public
final
class
KeyChain
extends Object
| java.lang.Object | |
| ↳ | android.security.KeyChain |
The KeyChain class provides access to private keys and
their corresponding certificate chains in credential storage.
Applications accessing the KeyChain normally go through
these steps:
Developers
X509KeyManager that a private key is requested.
choosePrivateKeyAlias to allow the user to select from a
list of currently available private keys and corresponding
certificate chains. The chosen alias will be returned by the
callback alias(String), or null if no private
key is available or the user cancels the request.
getPrivateKey(Context, String) and getCertificateChain(Context, String) to
retrieve the credentials to return to the corresponding X509KeyManager callbacks.
An application may remember the value of a selected alias to
avoid prompting the user with choosePrivateKeyAlias on subsequent connections. If the alias is
no longer valid, null will be returned on lookups using that value
An application can request the installation of private keys and
certificates via the Intent provided by createInstallIntent(). Private keys installed via this Intent will be accessible via choosePrivateKeyAlias(Activity, KeyChainAliasCallback, String[], Principal[], Uri, String) while
Certificate Authority (CA) certificates will be trusted by all
applications through the default X509TrustManager.
Constants | |
|---|---|
String |
ACTION_STORAGE_CHANGED
Broadcast Action: Indicates the trusted storage has changed. |
String |
EXTRA_CERTIFICATE
Optional extra to specify an X.509 certificate to install on
the |
String |
EXTRA_NAME
Optional extra to specify a |
String |
EXTRA_PKCS12
Optional extra for use with the |
Public constructors | |
|---|---|
KeyChain()
|
|
Public methods | |
|---|---|
static
void
|
choosePrivateKeyAlias(Activity activity, KeyChainAliasCallback response, String[] keyTypes, Principal[] issuers, String host, int port, String alias)
Launches an |
static
void
|
choosePrivateKeyAlias(Activity activity, KeyChainAliasCallback response, String[] keyTypes, Principal[] issuers, Uri uri, String alias)
Launches an |
static
Intent
|
createInstallIntent()
Returns an |
static
X509Certificate[]
|
getCertificateChain(Context context, String alias)
Returns the |
static
PrivateKey
|
getPrivateKey(Context context, String alias)
Returns the |
static
boolean
|
isBoundKeyAlgorithm(String algorithm)
This method was deprecated
in API level 23.
Whether the key is bound to the secure hardware is known only
once the key has been imported. To find out, use:
|
static
boolean
|
isKeyAlgorithmSupported(String algorithm)
Returns |
Inherited methods | |
|---|---|
 From
class
java.lang.Object
| |
String ACTION_STORAGE_CHANGED
Broadcast Action: Indicates the trusted storage has changed. Sent when one of this happens:
Constant Value: "android.security.STORAGE_CHANGED"
String EXTRA_CERTIFICATE
Optional extra to specify an X.509 certificate to install on
the Intent returned by createInstallIntent().
The extra value should be a PEM or ASN.1 DER encoded byte[]. An X509Certificate can be converted to DER
encoded bytes with getEncoded().
EXTRA_NAME may be used to provide a default alias
name for the installed certificate.
Constant Value: "CERT"
String EXTRA_NAME
Optional extra to specify a String credential name on
the Intent returned by createInstallIntent().
Constant Value: "name"
String EXTRA_PKCS12
Optional extra for use with the Intent returned by
createInstallIntent() to specify a PKCS#12 key store to
install. The extra value should be a byte[]. The bytes
may come from an external source or be generated with store(OutputStream, char[]) on a "PKCS12" instance.
The user will be prompted for the password to load the key store.
The key store will be scanned for KeyStore.PrivateKeyEntry entries and both the
private key and associated certificate chain will be installed.
EXTRA_NAME may be used to provide a default alias
name for the installed credentials.
Constant Value: "PKCS12"
void choosePrivateKeyAlias (Activity activity, KeyChainAliasCallback response, String[] keyTypes, Principal[] issuers, String host, int port, String alias)
Launches an Activity for the user to select the alias
for a private key and certificate pair for authentication. The
selected alias or null will be returned via the
KeyChainAliasCallback callback.
The device or profile owner can intercept this before the activity is shown, to pick a specific private key alias.
keyTypes and issuers may be used to
highlight suggested choices to the user, although to cope with
sometimes erroneous values provided by servers, the user may be
able to override these suggestions.
host and port may be used to give the user
more context about the server requesting the credentials.
alias allows the chooser to preselect an existing
alias which will still be subject to user confirmation.
| Parameters | |
|---|---|
activity |
Activity:
The Activity context to use for
launching the new sub-Activity to prompt the user to select
a private key; used only to call startActivity(); must not
be null. |
response |
KeyChainAliasCallback:
Callback to invoke when the request completes;
must not be null |
keyTypes |
String:
The acceptable types of asymmetric keys such as
"RSA" or "DSA", or a null array. |
issuers |
Principal:
The acceptable certificate issuers for the
certificate matching the private key, or null. |
host |
String:
The host name of the server requesting the
certificate, or null if unavailable. |
port |
int:
The port number of the server requesting the
certificate, or -1 if unavailable. |
alias |
String:
The alias to preselect if available, or null if
unavailable.
|
void choosePrivateKeyAlias (Activity activity, KeyChainAliasCallback response, String[] keyTypes, Principal[] issuers, Uri uri, String alias)
Launches an Activity for the user to select the alias
for a private key and certificate pair for authentication. The
selected alias or null will be returned via the
KeyChainAliasCallback callback.
The device or profile owner can intercept this before the activity is shown, to pick a specific private key alias.
keyTypes and issuers may be used to
highlight suggested choices to the user, although to cope with
sometimes erroneous values provided by servers, the user may be
able to override these suggestions.
host and port may be used to give the user
more context about the server requesting the credentials.
alias allows the chooser to preselect an existing
alias which will still be subject to user confirmation.
| Parameters | |
|---|---|
activity |
Activity:
The Activity context to use for
launching the new sub-Activity to prompt the user to select
a private key; used only to call startActivity(); must not
be null. |
response |
KeyChainAliasCallback:
Callback to invoke when the request completes;
must not be null |
keyTypes |
String:
The acceptable types of asymmetric keys such as
"EC" or "RSA", or a null array. |
issuers |
Principal:
The acceptable certificate issuers for the
certificate matching the private key, or null. |
uri |
Uri:
The full URI the server is requesting the certificate
for, or null if unavailable. |
alias |
String:
The alias to preselect if available, or null if
unavailable.
|
Intent createInstallIntent ()
Returns an Intent that can be used for credential
installation. The intent may be used without any extras, in
which case the user will be able to install credentials from
their own source.
Alternatively, EXTRA_CERTIFICATE or EXTRA_PKCS12 maybe used to specify the bytes of an X.509
certificate or a PKCS#12 key store for installation. These
extras may be combined with EXTRA_NAME to provide a
default alias name for credentials being installed.
When used with startActivityForResult(Intent, int),
RESULT_OK will be returned if a credential was
successfully installed, otherwise RESULT_CANCELED will be returned.
| Returns | |
|---|---|
Intent |
|
X509Certificate[] getCertificateChain (Context context, String alias)
Returns the X509Certificate chain for the requested
alias, or null if there is no result.
Note: If a certificate chain was explicitly specified when the alias was installed, this method will return that chain. If only the client certificate was specified at the installation time, this method will try to build a certificate chain using all available trust anchors (preinstalled and user-added).
This method may block while waiting for a connection to another process, and must never be called from the main thread.
| Parameters | |
|---|---|
context |
Context
|
alias |
String:
The alias of the desired certificate chain, typically
returned via alias(String). |
| Returns | |
|---|---|
X509Certificate[] |
|
| Throws | |
|---|---|
KeyChainException |
if the alias was valid but there was some problem accessing it. |
IllegalStateException |
if called from the main thread. |
InterruptedException |
|
PrivateKey getPrivateKey (Context context, String alias)
Returns the PrivateKey for the requested alias, or null
if there is no result.
This method may block while waiting for a connection to another process, and must never be called from the main thread.
| Parameters | |
|---|---|
context |
Context
|
alias |
String:
The alias of the desired private key, typically returned via
alias(String). |
| Returns | |
|---|---|
PrivateKey |
|
| Throws | |
|---|---|
KeyChainException |
if the alias was valid but there was some problem accessing it. |
IllegalStateException |
if called from the main thread. |
InterruptedException |
|
boolean isBoundKeyAlgorithm (String algorithm)
This method was deprecated
in API level 23.
Whether the key is bound to the secure hardware is known only
once the key has been imported. To find out, use:
PrivateKey key = ...; // private key from KeyChain
KeyFactory keyFactory =
KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class);
if (keyInfo.isInsideSecureHardware()) {
// The key is bound to the secure hardware of this Android
}Returns true if the current device's KeyChain binds any
PrivateKey of the given algorithm to the device once
imported or generated. This can be used to tell if there is special
hardware support that can be used to bind keys to the device in a way
that makes it non-exportable.
| Parameters | |
|---|---|
algorithm |
String
|
| Returns | |
|---|---|
boolean |
|
boolean isKeyAlgorithmSupported (String algorithm)
Returns true if the current device's KeyChain supports a
specific PrivateKey type indicated by algorithm (e.g.,
"RSA").
| Parameters | |
|---|---|
algorithm |
String
|
| Returns | |
|---|---|
boolean |
|