Merge "Document what algorithms Android Keystore supports." into mnc-dev
diff --git a/docs/html/training/articles/keystore.jd b/docs/html/training/articles/keystore.jd
index 52cb13e..aa1ed0a 100644
--- a/docs/html/training/articles/keystore.jd
+++ b/docs/html/training/articles/keystore.jd
@@ -7,14 +7,15 @@
<ol>
<li><a href="#SecurityFeatures">Security Features</a></li>
<li><a href="#WhichShouldIUse">Choosing Between a Keychain or the Android Keystore Provider</a></li>
- <li><a href="#UsingAndroidKeyStore">Using Android Keystore Provider
- </a></li>
+ <li><a href="#UsingAndroidKeyStore">Using Android Keystore Provider</a>
<ol>
<li><a href="#GeneratingANewPrivateKey">Generating a New Private Key</a></li>
<li><a href="#WorkingWithKeyStoreEntries">Working with Keystore Entries</a></li>
<li><a href="#ListingEntries">Listing Entries</a></li>
<li><a href="#SigningAndVerifyingData">Signing and Verifying Data</a></li>
</ol>
+ </li>
+ <li><a href="#SupportedAlgorithms">Supported Algorithms</a></li>
</ol>
<h2>Blog articles</h2>
@@ -27,6 +28,14 @@
</div>
</div>
+<style type="text/css">
+ tr.deprecated {
+ background-color: #ccc;
+ color: #999;
+ font-style: italic;
+ }
+</style>
+
<p>The Android Keystore system lets you store cryptographic keys in a container
to make it more difficult to extract from the device. Once keys are in the
keystore, they can be used for cryptographic operations with the key material
@@ -213,4 +222,456 @@
{@link android.hardware.fingerprint.FingerprintManager#hasEnrolledFingerprints() FingerprintManager.hasEnrolledFingerprints}).
These keys become permanently invalidated once a new fingerprint is enrolled or all fingerprints
are unenrolled.</li>
-</ul>
\ No newline at end of file
+</ul>
+
+<h2 id="SupportedAlgorithms">Supported Algorithms</h2>
+
+<ul>
+ <li><a href="#SupportedCiphers">{@code Cipher}</a></li>
+ <li><a href="#SupportedKeyGenerators">{@code KeyGenerator}</a></li>
+ <li><a href="#SupportedKeyFactories">{@code KeyFactory}</a></li>
+ <li><a href="#SupportedKeyPairGenerators">{@code KeyPairGenerator}</a></li>
+ <li><a href="#SupportedMacs">{@code Mac}</a></li>
+ <li><a href="#SupportedSignatures">{@code Signature}</a></li>
+ <li><a href="#SupportedSecretKeyFactories">{@code SecretKeyFactory}</a></li>
+</ul>
+
+<h3 id="SupportedCiphers">Cipher</h3>
+<table>
+ <thead>
+ <tr>
+ <th>Algorithm</th>
+ <th>Supported (API Levels)</th>
+ <th>Notes</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>AES/CBC/NoPadding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>AES/CBC/PKCS7Padding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>AES/CTR/NoPadding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>AES/ECB/NoPadding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>AES/ECB/PKCS7Padding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>AES/GCM/NoPadding</td>
+ <td>23+</td>
+ <td>Only 12-byte long IVs supported.</td>
+ </tr>
+ <tr>
+ <td>RSA/ECB/NoPadding</td>
+ <td>18+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>RSA/ECB/PKCS1Padding</td>
+ <td>18+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>RSA/ECB/OAEPWithSHA-1AndMGF1Padding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>RSA/ECB/OAEPWithSHA-224AndMGF1Padding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>RSA/ECB/OAEPWithSHA-256AndMGF1Padding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>RSA/ECB/OAEPWithSHA-384AndMGF1Padding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>RSA/ECB/OAEPWithSHA-512AndMGF1Padding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>RSA/ECB/OAEPPadding</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ </tbody>
+</table>
+
+<h3 id="SupportedKeyGenerators">KeyGenerator</h3>
+<table>
+ <thead>
+ <tr>
+ <th>Algorithm</th>
+ <th>Supported (API Levels)</th>
+ <th>Notes</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>AES</td>
+ <td>23+</td>
+ <td>Supported sizes: 128, 192, 256</td>
+ </tr>
+ <tr>
+ <td>HmacSHA1</td>
+ <td>23+</td>
+ <td>
+ <ul>
+ <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+ <li>Default size: 160</li>
+ <ul>
+ </td>
+ </tr>
+ <tr>
+ <td>HmacSHA224</td>
+ <td>23+</td>
+ <td>
+ <ul>
+ <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+ <li>Default size: 224</li>
+ <ul>
+ </td>
+ </tr>
+ <tr>
+ <td>HmacSHA256</td>
+ <td>23+</td>
+ <td>
+ <ul>
+ <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+ <li>Default size: 256</li>
+ <ul>
+ </td>
+ </tr>
+ <tr>
+ <td>HmacSHA384</td>
+ <td>23+</td>
+ <td>
+ <ul>
+ <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+ <li>Default size: 384</li>
+ <ul>
+ </td>
+ </tr>
+ <tr>
+ <td>HmacSHA512</td>
+ <td>23+</td>
+ <td>
+ <ul>
+ <li>Supported sizes: 8--1024 (inclusive), must be multiple of 8</li>
+ <li>Default size: 512</li>
+ <ul>
+ </td>
+ </tr>
+ </tbody>
+</table>
+
+<h3 id="SupportedKeyFactories">KeyFactory</h3>
+<table>
+ <thead>
+ <tr>
+ <th>Algorithm</th>
+ <th>Supported (API Levels)</th>
+ <th>Notes</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>EC</td>
+ <td>23+</td>
+ <td>Supported key specs: {@link android.security.keystore.KeyInfo} (private key only),
+ {@link java.security.spec.ECPublicKeySpec} (public key only),
+ {@link java.security.spec.X509EncodedKeySpec} (public key only)
+ </td>
+ </tr>
+ <tr>
+ <td>RSA</td>
+ <td>23+</td>
+ <td>Supported key specs: {@link android.security.keystore.KeyInfo} (private key only),
+ {@link java.security.spec.RSAPublicKeySpec} (public key only),
+ {@link java.security.spec.X509EncodedKeySpec} (public key only)
+ </td>
+ </tr>
+ </tbody>
+</table>
+
+<h3 id="SupportedKeyStoreKeys">KeyStore</h3>
+KeyStore supports the same key types as
+<a href="#SupportedKeyPairGenerators">{@code KeyPairGenerator}</a> and
+<a href="#SupportedKeyGenerators">{@code KeyGenerator}</a>.
