java.lang.Object | |
↳ | android.security.KeyChain |
The KeyChain
class provides access to private keys and
their corresponding certificate chains in credential storage.
Applications accessing the KeyChain
normally go through
these steps:
X509KeyManager
that a private key is requested.
choosePrivateKeyAlias
to allow the user to select from a
list of currently available private keys and corresponding
certificate chains. The chosen alias will be returned by the
callback alias(String)
, or null if no private
key is available or the user cancels the request.
getPrivateKey(Context, String)
and getCertificateChain(Context, String)
to
retrieve the credentials to return to the corresponding X509KeyManager
callbacks.
An application may remember the value of a selected alias to
avoid prompting the user with choosePrivateKeyAlias
on subsequent connections. If the alias is
no longer valid, null will be returned on lookups using that value
An application can request the installation of private keys and
certificates via the Intent
provided by createInstallIntent()
. Private keys installed via this Intent
will be accessible via choosePrivateKeyAlias(Activity, KeyChainAliasCallback, String[], Principal[], String, int, String)
while
Certificate Authority (CA) certificates will be trusted by all
applications through the default X509TrustManager
.
Constants | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
String | ACTION_STORAGE_CHANGED | Broadcast Action: Indicates the trusted storage has changed. | |||||||||
String | EXTRA_CERTIFICATE | Optional extra to specify an X.509 certificate to install on
the Intent returned by createInstallIntent() . |
|||||||||
String | EXTRA_NAME | Optional extra to specify a String credential name on
the Intent returned by createInstallIntent() . |
|||||||||
String | EXTRA_PKCS12 | Optional extra for use with the Intent returned by
createInstallIntent() to specify a PKCS#12 key store to
install. |
Public Constructors | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Public Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Launches an
Activity for the user to select the alias
for a private key and certificate pair for authentication. | |||||||||||
Returns an
Intent that can be used for credential
installation. | |||||||||||
Returns the
X509Certificate chain for the requested
alias, or null if no there is no result. | |||||||||||
Returns the
PrivateKey for the requested alias, or null
if no there is no result. | |||||||||||
Returns
true if the current device's KeyChain binds any
PrivateKey of the given algorithm to the device once
imported or generated. | |||||||||||
Returns
true if the current device's KeyChain supports a
specific PrivateKey type indicated by algorithm (e.g.,
"RSA"). |
[Expand]
Inherited Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
java.lang.Object
|
Broadcast Action: Indicates the trusted storage has changed. Sent when one of this happens:
Optional extra to specify an X.509 certificate to install on
the Intent
returned by createInstallIntent()
.
The extra value should be a PEM or ASN.1 DER encoded byte[]
. An X509Certificate
can be converted to DER
encoded bytes with getEncoded()
.
EXTRA_NAME
may be used to provide a default alias
name for the installed certificate.
Optional extra to specify a String
credential name on
the Intent
returned by createInstallIntent()
.
Optional extra for use with the Intent
returned by
createInstallIntent()
to specify a PKCS#12 key store to
install. The extra value should be a byte[]
. The bytes
may come from an external source or be generated with store(OutputStream, char[])
on a "PKCS12" instance.
The user will be prompted for the password to load the key store.
The key store will be scanned for KeyStore.PrivateKeyEntry
entries and both the
private key and associated certificate chain will be installed.
EXTRA_NAME
may be used to provide a default alias
name for the installed credentials.
Launches an Activity
for the user to select the alias
for a private key and certificate pair for authentication. The
selected alias or null will be returned via the
KeyChainAliasCallback callback.
keyTypes
and issuers
may be used to
highlight suggested choices to the user, although to cope with
sometimes erroneous values provided by servers, the user may be
able to override these suggestions.
host
and port
may be used to give the user
more context about the server requesting the credentials.
alias
allows the chooser to preselect an existing
alias which will still be subject to user confirmation.
activity | The Activity context to use for
launching the new sub-Activity to prompt the user to select
a private key; used only to call startActivity(); must not
be null. |
---|---|
response | Callback to invoke when the request completes; must not be null |
keyTypes | The acceptable types of asymmetric keys such as "RSA" or "DSA", or a null array. |
issuers | The acceptable certificate issuers for the certificate matching the private key, or null. |
host | The host name of the server requesting the certificate, or null if unavailable. |
port | The port number of the server requesting the certificate, or -1 if unavailable. |
alias | The alias to preselect if available, or null if unavailable. |
Returns an Intent
that can be used for credential
installation. The intent may be used without any extras, in
which case the user will be able to install credentials from
their own source.
Alternatively, EXTRA_CERTIFICATE
or EXTRA_PKCS12
maybe used to specify the bytes of an X.509
certificate or a PKCS#12 key store for installation. These
extras may be combined with EXTRA_NAME
to provide a
default alias name for credentials being installed.
When used with startActivityForResult(Intent, int)
,
RESULT_OK
will be returned if a credential was
successfully installed, otherwise RESULT_CANCELED
will be returned.
Returns the X509Certificate
chain for the requested
alias, or null if no there is no result.
alias | The alias of the desired certificate chain, typically
returned via alias(String) . |
---|
KeyChainException | if the alias was valid but there was some problem accessing it. |
---|---|
InterruptedException |
Returns the PrivateKey
for the requested alias, or null
if no there is no result.
alias | The alias of the desired private key, typically
returned via alias(String) . |
---|
KeyChainException | if the alias was valid but there was some problem accessing it. |
---|---|
InterruptedException |
Returns true
if the current device's KeyChain
binds any
PrivateKey
of the given algorithm
to the device once
imported or generated. This can be used to tell if there is special
hardware support that can be used to bind keys to the device in a way
that makes it non-exportable.
Returns true
if the current device's KeyChain
supports a
specific PrivateKey
type indicated by algorithm
(e.g.,
"RSA").