am 155d41a0: am 304b01c2: Merge "Document what algorithms Android Keystore supports." into mnc-dev

* commit '155d41a0f29ebe895f32d9c42e47e56acf0be59c':
  Document what algorithms Android Keystore supports.
Alex Klyubin
2015-07-24 03:08:21 +00:00
committed by Android Git Automerger


@@ -7,14 +7,15 @@ page.title=Android Keystore System
<ol> <ol>
<li><a href="#SecurityFeatures">Security Features</a></li> <li><a href="#SecurityFeatures">Security Features</a></li>
<li><a href="#WhichShouldIUse">Choosing Between a Keychain or the Android Keystore Provider</a></li> <li><a href="#WhichShouldIUse">Choosing Between a Keychain or the Android Keystore Provider</a></li>
<li><a href="#UsingAndroidKeyStore">Using Android Keystore Provider <li><a href="#UsingAndroidKeyStore">Using Android Keystore Provider</a>
</a></li>
<ol> <ol>
<li><a href="#GeneratingANewPrivateKey">Generating a New Private Key</a></li> <li><a href="#GeneratingANewPrivateKey">Generating a New Private Key</a></li>
<li><a href="#WorkingWithKeyStoreEntries">Working with Keystore Entries</a></li> <li><a href="#WorkingWithKeyStoreEntries">Working with Keystore Entries</a></li>
<li><a href="#ListingEntries">Listing Entries</a></li> <li><a href="#ListingEntries">Listing Entries</a></li>
<li><a href="#SigningAndVerifyingData">Signing and Verifying Data</a></li> <li><a href="#SigningAndVerifyingData">Signing and Verifying Data</a></li>
</ol> </ol>
</li>
<li><a href="#SupportedAlgorithms">Supported Algorithms</a></li>
</ol> </ol>
<h2>Blog articles</h2> <h2>Blog articles</h2>
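Review bot: the new "Supported Algorithms" entry added to the table of contents is a flat link, while the neighbouring "Using Android Keystore Provider" entry carries a nested <ol> of its subsections; for consistency, nest links to the per-class subsections this commit introduces (#SupportedCiphers, #SupportedKeyGenerators, #SupportedKeyFactories, #SupportedKeyPairGenerators, #SupportedMacs, #SupportedSignatures, #SupportedSecretKeyFactories) under it the same way, so a reader can jump straight to the Cipher or Signature table.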
@@ -27,6 +28,14 @@ page.title=Android Keystore System
</div> </div>
</div> </div>
<style type="text/css">
tr.deprecated {
background-color: #ccc;
color: #999;
font-style: italic;
}
</style>
<p>The Android Keystore system lets you store cryptographic keys in a container <p>The Android Keystore system lets you store cryptographic keys in a container
to make it more difficult to extract from the device. Once keys are in the to make it more difficult to extract from the device. Once keys are in the
keystore, they can be used for cryptographic operations with the key material keystore, they can be used for cryptographic operations with the key material
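Review bot: the tr.deprecated rule makes deprecation visible only as grey italic text, which carries no meaning for screen readers, text-mode rendering, or anyone who copies a table into a ticket; add a one-line legend above the tables or put the word "Deprecated" in the Notes column of each such row in addition to the class. Also consider placing the rule in the site's shared stylesheet rather than an inline <style> block in the page body, since other reference pages will want the same convention.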
@@ -213,4 +222,456 @@ operate in one of the two modes:
{@link android.hardware.fingerprint.FingerprintManager#hasEnrolledFingerprints() FingerprintManager.hasEnrolledFingerprints}). {@link android.hardware.fingerprint.FingerprintManager#hasEnrolledFingerprints() FingerprintManager.hasEnrolledFingerprints}).
These keys become permanently invalidated once a new fingerprint is enrolled or all fingerprints These keys become permanently invalidated once a new fingerprint is enrolled or all fingerprints
are unenrolled.</li> are unenrolled.</li>
</ul> </ul>
<h2 id="SupportedAlgorithms">Supported Algorithms</h2>
<ul>
<li><a href="#SupportedCiphers">{@code Cipher}</a></li>
<li><a href="#SupportedKeyGenerators">{@code KeyGenerator}</a></li>
<li><a href="#SupportedKeyFactories">{@code KeyFactory}</a></li>
<li><a href="#SupportedKeyPairGenerators">{@code KeyPairGenerator}</a></li>
<li><a href="#SupportedMacs">{@code Mac}</a></li>
<li><a href="#SupportedSignatures">{@code Signature}</a></li>
<li><a href="#SupportedSecretKeyFactories">{@code SecretKeyFactory}</a></li>
</ul>
<h3 id="SupportedCiphers">Cipher</h3>
<table>
<thead>
<tr>
<th>Algorithm</th>
<th>Supported (API Levels)</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td>AES/CBC/NoPadding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>AES/CBC/PKCS7Padding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>AES/CTR/NoPadding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>AES/ECB/NoPadding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>AES/ECB/PKCS7Padding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>AES/GCM/NoPadding</td>
<td>23+</td>
<td>Only 12-byte long IVs supported.</td>
</tr>
<tr>
<td>RSA/ECB/NoPadding</td>
<td>18+</td>
<td></td>
</tr>
<tr>
<td>RSA/ECB/PKCS1Padding</td>
<td>18+</td>
<td></td>
</tr>
<tr>
<td>RSA/ECB/OAEPWithSHA-1AndMGF1Padding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>RSA/ECB/OAEPWithSHA-224AndMGF1Padding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>RSA/ECB/OAEPWithSHA-256AndMGF1Padding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>RSA/ECB/OAEPWithSHA-384AndMGF1Padding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>RSA/ECB/OAEPWithSHA-512AndMGF1Padding</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>RSA/ECB/OAEPPadding</td>
<td>23+</td>
<td></td>
</tr>
</tbody>
</table>
<h3 id="SupportedKeyGenerators">KeyGenerator</h3>
<table>
<thead>
<tr>
<th>Algorithm</th>
<th>Supported (API Levels)</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td>AES</td>
<td>23+</td>
<td>Supported sizes: 128, 192, 256</td>
</tr>
<tr>
<td>HmacSHA1</td>
<td>23+</td>
<td>
<ul>
<li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
<li>Default size: 160</li>
<ul>
</td>
</tr>
<tr>
<td>HmacSHA224</td>
<td>23+</td>
<td>
<ul>
<li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
<li>Default size: 224</li>
<ul>
</td>
</tr>
<tr>
<td>HmacSHA256</td>
<td>23+</td>
<td>
<ul>
<li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
<li>Default size: 256</li>
<ul>
</td>
</tr>
<tr>
<td>HmacSHA384</td>
<td>23+</td>
<td>
<ul>
<li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
<li>Default size: 384</li>
<ul>
</td>
</tr>
<tr>
<td>HmacSHA512</td>
<td>23+</td>
<td>
<ul>
<li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
<li>Default size: 512</li>
<ul>
</td>
</tr>
</tbody>
</table>
<h3 id="SupportedKeyFactories">KeyFactory</h3>
<table>
<thead>
<tr>
<th>Algorithm</th>
<th>Supported (API Levels)</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td>EC</td>
<td>23+</td>
<td>Supported key specs: {@link android.security.keystore.KeyInfo} (private key only),
{@link java.security.spec.ECPublicKeySpec} (public key only),
{@link java.security.spec.X509EncodedKeySpec} (public key only)
</td>
</tr>
<tr>
<td>RSA</td>
<td>23+</td>
<td>Supported key specs: {@link android.security.keystore.KeyInfo} (private key only),
{@link java.security.spec.RSAPublicKeySpec} (public key only),
{@link java.security.spec.X509EncodedKeySpec} (public key only)
</td>
</tr>
</tbody>
</table>
<h3 id="SupportedKeyStoreKeys">KeyStore</h3>
KeyStore supports the same key types as
<a href="#SupportedKeyPairGenerators">{@code KeyPairGenerator}</a> and
<a href="#SupportedKeyGenerators">{@code KeyGenerator}</a>.
<h3 id="SupportedKeyPairGenerators">KeyPairGenerator</h3>
<table>
<thead>
<tr>
<th>Algorithm</th>
<th>Supported (API Levels)</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr class="deprecated">
<td>DSA</td>
<td>19&ndash;22</td>
<td></td>
</tr>
<tr>
<td>EC</td>
<td>23+</td>
<td>
<ul>
<li>Supported sizes: 224, 256, 384, 521</li>
<li>Supported named curves: P-224 (secp256r1), P-256 (aka secp256r1 and prime256v1), P-384
(aka secp384r1), P-521 (aka secp521r1)</li>
</ul>
<p>Prior to API Level 23, EC keys can be generated using KeyPairGenerator of algorithm "RSA"
initialized {@link android.security.KeyPairGeneratorSpec} whose key type is set to "EC"
using {@link android.security.KeyPairGeneratorSpec.Builder#setKeyType(String)}. EC curve
name cannot be specified using this method -- a NIST P-curve is automatically chosen based
on the requested key size.
</td>
</tr>
<tr>
<td>RSA</td>
<td>18+</td>
<td>
<ul>
<li>Supported sizes: 512, 768, 1024, 2048, 3072, 4096</li>
<li>Supported public exponents: 3, 65537</li>
<li>Default public exponent: 65537</li>
</ul>
</td>
</tr>
</tbody>
</table>
<h3 id="SupportedMacs">Mac</h3>
<table>
<thead>
<tr>
<th>Algorithm</th>
<th>Supported (API Levels)</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td>HmacSHA1</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>HmacSHA224</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>HmacSHA256</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>HmacSHA384</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>HmacSHA512</td>
<td>23+</td>
<td></td>
</tr>
</tbody>
</table>
<h3 id="SupportedSignatures">Signature</h3>
<table>
<thead>
<tr>
<th>Algorithm</th>
<th>Supported (API Levels)</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td>MD5withRSA</td>
<td>18+</td>
<td></td>
</tr>
<tr>
<td>NONEwithECDSA</td>
<td>23+</td>
<td></td>
</tr>
<tr>
<td>NONEwithRSA</td>
<td>18+</td>
<td></td>
</tr>
<tr class="deprecated">
<td>SHA1withDSA</td>
<td>19&ndash;22</td>
<td></td>
</tr>
<tr>
<td>SHA1withECDSA</td>
<td>19+</td>
<td></td>
</tr>
<tr>
<td>SHA1withRSA</td>
<td>18+</td>
<td></td>
</tr>
<tr>
<td>SHA1withRSA/PSS</td>
<td>23+</td>
<td></td>
</tr>
<tr class="deprecated">
<td>SHA224withDSA</td>
<td>20&ndash;22</td>
<td></td>
</tr>
<tr>
<td>SHA224withECDSA</td>
<td>20+</td>
<td></td>
</tr>
<tr>
<td>SHA224withRSA</td>
<td>20+</td>
<td></td>
</tr>
<tr>
<td>SHA224withRSA/PSS</td>
<td>23+</td>
<td></td>
</tr>
<tr class="deprecated">
<td>SHA256withDSA</td>
<td>19&ndash;22</td>
<td></td>
</tr>
<tr>
<td>SHA256withECDSA</td>
<td>19+</td>
<td></td>
</tr>
<tr>
<td>SHA256withRSA</td>
<td>18+</td>
<td></td>
</tr>
<tr>
<td>SHA256withRSA/PSS</td>
<td>23+</td>
<td></td>
</tr>
<tr class="deprecated">
<td>SHA384withDSA</td>
<td>19&ndash;22</td>
<td></td>
</tr>
<tr>
<td>SHA384withECDSA</td>
<td>19+</td>
<td></td>
</tr>
<tr>
<td>SHA384withRSA</td>
<td>18+</td>
<td></td>
</tr>
<tr>
<td>SHA384withRSA/PSS</td>
<td>23+</td>
<td></td>
</tr>
<tr class="deprecated">
<td>SHA512withDSA</td>
<td>19&ndash;22</td>
<td></td>
</tr>
<tr>
<td>SHA512withECDSA</td>
<td>19+</td>
<td></td>
</tr>
<tr>
<td>SHA512withRSA</td>
<td>18+</td>
<td></td>
</tr>
<tr>
<td>SHA512withRSA/PSS</td>
<td>23+</td>
<td></td>
</tr>
</tbody>
</table>
<h3 id="SupportedSecretKeyFactories">SecretKeyFactory</h3>
<table>
<thead>
<tr>
<th>Algorithm</th>
<th>Supported (API Levels)</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td>AES</td>
<td>23+</td>
<td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
</tr>
<tr>
<td>HmacSHA1</td>
<td>23+</td>
<td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
</tr>
<tr>
<td>HmacSHA224</td>
<td>23+</td>
<td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
</tr>
<tr>
<td>HmacSHA256</td>
<td>23+</td>
<td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
</tr>
<tr>
<td>HmacSHA384</td>
<td>23+</td>
<td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
</tr>
<tr>
<td>HmacSHA512</td>
<td>23+</td>
<td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
</tr>
</tbody>
</table>
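Review bot: the HmacSHA1 through HmacSHA512 rows of the KeyGenerator table close their Notes list with a second `<ul>` instead of `</ul>`, leaving five unclosed lists inside the table; change each closing `<ul>` to `</ul>`. In the EC row of the KeyPairGenerator table, P-224 is listed as "secp256r1"; its SEC name is secp224r1 (secp256r1 is P-256, which the same line already names correctly). The paragraph below it, "KeyPairGenerator of algorithm "RSA" initialized {@link android.security.KeyPairGeneratorSpec}", needs "initialized with". The subsection list under the "Supported Algorithms" heading omits the new SupportedKeyStoreKeys heading, so that section is unreachable from the list. Finally, the Notes column is empty for options a reader should not pick by default (the AES/ECB rows, RSA/ECB/NoPadding, RSA sizes 512 and 768, MD5withRSA, NONEwithRSA); a short "supported for compatibility only" note would match the deprecated-row convention already used for DSA.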