The source code

/**@class android.security.keystore.KeyProtection
 implements java.security.KeyStore.ProtectionParameter

 implements android.security.keystore.UserAuthArgs

@extends java.lang.Object

 Specification of how a key or key pair is secured when imported into the
 <a href="{@docRoot}training/articles/keystore.html">Android Keystore system</a>. This class
 specifies authorized uses of the imported key, such as whether user authentication is required
 for using the key, what operations the key is authorized for (e.g., decryption, but not signing)
 with what parameters (e.g., only with a particular padding scheme or digest), and the key's
 validity start and end dates. Key use authorizations expressed in this class apply only to secret
 keys and private keys -- public keys can be used for any supported operations.

 <p>To import a key or key pair into the Android Keystore, create an instance of this class using
 the {@link android.security.keystore.KeyGenParameterSpec.Builder} and pass the instance into {@link java.security.KeyStore#setEntry(String, java.security.KeyStore.Entry, ProtectionParameter) KeyStore.setEntry}
 with the key or key pair being imported.

 <p>To obtain the secret/symmetric or private key from the Android Keystore use
 {@link java.security.KeyStore#getKey(String, char[]) KeyStore.getKey(String, null)} or
 {@link java.security.KeyStore#getEntry(String, java.security.KeyStore.ProtectionParameter) KeyStore.getEntry(String, null)}.
 To obtain the public key from the Android Keystore use
 {@link java.security.KeyStore#getCertificate(String)} and then
 {@link Certificate#getPublicKey()}.

 <p>To help obtain algorithm-specific public parameters of key pairs stored in the Android
 Keystore, its private keys implement {@link java.security.interfaces.ECKey} or
 {@link java.security.interfaces.RSAKey} interfaces whereas its public keys implement
 {@link java.security.interfaces.ECPublicKey} or {@link java.security.interfaces.RSAPublicKey}
 interfaces.

 <p>NOTE: The key material of keys stored in the Android Keystore is not accessible.

 <p>Instances of this class are immutable.

 <p><h3>Known issues</h3>
 A known bug in Android 6.0 (API Level 23) causes user authentication-related authorizations to be
 enforced even for public keys. To work around this issue extract the public key material to use
 outside of Android Keystore. For example:
 <pre> {@code
 PublicKey unrestrictedPublicKey =
         KeyFactory.getInstance(publicKey.getAlgorithm()).generatePublic(
                 new X509EncodedKeySpec(publicKey.getEncoded()));
 }</pre>

 <p><h3>Example: AES key for encryption/decryption in GCM mode</h3>
 This example illustrates how to import an AES key into the Android KeyStore under alias
 {@code key1} authorized to be used only for encryption/decryption in GCM mode with no padding.
 The key must export its key material via {@link Key#getEncoded()} in {@code RAW} format.
 <pre> {@code
 SecretKey key = ...; // AES key

 KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
 keyStore.load(null);
 keyStore.setEntry(
         "key1",
         new KeyStore.SecretKeyEntry(key),
         new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                 .setBlockMode(KeyProperties.BLOCK_MODE_GCM)
                 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                 .build());
 // Key imported, obtain a reference to it.
 SecretKey keyStoreKey = (SecretKey) keyStore.getKey("key1", null);
 // The original key can now be discarded.

 Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
 cipher.init(Cipher.ENCRYPT_MODE, keyStoreKey);
 ...
 }</pre>

 <p><h3>Example: HMAC key for generating MACs using SHA-512</h3>
 This example illustrates how to import an HMAC key into the Android KeyStore under alias
 {@code key1} authorized to be used only for generating MACs using SHA-512 digest. The key must
 export its key material via {@link Key#getEncoded()} in {@code RAW} format.
 <pre> {@code
 SecretKey key = ...; // HMAC key of algorithm "HmacSHA512".

 KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
 keyStore.load(null);
 keyStore.setEntry(
         "key1",
         new KeyStore.SecretKeyEntry(key),
         new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN).build());
 // Key imported, obtain a reference to it.
 SecretKey keyStoreKey = (SecretKey) keyStore.getKey("key1", null);
 // The original key can now be discarded.

