IdentityCredentialStore
public
abstract
class
IdentityCredentialStore
extends Object
java.lang.Object | |
↳ | android.security.identity.IdentityCredentialStore |
An interface to a secure store for user identity documents.
This interface is deliberately fairly general and abstract. To the extent possible, specification of the message formats and semantics of communication with credential verification devices and issuing authorities (IAs) is out of scope. It provides the interface with secure storage but a credential-specific Android application will be required to implement the presentation and verification protocols and processes appropriate for the specific credential type.
Multiple credentials can be created. Each credential comprises:
- A document type, which is a string.
- A set of namespaces, which serve to disambiguate value names. It is recommended that namespaces be structured as reverse domain names so that IANA effectively serves as the namespace registrar.
- For each namespace, a set of name/value pairs, each with an associated set of access control profile IDs. Names are strings and values are typed and can be any value supported by CBOR.
- A set of access control profiles (up to 32), each with a profile ID and a specification of the conditions which satisfy the profile's requirements.
- An asymmetric key pair which is used to authenticate the credential to the Issuing Authority, called the CredentialKey.
- A set of zero or more named reader authentication public keys, which are used to authenticate an authorized reader to the credential.
- A set of named signing keys, which are used to sign collections of values and session transcripts.
Implementing support for user identity documents in secure storage requires dedicated hardware-backed support and may not always be available.
Two different credential stores exist - the default store and the direct access store. Most often credentials will be accessed through the default store but that requires that the Android device be powered up and fully functional. It is desirable to allow identity credential usage when the Android device's battery is too low to boot the Android operating system, so direct access to the secure hardware via NFC may allow data retrieval, if the secure hardware chooses to implement it.
Credentials provisioned to the direct access store should always use reader authentication to protect data elements. The reason for this is user authentication or user approval of data release is not possible when the device is off.
The Identity Credential API is designed to be able to evolve and change over time
but still provide 100% backwards compatibility. This is complicated by the fact that
there may be a version skew between the API used by the application and the version
implemented in secure hardware. To solve this problem, the API provides for a way
for the application to query which feature version the hardware implements (if any
at all) using
android.content.pm
and
android.content.pm
.
Methods which only work on certain feature versions are clearly documented as
such.
Summary
Constants | |
---|---|
int |
CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256
Specifies that the cipher suite that will be used to secure communications between the reader and the prover is using the following primitives
|
Public methods | |
---|---|
abstract
WritableIdentityCredential
|
createCredential(String credentialName, String docType)
Creates a new credential. |
PresentationSession
|
createPresentationSession(int cipherSuite)
Creates a new presentation session. |
abstract
byte[]
|
deleteCredentialByName(String credentialName)
This method was deprecated
in API level 31.
Use |
abstract
IdentityCredential
|
getCredentialByName(String credentialName, int cipherSuite)
Retrieve a named credential. |
static
IdentityCredentialStore
|
getDirectAccessInstance(Context context)
Gets the |
static
IdentityCredentialStore
|
getInstance(Context context)
Gets the default |
abstract
String[]
|
getSupportedDocTypes()
Gets a list of supported document types. |
Inherited methods | |
---|---|
Constants
CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256
public static final int CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256
Specifies that the cipher suite that will be used to secure communications between the reader and the prover is using the following primitives
- ECKA-DH (Elliptic Curve Key Agreement Algorithm - Diffie-Hellman, see BSI TR-03111).
- HKDF-SHA-256 (see RFC 5869).
- AES-256-GCM (see NIST SP 800-38D).
- HMAC-SHA-256 (see RFC 2104).
The exact way these primitives are combined to derive the session key is specified in section 9.2.1.4 of ISO/IEC 18013-5 (see description of cipher suite '1').
At present this is the only supported cipher suite.
Constant Value: 1 (0x00000001)
Public methods
createCredential
public abstract WritableIdentityCredential createCredential (String credentialName, String docType)
Creates a new credential.
When a credential is created, a cryptographic key-pair - CredentialKey - is created which
is used to authenticate the store to the Issuing Authority. The private part of this
key-pair never leaves secure hardware and the public part can be obtained using
WritableIdentityCredential#getCredentialKeyCertificateChain(byte[])
on the
returned object.
