KeyProperties


public abstract class KeyProperties
extends Object

java.lang.Object
   ↳ android.security.keystore.KeyProperties


Properties of Android Keystore keys.

Summary

Constants

int AUTH_BIOMETRIC_STRONG

Any biometric (e.g. fingerprint, iris, or face) on the device that meets or exceeds the requirements for Strong, as defined by the Android CDD.

int AUTH_DEVICE_CREDENTIAL

The non-biometric credential used to secure the device (i.e., PIN, pattern, or password)

String BLOCK_MODE_CBC

Cipher Block Chaining (CBC) block mode.

String BLOCK_MODE_CTR

Counter (CTR) block mode.

String BLOCK_MODE_ECB

Electronic Codebook (ECB) block mode.

String BLOCK_MODE_GCM

Galois/Counter Mode (GCM) block mode.

String DIGEST_MD5

MD5 digest.

String DIGEST_NONE

No digest: sign/authenticate the raw message.

String DIGEST_SHA1

SHA-1 digest.

String DIGEST_SHA224

SHA-2 224 (aka SHA-224) digest.

String DIGEST_SHA256

SHA-2 256 (aka SHA-256) digest.

String DIGEST_SHA384

SHA-2 384 (aka SHA-384) digest.

String DIGEST_SHA512

SHA-2 512 (aka SHA-512) digest.

String ENCRYPTION_PADDING_NONE

No encryption padding.

String ENCRYPTION_PADDING_PKCS7

PKCS#7 encryption padding scheme.

String ENCRYPTION_PADDING_RSA_OAEP

RSA Optimal Asymmetric Encryption Padding (OAEP) scheme.

String ENCRYPTION_PADDING_RSA_PKCS1

RSA PKCS#1 v1.5 padding scheme for encryption.

String KEY_ALGORITHM_3DES

This constant was deprecated in API level 28. Included for interoperability with legacy systems. Prefer KEY_ALGORITHM_AES for new development.

String KEY_ALGORITHM_AES

Advanced Encryption Standard (AES) key.

String KEY_ALGORITHM_EC

Elliptic Curve (EC) Cryptography key.

String KEY_ALGORITHM_HMAC_SHA1

Keyed-Hash Message Authentication Code (HMAC) key using SHA-1 as the hash.

String KEY_ALGORITHM_HMAC_SHA224

Keyed-Hash Message Authentication Code (HMAC) key using SHA-224 as the hash.

String KEY_ALGORITHM_HMAC_SHA256

Keyed-Hash Message Authentication Code (HMAC) key using SHA-256 as the hash.

String KEY_ALGORITHM_HMAC_SHA384

Keyed-Hash Message Authentication Code (HMAC) key using SHA-384 as the hash.

String KEY_ALGORITHM_HMAC_SHA512

Keyed-Hash Message Authentication Code (HMAC) key using SHA-512 as the hash.

String KEY_ALGORITHM_RSA

Rivest Shamir Adleman (RSA) key.

int ORIGIN_GENERATED

Key was generated inside AndroidKeyStore.

int ORIGIN_IMPORTED

Key was imported into AndroidKeyStore.

int ORIGIN_SECURELY_IMPORTED

Key was imported into the AndroidKeyStore in an encrypted wrapper.

int ORIGIN_UNKNOWN

Origin of the key is unknown.

int PURPOSE_AGREE_KEY

Purpose of key: creating a shared ECDH secret through key agreement.

int PURPOSE_ATTEST_KEY

Purpose of key: Signing attestaions.

int PURPOSE_DECRYPT

Purpose of key: decryption.

int PURPOSE_ENCRYPT

Purpose of key: encryption.

int PURPOSE_SIGN

Purpose of key: signing or generating a Message Authentication Code (MAC).

int PURPOSE_VERIFY

Purpose of key: signature or Message Authentication Code (MAC) verification.

