public class KeyStore extends Object
Modifier and Type | Class and Description |
---|---|
static class |
KeyStore.State |
Modifier and Type | Field and Description |
---|---|
static int |
FLAG_ENCRYPTED
Indicates that this key (or key pair) must be encrypted at rest.
|
static int |
FLAG_NONE |
static int |
KEY_NOT_FOUND |
static int |
LOCKED |
static int |
NO_ERROR |
static int |
OP_AUTH_NEEDED
Per operation authentication is needed before this operation is valid.
|
static int |
PERMISSION_DENIED |
static int |
PROTOCOL_ERROR |
static int |
SYSTEM_ERROR |
static int |
UID_SELF |
static int |
UNDEFINED_ACTION |
static int |
UNINITIALIZED |
static int |
VALUE_CORRUPTED |
static int |
WRONG_PASSWORD |
Modifier and Type | Method and Description |
---|---|
int |
abort(IBinder token) |
int |
addAuthToken(byte[] authToken)
Add an authentication record to the keystore authorization table.
|
boolean |
addRngEntropy(byte[] data) |
int |
attestKey(String alias,
KeymasterArguments params,
KeymasterCertificateChain outChain) |
OperationResult |
begin(String alias,
int purpose,
boolean pruneable,
KeymasterArguments args,
byte[] entropy) |
OperationResult |
begin(String alias,
int purpose,
boolean pruneable,
KeymasterArguments args,
byte[] entropy,
int uid) |
boolean |
clearUid(int uid) |
boolean |
contains(String key) |
boolean |
contains(String key,
int uid) |
boolean |
delete(String key) |
boolean |
delete(String key,
int uid) |
boolean |
duplicate(String srcKey,
int srcUid,
String destKey,
int destUid) |
ExportResult |
exportKey(String alias,
int format,
KeymasterBlob clientId,
KeymasterBlob appId) |
ExportResult |
exportKey(String alias,
int format,
KeymasterBlob clientId,
KeymasterBlob appId,
int uid) |
OperationResult |
finish(IBinder token,
KeymasterArguments arguments,
byte[] signature) |
OperationResult |
finish(IBinder token,
KeymasterArguments arguments,
byte[] signature,
byte[] entropy) |
boolean |
generate(String key,
int uid,
int keyType,
int keySize,
int flags,
byte[][] args) |
int |
generateKey(String alias,
KeymasterArguments args,
byte[] entropy,
int uid,
int flags,
KeyCharacteristics outCharacteristics) |
int |
generateKey(String alias,
KeymasterArguments args,
byte[] entropy,
int flags,
KeyCharacteristics outCharacteristics) |
byte[] |
get(String key) |
byte[] |
get(String key,
int uid) |
static Context |
getApplicationContext() |
static KeyStore |
getInstance() |
InvalidKeyException |
getInvalidKeyException(String keystoreKeyAlias,
int uid,
int errorCode)
Returns an
InvalidKeyException corresponding to the provided keystore/keymaster error
code. |
InvalidKeyException |
getInvalidKeyException(String keystoreKeyAlias,
int uid,
KeyStoreException e)
Returns an
InvalidKeyException corresponding to the provided
KeyStoreException . |
int |
getKeyCharacteristics(String alias,
KeymasterBlob clientId,
KeymasterBlob appId,
int uid,
KeyCharacteristics outCharacteristics) |
int |
getKeyCharacteristics(String alias,
KeymasterBlob clientId,
KeymasterBlob appId,
KeyCharacteristics outCharacteristics) |
static KeyStoreException |
getKeyStoreException(int errorCode)
Returns a
KeyStoreException corresponding to the provided keystore/keymaster error
code. |
int |
getLastError() |
long |
getmtime(String key) |
long |
getmtime(String key,
int uid)
Returns the last modification time of the key in milliseconds since the
epoch.
|
boolean |
grant(String key,
int uid) |
boolean |
importKey(String keyName,
byte[] key,
int uid,
int flags) |
int |
importKey(String alias,
KeymasterArguments args,
int format,
byte[] keyData,
int uid,
int flags,
KeyCharacteristics outCharacteristics) |
int |
importKey(String alias,
KeymasterArguments args,
int format,
byte[] keyData,
int flags,
KeyCharacteristics outCharacteristics) |
int |
insert(String key,
byte[] value,
int uid,
int flags) |
boolean |
isEmpty() |
boolean |
isEmpty(int userId)
Check if the keystore for
userId is empty. |
boolean |
isHardwareBacked() |
boolean |
isHardwareBacked(String keyType) |
boolean |
isOperationAuthorized(IBinder token)
Check if the operation referenced by
token is currently authorized. |
boolean |
isUnlocked() |
String[] |
list(String prefix) |
String[] |
list(String prefix,
int uid)
List all entries in the keystore for
uid starting with prefix . |
boolean |
lock() |
boolean |
lock(int userId)
Attempt to lock the keystore for
user . |
void |
onUserAdded(int userId)
Notify keystore that a user was added.
|
void |
onUserAdded(int userId,
int parentId)
Notify keystore that a user was added.
|
boolean |
onUserPasswordChanged(int userId,
String newPassword)
Notify keystore that a user's password has changed.
|
boolean |
onUserPasswordChanged(String newPassword) |
void |
onUserRemoved(int userId)
Notify keystore that a user was removed.
|
boolean |
put(String key,
byte[] value,
int uid,
int flags) |
boolean |
reset() |
byte[] |
sign(String key,
byte[] data) |
KeyStore.State |
state() |
KeyStore.State |
state(int userId) |
boolean |
ungrant(String key,
int uid) |
boolean |
unlock(int userId,
String password)
Attempt to unlock the keystore for
user with the password password . |
boolean |
unlock(String password) |
OperationResult |
update(IBinder token,
KeymasterArguments arguments,
byte[] input) |
boolean |
verify(String key,
byte[] data,
byte[] signature) |
public static final int NO_ERROR
public static final int LOCKED
public static final int UNINITIALIZED
public static final int SYSTEM_ERROR
public static final int PROTOCOL_ERROR
public static final int PERMISSION_DENIED
public static final int KEY_NOT_FOUND
public static final int VALUE_CORRUPTED
public static final int UNDEFINED_ACTION
public static final int WRONG_PASSWORD
public static final int OP_AUTH_NEEDED
Per operation authentication is needed before this operation is valid. This is returned from begin(java.lang.String, int, boolean, android.security.keymaster.KeymasterArguments, byte[], int) when begin succeeds but the operation uses per-operation authentication and must authenticate before calling update(android.os.IBinder, android.security.keymaster.KeymasterArguments, byte[]) or finish(android.os.IBinder, android.security.keymaster.KeymasterArguments, byte[], byte[]).
public static final int UID_SELF
public static final int FLAG_NONE
public static final int FLAG_ENCRYPTED
Indicates that this key (or key pair) must be encrypted at rest. Note that this requires that the secure lock screen (e.g., password, PIN, pattern) is set up; otherwise key (or key pair) generation or import will fail. Moreover, this key (or key pair) will be deleted when the secure lock screen is disabled or reset (e.g., by the user or a Device Administrator). Finally, this key (or key pair) cannot be used until the user unlocks the secure lock screen after boot.
public static Context getApplicationContext()
public static KeyStore getInstance()
public KeyStore.State state(int userId)
public KeyStore.State state()
public boolean isUnlocked()
public byte[] get(String key, int uid)
public byte[] get(String key)
public boolean put(String key, byte[] value, int uid, int flags)
public int insert(String key, byte[] value, int uid, int flags)
public boolean delete(String key, int uid)
public boolean delete(String key)
public boolean contains(String key, int uid)
public boolean contains(String key)
public String[] list(String prefix, int uid)
List all entries in the keystore for uid starting with prefix.
public boolean reset()
public boolean lock(int userId)
Attempt to lock the keystore for user.
Parameters:
user - Android user to lock.
Returns:
whether user's keystore was locked.
public boolean lock()
public boolean unlock(int userId, String password)
Attempt to unlock the keystore for user with the password password.
This is required before keystore entries created with FLAG_ENCRYPTED can be accessed or created.
