diff options
| -rw-r--r-- | api/system-current.txt | 8 | ||||
| -rw-r--r-- | keystore/java/android/security/keystore/AndroidKeyStoreProvider.java | 14 | ||||
| -rw-r--r-- | keystore/java/android/security/keystore/KeyGenParameterSpec.java | 5 |
3 files changed, 26 insertions, 1 deletions
diff --git a/api/system-current.txt b/api/system-current.txt index d5f544c5757a..c73a525310df 100644 --- a/api/system-current.txt +++ b/api/system-current.txt @@ -6410,6 +6410,10 @@ package android.provider { package android.security.keystore { + public class AndroidKeyStoreProvider extends java.security.Provider { + method @NonNull public static java.security.KeyStore getKeyStoreForUid(int) throws java.security.KeyStoreException, java.security.NoSuchProviderException; + } + public abstract class AttestationUtils { method @NonNull @RequiresPermission(android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE) public static java.security.cert.X509Certificate[] attestDeviceIds(android.content.Context, @NonNull int[], @NonNull byte[]) throws android.security.keystore.DeviceIdAttestationException; field public static final int ID_TYPE_IMEI = 2; // 0x2 @@ -6423,6 +6427,10 @@ package android.security.keystore { ctor public DeviceIdAttestationException(@Nullable String, @Nullable Throwable); } + public static final class KeyGenParameterSpec.Builder { + method @NonNull public android.security.keystore.KeyGenParameterSpec.Builder setUid(int); + } + } package android.security.keystore.recovery { diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java index 234615d9c81d..2cdd00049242 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java @@ -17,6 +17,7 @@ package android.security.keystore; import android.annotation.NonNull; +import android.annotation.SystemApi; import android.annotation.UnsupportedAppUsage; import android.security.KeyStore; import android.security.keymaster.ExportResult; @@ -52,8 +53,9 @@ import javax.crypto.Mac; * * @hide */ +@SystemApi public class AndroidKeyStoreProvider extends Provider { - public static final String PROVIDER_NAME = "AndroidKeyStore"; + private static final String PROVIDER_NAME = "AndroidKeyStore"; // IMPLEMENTATION NOTE: Class names are hard-coded in this provider to avoid loading these // classes when this provider is instantiated and installed early on during each app's @@ -68,6 +70,7 @@ public class AndroidKeyStoreProvider extends Provider { private static final String DESEDE_SYSTEM_PROPERTY = "ro.hardware.keystore_desede"; + /** @hide **/ public AndroidKeyStoreProvider() { super(PROVIDER_NAME, 1.0, "Android KeyStore security provider"); @@ -111,6 +114,7 @@ public class AndroidKeyStoreProvider extends Provider { /** * Installs a new instance of this provider (and the * {@link AndroidKeyStoreBCWorkaroundProvider}). + * @hide */ public static void install() { Provider[] providers = Security.getProviders(); @@ -156,6 +160,7 @@ public class AndroidKeyStoreProvider extends Provider { * @throws IllegalArgumentException if the provided primitive is not supported or is not backed * by AndroidKeyStore provider. * @throws IllegalStateException if the provided primitive is not initialized. + * @hide */ @UnsupportedAppUsage public static long getKeyStoreOperationHandle(Object cryptoPrimitive) { @@ -183,6 +188,7 @@ public class AndroidKeyStoreProvider extends Provider { return ((KeyStoreCryptoOperation) spi).getOperationHandle(); } + /** @hide **/ @NonNull public static AndroidKeyStorePublicKey getAndroidKeyStorePublicKey( @NonNull String alias, @@ -279,6 +285,7 @@ public class AndroidKeyStoreProvider extends Provider { privateKeyAlias, uid, jcaKeyAlgorithm, x509EncodedPublicKey); } + /** @hide **/ @NonNull public static AndroidKeyStorePublicKey loadAndroidKeyStorePublicKeyFromKeystore( @NonNull KeyStore keyStore, @NonNull String privateKeyAlias, int uid) @@ -300,6 +307,7 @@ public class AndroidKeyStoreProvider extends Provider { return new KeyPair(publicKey, privateKey); } + /** @hide **/ @NonNull public static KeyPair loadAndroidKeyStoreKeyPairFromKeystore( @NonNull KeyStore keyStore, @NonNull String privateKeyAlias, int uid) @@ -318,6 +326,7 @@ public class AndroidKeyStoreProvider extends Provider { return (AndroidKeyStorePrivateKey) keyPair.getPrivate(); } + /** @hide **/ @NonNull public static AndroidKeyStorePrivateKey loadAndroidKeyStorePrivateKeyFromKeystore( @NonNull KeyStore keyStore, @NonNull String privateKeyAlias, int uid) @@ -357,6 +366,7 @@ public class AndroidKeyStoreProvider extends Provider { return new AndroidKeyStoreSecretKey(secretKeyAlias, uid, keyAlgorithmString); } + /** @hide **/ @NonNull public static AndroidKeyStoreKey loadAndroidKeyStoreKeyFromKeystore( @NonNull KeyStore keyStore, @NonNull String userKeyAlias, int uid) @@ -390,7 +400,9 @@ public class AndroidKeyStoreProvider extends Provider { * * <p>Note: the returned {@code KeyStore} is already initialized/loaded. Thus, there is * no need to invoke {@code load} on it. + * @hide */ + @SystemApi @NonNull public static java.security.KeyStore getKeyStoreForUid(int uid) throws KeyStoreException, NoSuchProviderException { diff --git a/keystore/java/android/security/keystore/KeyGenParameterSpec.java b/keystore/java/android/security/keystore/KeyGenParameterSpec.java index bd6ce7ec6a3b..2ad87e6695fe 100644 --- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java +++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java @@ -19,6 +19,7 @@ package android.security.keystore; import android.annotation.IntRange; import android.annotation.NonNull; import android.annotation.Nullable; +import android.annotation.SystemApi; import android.annotation.TestApi; import android.annotation.UnsupportedAppUsage; import android.app.KeyguardManager; @@ -808,10 +809,14 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu /** * Sets the UID which will own the key. * + * Such cross-UID access is permitted to a few system UIDs and only to a few other UIDs + * (e.g., Wi-Fi, VPN) all of which are system. + * * @param uid UID or {@code -1} for the UID of the current process. * * @hide */ + @SystemApi @NonNull public Builder setUid(int uid) { mUid = uid; |