Skip to content

Most visited

Recently visited

navigation

KeyChain

public final class KeyChain
extends Object

java.lang.Object
   ↳ android.security.KeyChain


The KeyChain class provides access to private keys and their corresponding certificate chains in credential storage.

Applications accessing the KeyChain normally go through these steps:

  1. Receive a callback from an X509KeyManager that a private key is requested.
  2. Call choosePrivateKeyAlias to allow the user to select from a list of currently available private keys and corresponding certificate chains. The chosen alias will be returned by the callback alias(String), or null if no private key is available or the user cancels the request.
  3. Call getPrivateKey(Context, String) and getCertificateChain(Context, String) to retrieve the credentials to return to the corresponding X509KeyManager callbacks.

An application may remember the value of a selected alias to avoid prompting the user with choosePrivateKeyAlias on subsequent connections. If the alias is no longer valid, null will be returned on lookups using that value

An application can request the installation of private keys and certificates via the Intent provided by createInstallIntent(). Private keys installed via this Intent will be accessible via choosePrivateKeyAlias(Activity, KeyChainAliasCallback, String[], Principal[], Uri, String) while Certificate Authority (CA) certificates will be trusted by all applications through the default X509TrustManager.

Summary

Constants

String ACTION_STORAGE_CHANGED

Broadcast Action: Indicates the trusted storage has changed.

String EXTRA_CERTIFICATE

Optional extra to specify an X.509 certificate to install on the Intent returned by createInstallIntent().

String EXTRA_NAME

Optional extra to specify a String credential name on the Intent returned by createInstallIntent().

String EXTRA_PKCS12

Optional extra for use with the Intent returned by createInstallIntent() to specify a PKCS#12 key store to install.

Public constructors

KeyChain()

Public methods

static void choosePrivateKeyAlias(Activity activity, KeyChainAliasCallback response, String[] keyTypes, Principal[] issuers, String host, int port, String alias)

Launches an Activity for the user to select the alias for a private key and certificate pair for authentication.

static void choosePrivateKeyAlias(Activity activity, KeyChainAliasCallback response, String[] keyTypes, Principal[] issuers, Uri uri, String alias)

Launches an Activity for the user to select the alias for a private key and certificate pair for authentication.

static Intent createInstallIntent()

Returns an Intent that can be used for credential installation.

static X509Certificate[] getCertificateChain(Context context, String alias)

Returns the X509Certificate chain for the requested alias, or null if there is no result.

static PrivateKey getPrivateKey(Context context, String alias)

Returns the PrivateKey for the requested alias, or null if there is no result.

static boolean isBoundKeyAlgorithm(String algorithm)

This method was deprecated in API level 23. Whether the key is bound to the secure hardware is known only once the key has been imported. To find out, use:

PrivateKey key = ...; // private key from KeyChain

 KeyFactory keyFactory =
     KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
 KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class);
 if (keyInfo.isInsideSecureHardware()) {
     // The key is bound to the secure hardware of this Android
 }

static boolean isKeyAlgorithmSupported(String algorithm)

Returns true if the current device's KeyChain supports a specific PrivateKey type indicated by algorithm (e.g., "RSA").

Inherited methods

From class java.lang.Object

Constants

ACTION_STORAGE_CHANGED

Added in API level 16
String ACTION_STORAGE_CHANGED

Broadcast Action: Indicates the trusted storage has changed. Sent when one of this happens:

  • a new CA is added,
  • an existing CA is removed or disabled,
  • a disabled CA is enabled,
  • trusted storage is reset (all user certs are cleared),
  • when permission to access a private key is changed.

Constant Value: "android.security.STORAGE_CHANGED"

EXTRA_CERTIFICATE

Added in API level 14
String EXTRA_CERTIFICATE

Optional extra to specify an X.509 certificate to install on the Intent returned by createInstallIntent(). The extra value should be a PEM or ASN.1 DER encoded byte[]. An X509Certificate can be converted to DER encoded bytes with getEncoded().

EXTRA_NAME may be used to provide a default alias name for the installed certificate.

Constant Value: "CERT"

EXTRA_NAME

Added in API level 14
String EXTRA_NAME

Optional extra to specify a String credential name on the Intent returned by createInstallIntent().

Constant Value: "name"

EXTRA_PKCS12

Added in API level 14
String EXTRA_PKCS12

Optional extra for use with the Intent returned by createInstallIntent() to specify a PKCS#12 key store to install. The extra value should be a byte[]. The bytes may come from an external source or be generated with store(OutputStream, char[]) on a "PKCS12" instance.

The user will be prompted for the password to load the key store.

The key store will be scanned for KeyStore.PrivateKeyEntry entries and both the private key and associated certificate chain will be installed.

EXTRA_NAME may be used to provide a default alias name for the installed credentials.

Constant Value: "PKCS12"

Public constructors

KeyChain

Added in API level 14
KeyChain ()

Public methods

choosePrivateKeyAlias

Added in API level 14
void choosePrivateKeyAlias (Activity activity, 
                KeyChainAliasCallback response, 
                String[] keyTypes, 
                Principal[] issuers, 
                String host, 
                int port, 
                String alias)

Launches an Activity for the user to select the alias for a private key and certificate pair for authentication. The selected alias or null will be returned via the KeyChainAliasCallback callback.

