Make the new AndroidKeyStore API conformant.

This makes the new AndroidKeyStore API conform with the latest
Keymaster API changes as well as the latest Android framework API
design guidelines.

Keymaster changes:
* Multiple paddings, block modes, and digests can be set on a key.
* "max uses per boot" and "min seconds between use" restrictions will
  not be exposed in the framework API.
* Padding scheme ZERO will not be exposed.

Changes due to Android framework design guidelines:
* Sets of enum values have been replaced with bitsets represented as
  ints.
* Integer has been replaced with int, with null being represented
  with a special value (e.g., -1 or 0) where possible.

Bug: 18088752
Change-Id: Ib21739aa9b42d48895cb7a681e836a5c6d972ac6

1 files changed, 42 insertions, 78 deletions

diff --git a/keystore/java/android/security/KeyStoreKeySpec.java b/keystore/java/android/security/KeyStoreKeySpec.java
index ddeefbd246c2..df4c958f1de3 100644
--- a/keystore/java/android/security/KeyStoreKeySpec.java
+++ b/keystore/java/android/security/KeyStoreKeySpec.java
@@ -17,10 +17,7 @@
 package android.security;
 
 import java.security.spec.KeySpec;
-import java.util.Collections;
 import java.util.Date;
-import java.util.HashSet;
-import java.util.Set;
 
 /**
  * Information about a key from the <a href="{@docRoot}training/articles/keystore.html">Android
@@ -37,14 +34,12 @@ public class KeyStoreKeySpec implements KeySpec {
     private final Date mKeyValidityForConsumptionEnd;
     private final @KeyStoreKeyConstraints.PurposeEnum int mPurposes;
     private final @KeyStoreKeyConstraints.AlgorithmEnum int mAlgorithm;
-    private final @KeyStoreKeyConstraints.PaddingEnum Integer mPadding;
-    private final @KeyStoreKeyConstraints.DigestEnum Integer mDigest;
-    private final @KeyStoreKeyConstraints.BlockModeEnum Integer mBlockMode;
-    private final Integer mMinSecondsBetweenOperations;
-    private final Integer mMaxUsesPerBoot;
-    private final Set<Integer> mUserAuthenticators;
-    private final Set<Integer> mTeeBackedUserAuthenticators;
-    private final Integer mUserAuthenticationValidityDurationSeconds;
+    private final @KeyStoreKeyConstraints.PaddingEnum int mPaddings;
+    private final @KeyStoreKeyConstraints.DigestEnum int mDigests;
+    private final @KeyStoreKeyConstraints.BlockModeEnum int mBlockModes;
+    private final @KeyStoreKeyConstraints.UserAuthenticatorEnum int mUserAuthenticators;
+    private final @KeyStoreKeyConstraints.UserAuthenticatorEnum int mTeeEnforcedUserAuthenticators;
+    private final int mUserAuthenticationValidityDurationSeconds;
 
 
     /**
@@ -52,18 +47,18 @@ public class KeyStoreKeySpec implements KeySpec {
      */
     KeyStoreKeySpec(String keystoreKeyAlias,
             @KeyStoreKeyCharacteristics.OriginEnum int origin,
-            int keySize, Date keyValidityStart, Date keyValidityForOriginationEnd,
+            int keySize,
+            Date keyValidityStart,
+            Date keyValidityForOriginationEnd,
             Date keyValidityForConsumptionEnd,
             @KeyStoreKeyConstraints.PurposeEnum int purposes,
             @KeyStoreKeyConstraints.AlgorithmEnum int algorithm,
-            @KeyStoreKeyConstraints.PaddingEnum Integer padding,
-            @KeyStoreKeyConstraints.DigestEnum Integer digest,
-            @KeyStoreKeyConstraints.BlockModeEnum Integer blockMode,
-            Integer minSecondsBetweenOperations,
-            Integer maxUsesPerBoot,
-            Set<Integer> userAuthenticators,
-            Set<Integer> teeBackedUserAuthenticators,
-            Integer userAuthenticationValidityDurationSeconds) {
+            @KeyStoreKeyConstraints.PaddingEnum int paddings,
+            @KeyStoreKeyConstraints.DigestEnum int digests,
+            @KeyStoreKeyConstraints.BlockModeEnum int blockModes,
+            @KeyStoreKeyConstraints.UserAuthenticatorEnum int userAuthenticators,
+            @KeyStoreKeyConstraints.UserAuthenticatorEnum int teeEnforcedUserAuthenticators,
+            int userAuthenticationValidityDurationSeconds) {
         mKeystoreAlias = keystoreKeyAlias;
         mOrigin = origin;
         mKeySize = keySize;
@@ -72,17 +67,11 @@ public class KeyStoreKeySpec implements KeySpec {
         mKeyValidityForConsumptionEnd = keyValidityForConsumptionEnd;
         mPurposes = purposes;
         mAlgorithm = algorithm;
-        mPadding = padding;
-        mDigest = digest;
-        mBlockMode = blockMode;
-        mMinSecondsBetweenOperations = minSecondsBetweenOperations;
-        mMaxUsesPerBoot = maxUsesPerBoot;
-        mUserAuthenticators = (userAuthenticators != null)
-                ? new HashSet<Integer>(userAuthenticators)
-                : Collections.<Integer>emptySet();
-        mTeeBackedUserAuthenticators = (teeBackedUserAuthenticators != null)
-                ? new HashSet<Integer>(teeBackedUserAuthenticators)
-                : Collections.<Integer>emptySet();
+        mPaddings = paddings;
+        mDigests = digests;
+        mBlockModes = blockModes;
+        mUserAuthenticators = userAuthenticators;
+        mTeeEnforcedUserAuthenticators = teeEnforcedUserAuthenticators;
         mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;
     }
 
