Keystore SPI: Deprecate encryption flag.

The encryption-required flag is only available in already deprecated
API KeyPairGeneratorSpec and KeyStoreParameter will be ignored from
Android S. Keys are and have been encrypted by default for a long time
and if additional binding to the LSKF is desired it can be requested
by KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean).

Test: None
Change-Id: I5bd4acb4bba276decd1930ae2e96a55f95627e10

1 files changed, 16 insertions, 12 deletions

diff --git a/keystore/java/android/security/KeyStoreParameter.java b/keystore/java/android/security/KeyStoreParameter.java
index 66c87ed2ec1e..51d29b13ce80 100644
--- a/keystore/java/android/security/KeyStoreParameter.java
+++ b/keystore/java/android/security/KeyStoreParameter.java
@@ -48,18 +48,16 @@ import java.security.KeyStore.ProtectionParameter;
  */
 @Deprecated
 public final class KeyStoreParameter implements ProtectionParameter {
-    private final int mFlags;
 
     private KeyStoreParameter(
             int flags) {
-        mFlags = flags;
     }
 
     /**
      * @hide
      */
     public int getFlags() {
-        return mFlags;
+        return 0;
     }
 
     /**
@@ -74,9 +72,16 @@ public final class KeyStoreParameter implements ProtectionParameter {
      * screen after boot.
      *
      * @see KeyguardManager#isDeviceSecure()
+     *
+     * @deprecated Data at rest encryption is enabled by default. If extra binding to the
+     *             lockscreen credential is desired, use
+     *             {@link android.security.keystore.KeyGenParameterSpec
+     *             .Builder#setUserAuthenticationRequired(boolean)}.
+     *             This flag will be ignored from Android S.
      */
+    @Deprecated
     public boolean isEncryptionRequired() {
-        return (mFlags & KeyStore.FLAG_ENCRYPTED) != 0;
+        return false;
     }
 
     /**
@@ -100,7 +105,6 @@ public final class KeyStoreParameter implements ProtectionParameter {
      */
     @Deprecated
     public final static class Builder {
-        private int mFlags;
 
         /**
          * Creates a new instance of the {@code Builder} with the given
@@ -126,14 +130,15 @@ public final class KeyStoreParameter implements ProtectionParameter {
          * the user unlocks the secure lock screen after boot.
          *
          * @see KeyguardManager#isDeviceSecure()
+         *
+         * @deprecated Data at rest encryption is enabled by default. If extra binding to the
+         *             lockscreen credential is desired, use
+         *             {@link android.security.keystore.KeyGenParameterSpec
+         *             .Builder#setUserAuthenticationRequired(boolean)}.
+         *             This flag will be ignored from Android S.
          */
         @NonNull
         public Builder setEncryptionRequired(boolean required) {
-            if (required) {
-                mFlags |= KeyStore.FLAG_ENCRYPTED;
-            } else {
-                mFlags &= ~KeyStore.FLAG_ENCRYPTED;
-            }
             return this;
         }
 
@@ -145,8 +150,7 @@ public final class KeyStoreParameter implements ProtectionParameter {
          */
         @NonNull
         public KeyStoreParameter build() {
-            return new KeyStoreParameter(
-                    mFlags);
+            return new KeyStoreParameter(0 /* flags */);
         }
     }
 }