KeyStoreManager

Kotlin |Java

class KeyStoreManager

kotlin.Any
↳	android.security.keystore.KeyStoreManager

This class provides methods for interacting with keys stored within the Android Keystore.

Summary

Public methods
MutableList<X509Certificate!>	`getGrantedCertificateChainFromId(id: Long)` Returns a `List` of `X509Certificate` instances representing the certificate chain for the key that was previously shared with the app under the provided `id`.
Key	`getGrantedKeyFromId(id: Long)` Returns the key with the specified `id` that was previously shared with the app.
KeyPair	`getGrantedKeyPairFromId(id: Long)` Returns a `KeyPair` containing the public and private key associated with the key that was previously shared with the app under the provided `id`.
Long	`grantKeyAccess(alias: String, uid: Int)` Grants access to the key owned by the calling app stored under the specified `alias` to another app on the device with the provided `uid`.
Unit	`revokeKeyAccess(alias: String, uid: Int)` Revokes access to the key in the app's namespace stored under the specified `alias` that was previously granted to another app on the device with the provided `uid`.

Public methods

getGrantedCertificateChainFromId

Added in API level Baklava

fun getGrantedCertificateChainFromId(id: Long): MutableList<X509Certificate!>

Returns a List of X509Certificate instances representing the certificate chain for the key that was previously shared with the app under the provided id.

If a java.security.PrivateKey has not been granted to the caller with the specified id, then an UnrecoverableKeyException is thrown.

Parameters
`id`	Long: the ID of the asymmetric key that was shared with the app

Return
`MutableList<X509Certificate!>`	a List of X509Certificates with the certificate at index 0 corresponding to the private key shared with the app This value cannot be `null`.

Exceptions
`java.security.UnrecoverableKeyException`	if the specified key cannot be recovered
`android.security.keystore.KeyPermanentlyInvalidatedException`	if the specified key was authorized to only be used if the user has been authenticated and a change has been made to the users lockscreen or biometric enrollment that permanently invalidates the key

See Also

#grantKeyAccess(String, int)

getGrantedKeyFromId

Added in API level Baklava

fun getGrantedKeyFromId(id: Long): Key

Returns the key with the specified id that was previously shared with the app.

This method can return instances of both javax.crypto.SecretKey and . If a key with the provide id has not been granted to the caller, then an UnrecoverableKeyException is thrown.

Parameters
`id`	Long: the ID of the key that was shared with the app

Return
`Key`	the `Key` that was shared with the app This value cannot be `null`.

Exceptions
`java.security.UnrecoverableKeyException`	if the specified key cannot be recovered
`android.security.keystore.KeyPermanentlyInvalidatedException`	if the specified key was authorized to only be used if the user has been authenticated and a change has been made to the users lockscreen or biometric enrollment that permanently invalidates the key

See Also

#grantKeyAccess(String, int)

getGrantedKeyPairFromId

Added in API level Baklava

fun getGrantedKeyPairFromId(id: Long): KeyPair

Returns a KeyPair containing the public and private key associated with the key that was previously shared with the app under the provided id.

If a java.security.PrivateKey has not been granted to the caller with the specified id, then an UnrecoverableKeyException is thrown.

Parameters
`id`	Long: the ID of the private key that was shared with the app

Return
`KeyPair`	a KeyPair containing the public and private key shared with the app This value cannot be `null`.

Exceptions
`java.security.UnrecoverableKeyException`	if the specified key cannot be recovered
`android.security.keystore.KeyPermanentlyInvalidatedException`	if the specified key was authorized to only be used if the user has been authenticated and a change has been made to the users lockscreen or biometric enrollment that permanently invalidates the key

grantKeyAccess

Added in API level Baklava

fun grantKeyAccess(
    alias: String, 
    uid: Int
): Long

Grants access to the key owned by the calling app stored under the specified alias to another app on the device with the provided uid.

This method supports granting access to instances of both javax.crypto.SecretKey and java.security.PrivateKey. The resulting ID will persist across reboots and can be used by the grantee app for the life of the key or until access is revoked with revokeKeyAccess(java.lang.String,int).

If the provided alias does not correspond to a key in the Android KeyStore, then an UnrecoverableKeyException is thrown.

Parameters
`alias`	String: the alias of the key to be granted to another app This value cannot be `null`.
`uid`	Int: the uid of the app to which the key should be granted

Return
`Long`	the ID of the granted key; this can be shared with the specified app, and that app can use `getGrantedKeyFromId(long)` to access the key

Exceptions
`java.security.UnrecoverableKeyException`	if the specified key cannot be recovered
`android.security.KeyStoreException`	if an error is encountered when attempting to grant access to the key

See Also

#getGrantedKeyFromId(long)

revokeKeyAccess

Added in API level Baklava

fun revokeKeyAccess(
    alias: String, 
    uid: Int
): Unit

Revokes access to the key in the app's namespace stored under the specified alias that was previously granted to another app on the device with the provided uid.

If the provided alias does not correspond to a key in the Android KeyStore, then an UnrecoverableKeyException is thrown.

Parameters
`alias`	String: the alias of the key to be revoked from another app This value cannot be `null`.
`uid`	Int: the uid of the app from which the key access should be revoked

Exceptions
`java.security.UnrecoverableKeyException`	if the specified key cannot be recovered
`android.security.KeyStoreException`	if an error is encountered when attempting to revoke access to the key