The device or profile owner can intercept this before the activity is shown, to pick a specific private key alias.

keyTypes and issuers may be used to highlight suggested choices to the user, although to cope with sometimes erroneous values provided by servers, the user may be able to override these suggestions.

host and port may be used to give the user more context about the server requesting the credentials.

alias allows the chooser to preselect an existing alias which will still be subject to user confirmation.

Parameters
activity Activity: The Activity context to use for launching the new sub-Activity to prompt the user to select a private key; used only to call startActivity(); must not be null.
response KeyChainAliasCallback: Callback to invoke when the request completes; must not be null
keyTypes String: The acceptable types of asymmetric keys such as "RSA" or "DSA", or a null array.
issuers Principal: The acceptable certificate issuers for the certificate matching the private key, or null.
host String: The host name of the server requesting the certificate, or null if unavailable.
port int: The port number of the server requesting the certificate, or -1 if unavailable.
alias String: The alias to preselect if available, or null if unavailable.

choosePrivateKeyAlias

Added in API level 23
void choosePrivateKeyAlias (Activity activity, 
                KeyChainAliasCallback response, 
                String[] keyTypes, 
                Principal[] issuers, 
                Uri uri, 
                String alias)

Launches an Activity for the user to select the alias for a private key and certificate pair for authentication. The selected alias or null will be returned via the KeyChainAliasCallback callback.

The device or profile owner can intercept this before the activity is shown, to pick a specific private key alias.

keyTypes and issuers may be used to highlight suggested choices to the user, although to cope with sometimes erroneous values provided by servers, the user may be able to override these suggestions.

host and port may be used to give the user more context about the server requesting the credentials.

alias allows the chooser to preselect an existing alias which will still be subject to user confirmation.

Parameters
activity Activity: The Activity context to use for launching the new sub-Activity to prompt the user to select a private key; used only to call startActivity(); must not be null.
response KeyChainAliasCallback: Callback to invoke when the request completes; must not be null
keyTypes String: The acceptable types of asymmetric keys such as "EC" or "RSA", or a null array.
issuers Principal: The acceptable certificate issuers for the certificate matching the private key, or null.
uri Uri: The full URI the server is requesting the certificate for, or null if unavailable.
alias String: The alias to preselect if available, or null if unavailable.

createInstallIntent

Added in API level 14
Intent createInstallIntent ()

Returns an Intent that can be used for credential installation. The intent may be used without any extras, in which case the user will be able to install credentials from their own source.

Alternatively, EXTRA_CERTIFICATE or EXTRA_PKCS12 maybe used to specify the bytes of an X.509 certificate or a PKCS#12 key store for installation. These extras may be combined with EXTRA_NAME to provide a default alias name for credentials being installed.

When used with startActivityForResult(Intent, int), RESULT_OK will be returned if a credential was successfully installed, otherwise RESULT_CANCELED will be returned.

Returns
Intent

getCertificateChain

Added in API level 14
X509Certificate[] getCertificateChain (Context context, 
                String alias)

Returns the X509Certificate chain for the requested alias, or null if there is no result.

Note: If a certificate chain was explicitly specified when the alias was installed, this method will return that chain. If only the client certificate was specified at the installation time, this method will try to build a certificate chain using all available trust anchors (preinstalled and user-added).

This method may block while waiting for a connection to another process, and must never be called from the main thread.

Parameters
context Context
alias String: The alias of the desired certificate chain, typically returned via alias(String).
Returns
X509Certificate[]
Throws
KeyChainException if the alias was valid but there was some problem accessing it.
IllegalStateException if called from the main thread.
InterruptedException

getPrivateKey

Added in API level 14
PrivateKey getPrivateKey (Context context, 
                String alias)

Returns the PrivateKey for the requested alias, or null if there is no result.

This method may block while waiting for a connection to another process, and must never be called from the main thread.

Parameters
context Context
alias String: The alias of the desired private key, typically returned via alias(String).
Returns
PrivateKey
Throws
KeyChainException if the alias was valid but there was some problem accessing it.
IllegalStateException if called from the main thread.
InterruptedException

isBoundKeyAlgorithm

Added in API level 18
boolean isBoundKeyAlgorithm (String algorithm)

This method was deprecated in API level 23.
Whether the key is bound to the secure hardware is known only once the key has been imported. To find out, use:

PrivateKey key = ...; // private key from KeyChain

 KeyFactory keyFactory =
     KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
 KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class);
 if (keyInfo.isInsideSecureHardware()) {
     // The key is bound to the secure hardware of this Android
 }

Returns true if the current device's KeyChain binds any PrivateKey of the given algorithm to the device once imported or generated. This can be used to tell if there is special hardware support that can be used to bind keys to the device in a way that makes it non-exportable.

Parameters
algorithm String
Returns
boolean

isKeyAlgorithmSupported

Added in API level 18
boolean isKeyAlgorithmSupported (String algorithm)

Returns true if the current device's KeyChain supports a specific PrivateKey type indicated by algorithm (e.g., "RSA").

Parameters
algorithm String
Returns
boolean
This site uses cookies to store your preferences for site-specific language and display options.

Hooray!

This class requires API level or higher

This doc is hidden because your selected API level for the documentation is . You can change the documentation API level with the selector above the left navigation.

For more information about specifying the API level your app requires, read Supporting Different Platform Versions.