KeyStoreManager


class KeyStoreManager
kotlin.Any
   ↳ android.security.keystore.KeyStoreManager

This class provides methods for interacting with keys stored within the Android Keystore.

Summary

Constants
static Int
MODULE_HASH

When passed into getSupplementaryAttestationInfo, that method returns the DER-encoded structure corresponding to the `Modules` schema described in the KeyMint HAL's KeyCreationResult.

Public methods
MutableList<X509Certificate!>
getGrantedCertificateChainFromId(id: Long)

Returns a List of X509Certificate instances representing the certificate chain for the key that was previously shared with the app under the provided id.

Key
getGrantedKeyFromId(id: Long)

Returns the key with the specified id that was previously shared with the app.

KeyPair
getGrantedKeyPairFromId(id: Long)

Returns a KeyPair containing the public and private key associated with the key that was previously shared with the app under the provided id.

Long
grantKeyAccess(alias: String, uid: Int)

Grants access to the key owned by the calling app stored under the specified alias to another app on the device with the provided uid.

Unit
revokeKeyAccess(alias: String, uid: Int)

Revokes access to the key in the app's namespace stored under the specified alias that was previously granted to another app on the device with the provided uid.

Constants

MODULE_HASH

static val MODULE_HASH: Int

When passed into getSupplementaryAttestationInfo, that method returns the DER-encoded structure corresponding to the `Modules` schema described in the KeyMint HAL's KeyCreationResult.aidl. The SHA-256 hash of this encoded structure is what's included with the tag in attestations.

Value: -1879047468

Public methods

getGrantedCertificateChainFromId

fun getGrantedCertificateChainFromId(id: Long): MutableList<X509Certificate!>

Returns a List of X509Certificate instances representing the certificate chain for the key that was previously shared with the app under the provided id.

If a java.security.PrivateKey has not been granted to the caller with the specified id, then an UnrecoverableKeyException is thrown.

Parameters
id Long: the ID of the asymmetric key that was shared with the app
Return
MutableList<X509Certificate!> a List of X509Certificates with the certificate at index 0 corresponding to the private key shared with the app. This value cannot be null.
Exceptions
java.security.UnrecoverableKeyException if the specified key cannot be recovered
android.security.keystore.KeyPermanentlyInvalidatedException if the specified key was authorized to only be used if the user has been authenticated and a change has been made to the user's lockscreen or biometric enrollment that permanently invalidates the key

getGrantedKeyFromId

fun getGrantedKeyFromId(id: Long): Key

Returns the key with the specified id that was previously shared with the app.

This method can return instances of both javax.crypto.SecretKey and java.security.PrivateKey. If a key with the provided id has not been granted to the caller, then an UnrecoverableKeyException is thrown.

Parameters
id Long: the ID of the key that was shared with the app
Return
Key the Key that was shared with the app. This value cannot be null.
Exceptions
java.security.UnrecoverableKeyException if the specified key cannot be recovered
android.security.keystore.KeyPermanentlyInvalidatedException if the specified key was authorized to only be used if the user has been authenticated and a change has been made to the user's lockscreen or biometric enrollment that permanently invalidates the key

getGrantedKeyPairFromId

fun getGrantedKeyPairFromId(id: Long): KeyPair

Returns a KeyPair containing the public and private key associated with the key that was previously shared with the app under the provided id.

If a java.security.PrivateKey has not been granted to the caller with the specified id, then an UnrecoverableKeyException is thrown.

Parameters
id Long: the ID of the private key that was shared with the app
Return
KeyPair a KeyPair containing the public and private key shared with the app. This value cannot be null.
Exceptions
java.security.UnrecoverableKeyException if the specified key cannot be recovered
android.security.keystore.KeyPermanentlyInvalidatedException if the specified key was authorized to only be used if the user has been authenticated and a change has been made to the user's lockscreen or biometric enrollment that permanently invalidates the key

grantKeyAccess

fun grantKeyAccess(
    alias: String,
    uid: Int
): Long

Grants access to the key owned by the calling app stored under the specified alias to another app on the device with the provided uid.

This method supports granting access to instances of both javax.crypto.SecretKey and java.security.PrivateKey. The resulting ID will persist across reboots and can be used by the grantee app for the life of the key or until access is revoked with revokeKeyAccess(java.lang.String,int).

If the provided alias does not correspond to a key in the Android KeyStore, then an UnrecoverableKeyException is thrown.

Parameters
alias String: the alias of the key to be granted to another app. This value cannot be null.
uid Int: the uid of the app to which the key should be granted
Return
Long the ID of the granted key; this can be shared with the specified app, and that app can use getGrantedKeyFromId(long) to access the key
Exceptions
java.security.UnrecoverableKeyException if the specified key cannot be recovered
android.security.KeyStoreException if an error is encountered when attempting to grant access to the key

revokeKeyAccess

fun revokeKeyAccess(
    alias: String,
    uid: Int
): Unit

Revokes access to the key in the app's namespace stored under the specified alias that was previously granted to another app on the device with the provided uid.

If the provided alias does not correspond to a key in the Android KeyStore, then an UnrecoverableKeyException is thrown.

Parameters
alias String: the alias of the key to be revoked from another app. This value cannot be null.
uid Int: the uid of the app from which the key access should be revoked
Exceptions
java.security.UnrecoverableKeyException if the specified key cannot be recovered
android.security.KeyStoreException if an error is encountered when attempting to revoke access to the key
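The grant-and-retrieve flow described above, as an added example that is not part of the Android reference: the grantor pins the grantee to its signing certificate before resolving the uid it grants to, and the grantee handles both documented exception types when resolving the shared ID. It assumes KeyStoreManager is obtained through Context.getSystemService; the alias, grantee package name and certificate hash are placeholders.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.security.keystore.KeyStoreManager
import java.security.KeyStore
import java.security.UnrecoverableKeyException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val ALIAS = "shared_aes_key"            // constructed alias
private const val GRANTEE_PKG = "com.example.grantee" // hypothetical grantee package
private val GRANTEE_CERT_SHA256 = ByteArray(32)       // PLACEHOLDER: grantee signing-cert SHA-256, obtained out of band

// Grantor side: a uid is only as trustworthy as the package identity it was resolved from, so pin the
// grantee to its signing certificate first, then create the Keystore-backed AES key (if absent) and grant it.
fun grantKeyToVerifiedPackage(context: Context): Long? {
    val pm = context.packageManager
    if (!pm.hasSigningCertificate(GRANTEE_PKG, GRANTEE_CERT_SHA256, PackageManager.CERT_INPUT_SHA256)) return null
    val uid = try { pm.getPackageUid(GRANTEE_PKG, 0) } catch (e: PackageManager.NameNotFoundException) { return null }
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    if (!ks.containsAlias(ALIAS)) {
        KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore").apply {
            init(KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build())
        }.generateKey()
    }
    // Assumption: KeyStoreManager is fetched as a system service from the Context.
    val ksm = context.getSystemService(KeyStoreManager::class.java)
    return ksm.grantKeyAccess(ALIAS, uid) // ID persists across reboots until revokeKeyAccess(ALIAS, uid)
}

// Grantee side: resolve the shared ID to the key and decrypt one AES-GCM message.
// Returns null when the grant is absent or revoked, or when the key was permanently invalidated.
fun decryptWithGrantedKey(context: Context, grantId: Long, iv: ByteArray, ciphertext: ByteArray): ByteArray? {
    val ksm = context.getSystemService(KeyStoreManager::class.java)
    val key = try {
        ksm.getGrantedKeyFromId(grantId) as? SecretKey ?: return null // asymmetric grant: use getGrantedKeyPairFromId
    } catch (e: UnrecoverableKeyException) { return null }           // never granted to this uid, or revoked
      catch (e: KeyPermanentlyInvalidatedException) { return null }  // lockscreen/biometric change: drop cached IDs
    return Cipher.getInstance("AES/GCM/NoPadding").run {
        init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv))
        doFinal(ciphertext)
    }
}
```

The grant ID itself is not a secret capability: Keystore enforces the grant against the caller's uid, so the grantee still gets UnrecoverableKeyException once the grantor calls revokeKeyAccess.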