author Alex Klyubin <klyubin@google.com> 2015-04-03 19:12:16 +0000
committer Android (Google) Code Review <android-gerrit@google.com> 2015-04-03 19:12:17 +0000
commit7e3a19ac85d30abade971d8d0a948b4599d97c9e (patch)
treef4727b6f9b0b84b6ffa6e6290e3805dcfb1cf8f3
parent51ce5c16d559251a1a29affb971acce22ee5477e (diff)
parent36662ba6aef74816d1876e4e13127bf7f12f372b (diff)
Merge "Add fingerprint-specific API to KeyPairGeneratorSpec."
-rw-r--r--keystore/java/android/security/KeyPairGeneratorSpec.java42
1 files changed, 39 insertions, 3 deletions
diff --git a/keystore/java/android/security/KeyPairGeneratorSpec.java b/keystore/java/android/security/KeyPairGeneratorSpec.java
index 00016040a11f..dd62e9a76c11 100644
--- a/keystore/java/android/security/KeyPairGeneratorSpec.java
+++ b/keystore/java/android/security/KeyPairGeneratorSpec.java
@@ -97,6 +97,8 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
private final Integer mUserAuthenticationValidityDurationSeconds;
+ private final boolean mInvalidatedOnNewFingerprintEnrolled;
+
/**
* Parameter specification for the "{@code AndroidKeyPairGenerator}"
* instance of the {@link java.security.KeyPairGenerator} API. The
@@ -142,7 +144,8 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
Integer minSecondsBetweenOperations,
Integer maxUsesPerBoot,
Set<Integer> userAuthenticators,
- Integer userAuthenticationValidityDurationSeconds) {
+ Integer userAuthenticationValidityDurationSeconds,
+ boolean invalidatedOnNewFingerprintEnrolled) {
if (context == null) {
throw new IllegalArgumentException("context == null");
} else if (TextUtils.isEmpty(keyStoreAlias)) {
@@ -186,6 +189,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
? new HashSet<Integer>(userAuthenticators)
: Collections.<Integer>emptySet();
mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;
+ mInvalidatedOnNewFingerprintEnrolled = invalidatedOnNewFingerprintEnrolled;
}
/**
@@ -197,7 +201,7 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
Date startDate, Date endDate, int flags) {
this(context, keyStoreAlias, keyType, keySize, spec, subjectDN, serialNumber, startDate,
endDate, flags, startDate, endDate, endDate, null, null, null, null, null, null,
- null, null);
+ null, null, false);
}
/**
@@ -426,6 +430,19 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
+ * Returns {@code true} if this key must be permanently invalidated once a new fingerprint is
+ * enrolled. This constraint only has effect if fingerprint reader is one of the user
+ * authenticators protecting access to this key.
+ *
+ * @see #getUserAuthenticators()
+ *
+ * @hide
+ */
+ public boolean isInvalidatedOnNewFingerprintEnrolled() {
+ return mInvalidatedOnNewFingerprintEnrolled;
+ }
+
+ /**
* Builder class for {@link KeyPairGeneratorSpec} objects.
* <p>
* This will build a parameter spec for use with the <a href="{@docRoot}
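Review bot: Nothing in this diff reads `isInvalidatedOnNewFingerprintEnrolled()`, so as far as these hunks show, the flag is stored and exposed but not yet enforced. The Javadoc says the key "must be permanently invalidated", and callers will rely on that as a security guarantee. It is worth confirming that the key generator consuming this spec forwards the flag to the keystore in the same change set, with a test covering a key generated with the flag set. The Javadoc could also state what a caller observes afterwards, for example `* Once invalidated, the key can no longer be used and must be regenerated.`, if that matches the implementation.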
@@ -489,6 +506,8 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
private Integer mUserAuthenticationValidityDurationSeconds;
+ private boolean mInvalidatedOnNewFingerprintEnrolled;
+
/**
* Creates a new instance of the {@code Builder} with the given
* {@code context}. The {@code context} passed in may be used to pop up
@@ -800,6 +819,22 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
}
/**
+ * Sets whether this key must be invalidated (permanently) once a new fingerprint is
+ * enrolled. This only has effect if fingerprint reader is one of the user authenticators
+ * protecting access to the key.
+ *
+ * <p>By default, enrolling a new fingerprint does not invalidate the key.
+ *
+ * @see #setUserAuthenticators(Set)
+ *
+ * @hide
+ */
+ public Builder setInvalidatedOnNewFingerprintEnrolled(boolean invalidated) {
+ mInvalidatedOnNewFingerprintEnrolled = invalidated;
+ return this;
+ }
+
+ /**
* Builds the instance of the {@code KeyPairGeneratorSpec}.
*
* @throws IllegalArgumentException if a required field is missing
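Review bot: The default documented on `setInvalidatedOnNewFingerprintEnrolled`, which comes from the uninitialized `mInvalidatedOnNewFingerprintEnrolled` field added to the Builder, is the permissive one: a fingerprint-gated key stays usable after a new fingerprint is enrolled. An app that never calls the setter therefore gets a key whose use can be authorized by a fingerprint added after the key was generated, which is probably not what a caller restricting a key to fingerprint authentication expects. Either make invalidation the default when fingerprint is among the user authenticators, or spell out the consequence in the Javadoc, e.g. `* <p>If left unset, a fingerprint enrolled after key generation can authorize use of this key.`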
@@ -826,7 +861,8 @@ public final class KeyPairGeneratorSpec implements AlgorithmParameterSpec {
mMinSecondsBetweenOperations,
mMaxUsesPerBoot,
mUserAuthenticators,
- mUserAuthenticationValidityDurationSeconds);
+ mUserAuthenticationValidityDurationSeconds,
+ mInvalidatedOnNewFingerprintEnrolled);
}
}
}
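Review bot: `build()` forwards `mInvalidatedOnNewFingerprintEnrolled` to the constructor without checking that the flag can take effect. Per the setter's Javadoc the constraint is ignored unless the fingerprint reader is one of the user authenticators, so a caller who sets it to `true` but leaves the authenticator set empty or without fingerprint gets a key with no invalidation and no error. Consider rejecting that combination next to the existing `IllegalArgumentException` checks in the constructor, so the misconfiguration fails at spec construction rather than silently weakening the key's protection. `build()` begins outside this hunk, so there may be validation that is not visible here.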