KeyStoreManager
class KeyStoreManager
kotlin.Any
   ↳ android.security.keystore.KeyStoreManager
This class provides methods for interacting with keys stored within the Android Keystore.
Summary
Constants | |
---|---|
static Int | MODULE_HASH: When passed into getSupplementaryAttestationInfo, getSupplementaryAttestationInfo returns the DER-encoded structure corresponding to the `Modules` schema described in the KeyMint HAL's KeyCreationResult. |
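Public methods | |
---|---|
MutableList<X509Certificate!> | getGrantedCertificateChainFromId(id: Long): Returns a `List` of `X509Certificate` instances representing the certificate chain for the key that was previously shared with the app under the provided `id`. |
Key | getGrantedKeyFromId(id: Long): Returns the key with the specified `id` that was previously shared with the app. |
KeyPair | getGrantedKeyPairFromId(id: Long): Returns a `KeyPair` containing the public and private key associated with the key that was previously shared with the app under the provided `id`. |
Long | grantKeyAccess(alias: String, uid: Int): Grants access to the key owned by the calling app stored under the specified `alias` to another app on the device with the provided `uid`. |
Unit | revokeKeyAccess(alias: String, uid: Int): Revokes access to the key in the app's namespace stored under the specified `alias` that was previously granted to another app on the device with the provided `uid`. |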
Constants
MODULE_HASH
static val MODULE_HASH: Int
When passed into getSupplementaryAttestationInfo, getSupplementaryAttestationInfo returns the DER-encoded structure corresponding to the `Modules` schema described in the KeyMint HAL's KeyCreationResult.aidl. The SHA-256 hash of this encoded structure is what's included with the tag in attestations.
Value: -1879047468
Public methods
getGrantedCertificateChainFromId
fun getGrantedCertificateChainFromId(id: Long): MutableList<X509Certificate!>
Returns a `List` of `X509Certificate` instances representing the certificate chain for the key that was previously shared with the app under the provided `id`.
If a `java.security.PrivateKey` has not been granted to the caller with the specified `id`, then an `UnrecoverableKeyException` is thrown.
Parameters | |
---|---|
id | Long: the ID of the asymmetric key that was shared with the app |
Return | |
---|---|
MutableList<X509Certificate!> | a List of X509Certificates with the certificate at index 0 corresponding to the private key shared with the app. This value cannot be null. |
Exceptions | |
---|---|
java.security.UnrecoverableKeyException | if the specified key cannot be recovered |
android.security.keystore.KeyPermanentlyInvalidatedException | if the specified key was authorized to only be used if the user has been authenticated and a change has been made to the user's lockscreen or biometric enrollment that permanently invalidates the key |
getGrantedKeyFromId
fun getGrantedKeyFromId(id: Long): Key
Returns the key with the specified `id` that was previously shared with the app.
This method can return instances of both `javax.crypto.SecretKey` and . If a key with the provided `id` has not been granted to the caller, then an `UnrecoverableKeyException` is thrown.
Parameters | |
---|---|
id | Long: the ID of the key that was shared with the app |
Return | |
---|---|
Key | the Key that was shared with the app. This value cannot be null. |
Exceptions | |
---|---|
java.security.UnrecoverableKeyException | if the specified key cannot be recovered |
android.security.keystore.KeyPermanentlyInvalidatedException | if the specified key was authorized to only be used if the user has been authenticated and a change has been made to the user's lockscreen or biometric enrollment that permanently invalidates the key |
getGrantedKeyPairFromId
fun getGrantedKeyPairFromId(id: Long): KeyPair
Returns a `KeyPair` containing the public and private key associated with the key that was previously shared with the app under the provided `id`.
If a `java.security.PrivateKey` has not been granted to the caller with the specified `id`, then an `UnrecoverableKeyException` is thrown.
Parameters | |
---|---|
id | Long: the ID of the private key that was shared with the app |
Return | |
---|---|
KeyPair | a KeyPair containing the public and private key shared with the app. This value cannot be null. |
Exceptions | |
---|---|
java.security.UnrecoverableKeyException | if the specified key cannot be recovered |
android.security.keystore.KeyPermanentlyInvalidatedException | if the specified key was authorized to only be used if the user has been authenticated and a change has been made to the user's lockscreen or biometric enrollment that permanently invalidates the key |
grantKeyAccess
fun grantKeyAccess(
alias: String,
uid: Int
): Long
Grants access to the key owned by the calling app stored under the specified `alias` to another app on the device with the provided `uid`.
This method supports granting access to instances of both `javax.crypto.SecretKey` and `java.security.PrivateKey`. The resulting ID will persist across reboots and can be used by the grantee app for the life of the key or until access is revoked with `revokeKeyAccess(java.lang.String,int)`.
If the provided `alias` does not correspond to a key in the Android KeyStore, then an `UnrecoverableKeyException` is thrown.
Parameters | |
---|---|
alias | String: the alias of the key to be granted to another app. This value cannot be null. |
uid | Int: the uid of the app to which the key should be granted |
Return | |
---|---|
Long | the ID of the granted key; this can be shared with the specified app, and that app can use getGrantedKeyFromId(long) to access the key |
Exceptions | |
---|---|
java.security.UnrecoverableKeyException | if the specified key cannot be recovered |
android.security.KeyStoreException | if an error is encountered when attempting to grant access to the key |
revokeKeyAccess
fun revokeKeyAccess(
alias: String,
uid: Int
): Unit
Revokes access to the key in the app's namespace stored under the specified `alias` that was previously granted to another app on the device with the provided `uid`.
If the provided `alias` does not correspond to a key in the Android KeyStore, then an `UnrecoverableKeyException` is thrown.
Parameters | |
---|---|
alias | String: the alias of the key to be revoked from another app. This value cannot be null. |
uid | Int: the uid of the app from which the key access should be revoked |
Exceptions | |
---|---|
java.security.UnrecoverableKeyException | if the specified key cannot be recovered |
android.security.KeyStoreException | if an error is encountered when attempting to revoke access to the key |
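The grant, use and revoke lifecycle described by the methods above, as an added Kotlin example (not code from the Android documentation). It assumes the caller already holds a `KeyStoreManager` instance, that the shared key is an EC key authorized for signing, and that the grant ID reaches the grantee over an app-defined channel; the function names `shareKey`, `signWithGrantedKey` and `unshareKey` are hypothetical.

```kotlin
import android.security.KeyStoreException
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyStoreManager
import java.security.Signature
import java.security.UnrecoverableKeyException

// Hypothetical helper names; `ksm` is assumed to be obtained by the caller.

// Owner app: grant the key under `alias` to the app running as `granteeUid`.
// Returns the grant ID to pass to the grantee, or null if the grant failed.
fun shareKey(ksm: KeyStoreManager, alias: String, granteeUid: Int): Long? =
    try {
        ksm.grantKeyAccess(alias, granteeUid)
    } catch (e: UnrecoverableKeyException) {
        null // no key under this alias in the Android Keystore
    } catch (e: KeyStoreException) {
        null // Keystore error while granting access
    }

// Grantee app: sign `data` with the private key shared under `grantId`.
// Assumes an EC key authorized for signing with SHA-256.
fun signWithGrantedKey(ksm: KeyStoreManager, grantId: Long, data: ByteArray): ByteArray? =
    try {
        val pair = ksm.getGrantedKeyPairFromId(grantId)
        val chain = ksm.getGrantedCertificateChainFromId(grantId)
        // Index 0 of the chain corresponds to the shared private key.
        check(chain[0].publicKey.encoded.contentEquals(pair.public.encoded)) {
            "leaf certificate does not match the granted key"
        }
        Signature.getInstance("SHA256withECDSA").run {
            initSign(pair.private)
            update(data)
            sign()
        }
    } catch (e: KeyPermanentlyInvalidatedException) {
        null // lockscreen or biometric change permanently invalidated the key
    } catch (e: UnrecoverableKeyException) {
        null // a key with this ID is not granted to this caller
    }

// Owner app: withdraw the grant made to `granteeUid` for the key under `alias`.
fun unshareKey(ksm: KeyStoreManager, alias: String, granteeUid: Int): Boolean =
    try {
        ksm.revokeKeyAccess(alias, granteeUid)
        true
    } catch (e: UnrecoverableKeyException) {
        false // no key under this alias in the Android Keystore
    } catch (e: KeyStoreException) {
        false // Keystore error while revoking access
    }
```

Because the grant is bound to a uid and persists across reboots, the owner app should call its revoke path whenever the grantee no longer needs the key, instead of relying on the grantee to discard the ID.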