Parameters:
user - Android user ID to operate on
password - user's keystore password. Should be the most recent value passed to onUserPasswordChanged(int, java.lang.String) for the user.
public boolean unlock(String password)
public boolean isEmpty(int userId)
Check if the keystore for userId is empty.
public boolean isEmpty()
public boolean generate(String key, int uid, int keyType, int keySize, int flags, byte[][] args)
public boolean importKey(String keyName, byte[] key, int uid, int flags)
public byte[] sign(String key, byte[] data)
public boolean verify(String key, byte[] data, byte[] signature)
public boolean grant(String key, int uid)
public boolean ungrant(String key, int uid)
public long getmtime(String key, int uid)
public long getmtime(String key)
public boolean isHardwareBacked()
public boolean isHardwareBacked(String keyType)
public boolean clearUid(int uid)
public int getLastError()
public boolean addRngEntropy(byte[] data)
public int generateKey(String alias, KeymasterArguments args, byte[] entropy, int uid, int flags, KeyCharacteristics outCharacteristics)
public int generateKey(String alias, KeymasterArguments args, byte[] entropy, int flags, KeyCharacteristics outCharacteristics)
public int getKeyCharacteristics(String alias, KeymasterBlob clientId, KeymasterBlob appId, int uid, KeyCharacteristics outCharacteristics)
public int getKeyCharacteristics(String alias, KeymasterBlob clientId, KeymasterBlob appId, KeyCharacteristics outCharacteristics)
public int importKey(String alias, KeymasterArguments args, int format, byte[] keyData, int uid, int flags, KeyCharacteristics outCharacteristics)
public int importKey(String alias, KeymasterArguments args, int format, byte[] keyData, int flags, KeyCharacteristics outCharacteristics)
public ExportResult exportKey(String alias, int format, KeymasterBlob clientId, KeymasterBlob appId, int uid)
public ExportResult exportKey(String alias, int format, KeymasterBlob clientId, KeymasterBlob appId)
public OperationResult begin(String alias, int purpose, boolean pruneable, KeymasterArguments args, byte[] entropy, int uid)
public OperationResult begin(String alias, int purpose, boolean pruneable, KeymasterArguments args, byte[] entropy)
public OperationResult update(IBinder token, KeymasterArguments arguments, byte[] input)
public OperationResult finish(IBinder token, KeymasterArguments arguments, byte[] signature, byte[] entropy)
public OperationResult finish(IBinder token, KeymasterArguments arguments, byte[] signature)
public int abort(IBinder token)
public boolean isOperationAuthorized(IBinder token)
Check if the operation referenced by token is currently authorized.
Parameters:
token - An operation token returned by a call to begin.
public int addAuthToken(byte[] authToken)
Add an authentication record to the keystore authorization table.
Parameters:
authToken - The packed bytes of a hw_auth_token_t to be provided to keymaster.
Returns:
KeyStore.NO_ERROR on success, otherwise an error value corresponding to a KeymasterDefs.KM_ERROR_ value or KeyStore ResponseCode.
public boolean onUserPasswordChanged(int userId, String newPassword)
Notify keystore that a user's password has changed.
Parameters:
userId - the user whose password changed.
newPassword - the new password or "" if the password was removed.
public void onUserAdded(int userId, int parentId)
Notify keystore that a user was added.
Parameters:
userId - the new user.
parentId - the parent of the new user, or -1 if the user has no parent. If parentId is specified then the new user's keystore will be initialized with the same secure lockscreen password as the parent.
public void onUserAdded(int userId)
Notify keystore that a user was added.
Parameters:
userId - the new user.
public void onUserRemoved(int userId)
Notify keystore that a user was removed.
Parameters:
userId - the removed user.
public boolean onUserPasswordChanged(String newPassword)
public int attestKey(String alias, KeymasterArguments params, KeymasterCertificateChain outChain)
public static KeyStoreException getKeyStoreException(int errorCode)
Returns a KeyStoreException corresponding to the provided keystore/keymaster error code.
public InvalidKeyException getInvalidKeyException(String keystoreKeyAlias, int uid, KeyStoreException e)
Returns an InvalidKeyException corresponding to the provided KeyStoreException.
public InvalidKeyException getInvalidKeyException(String keystoreKeyAlias, int uid, int errorCode)
Returns an InvalidKeyException corresponding to the provided keystore/keymaster error code.