 Mac mac = Mac.getInstance("HmacSHA512");
 mac.init(keyStoreKey);
 ...
 }</pre>

 <p><h3>Example: EC key pair for signing/verification using ECDSA</h3>
 This example illustrates how to import an EC key pair into the Android KeyStore under alias
 {@code key2} with the private key authorized to be used only for signing with SHA-256 or SHA-512
 digests. The use of the public key is unrestricted. Both the private and the public key must
 export their key material via {@link Key#getEncoded()} in {@code PKCS#8} and {@code X.509} format
 respectively.
 <pre> {@code
 PrivateKey privateKey = ...;   // EC private key
 Certificate[] certChain = ...; // Certificate chain with the first certificate
                                // containing the corresponding EC public key.

 KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
 keyStore.load(null);
 keyStore.setEntry(
         "key2",
         new KeyStore.PrivateKeyEntry(privateKey, certChain),
         new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN)
                 .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
                 .build());
 // Key pair imported, obtain a reference to it.
 PrivateKey keyStorePrivateKey = (PrivateKey) keyStore.getKey("key2", null);
 PublicKey publicKey = keyStore.getCertificate("key2").getPublicKey();
 // The original private key can now be discarded.

 Signature signature = Signature.getInstance("SHA256withECDSA");
 signature.initSign(keyStorePrivateKey);
 ...
 }</pre>

 <p><h3>Example: RSA key pair for signing/verification using PKCS#1 padding</h3>
 This example illustrates how to import an RSA key pair into the Android KeyStore under alias
 {@code key2} with the private key authorized to be used only for signing using the PKCS#1
 signature padding scheme with SHA-256 digest and only if the user has been authenticated within
 the last ten minutes. The use of the public key is unrestricted (see Known Issues). Both the
 private and the public key must export their key material via {@link Key#getEncoded()} in
 {@code PKCS#8} and {@code X.509} format respectively.
 <pre> {@code
 PrivateKey privateKey = ...;   // RSA private key
 Certificate[] certChain = ...; // Certificate chain with the first certificate
                                // containing the corresponding RSA public key.

 KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
 keyStore.load(null);
 keyStore.setEntry(
         "key2",
         new KeyStore.PrivateKeyEntry(privateKey, certChain),
         new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN)
                 .setDigests(KeyProperties.DIGEST_SHA256)
                 .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                 // Only permit this key to be used if the user
                 // authenticated within the last ten minutes.
                 .setUserAuthenticationRequired(true)
                 .setUserAuthenticationValidityDurationSeconds(10 * 60)
                 .build());
 // Key pair imported, obtain a reference to it.
 PrivateKey keyStorePrivateKey = (PrivateKey) keyStore.getKey("key2", null);
 PublicKey publicKey = keyStore.getCertificate("key2").getPublicKey();
 // The original private key can now be discarded.

 Signature signature = Signature.getInstance("SHA256withRSA");
 signature.initSign(keyStorePrivateKey);
 ...
 }</pre>

 <p><h3>Example: RSA key pair for encryption/decryption using PKCS#1 padding</h3>
 This example illustrates how to import an RSA key pair into the Android KeyStore under alias
 {@code key2} with the private key authorized to be used only for decryption using the PKCS#1
 encryption padding scheme. The use of public key is unrestricted, thus permitting encryption
 using any padding schemes and digests. Both the private and the public key must export their key
 material via {@link Key#getEncoded()} in {@code PKCS#8} and {@code X.509} format respectively.
 <pre> {@code
 PrivateKey privateKey = ...;   // RSA private key
 Certificate[] certChain = ...; // Certificate chain with the first certificate
                                // containing the corresponding RSA public key.

 KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
 keyStore.load(null);
 keyStore.setEntry(
         "key2",
         new KeyStore.PrivateKeyEntry(privateKey, certChain),
         new KeyProtection.Builder(KeyProperties.PURPOSE_DECRYPT)
                 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1)
                 .build());
 // Key pair imported, obtain a reference to it.
 PrivateKey keyStorePrivateKey = (PrivateKey) keyStore.getKey("key2", null);
 PublicKey publicKey = keyStore.getCertificate("key2").getPublicKey();
 // The original private key can now be discarded.

 Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
 cipher.init(Cipher.DECRYPT_MODE, keyStorePrivateKey);
 ...
 }</pre>
*/
var KeyProtection = {

/**Gets the time instant before which the key is not yet valid.
@return {Object {java.util.Date}} instant or {@code null} if not restricted.
*/
getKeyValidityStart : function(  ) {},

/**Gets the time instant after which the key is no long valid for decryption and verification.
@return {Object {java.util.Date}} instant or {@code null} if not restricted.
*/
getKeyValidityForConsumptionEnd : function(  ) {},

/**Gets the time instant after which the key is no long valid for encryption and signing.
@return {Object {java.util.Date}} instant or {@code null} if not restricted.
*/
getKeyValidityForOriginationEnd : function(  ) {},

/**Gets the set of purposes (e.g., encrypt, decrypt, sign) for which the key can be used.
 Attempts to use the key for any other purpose will be rejected.

 <p>See {@link android.security.keystore.KeyProperties}.{@code PURPOSE} flags.
*/
getPurposes : function(  ) {},

/**Gets the set of padding schemes (e.g., {@code PKCS7Padding}, {@code PKCS1Padding},
 {@code NoPadding}) with which the key can be used when encrypting/decrypting. Attempts to use
 the key with any other padding scheme will be rejected.

 <p>See {@link android.security.keystore.KeyProperties}.{@code ENCRYPTION_PADDING} constants.
*/
getEncryptionPaddings : function(  ) {},

/**Gets the set of padding schemes (e.g., {@code PSS}, {@code PKCS#1}) with which the key
 can be used when signing/verifying. Attempts to use the key with any other padding scheme
 will be rejected.

 <p>See {@link android.security.keystore.KeyProperties}.{@code SIGNATURE_PADDING} constants.
*/
getSignaturePaddings : function(  ) {},

/**Gets the set of digest algorithms (e.g., {@code SHA-256}, {@code SHA-384}) with which the key
 can be used.

 <p>See {@link android.security.keystore.KeyProperties}.{@code DIGEST} constants.
@throws IllegalStateException if this set has not been specified.
@see #isDigestsSpecified()
*/
getDigests : function(  ) {},

/**Returns {@code true} if the set of digest algorithms with which the key can be used has been
 specified.
@see #getDigests()
*/
isDigestsSpecified : function(  ) {},

/**Gets the set of block modes (e.g., {@code GCM}, {@code CBC}) with which the key can be used
 when encrypting/decrypting. Attempts to use the key with any other block modes will be
 rejected.

 <p>See {@link android.security.keystore.KeyProperties}.{@code BLOCK_MODE} constants.
*/
getBlockModes : function(  ) {},

/**Returns {@code true} if encryption using this key must be sufficiently randomized to produce
 different ciphertexts for the same plaintext every time. The formal cryptographic property
 being required is <em>indistinguishability under chosen-plaintext attack ({@code
 IND-CPA})</em>. This property is important because it mitigates several classes of
 weaknesses due to which ciphertext may leak information about plaintext. For example, if a
 given plaintext always produces the same ciphertext, an attacker may see the repeated
 ciphertexts and be able to deduce something about the plaintext.
*/
isRandomizedEncryptionRequired : function(  ) {},

/**Returns {@code true} if the key is authorized to be used only if the user has been
 authenticated.

 <p>This authorization applies only to secret key and private key operations. Public key
 operations are not restricted.
@see #getUserAuthenticationValidityDurationSeconds()
@see Builder#setUserAuthenticationRequired(boolean)
*/
isUserAuthenticationRequired : function(  ) {},

/**Returns {@code true} if the key is authorized to be used only for messages confirmed by the
 user.

 Confirmation is separate from user authentication (see
 {@link #isUserAuthenticationRequired}()). Keys can be created that require confirmation but
 not user authentication, or user authentication but not confirmation, or both. Confirmation
 verifies that some user with physical possession of the device has approved a displayed
 message. User authentication verifies that the correct user is present and has
 authenticated.

 <p>This authorization applies only to secret key and private key operations. Public key
 operations are not restricted.
@see Builder#setUserConfirmationRequired(boolean)
*/
isUserConfirmationRequired : function(  ) {},

/**Gets the duration of time (seconds) for which this key is authorized to be used after the
 user is successfully authenticated. This has effect only if user authentication is required
 (see {@link #isUserAuthenticationRequired}()).

 <p>This authorization applies only to secret key and private key operations. Public key
 operations are not restricted.
@return {Number} duration in seconds or {@code -1} if authentication is required for every use of the
         key.
@see #isUserAuthenticationRequired()
@see Builder#setUserAuthenticationValidityDurationSeconds(int)
*/
getUserAuthenticationValidityDurationSeconds : function(  ) {},

/**Returns {@code true} if the key is authorized to be used only if a test of user presence has
 been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls.
 It requires that the KeyStore implementation have a direct way to validate the user presence
 for example a KeyStore hardware backed strongbox can use a button press that is observable
 in hardware. A test for user presence is tangential to authentication. The test can be part
 of an authentication step as long as this step can be validated by the hardware protecting
 the key and cannot be spoofed. For example, a physical button press can be used as a test of
 user presence if the other pins connected to the button are not able to simulate a button
 press. There must be no way for the primary processor to fake a button press, or that
 button must not be used as a test of user presence.
*/
isUserPresenceRequired : function(  ) {},

/**Returns {@code true} if the key will be de-authorized when the device is removed from the
 user's body.  This option has no effect on keys that don't have an authentication validity
 duration, and has no effect if the device lacks an on-body sensor.

 <p>Authorization applies only to secret key and private key operations. Public key operations
 are not restricted.
@see #isUserAuthenticationRequired()
@see #getUserAuthenticationValidityDurationSeconds()
@see Builder#setUserAuthenticationValidWhileOnBody(boolean)
*/
isUserAuthenticationValidWhileOnBody : function(  ) {},

/**Returns {@code true} if the key is irreversibly invalidated when a new biometric is
 enrolled or all enrolled biometrics are removed. This has effect only for keys that
 require biometric user authentication for every use.
@see #isUserAuthenticationRequired()
@see #getUserAuthenticationValidityDurationSeconds()
@see Builder#setInvalidatedByBiometricEnrollment(boolean)
*/
isInvalidatedByBiometricEnrollment : function(  ) {},

/**Return the secure user id that this key should be bound to.

 Normally an authentication-bound key is tied to the secure user id of the current user
 (either the root SID from GateKeeper for auth-bound keys with a timeout, or the authenticator
 id of the current biometric set for keys requiring explicit biometric authorization).
 If this parameter is set (this method returning non-zero value), the key should be tied to
 the specified secure user id, overriding the logic above.

 This is only applicable when {@link #isUserAuthenticationRequired} is {@code true}
@see KeymasterUtils#addUserAuthArgs
@hide 
*/
getBoundToSpecificSecureUserId : function(  ) {},

/**Return whether this key is critical to the device encryption flow.
@see android.security.KeyStore#FLAG_CRITICAL_TO_DEVICE_ENCRYPTION
@hide 
*/
isCriticalToDeviceEncryption : function(  ) {},

/**Returns {@code true} if the screen must be unlocked for this key to be used for decryption or
 signing. Encryption and signature verification will still be available when the screen is
 locked.
@see Builder#setUnlockedDeviceRequired(boolean)
*/
isUnlockedDeviceRequired : function(  ) {},

/**Returns {@code true} if the key is protected by a Strongbox security chip.
@hide 
*/
isStrongBoxBacked : function(  ) {},


};