WrappedKeyEntry


public class WrappedKeyEntry
extends Object implements KeyStore.Entry

java.lang.Object
   ↳ android.security.keystore.WrappedKeyEntry


An Entry that holds a wrapped key. Wrapped keys contain encrypted key data and description information that can be used to securely import key material into a hardware-backed Keystore.

The wrapped key is in DER-encoded ASN.1 format, specified by the following schema:

     KeyDescription ::= SEQUENCE(
         keyFormat INTEGER,                   # Values from KeyFormat enum.
         keyParams AuthorizationList,
     )

     SecureKeyWrapper ::= SEQUENCE(
         version INTEGER,                     # Contains value 0
         encryptedTransportKey OCTET_STRING,
         initializationVector OCTET_STRING,
         keyDescription KeyDescription,
         encryptedKey OCTET_STRING,
         tag OCTET_STRING
     )
 
  • keyFormat is an integer from the KeyFormat enum, defining the format of the plaintext key material.
  • keyParams is the characteristics of the key to be imported (as with generateKey or importKey). If the secure import is successful, these characteristics must be associated with the key exactly as if the key material had been insecurely imported with importKey. See Key Attestation for the AuthorizationList format.
  • encryptedTransportKey is a 256-bit AES key, XORed with a masking key and then encrypted in RSA-OAEP mode (SHA-256 digest, SHA-1 MGF1 digest) with the wrapping key specified by wrappingKeyBlob.
  • keyDescription is a KeyDescription, above.
  • encryptedKey is the key material of the key to be imported, in format keyFormat, and encrypted with encryptedEphemeralKey in AES-GCM mode, with the DER-encoded representation of keyDescription provided as additional authenticated data.
  • tag is the tag produced by the AES-GCM encryption of encryptedKey.

Imported wrapped keys will have KeymasterDefs.KM_ORIGIN_SECURELY_IMPORTED

Summary

Public constructors

WrappedKeyEntry(byte[] wrappedKeyBytes, String wrappingKeyAlias, String transformation, AlgorithmParameterSpec algorithmParameterSpec)

Constructs a WrappedKeyEntry with a binary wrapped key.

Inherited methods

Object clone()

Creates and returns a copy of this object.

boolean equals(Object obj)

Indicates whether some other object is "equal to" this one.

void finalize()

Called by the garbage collector on an object when garbage collection determines that there are no more references to the object.

final Class<?> getClass()

Returns the runtime class of this Object.

int hashCode()

Returns a hash code value for the object.

final void notify()

Wakes up a single thread that is waiting on this object's monitor.

final void notifyAll()

Wakes up all threads that are waiting on this object's monitor.

String toString()

Returns a string representation of the object.

final void wait(long timeoutMillis, int nanos)

Causes the current thread to wait until it is awakened, typically by being notified or interrupted, or until a certain amount of real time has elapsed.

final void wait(long timeoutMillis)

Causes the current thread to wait until it is awakened, typically by being notified or interrupted, or until a certain amount of real time has elapsed.

final void wait()

Causes the current thread to wait until it is awakened, typically by being notified or interrupted.

default Set<KeyStore.Entry.Attribute> getAttributes()

Retrieves the attributes associated with an entry.

Public constructors

WrappedKeyEntry

Added in API level 28
public WrappedKeyEntry (byte[] wrappedKeyBytes, 
                String wrappingKeyAlias, 
                String transformation, 
                AlgorithmParameterSpec algorithmParameterSpec)

Constructs a WrappedKeyEntry with a binary wrapped key.

Parameters
wrappedKeyBytes byte: ASN.1 DER encoded wrapped key

wrappingKeyAlias String: identifies the private key that can unwrap the wrapped key

transformation String: used to unwrap the key. ex: "RSA/ECB/OAEPPadding"

algorithmParameterSpec AlgorithmParameterSpec: spec for the private key used to unwrap the wrapped key

Public methods

getAlgorithmParameterSpec

Added in API level 28
public AlgorithmParameterSpec getAlgorithmParameterSpec ()

getTransformation

Added in API level 28
public String getTransformation ()

Returns
String

getWrappedKeyBytes

Added in API level 28
public byte[] getWrappedKeyBytes ()

Returns
byte[]

getWrappingKeyAlias

Added in API level 28
public String getWrappingKeyAlias ()

Returns
String