@@ -101,7 +90,7 @@ public class KeyStoreKeySpec implements KeySpec {
     }
 
     /**
-     * Gets the key's size in bits.
+     * Gets the size of the key in bits.
      */
     public int getKeySize() {
         return mKeySize;
@@ -149,78 +138,53 @@ public class KeyStoreKeySpec implements KeySpec {
     }
 
     /**
-     * Gets the only block mode with which the key can be used.
-     *
-     * @return block mode or {@code null} if the block mode is not restricted.
+     * Gets the set of block modes with which the key can be used.
      */
-    public @KeyStoreKeyConstraints.BlockModeEnum Integer getBlockMode() {
-        return mBlockMode;
+    public @KeyStoreKeyConstraints.BlockModeEnum int getBlockModes() {
+        return mBlockModes;
     }
 
     /**
-     * Gets the only padding mode with which the key can be used.
-     *
-     * @return padding mode or {@code null} if the padding mode is not restricted.
-     */
-    public @KeyStoreKeyConstraints.PaddingEnum Integer getPadding() {
-        return mPadding;
-    }
-
-    /**
-     * Gets the only digest algorithm with which the key can be used.
-     *
-     * @return digest algorithm or {@code null} if the digest algorithm is not restricted.
+     * Gets the set of padding modes with which the key can be used.
      */
-    public @KeyStoreKeyConstraints.DigestEnum Integer getDigest() {
-        return mDigest;
+    public @KeyStoreKeyConstraints.PaddingEnum int getPaddings() {
+        return mPaddings;
     }
 
     /**
-     * Gets the minimum number of seconds that must expire since the most recent use of the key
-     * before it can be used again.
-     *
-     * @return number of seconds or {@code null} if there is no restriction on how frequently a key
-     *         can be used.
-     */
-    public Integer getMinSecondsBetweenOperations() {
-        return mMinSecondsBetweenOperations;
-    }
-
-    /**
-     * Gets the number of times the key can be used without rebooting the device.
-     *
-     * @return maximum number of times or {@code null} if there is no restriction.
+     * Gets the set of digest algorithms with which the key can be used.
      */
-    public Integer getMaxUsesPerBoot() {
-        return mMaxUsesPerBoot;
+    public @KeyStoreKeyConstraints.DigestEnum int getDigests() {
+        return mDigests;
     }
 
     /**
-     * Gets the user authenticators which protect access to the key. The key can only be used iff
-     * the user has authenticated to at least one of these user authenticators.
+     * Gets the set of user authenticators which protect access to the key. The key can only be used
+     * iff the user has authenticated to at least one of these user authenticators.
      *
-     * @return user authenticators or empty set if the key can be used without user authentication.
+     * @return user authenticators or {@code 0} if the key can be used without user authentication.
      */
-    public Set<Integer> getUserAuthenticators() {
-        return new HashSet<Integer>(mUserAuthenticators);
+    public @KeyStoreKeyConstraints.UserAuthenticatorEnum int getUserAuthenticators() {
+        return mUserAuthenticators;
     }
 
     /**
-     * Gets the TEE-backed user authenticators which protect access to the key. This is a subset of
-     * the user authentications returned by {@link #getUserAuthenticators()}.
+     * Gets the set of user authenticators for which the TEE enforces access restrictions for this
+     * key. This is a subset of the user authentications returned by
+     * {@link #getUserAuthenticators()}.
      */
-    public Set<Integer> getTeeBackedUserAuthenticators() {
-        return new HashSet<Integer>(mTeeBackedUserAuthenticators);
+    public @KeyStoreKeyConstraints.UserAuthenticatorEnum int getTeeEnforcedUserAuthenticators() {
+        return mTeeEnforcedUserAuthenticators;
     }
 
     /**
      * Gets the duration of time (seconds) for which the key can be used after the user
      * successfully authenticates to one of the associated user authenticators.
      *
-     * @return duration in seconds or {@code null} if not restricted. {@code 0} means authentication
+     * @return duration in seconds or {@code -1} if not restricted. {@code 0} means authentication
      *         is required for every use of the key.
      */
-    public Integer getUserAuthenticationValidityDurationSeconds() {
+    public int getUserAuthenticationValidityDurationSeconds() {
         return mUserAuthenticationValidityDurationSeconds;
     }
 }