int PURPOSE_WRAP_KEY

Purpose of key: wrapping and unwrapping wrapped keys for secure import.

int SECURITY_LEVEL_SOFTWARE

Indicates enforcement by system software.

int SECURITY_LEVEL_STRONGBOX

Indicates enforcement by environment meeting the Strongbox security profile, such as a secure element.

int SECURITY_LEVEL_TRUSTED_ENVIRONMENT

Indicates enforcement by a trusted execution environment.

int SECURITY_LEVEL_UNKNOWN

This security level indicates that no assumptions can be made about the security level of the respective key.

int SECURITY_LEVEL_UNKNOWN_SECURE

This security level indicates that due to the target API level of the caller no exact statement can be made about the security level of the key, however, the security level can be considered is at least equivalent to SECURITY_LEVEL_TRUSTED_ENVIRONMENT.

String SIGNATURE_PADDING_RSA_PKCS1

RSA PKCS#1 v1.5 padding for signatures.

String SIGNATURE_PADDING_RSA_PSS

RSA PKCS#1 v2.1 Probabilistic Signature Scheme (PSS) padding.

int UNRESTRICTED_USAGE_COUNT

This value indicates that there is no restriction on the number of times the key can be used.

Inherited methods

Constants

AUTH_BIOMETRIC_STRONG

Added in API level 30
public static final int AUTH_BIOMETRIC_STRONG

Any biometric (e.g. fingerprint, iris, or face) on the device that meets or exceeds the requirements for Strong, as defined by the Android CDD.

Constant Value: 2 (0x00000002)

AUTH_DEVICE_CREDENTIAL

Added in API level 30
public static final int AUTH_DEVICE_CREDENTIAL

The non-biometric credential used to secure the device (i.e., PIN, pattern, or password)

Constant Value: 1 (0x00000001)

BLOCK_MODE_CBC

Added in API level 23
public static final String BLOCK_MODE_CBC

Cipher Block Chaining (CBC) block mode.

Constant Value: "CBC"

BLOCK_MODE_CTR

Added in API level 23
public static final String BLOCK_MODE_CTR

Counter (CTR) block mode.

Constant Value: "CTR"

BLOCK_MODE_ECB

Added in API level 23
public static final String BLOCK_MODE_ECB

Electronic Codebook (ECB) block mode.

Constant Value: "ECB"

BLOCK_MODE_GCM

Added in API level 23
public static final String BLOCK_MODE_GCM

Galois/Counter Mode (GCM) block mode.

Constant Value: "GCM"

DIGEST_MD5

Added in API level 23
public static final String DIGEST_MD5

MD5 digest.

Constant Value: "MD5"

DIGEST_NONE

Added in API level 23
public static final String DIGEST_NONE

No digest: sign/authenticate the raw message.

Constant Value: "NONE"

DIGEST_SHA1

Added in API level 23
public static final String DIGEST_SHA1

SHA-1 digest.

Constant Value: "SHA-1"

DIGEST_SHA224

Added in API level 23
public static final String DIGEST_SHA224

SHA-2 224 (aka SHA-224) digest.

Constant Value: "SHA-224"

DIGEST_SHA256

Added in API level 23
public static final String DIGEST_SHA256

SHA-2 256 (aka SHA-256) digest.

Constant Value: "SHA-256"

DIGEST_SHA384

Added in API level 23
public static final String DIGEST_SHA384

SHA-2 384 (aka SHA-384) digest.

Constant Value: "SHA-384"

DIGEST_SHA512

Added in API level 23
public static final String DIGEST_SHA512

SHA-2 512 (aka SHA-512) digest.

Constant Value: "SHA-512"

ENCRYPTION_PADDING_NONE

Added in API level 23
public static final String ENCRYPTION_PADDING_NONE

No encryption padding.

Constant Value: "NoPadding"

ENCRYPTION_PADDING_PKCS7

Added in API level 23
public static final String ENCRYPTION_PADDING_PKCS7

PKCS#7 encryption padding scheme.

