am 6d8cf7a7: am bb320299: am 155d41a0: am 304b01c2: Merge "Document what algorithms Android Keystore supports." into mnc-dev

* commit '6d8cf7a7a063cfa0c37ea85946c6f1fe105435c5':
  Document what algorithms Android Keystore supports.

docs/html/training/articles/keystore.jd

@@ -7,14 +7,15 @@ page.title=Android Keystore System
     <ol>
       <li><a href="#SecurityFeatures">Security Features</a></li>
       <li><a href="#WhichShouldIUse">Choosing Between a Keychain or the Android Keystore Provider</a></li>
-      <li><a href="#UsingAndroidKeyStore">Using Android Keystore Provider
-      </a></li>
+      <li><a href="#UsingAndroidKeyStore">Using Android Keystore Provider</a>
       <ol>
         <li><a href="#GeneratingANewPrivateKey">Generating a New Private Key</a></li>
         <li><a href="#WorkingWithKeyStoreEntries">Working with Keystore Entries</a></li>
         <li><a href="#ListingEntries">Listing Entries</a></li>
         <li><a href="#SigningAndVerifyingData">Signing and Verifying Data</a></li>
       </ol>
+      </li>
+      <li><a href="#SupportedAlgorithms">Supported Algorithms</a></li>
     </ol>
 
     <h2>Blog articles</h2>
@@ -27,6 +28,14 @@ page.title=Android Keystore System
   </div>
 </div>
 
+<style type="text/css">
+  tr.deprecated {
+    background-color: #ccc;
+    color: #999;
+    font-style: italic;
+  }
+</style>
+
 <p>The Android Keystore system lets you store cryptographic keys in a container
   to make it more difficult to extract from the device. Once keys are in the
   keystore, they can be used for cryptographic operations with the key material
@@ -213,4 +222,456 @@ operate in one of the two modes:
   {@link android.hardware.fingerprint.FingerprintManager#hasEnrolledFingerprints() FingerprintManager.hasEnrolledFingerprints}).
   These keys become permanently invalidated once a new fingerprint is enrolled or all fingerprints
   are unenrolled.</li>
-</ul>
+</ul>
+
+<h2 id="SupportedAlgorithms">Supported Algorithms</h2>
+
+<ul>
+  <li><a href="#SupportedCiphers">{@code Cipher}</a></li>
+  <li><a href="#SupportedKeyGenerators">{@code KeyGenerator}</a></li>
+  <li><a href="#SupportedKeyFactories">{@code KeyFactory}</a></li>
+  <li><a href="#SupportedKeyPairGenerators">{@code KeyPairGenerator}</a></li>
+  <li><a href="#SupportedMacs">{@code Mac}</a></li>
+  <li><a href="#SupportedSignatures">{@code Signature}</a></li>
+  <li><a href="#SupportedSecretKeyFactories">{@code SecretKeyFactory}</a></li>
+</ul>
+
+<h3 id="SupportedCiphers">Cipher</h3>
+<table>
+  <thead>
+    <tr>
+      <th>Algorithm</th>
+      <th>Supported (API Levels)</th>
+      <th>Notes</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>AES/CBC/NoPadding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>AES/CBC/PKCS7Padding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>AES/CTR/NoPadding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>AES/ECB/NoPadding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>AES/ECB/PKCS7Padding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>AES/GCM/NoPadding</td>
+      <td>23+</td>
+      <td>Only 12-byte long IVs supported.</td>
+    </tr>
+    <tr>
+      <td>RSA/ECB/NoPadding</td>
+      <td>18+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>RSA/ECB/PKCS1Padding</td>
+      <td>18+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>RSA/ECB/OAEPWithSHA-1AndMGF1Padding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>RSA/ECB/OAEPWithSHA-224AndMGF1Padding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>RSA/ECB/OAEPWithSHA-256AndMGF1Padding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>RSA/ECB/OAEPWithSHA-384AndMGF1Padding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>RSA/ECB/OAEPWithSHA-512AndMGF1Padding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>RSA/ECB/OAEPPadding</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+  </tbody>
+</table>
+
+<h3 id="SupportedKeyGenerators">KeyGenerator</h3>
+<table>
+  <thead>
+    <tr>
+      <th>Algorithm</th>
+      <th>Supported (API Levels)</th>
+      <th>Notes</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>AES</td>
+      <td>23+</td>
+      <td>Supported sizes: 128, 192, 256</td>
+    </tr>
+    <tr>
+      <td>HmacSHA1</td>
+      <td>23+</td>
+      <td>
+        <ul>
+          <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+          <li>Default size: 160</li>
+        <ul>
+      </td>
+    </tr>
+    <tr>
+      <td>HmacSHA224</td>
+      <td>23+</td>
+      <td>
+        <ul>
+          <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+          <li>Default size: 224</li>
+        <ul>
+      </td>
+    </tr>
+    <tr>
+      <td>HmacSHA256</td>
+      <td>23+</td>
+      <td>
+        <ul>
+          <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+          <li>Default size: 256</li>
+        <ul>
+      </td>
+    </tr>
+    <tr>
+      <td>HmacSHA384</td>
+      <td>23+</td>
+      <td>
+        <ul>
+          <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+          <li>Default size: 384</li>
+        <ul>
+      </td>
+    </tr>
+    <tr>
+      <td>HmacSHA512</td>
+      <td>23+</td>
+      <td>
+        <ul>
+          <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+          <li>Default size: 512</li>
+        <ul>
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+<h3 id="SupportedKeyFactories">KeyFactory</h3>
+<table>
+  <thead>
+    <tr>
+      <th>Algorithm</th>
+      <th>Supported (API Levels)</th>
+      <th>Notes</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>EC</td>
+      <td>23+</td>
+      <td>Supported key specs: {@link android.security.keystore.KeyInfo} (private key only),
+        {@link java.security.spec.ECPublicKeySpec} (public key only),
+        {@link java.security.spec.X509EncodedKeySpec} (public key only)
+      </td>
+    </tr>
+    <tr>
+      <td>RSA</td>
+      <td>23+</td>
+      <td>Supported key specs: {@link android.security.keystore.KeyInfo} (private key only),
+        {@link java.security.spec.RSAPublicKeySpec} (public key only),
+        {@link java.security.spec.X509EncodedKeySpec} (public key only)
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+<h3 id="SupportedKeyStoreKeys">KeyStore</h3>
+KeyStore supports the same key types as
+<a href="#SupportedKeyPairGenerators">{@code KeyPairGenerator}</a> and
+<a href="#SupportedKeyGenerators">{@code KeyGenerator}</a>.
+
+<h3 id="SupportedKeyPairGenerators">KeyPairGenerator</h3>
+<table>
+  <thead>
+    <tr>
+      <th>Algorithm</th>
+      <th>Supported (API Levels)</th>
+      <th>Notes</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr class="deprecated">
+      <td>DSA</td>
+      <td>19&ndash;22</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>EC</td>
+      <td>23+</td>
+      <td>
+        <ul>
+          <li>Supported sizes: 224, 256, 384, 521</li>
+          <li>Supported named curves: P-224 (secp256r1), P-256 (aka secp256r1 and prime256v1), P-384
+            (aka secp384r1), P-521 (aka secp521r1)</li>
+        </ul>
+
+        <p>Prior to API Level 23, EC keys can be generated using KeyPairGenerator of algorithm "RSA"
+        initialized {@link android.security.KeyPairGeneratorSpec} whose key type is set to "EC"
+        using {@link android.security.KeyPairGeneratorSpec.Builder#setKeyType(String)}. EC curve
+        name cannot be specified using this method -- a NIST P-curve is automatically chosen based
+        on the requested key size.
+      </td>
+    </tr>
+    <tr>
+      <td>RSA</td>
+      <td>18+</td>
+      <td>
+        <ul>
+          <li>Supported sizes: 512, 768, 1024, 2048, 3072, 4096</li>
+          <li>Supported public exponents: 3, 65537</li>
+          <li>Default public exponent: 65537</li>
+        </ul>
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+<h3 id="SupportedMacs">Mac</h3>
+<table>
+  <thead>
+    <tr>
+      <th>Algorithm</th>
+      <th>Supported (API Levels)</th>
+      <th>Notes</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>HmacSHA1</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>HmacSHA224</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>HmacSHA256</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>HmacSHA384</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>HmacSHA512</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+  </tbody>
+</table>
+
+<h3 id="SupportedSignatures">Signature</h3>
+<table>
+  <thead>
+    <tr>
+      <th>Algorithm</th>
+      <th>Supported (API Levels)</th>
+      <th>Notes</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>MD5withRSA</td>
+      <td>18+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>NONEwithECDSA</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>NONEwithRSA</td>
+      <td>18+</td>
+      <td></td>
+    </tr>
+    <tr class="deprecated">
+      <td>SHA1withDSA</td>
+      <td>19&ndash;22</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA1withECDSA</td>
+      <td>19+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA1withRSA</td>
+      <td>18+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA1withRSA/PSS</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr class="deprecated">
+      <td>SHA224withDSA</td>
+      <td>20&ndash;22</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA224withECDSA</td>
+      <td>20+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA224withRSA</td>
+      <td>20+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA224withRSA/PSS</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr class="deprecated">
+      <td>SHA256withDSA</td>
+      <td>19&ndash;22</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA256withECDSA</td>
+      <td>19+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA256withRSA</td>
+      <td>18+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA256withRSA/PSS</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr class="deprecated">
+      <td>SHA384withDSA</td>
+      <td>19&ndash;22</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA384withECDSA</td>
+      <td>19+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA384withRSA</td>
+      <td>18+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA384withRSA/PSS</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+    <tr class="deprecated">
+      <td>SHA512withDSA</td>
+      <td>19&ndash;22</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA512withECDSA</td>
+      <td>19+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA512withRSA</td>
+      <td>18+</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>SHA512withRSA/PSS</td>
+      <td>23+</td>
+      <td></td>
+    </tr>
+  </tbody>
+</table>
+
+<h3 id="SupportedSecretKeyFactories">SecretKeyFactory</h3>
+<table>
+  <thead>
+    <tr>
+      <th>Algorithm</th>
+      <th>Supported (API Levels)</th>
+      <th>Notes</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>AES</td>
+      <td>23+</td>
+      <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+    </tr>
+    <tr>
+      <td>HmacSHA1</td>
+      <td>23+</td>
+      <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+    </tr>
+    <tr>
+      <td>HmacSHA224</td>
+      <td>23+</td>
+      <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+    </tr>
+    <tr>
+      <td>HmacSHA256</td>
+      <td>23+</td>
+      <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+    </tr>
+    <tr>
+      <td>HmacSHA384</td>
+      <td>23+</td>
+      <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+    </tr>
+    <tr>
+      <td>HmacSHA512</td>
+      <td>23+</td>
+      <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+    </tr>
+  </tbody>
+</table>