In addition, all of the Credential data content is imported and a certificate for the CredentialKey and a signature produced with the CredentialKey are created. These latter values may be checked by an issuing authority to verify that the data was imported into secure hardware and that it was imported unmodified.
Parameters | |
---|---|
credentialName |
String : The name used to identify the credential.
This value cannot be null . |
docType |
String : The document type for the credential.
This value cannot be null . |
Returns | |
---|---|
WritableIdentityCredential |
A WritableIdentityCredential that can be used to create a new credential.
This value cannot be null . |
Throws | |
---|---|
AlreadyPersonalizedException |
if a credential with the given name already exists. |
DocTypeNotSupportedException |
if the given document type isn't supported by the store. |
createPresentationSession
public PresentationSession createPresentationSession (int cipherSuite)
Creates a new presentation session.
This method gets an object to be used for interaction with a remote verifier for presentation of one or more credentials.
This is only implemented in feature version 202201 or later. If not implemented, the call
fails with UnsupportedOperationException
. See
PackageManager.FEATURE_IDENTITY_CREDENTIAL_HARDWARE
for known
feature versions.
Parameters | |
---|---|
cipherSuite |
int : the cipher suite to use for communicating with the verifier.
Value is CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256 |
Returns | |
---|---|
PresentationSession |
The presentation session.
This value cannot be null . |
Throws | |
---|---|
CipherSuiteNotSupportedException |
deleteCredentialByName
public abstract byte[] deleteCredentialByName (String credentialName)
This method was deprecated
in API level 31.
Use IdentityCredential#delete(byte[])
instead.
Delete a named credential.
This method returns a COSE_Sign1 data structure signed by the CredentialKey
with payload set to ProofOfDeletion
as defined below:
ProofOfDeletion = [ "ProofOfDeletion", ; tstr tstr, ; DocType bool ; true if this is a test credential, should ; always be false. ]
Parameters | |
---|---|
credentialName |
String : the name of the credential to delete.
This value cannot be null . |
Returns | |
---|---|
byte[] |
null if the credential was not found, the COSE_Sign1 data structure above
if the credential was found and deleted. |
getCredentialByName
public abstract IdentityCredential getCredentialByName (String credentialName, int cipherSuite)
Retrieve a named credential.
The cipher suite used to communicate with the remote verifier must also be specified. Currently only a single cipher-suite is supported. Support for other cipher suites may be added in a future version of this API.
Parameters | |
---|---|
credentialName |
String : the name of the credential to retrieve.
This value cannot be null . |
cipherSuite |
int : the cipher suite to use for communicating with the verifier.
Value is CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256 |
Returns | |
---|---|
IdentityCredential |
The named credential, or null if not found. |
Throws | |
---|---|
CipherSuiteNotSupportedException |
getDirectAccessInstance
public static IdentityCredentialStore getDirectAccessInstance (Context context)
Gets the IdentityCredentialStore
for direct access.
Direct access requires specialized NFC hardware and may not be supported on all devices even if default store is available. Credentials provisioned to the direct access store should always use reader authentication to protect data elements.
Parameters | |
---|---|
context |
Context : the application context.
This value cannot be null . |
Returns | |
---|---|
IdentityCredentialStore |
the IdentityCredentialStore or null if direct access is not
supported on this device. |
getInstance
public static IdentityCredentialStore getInstance (Context context)
Gets the default IdentityCredentialStore
.
Parameters | |
---|---|
context |
Context : the application context.
This value cannot be null . |
Returns | |
---|---|
IdentityCredentialStore |
the IdentityCredentialStore or null if the device doesn't
have hardware-backed support for secure storage of user identity documents. |
getSupportedDocTypes
public abstract String[] getSupportedDocTypes ()
Gets a list of supported document types.
Only the direct-access store may restrict the kind of document types that can be used for credentials. The default store always supports any document type.
Returns | |
---|---|
String[] |
The supported document types or the empty array if any document type is supported.
This value cannot be null . |