Constant Value: "PKCS7Padding"

ENCRYPTION_PADDING_RSA_OAEP

Added in API level 23
public static final String ENCRYPTION_PADDING_RSA_OAEP

RSA Optimal Asymmetric Encryption Padding (OAEP) scheme.

Constant Value: "OAEPPadding"

ENCRYPTION_PADDING_RSA_PKCS1

Added in API level 23
public static final String ENCRYPTION_PADDING_RSA_PKCS1

RSA PKCS#1 v1.5 padding scheme for encryption.

Constant Value: "PKCS1Padding"

KEY_ALGORITHM_3DES

Added in API level 28
Deprecated in API level 28
public static final String KEY_ALGORITHM_3DES

This constant was deprecated in API level 28.
Included for interoperability with legacy systems. Prefer KEY_ALGORITHM_AES for new development.

Triple Data Encryption Algorithm (3DES) key.

Constant Value: "DESede"

KEY_ALGORITHM_AES

Added in API level 23
public static final String KEY_ALGORITHM_AES

Advanced Encryption Standard (AES) key.

Constant Value: "AES"

KEY_ALGORITHM_EC

Added in API level 23
public static final String KEY_ALGORITHM_EC

Elliptic Curve (EC) Cryptography key.

Constant Value: "EC"

KEY_ALGORITHM_HMAC_SHA1

Added in API level 23
public static final String KEY_ALGORITHM_HMAC_SHA1

Keyed-Hash Message Authentication Code (HMAC) key using SHA-1 as the hash.

Constant Value: "HmacSHA1"

KEY_ALGORITHM_HMAC_SHA224

Added in API level 23
public static final String KEY_ALGORITHM_HMAC_SHA224

Keyed-Hash Message Authentication Code (HMAC) key using SHA-224 as the hash.

Constant Value: "HmacSHA224"

KEY_ALGORITHM_HMAC_SHA256

Added in API level 23
public static final String KEY_ALGORITHM_HMAC_SHA256

Keyed-Hash Message Authentication Code (HMAC) key using SHA-256 as the hash.

Constant Value: "HmacSHA256"

KEY_ALGORITHM_HMAC_SHA384

Added in API level 23
public static final String KEY_ALGORITHM_HMAC_SHA384

Keyed-Hash Message Authentication Code (HMAC) key using SHA-384 as the hash.

Constant Value: "HmacSHA384"

KEY_ALGORITHM_HMAC_SHA512

Added in API level 23
public static final String KEY_ALGORITHM_HMAC_SHA512

Keyed-Hash Message Authentication Code (HMAC) key using SHA-512 as the hash.

Constant Value: "HmacSHA512"

KEY_ALGORITHM_RSA

Added in API level 23
public static final String KEY_ALGORITHM_RSA

Rivest Shamir Adleman (RSA) key.

Constant Value: "RSA"

ORIGIN_GENERATED

Added in API level 23
public static final int ORIGIN_GENERATED

Key was generated inside AndroidKeyStore.

Constant Value: 1 (0x00000001)

ORIGIN_IMPORTED

Added in API level 23
public static final int ORIGIN_IMPORTED

Key was imported into AndroidKeyStore.

Constant Value: 2 (0x00000002)

ORIGIN_SECURELY_IMPORTED

Added in API level 28
public static final int ORIGIN_SECURELY_IMPORTED

Key was imported into the AndroidKeyStore in an encrypted wrapper. Unlike imported keys, securely imported keys can be imported without appearing as plaintext in the device's host memory.

Constant Value: 8 (0x00000008)

ORIGIN_UNKNOWN

Added in API level 23
public static final int ORIGIN_UNKNOWN

Origin of the key is unknown. This can occur only for keys backed by an old TEE-backed implementation which does not record origin information.

