Diffstat (limited to 'keystore/java/android/security/KeyStoreParameter.java')
-rw-r--r--keystore/java/android/security/KeyStoreParameter.java35
1 files changed, 23 insertions, 12 deletions
diff --git a/keystore/java/android/security/KeyStoreParameter.java b/keystore/java/android/security/KeyStoreParameter.java
index b1b638f3beb2..88bd6b400094 100644
--- a/keystore/java/android/security/KeyStoreParameter.java
+++ b/keystore/java/android/security/KeyStoreParameter.java
@@ -61,8 +61,10 @@ public final class KeyStoreParameter implements ProtectionParameter {
private final Integer mUserAuthenticationValidityDurationSeconds;
private final boolean mInvalidatedOnNewFingerprintEnrolled;
- private KeyStoreParameter(int flags, Date keyValidityStart,
- Date keyValidityForOriginationEnd, Date keyValidityForConsumptionEnd,
+ private KeyStoreParameter(int flags,
+ Date keyValidityStart,
+ Date keyValidityForOriginationEnd,
+ Date keyValidityForConsumptionEnd,
@KeyStoreKeyConstraints.PurposeEnum Integer purposes,
@KeyStoreKeyConstraints.AlgorithmEnum Integer algorithm,
@KeyStoreKeyConstraints.PaddingEnum Integer padding,
@@ -177,8 +179,8 @@ public final class KeyStoreParameter implements ProtectionParameter {
}
/**
- * Gets the digest to which the key is restricted when generating Message Authentication Codes
- * (MACs).
+ * Gets the digest to which the key is restricted when generating signatures or Message
+ * Authentication Codes (MACs).
*
* @return digest or {@code null} if the digest is not restricted.
*
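Review bot: The unchanged `@return digest or {@code null} if the digest is not restricted` line no longer fits the widened summary above it. The setter Javadoc in the `@@ -421` hunk says asymmetric signing keys have no default digest, so for those keys a `null` here appears to mean "no digest was specified", not "any digest may be used". A caller that reads `null` as unrestricted could assume a signing key is usable with any digest. Consider `@return digest or {@code null} if no digest restriction was specified (for asymmetric signing keys there is no default).` The Javadoc block continues past the end of this hunk.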
@@ -421,12 +423,13 @@ public final class KeyStoreParameter implements ProtectionParameter {
}
/**
- * Restricts the key to being used only with the provided digest when generating Message
- * Authentication Codes (MACs). Attempts to use the key with any other digest will be
- * rejected.
+ * Restricts the key to being used only with the provided digest when generating signatures
+ * or Message Authentication Codes (MACs). Attempts to use the key with any other digest
+ * will be rejected.
*
* <p>For MAC keys, the default is to restrict to the digest specified in the key algorithm
- * name.
+ * name. For asymmetric signing keys this constraint must be specified because there is no
+ * default.
*
* @see java.security.Key#getAlgorithm()
*
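Review bot: The new sentence says the digest "must be specified" for asymmetric signing keys, but it does not say what happens when it is omitted or where the failure surfaces. `build()` in the last hunk passes `mDigest` straight to the constructor, and no check is visible in this diff, though validation may exist outside the shown lines. I would document the failure mode here, for example `<p>If no digest is specified for an asymmetric signing key, signing operations with that key are rejected.`, with the wording adjusted to the actual behaviour. If the key's purposes and algorithm are known at build time, rejecting the missing digest in `build()` would surface the mistake earlier than the first signing attempt. The Javadoc block and the setter it documents continue outside this hunk.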
@@ -535,10 +538,18 @@ public final class KeyStoreParameter implements ProtectionParameter {
* @return built instance of {@code KeyStoreParameter}
*/
public KeyStoreParameter build() {
- return new KeyStoreParameter(mFlags, mKeyValidityStart,
- mKeyValidityForOriginationEnd, mKeyValidityForConsumptionEnd, mPurposes,
- mAlgorithm, mPadding, mDigest, mBlockMode, mMinSecondsBetweenOperations,
- mMaxUsesPerBoot, mUserAuthenticators,
+ return new KeyStoreParameter(mFlags,
+ mKeyValidityStart,
+ mKeyValidityForOriginationEnd,
+ mKeyValidityForConsumptionEnd,
+ mPurposes,
+ mAlgorithm,
+ mPadding,
+ mDigest,
+ mBlockMode,
+ mMinSecondsBetweenOperations,
+ mMaxUsesPerBoot,
+ mUserAuthenticators,
mUserAuthenticationValidityDurationSeconds,
mInvalidatedOnNewFingerprintEnrolled);
}