WrappedKeyEntry

public class WrappedKeyEntry
extends Object implements KeyStore.Entry

java.lang.Object
   ↳ android.security.keystore.WrappedKeyEntry


An Entry that holds a wrapped key. Wrapped keys contain encrypted key data and description information that can be used to securely import key material into a hardware-backed Keystore.

The wrapped key is in DER-encoded ASN.1 format, specified by the following schema:

     KeyDescription ::= SEQUENCE(
         keyFormat INTEGER,                   # Values from KeyFormat enum.
         keyParams AuthorizationList,
     )

     SecureKeyWrapper ::= SEQUENCE(
         version INTEGER,                     # Contains value 0
         encryptedTransportKey OCTET_STRING,
         initializationVector OCTET_STRING,
         keyDescription KeyDescription,
         encryptedKey OCTET_STRING,
         tag OCTET_STRING
     )
 
  • keyFormat is an integer from the KeyFormat enum, defining the format of the plaintext key material.
  • keyParams is the characteristics of the key to be imported (as with generateKey or importKey). If the secure import is successful, these characteristics must be associated with the key exactly as if the key material had been insecurely imported with importKey. See Key Attestation for the AuthorizationList format.
  • encryptedTransportKey is a 256-bit AES key, XORed with a masking key and then encrypted in RSA-OAEP mode (SHA-256 digest, SHA-1 MGF1 digest) with the wrapping key specified by wrappingKeyBlob.
  • keyDescription is a KeyDescription, above.
  • encryptedKey is the key material of the key to be imported, in format keyFormat, and encrypted with encryptedEphemeralKey in AES-GCM mode, with the DER-encoded representation of keyDescription provided as additional authenticated data.
  • tag is the tag produced by the AES-GCM encryption of encryptedKey.

Imported wrapped keys will have KeymasterDefs.KM_ORIGIN_SECURELY_IMPORTED

Summary

Public constructors

WrappedKeyEntry(byte[] wrappedKeyBytes, String wrappingKeyAlias, String transformation, AlgorithmParameterSpec algorithmParameterSpec)

Constructs a WrappedKeyEntry with a binary wrapped key.

Public methods

AlgorithmParameterSpec getAlgorithmParameterSpec()
String getTransformation()
byte[] getWrappedKeyBytes()
String getWrappingKeyAlias()

Inherited methods

Public constructors

WrappedKeyEntry

Added in API level 28
public WrappedKeyEntry (byte[] wrappedKeyBytes, 
                String wrappingKeyAlias, 
                String transformation, 
                AlgorithmParameterSpec algorithmParameterSpec)

Constructs a WrappedKeyEntry with a binary wrapped key.

Parameters
wrappedKeyBytes byte: ASN.1 DER encoded wrapped key

wrappingKeyAlias String: identifies the private key that can unwrap the wrapped key

transformation String: used to unwrap the key. ex: "RSA/ECB/OAEPPadding"

algorithmParameterSpec AlgorithmParameterSpec: spec for the private key used to unwrap the wrapped key

Public methods

getAlgorithmParameterSpec

Added in API level 28
public AlgorithmParameterSpec getAlgorithmParameterSpec ()

Returns
AlgorithmParameterSpec

getTransformation

Added in API level 28
public String getTransformation ()

Returns
String

getWrappedKeyBytes

Added in API level 28
public byte[] getWrappedKeyBytes ()

Returns
byte[]

getWrappingKeyAlias

Added in API level 28
public String getWrappingKeyAlias ()

Returns
String