Constant Value: 4 (0x00000004)

PURPOSE_AGREE_KEY

Added in API level 31
public static final int PURPOSE_AGREE_KEY

Purpose of key: creating a shared ECDH secret through key agreement.

A key having this purpose can be combined with the elliptic curve public key of another party to establish a shared secret over an insecure channel. It should be used as a parameter to KeyAgreement.init(java.security.Key) (a complete example is available here). See this article for a more detailed explanation.

Constant Value: 64 (0x00000040)

PURPOSE_ATTEST_KEY

Added in API level 31
public static final int PURPOSE_ATTEST_KEY

Purpose of key: Signing attestaions. This purpose is incompatible with all others, meaning that when generating a key with PURPOSE_ATTEST_KEY, no other purposes may be specified. In addition, PURPOSE_ATTEST_KEY may not be specified for imported keys.

Constant Value: 128 (0x00000080)

PURPOSE_DECRYPT

Added in API level 23
public static final int PURPOSE_DECRYPT

Purpose of key: decryption.

Constant Value: 2 (0x00000002)

PURPOSE_ENCRYPT

Added in API level 23
public static final int PURPOSE_ENCRYPT

Purpose of key: encryption.

Constant Value: 1 (0x00000001)

PURPOSE_SIGN

Added in API level 23
public static final int PURPOSE_SIGN

Purpose of key: signing or generating a Message Authentication Code (MAC).

Constant Value: 4 (0x00000004)

PURPOSE_VERIFY

Added in API level 23
public static final int PURPOSE_VERIFY

Purpose of key: signature or Message Authentication Code (MAC) verification.

Constant Value: 8 (0x00000008)

PURPOSE_WRAP_KEY

Added in API level 28
public static final int PURPOSE_WRAP_KEY

Purpose of key: wrapping and unwrapping wrapped keys for secure import.

Constant Value: 32 (0x00000020)

SECURITY_LEVEL_SOFTWARE

Added in API level 31
public static final int SECURITY_LEVEL_SOFTWARE

Indicates enforcement by system software.

Constant Value: 0 (0x00000000)

SECURITY_LEVEL_STRONGBOX

Added in API level 31
public static final int SECURITY_LEVEL_STRONGBOX

Indicates enforcement by environment meeting the Strongbox security profile, such as a secure element.

Constant Value: 2 (0x00000002)

SECURITY_LEVEL_TRUSTED_ENVIRONMENT

Added in API level 31
public static final int SECURITY_LEVEL_TRUSTED_ENVIRONMENT

Indicates enforcement by a trusted execution environment.

Constant Value: 1 (0x00000001)

SECURITY_LEVEL_UNKNOWN

Added in API level 31
public static final int SECURITY_LEVEL_UNKNOWN

This security level indicates that no assumptions can be made about the security level of the respective key.

Constant Value: -2 (0xfffffffe)

SECURITY_LEVEL_UNKNOWN_SECURE

Added in API level 31
public static final int SECURITY_LEVEL_UNKNOWN_SECURE

This security level indicates that due to the target API level of the caller no exact statement can be made about the security level of the key, however, the security level can be considered is at least equivalent to SECURITY_LEVEL_TRUSTED_ENVIRONMENT.

Constant Value: -1 (0xffffffff)

SIGNATURE_PADDING_RSA_PKCS1

Added in API level 23
public static final String SIGNATURE_PADDING_RSA_PKCS1

RSA PKCS#1 v1.5 padding for signatures.

Constant Value: "PKCS1"

SIGNATURE_PADDING_RSA_PSS

Added in API level 23
public static final String SIGNATURE_PADDING_RSA_PSS

RSA PKCS#1 v2.1 Probabilistic Signature Scheme (PSS) padding.

Constant Value: "PSS"

UNRESTRICTED_USAGE_COUNT

Added in API level 31
public static final int UNRESTRICTED_USAGE_COUNT

This value indicates that there is no restriction on the number of times the key can be used.

Constant Value: -1 (0xffffffff)