Merge "Prefer GCM to CBC or CTR in documentation." into mnc-dev
diff --git a/keystore/java/android/security/keystore/KeyGenParameterSpec.java b/keystore/java/android/security/keystore/KeyGenParameterSpec.java
index 5775a87..1732db9 100644
--- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java
+++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java
@@ -112,7 +112,7 @@
  *
  * <p><h3>Example: Symmetric key</h3>
  * The following example illustrates how to generate an AES key in the Android KeyStore system under
- * alias {@code key2} authorized to be used only for encryption/decryption in CBC mode with PKCS#7
+ * alias {@code key2} authorized to be used only for encryption/decryption in GCM mode with no
  * padding.
  * <pre> {@code
  * KeyGenerator keyGenerator = KeyGenerator.getInstance(
@@ -121,8 +121,8 @@
  * keyGenerator.initialize(
  *         new KeyGenParameterSpec.Builder("key2",
  *                 KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
- *                 .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
- *                 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+ *                 .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+ *                 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
  *                 .build());
  * SecretKey key = keyGenerator.generateKey();
  *
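Review bot: The example on the new side still calls `keyGenerator.initialize(` (the context line above the changed setters), but `javax.crypto.KeyGenerator` exposes `init(AlgorithmParameterSpec)` rather than `initialize`, so the snippet does not compile as written; change it to `keyGenerator.init(`. Since the example now selects GCM, it would also help to add a comment where the key is first used, such as `// The IV is generated during encryption; read it with cipher.getIV() and store it with the ciphertext`. The `<pre>` block starts before this hunk and continues past it, so the usage lines are not visible here.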
@@ -377,7 +377,7 @@
     }
 
     /**
-     * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used
+     * Gets the set of block modes (e.g., {@code GCM}, {@code CBC}) with which the key can be used
      * when encrypting/decrypting. Attempts to use the key with any other block modes will be
      * rejected.
      *
@@ -694,11 +694,11 @@
         }
 
         /**
-         * Sets the set of block modes (e.g., {@code CBC}, {@code CTR}, {@code ECB}) with which the
-         * key can be used when encrypting/decrypting. Attempts to use the key with any other block
-         * modes will be rejected.
+         * Sets the set of block modes (e.g., {@code GCM}, {@code CBC}) with which the key can be
+         * used when encrypting/decrypting. Attempts to use the key with any other block modes will
+         * be rejected.
          *
-         * <p>This must be specified for encryption/decryption keys.
+         * <p>This must be specified for symmetric encryption/decryption keys.
          *
          * <p>See {@link KeyProperties}.{@code BLOCK_MODE} constants.
          */
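Review bot: The setter Javadoc now lists `GCM` first but never says why, so a reader choosing a mode from this text still gets no guidance. Consider adding a paragraph such as `<p>Prefer {@code GCM}: it authenticates the ciphertext, whereas {@code CBC} and {@code CTR} provide confidentiality only and need a separate MAC to detect tampering.` The same wording applies to the matching setter Javadoc in KeyProtection.java (hunk at -438). The method itself lies outside the hunk.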
@@ -724,7 +724,7 @@
          * <li>encryption/decryption transformation which do not offer {@code IND-CPA}, such as
          * {@code ECB} with a symmetric encryption algorithm, or RSA encryption/decryption without
          * padding, are prohibited;</li>
-         * <li>in block modes which use an IV, such as {@code CBC}, {@code CTR}, and {@code GCM},
+         * <li>in block modes which use an IV, such as {@code GCM}, {@code CBC}, and {@code CTR},
          * caller-provided IVs are rejected when encrypting, to ensure that only random IVs are
          * used.</li>
          * </ul>
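Review bot: The bullet groups `GCM`, `CBC` and `CTR` together as modes which use an IV, but the cost of disabling randomized encryption differs between them, and the documentation now steers readers towards GCM. Repeating an IV under the same key in `GCM` removes the integrity guarantee as well as confidentiality, so the text should say so, e.g. `<p>For {@code GCM} and {@code CTR}, never reuse an IV with the same key; in {@code GCM} a repeated IV also voids ciphertext authentication.` The same applies to the KeyProtection.java hunk at -467, next to its "Before disabling this requirement" guidance. The Javadoc block begins and ends outside this hunk.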
diff --git a/keystore/java/android/security/keystore/KeyInfo.java b/keystore/java/android/security/keystore/KeyInfo.java
index 91a9a70..785ec15 100644
--- a/keystore/java/android/security/keystore/KeyInfo.java
+++ b/keystore/java/android/security/keystore/KeyInfo.java
@@ -30,7 +30,7 @@
  * Keystore system</a>. This class describes whether the key material is available in
  * plaintext outside of secure hardware, whether user authentication is required for using the key
  * and whether this requirement is enforced by secure hardware, the key's origin, what uses the key
- * is authorized for (e.g., only in {@code CBC} mode, or signing only), whether the key should be
+ * is authorized for (e.g., only in {@code GCM} mode, or signing only), whether the key should be
  * encrypted at rest, the key's and validity start and end dates.
  *
  * <p>Instances of this class are immutable.
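Review bot: The class description edited here still ends with "the key's and validity start and end dates", which has a stray "and"; it should read `encrypted at rest, and the key's validity start and end dates.` The same slip appears in the class Javadoc of KeyProtection.java (hunk at -35), where the fix is `permitted), and the key's validity start and end dates.`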
@@ -191,7 +191,7 @@
     }
 
     /**
-     * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used
+     * Gets the set of block modes (e.g., {@code GCM}, {@code CBC}) with which the key can be used
      * when encrypting/decrypting. Attempts to use the key with any other block modes will be
      * rejected.
      *
diff --git a/keystore/java/android/security/keystore/KeyProtection.java b/keystore/java/android/security/keystore/KeyProtection.java
index cd46afa..b7a2a0b 100644
--- a/keystore/java/android/security/keystore/KeyProtection.java
+++ b/keystore/java/android/security/keystore/KeyProtection.java
@@ -35,7 +35,7 @@
  * Specification of how a key or key pair is secured when imported into the
  * <a href="{@docRoot}training/articles/keystore.html">Android KeyStore facility</a>. This class
  * specifies parameters such as whether user authentication is required for using the key, what uses
- * the key is authorized for (e.g., only in {@code CTR} mode, or only for signing -- decryption not
+ * the key is authorized for (e.g., only in {@code GCM} mode, or only for signing -- decryption not
  * permitted), the key's and validity start and end dates.
  *
  * <p>To import a key or key pair into the Android KeyStore, create an instance of this class using
@@ -55,8 +55,8 @@
  *
  * <p><h3>Example: Symmetric Key</h3>
  * The following example illustrates how to import an AES key into the Android KeyStore under alias
- * {@code key1} authorized to be used only for encryption/decryption in CBC mode with PKCS#7
- * padding. The key must export its key material via {@link Key#getEncoded()} in {@code RAW} format.
+ * {@code key1} authorized to be used only for encryption/decryption in GCM mode with no padding.
+ * The key must export its key material via {@link Key#getEncoded()} in {@code RAW} format.
  * <pre> {@code
  * SecretKey key = ...; // AES key
  *
@@ -66,8 +66,8 @@
  *         "key1",
  *         new KeyStore.SecretKeyEntry(key),
  *         new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
- *                 .setBlockMode(KeyProperties.BLOCK_MODE_CBC)
- *                 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+ *                 .setBlockMode(KeyProperties.BLOCK_MODE_GCM)
+ *                 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
  *                 .build());
  * // Key imported, obtain a reference to it.
  * SecretKey keyStoreKey = (SecretKey) keyStore.getKey("key1", null);
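Review bot: The new line `.setBlockMode(KeyProperties.BLOCK_MODE_GCM)` uses a singular method name, while the builder Javadoc later in this file reads "Sets the set of block modes" and the KeyGenParameterSpec example calls `.setBlockModes(...)`. If the builder only defines `setBlockModes`, as those two places suggest, the import example will not compile; change it to `.setBlockModes(KeyProperties.BLOCK_MODE_GCM)`. The example begins before this hunk and continues after it.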
@@ -236,7 +236,7 @@
     }
 
     /**
-     * Gets the set of block modes (e.g., {@code CBC}, {@code CTR}) with which the key can be used
+     * Gets the set of block modes (e.g., {@code GCM}, {@code CBC}) with which the key can be used
      * when encrypting/decrypting. Attempts to use the key with any other block modes will be
      * rejected.
      *
@@ -438,11 +438,11 @@
         }
 
         /**
-         * Sets the set of block modes (e.g., {@code CBC}, {@code CTR}, {@code ECB}) with which the
-         * key can be used when encrypting/decrypting. Attempts to use the key with any other block
-         * modes will be rejected.
+         * Sets the set of block modes (e.g., {@code GCM}, {@code CBC}) with which the key can be
+         * used when encrypting/decrypting. Attempts to use the key with any other block modes will
+         * be rejected.
          *
-         * <p>This must be specified for encryption/decryption keys.
+         * <p>This must be specified for symmetric encryption/decryption keys.
          *
          * <p>See {@link KeyProperties}.{@code BLOCK_MODE} constants.
          */
@@ -467,8 +467,8 @@
          * <ul>
          * <li>transformation which do not offer {@code IND-CPA}, such as symmetric ciphers using
          * {@code ECB} mode or RSA encryption without padding, are prohibited;</li>
-         * <li>in transformations which use an IV, such as symmetric ciphers in {@code CBC},
-         * {@code CTR}, and {@code GCM} block modes, caller-provided IVs are rejected when
+         * <li>in transformations which use an IV, such as symmetric ciphers in {@code GCM},
+         * {@code CBC}, and {@code CTR} block modes, caller-provided IVs are rejected when
          * encrypting, to ensure that only random IVs are used.</li>
          *
          * <p>Before disabling this requirement, consider the following approaches instead: