
Add columns for snapshot table
authorRobert Berry <robertberry@google.com>
Mon, 26 Feb 2018 15:30:58 +0000 (15:30 +0000)
committerRobert Berry <robertberry@google.com>
Mon, 26 Feb 2018 19:53:46 +0000 (19:53 +0000)
Currently snapshots are held in memory, meaning they must be regenerated
if a reboot occurs before a key sync. Also, when debugging, it is
difficult to know what version of e.g. the server params was associated
with a particular snapshot, as this can be mutated after the snapshot is
generated. This change adds the required columns to the DB contract for
storing snapshots. In subsequent CLs the update SQL will be added.

Test: none, no functionality added
Change-Id: Ica866b06950a5801e8a2c3641e79706bbbf48384

services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbContract.java

index 1cb5d91..8983ec3 100644 (file)
@@ -70,6 +70,122 @@ class RecoverableKeyStoreDbContract {
     }
 
     /**
+     * Table holding encrypted snapshots of the recoverable key store.
+     */
+    static class SnapshotsEntry implements BaseColumns {
+        static final String TABLE_NAME = "snapshots";
+
+        /**
+         * The version number of the snapshot.
+         */
+        static final String COLUMN_NAME_VERSION = "version";
+
+        /**
+         * The ID of the user whose keystore was snapshotted.
+         */
+        static final String COLUMN_NAME_USER_ID = "user_id";
+
+        /**
+         * The UID of the app that owns the snapshot (i.e., the recovery agent).
+         */
+        static final String COLUMN_NAME_UID = "uid";
+
+        /**
+         * The maximum number of attempts allowed to attempt to decrypt the recovery key.
+         */
+        static final String COLUMN_NAME_MAX_ATTEMPTS = "max_attempts";
+
+        /**
+         * The ID of the counter in the trusted hardware module.
+         */
+        static final String COLUMN_NAME_COUNTER_ID = "counter_id";
+
+        /**
+         * Server parameters used to help identify the device (during recovery).
+         */
+        static final String SERVER_PARAMS = "server_params";
+
+        /**
+         * The public key of the trusted hardware module. This key has been used to encrypt the
+         * snapshot, to ensure that it can only be read by the trusted module.
+         */
+        static final String TRUSTED_HARDWARE_PUBLIC_KEY = "thm_public_key";
+
+        /**
+         * {@link java.security.cert.CertPath} signing the trusted hardware module to whose public
+         * key this snapshot is encrypted.
+         */
+        static final String CERT_PATH = "cert_path";
+
+        /**
+         * The recovery key, encrypted with the user's lock screen and the trusted hardware module's
+         * public key.
+         */
+        static final String ENCRYPTED_RECOVERY_KEY = "encrypted_recovery_key";
+    }
+
+    /**
+     * Table holding encrypted keys belonging to a particular snapshot.
+     */
+    static class SnapshotKeysEntry implements BaseColumns {
+        static final String TABLE_NAME = "snapshot_keys";
+
+        /**
+         * ID of the associated snapshot entry in {@link SnapshotsEntry}.
+         */
+        static final String COLUMN_NAME_SNAPSHOT_ID = "snapshot_id";
+
+        /**
+         * Alias of the key.
+         */
+        static final String COLUMN_NAME_ALIAS = "alias";
+
+        /**
+         * Key material, encrypted with the recovery key from the snapshot.
+         */
+        static final String COLUMN_NAME_ENCRYPTED_BYTES = "encrypted_key_bytes";
+    }
+
+    /**
+     * A layer of protection associated with a snapshot.
+     */
+    static class SnapshotProtectionParams implements BaseColumns {
+        static final String TABLE_NAME = "snapshot_protection_params";
+
+        /**
+         * ID of the associated snapshot entry in {@link SnapshotsEntry}.
+         */
+        static final String COLUMN_NAME_SNAPSHOT_ID = "snapshot_id";
+
+        /**
+         * Type of secret used to generate recovery key. One of
+         * {@link android.security.keystore.recovery.KeyChainProtectionParams#TYPE_LOCKSCREEN} or
+         * {@link android.security.keystore.recovery.KeyChainProtectionParams#TYPE_CUSTOM_PASSWORD}.
+         */
+        static final String COLUMN_NAME_SECRET_TYPE = "secret_type";
+
+        /**
+         * If a lock screen, the type of UI used. One of
+         * {@link android.security.keystore.recovery.KeyChainProtectionParams#UI_FORMAT_PATTERN},
+         * {@link android.security.keystore.recovery.KeyChainProtectionParams#UI_FORMAT_PIN}, or
+         * {@link android.security.keystore.recovery.KeyChainProtectionParams#UI_FORMAT_PASSWORD}.
+         */
+        static final String COLUMN_NAME_LOCKSCREEN_UI_TYPE = "lock_screen_ui_type";
+
+        /**
+         * The algorithm used to derive cryptographic material from the key and salt. One of
+         * {@link android.security.keystore.recovery.KeyDerivationParams#ALGORITHM_SHA256} or
+         * {@link android.security.keystore.recovery.KeyDerivationParams#ALGORITHM_ARGON2ID}.
+         */
+        static final String COLUMN_NAME_KEY_DERIVATION_ALGORITHM = "key_derivation_algorithm";
+
+        /**
+         * The salt used along with the secret to generate cryptographic material.
+         */
+        static final String COLUMN_NAME_KEY_DERIVATION_SALT = "key_derivation_salt";
+    }
+
+    /**
      * Recoverable KeyStore metadata for a specific user profile.
      */
     static class UserMetadataEntry implements BaseColumns {
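Review bot: Four of the new column constants in `SnapshotsEntry` (`SERVER_PARAMS`, `TRUSTED_HARDWARE_PUBLIC_KEY`, `CERT_PATH`, `ENCRYPTED_RECOVERY_KEY`) drop the `COLUMN_NAME_` prefix that every other column constant in this class and in `SnapshotKeysEntry`/`SnapshotProtectionParams` uses, which will make the later SQL-building CL inconsistent to read; rename them to match, e.g. `static final String COLUMN_NAME_ENCRYPTED_RECOVERY_KEY = "encrypted_recovery_key";`. The same applies to the class name `SnapshotProtectionParams`, which is the only contract class here without the `Entry` suffix used by `SnapshotsEntry`, `SnapshotKeysEntry` and `UserMetadataEntry`. The javadoc on `COLUMN_NAME_MAX_ATTEMPTS` reads awkwardly ("attempts allowed to attempt"); suggest `The maximum number of attempts allowed to decrypt the recovery key before the trusted hardware module locks the snapshot.`, hedged on the locking behaviour since this contract file does not show it. Since the point of persisting these columns is that only already-encrypted material reaches the DB, it would also help to state that explicitly in the `SnapshotsEntry` class javadoc, e.g. `Only ciphertext is stored here: the recovery key and every key in the snapshot are encrypted before being written.`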