+
+<h3 id="SupportedKeyPairGenerators">KeyPairGenerator</h3>
+<table>
+ <thead>
+ <tr>
+ <th>Algorithm</th>
+ <th>Supported (API Levels)</th>
+ <th>Notes</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr class="deprecated">
+ <td>DSA</td>
+ <td>19–22</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>EC</td>
+ <td>23+</td>
+ <td>
+ <ul>
+ <li>Supported sizes: 224, 256, 384, 521</li>
+ <li>Supported named curves: P-224 (secp256r1), P-256 (aka secp256r1 and prime256v1), P-384
+ (aka secp384r1), P-521 (aka secp521r1)</li>
+ </ul>
+
+ <p>Prior to API Level 23, EC keys can be generated using KeyPairGenerator of algorithm "RSA"
+ initialized {@link android.security.KeyPairGeneratorSpec} whose key type is set to "EC"
+ using {@link android.security.KeyPairGeneratorSpec.Builder#setKeyType(String)}. EC curve
+ name cannot be specified using this method -- a NIST P-curve is automatically chosen based
+ on the requested key size.
+ </td>
+ </tr>
+ <tr>
+ <td>RSA</td>
+ <td>18+</td>
+ <td>
+ <ul>
+ <li>Supported sizes: 512, 768, 1024, 2048, 3072, 4096</li>
+ <li>Supported public exponents: 3, 65537</li>
+ <li>Default public exponent: 65537</li>
+ </ul>
+ </td>
+ </tr>
+ </tbody>
+</table>
+
+<h3 id="SupportedMacs">Mac</h3>
+<table>
+ <thead>
+ <tr>
+ <th>Algorithm</th>
+ <th>Supported (API Levels)</th>
+ <th>Notes</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>HmacSHA1</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>HmacSHA224</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>HmacSHA256</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>HmacSHA384</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>HmacSHA512</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ </tbody>
+</table>
+
+<h3 id="SupportedSignatures">Signature</h3>
+<table>
+ <thead>
+ <tr>
+ <th>Algorithm</th>
+ <th>Supported (API Levels)</th>
+ <th>Notes</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>MD5withRSA</td>
+ <td>18+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>NONEwithECDSA</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>NONEwithRSA</td>
+ <td>18+</td>
+ <td></td>
+ </tr>
+ <tr class="deprecated">
+ <td>SHA1withDSA</td>
+ <td>19–22</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA1withECDSA</td>
+ <td>19+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA1withRSA</td>
+ <td>18+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA1withRSA/PSS</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr class="deprecated">
+ <td>SHA224withDSA</td>
+ <td>20–22</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA224withECDSA</td>
+ <td>20+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA224withRSA</td>
+ <td>20+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA224withRSA/PSS</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr class="deprecated">
+ <td>SHA256withDSA</td>
+ <td>19–22</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA256withECDSA</td>
+ <td>19+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA256withRSA</td>
+ <td>18+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA256withRSA/PSS</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr class="deprecated">
+ <td>SHA384withDSA</td>
+ <td>19–22</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA384withECDSA</td>
+ <td>19+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA384withRSA</td>
+ <td>18+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA384withRSA/PSS</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ <tr class="deprecated">
+ <td>SHA512withDSA</td>
+ <td>19–22</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA512withECDSA</td>
+ <td>19+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA512withRSA</td>
+ <td>18+</td>
+ <td></td>
+ </tr>
+ <tr>
+ <td>SHA512withRSA/PSS</td>
+ <td>23+</td>
+ <td></td>
+ </tr>
+ </tbody>
+</table>
+
+<h3 id="SupportedSecretKeyFactories">SecretKeyFactory</h3>
+<table>
+ <thead>
+ <tr>
+ <th>Algorithm</th>
+ <th>Supported (API Levels)</th>
+ <th>Notes</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>AES</td>
+ <td>23+</td>
+ <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+ </tr>
+ <tr>
+ <td>HmacSHA1</td>
+ <td>23+</td>
+ <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+ </tr>
+ <tr>
+ <td>HmacSHA224</td>
+ <td>23+</td>
+ <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+ </tr>
+ <tr>
+ <td>HmacSHA256</td>
+ <td>23+</td>
+ <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+ </tr>
+ <tr>
+ <td>HmacSHA384</td>
+ <td>23+</td>
+ <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+ </tr>
+ <tr>
+ <td>HmacSHA512</td>
+ <td>23+</td>
+ <td>Supported key specs: {@link android.security.keystore.KeyInfo}</td>
+ </tr>
+ </tbody>
+</table>
\ No newline at end of file