys by enrolling their own biometric. However, 1618 * invalidating keys makes key-dependent operations impossible, requiring some fallback 1619 * procedure to authenticate the user and set up a new key. 1620 */ 1621 @NonNull setInvalidatedByBiometricEnrollment(boolean invalidateKey)1622 public Builder setInvalidatedByBiometricEnrollment(boolean invalidateKey) { 1623 mInvalidatedByBiometricEnrollment = invalidateKey; 1624 return this; 1625 } 1626 1627 /** 1628 * Sets whether this key should be protected by a StrongBox security chip. 1629 */ 1630 @NonNull setIsStrongBoxBacked(boolean isStrongBoxBacked)1631 public Builder setIsStrongBoxBacked(boolean isStrongBoxBacked) { 1632 mIsStrongBoxBacked = isStrongBoxBacked; 1633 return this; 1634 } 1635 1636 /** 1637 * Sets whether the keystore requires the screen to be unlocked before allowing decryption 1638 * using this key. If this is set to {@code true}, any attempt to decrypt or sign using this 1639 * key while the screen is locked will fail. A locked device requires a PIN, password, 1640 * biometric, or other trusted factor to access. While the screen is locked, the key can 1641 * still be used for encryption or signature verification. 1642 */ 1643 @NonNull setUnlockedDeviceRequired(boolean unlockedDeviceRequired)1644 public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) { 1645 mUnlockedDeviceRequired = unlockedDeviceRequired; 1646 return this; 1647 } 1648 1649 /** 1650 * Set whether this key is critical to the device encryption flow 1651 * 1652 * This is a special flag only available to system servers to indicate the current key 1653 * is part of the device encryption flow. Setting this flag causes the key to not 1654 * be cryptographically bound to the LSKF even if the key is otherwise authentication 1655 * bound. 1656 * 1657 * @hide 1658 */ setCriticalToDeviceEncryption(boolean critical)1659 public Builder setCriticalToDeviceEncryption(boolean critical) { 1660 mCriticalToDeviceEncryption = critical; 1661 return this; 1662 } 1663 1664 /** 1665 * Sets the maximum number of times the key is allowed to be used. After every use of the 1666 * key, the use counter will decrease. This authorization applies only to secret key and 1667 * private key operations. Public key operations are not restricted. For example, after 1668 * successfully encrypting and decrypting data using methods such as 1669 * {@link Cipher#doFinal()}, the use counter of the secret key will decrease. After 1670 * successfully signing data using methods such as {@link Signature#sign()}, the use 1671 * counter of the private key will decrease. 1672 * 1673 * When the use counter is depleted, the key will be marked for deletion by Android 1674 * Keystore and any subsequent attempt to use the key will throw 1675 * {@link KeyPermanentlyInvalidatedException}. There is no key to be loaded from the 1676 * Android Keystore once the exhausted key is permanently deleted, as if the key never 1677 * existed before. 1678 * 1679 * <p>By default, there is no restriction on the usage of key. 1680 * 1681 * <p>Some secure hardware may not support this feature at all, in which case it will 1682 * be enforced in software, some secure hardware may support it but only with 1683 * maxUsageCount = 1, and some secure hardware may support it with larger value 1684 * of maxUsageCount. 1685 * 1686 * <p>The PackageManger feature flags: 1687 * {@link android.content.pm.PackageManager#FEATURE_KEYSTORE_SINGLE_USE_KEY} and 1688 * {@link android.content.pm.PackageManager#FEATURE_KEYSTORE_LIMITED_USE_KEY} can be used 1689 * to check whether the secure hardware cannot enforce this feature, can only enforce it 1690 * with maxUsageCount = 1, or can enforce it with larger value of maxUsageCount. 1691 * 1692 * @param maxUsageCount maximum number of times the key is allowed to be used or 1693 * {@link KeyProperties#UNRESTRICTED_USAGE_COUNT} if there is no restriction on the 1694 * usage. 1695 */ 1696 @NonNull setMaxUsageCount(int maxUsageCount)1697 public Builder setMaxUsageCount(int maxUsageCount) { 1698 if (maxUsageCount == KeyProperties.UNRESTRICTED_USAGE_COUNT || maxUsageCount > 0) { 1699 mMaxUsageCount = maxUsageCount; 1700 return this; 1701 } 1702 throw new IllegalArgumentException("maxUsageCount is not valid"); 1703 } 1704 1705 /** 1706 * Sets the alias of the attestation key that will be used to sign the attestation 1707 * certificate for the generated key pair, if an attestation challenge is set with {@link 1708 * #setAttestationChallenge}. If an attestKeyAlias is set but no challenge, {@link 1709 * java.security.KeyPairGenerator#initialize} will throw {@link 1710 * java.security.InvalidAlgorithmParameterException}. 1711 * 1712 * <p>If the attestKeyAlias is set to null (the default), Android Keystore will select an 1713 * appropriate system-provided attestation signing key. If not null, the alias must 1714 * reference an Android Keystore Key that was created with {@link 1715 * android.security.keystore.KeyProperties#PURPOSE_ATTEST_KEY}, or key generation will throw 1716 * {@link java.security.InvalidAlgorithmParameterException}. 1717 * 1718 * @param attestKeyAlias the alias of the attestation key to be used to sign the 1719 * attestation certificate. 1720 */ 1721 @NonNull setAttestKeyAlias(@ullable String attestKeyAlias)1722 public Builder setAttestKeyAlias(@Nullable String attestKeyAlias) { 1723 mAttestKeyAlias = attestKeyAlias; 1724 return this; 1725 } 1726 1727 /** 1728 * Builds an instance of {@code KeyGenParameterSpec}. 1729 */ 1730 @NonNull build()1731 public KeyGenParameterSpec build() { 1732 return new KeyGenParameterSpec( 1733 mKeystoreAlias, 1734 mNamespace, 1735 mKeySize, 1736 mSpec, 1737 mCertificateSubject, 1738 mCertificateSerialNumber, 1739 mCertificateNotBefore, 1740 mCertificateNotAfter, 1741 mKeyValidityStart, 1742 mKeyValidityForOriginationEnd, 1743 mKeyValidityForConsumptionEnd, 1744 mPurposes, 1745 mDigests, 1746 mEncryptionPaddings, 1747 mSignaturePaddings, 1748 mBlockModes, 1749 mRandomizedEncryptionRequired, 1750 mUserAuthenticationRequired, 1751 mUserAuthenticationValidityDurationSeconds, 1752 mUserAuthenticationType, 1753 mUserPresenceRequired, 1754 mAttestationChallenge, 1755 mDevicePropertiesAttestationIncluded, 1756 mAttestationIds, 1757 mUniqueIdIncluded, 1758 mUserAuthenticationValidWhileOnBody, 1759 mInvalidatedByBiometricEnrollment, 1760 mIsStrongBoxBacked, 1761 mUserConfirmationRequired, 1762 mUnlockedDeviceRequired, 1763 mCriticalToDeviceEncryption, 1764 mMaxUsageCount, 1765 mAttestKeyAlias); 1766 } 1767 } 1768 } 1769