public class KeyStoreHelper
extends java.lang.Object

Because of an issue with the SHA512withRSA algorithm on a Nexus 5x with Android 6 (see https://code.google.com/p/android/issues/detail?id=210237), we use SHA256withRSA.
| Constructor and Description |
|---|
| KeyStoreHelper() |
| Modifier and Type | Method and Description |
|---|---|
| boolean | checkKeyPairExists(java.lang.String keyName): Returns true if the keystore could be loaded and a key with keyName found. |
| void | createKeyPair(java.lang.String keyName, boolean authenticationRequired, IKeyStoreHelperCallbackHandleResult callback): Generates a private and public key to sign data. |
| static void | deleteKeyPair(java.lang.String keyName, IKeyStoreHelperCallbackHandleDelKeyPair callback): Deletes a private and public key from the KeyStore. |
| static java.lang.String | exportPublicKey(java.lang.String keyName): Returns the public key retrieved from the keystore in Privacy Enhanced Mail (PEM) format. |
| static java.lang.String | exportPublicKey(java.lang.String keyName, int base64EncodingOptions): Returns the public key retrieved from the keystore in Privacy Enhanced Mail (PEM) format. |
| static java.lang.String | getKeystoreType(): Returns the type of keystore. |
| static java.lang.String | getSignatureAlgorithm(): Returns the standard name of the algorithm requested. |
| static boolean | hasAuthenticationSettingsChanged(java.lang.String keyNameForChangeCheck): Checks if the authentication settings have changed since the key was created. |
| java.lang.String | signData(android.hardware.fingerprint.FingerprintManager.AuthenticationResult authenticationResult, java.lang.String value, int base64EncodingOptions): Uses an authorized key generated by the device to sign the value and returns the signature. |
| static java.lang.String | signData(java.lang.String keyName, java.lang.String value): Uses a key generated by the device to sign the value and returns the signature. |
| static java.lang.String | signData(java.lang.String keyName, java.lang.String value, int base64EncodingOptions): Uses a key generated by the device to sign the value and returns the signature. |
public static java.lang.String getKeystoreType()

public static java.lang.String getSignatureAlgorithm()

public static java.lang.String exportPublicKey(java.lang.String keyName)

Uses Base64.DEFAULT encoding.

Parameters:
keyName - the unique identifier of the tenant and the type of IEnrollment

public static java.lang.String exportPublicKey(java.lang.String keyName, int base64EncodingOptions)

Parameters:
keyName - the unique identifier of the tenant and the type of IEnrollment
base64EncodingOptions - the flag that controls certain features of the encoded output

public void createKeyPair(java.lang.String keyName, boolean authenticationRequired, IKeyStoreHelperCallbackHandleResult callback)

The key name has the form tenantId.enrollment.type. The size is 2,048 bits. For API level >= 23 the key is valid for 10 years; see also KeyPairGeneratorSpec.getEndDate().

Parameters:
keyName - the unique identifier of the tenant and the type of IEnrollment
authenticationRequired - indicates whether the generated key requires authentication (fingerprint) in order to get access to it. Only valid if API level >= 23.
callback - the function delegate that is invoked with the PublicKey

public static void deleteKeyPair(java.lang.String keyName, IKeyStoreHelperCallbackHandleDelKeyPair callback)

Parameters:
keyName - the unique identifier of the tenant and the type of IEnrollment
callback - the function delegate that is invoked with the success flag indicating whether the key pair has been deleted

public static java.lang.String signData(java.lang.String keyName, java.lang.String value)

Parameters:
keyName - the unique identifier of the tenant and the type of IEnrollment
value - the string to sign

public static java.lang.String signData(java.lang.String keyName, java.lang.String value, int base64EncodingOptions)

Parameters:
keyName - the unique identifier of the tenant and the type of IEnrollment
value - the string to sign
base64EncodingOptions - the flag that controls certain features of the encoded output

public java.lang.String signData(android.hardware.fingerprint.FingerprintManager.AuthenticationResult authenticationResult, java.lang.String value, int base64EncodingOptions)

Parameters:
authenticationResult - the FingerprintManager.AuthenticationResult instance that holds the authorized key for the signing
value - the string to sign
base64EncodingOptions - the flag that controls certain features of the encoded output

public static boolean hasAuthenticationSettingsChanged(java.lang.String keyNameForChangeCheck)
Uses a KeyPermanentlyInvalidatedException as an indication of whether the user has done one of the following: added a fingerprint, removed all fingerprints, or disabled the Secure Lock Screen. The key must have been generated with:
- KeyProperties#PURPOSE_SIGN
- KeyGenParameterSpec.Builder#setUserAuthenticationRequired(boolean) as true
- KeyGenParameterSpec.Builder#setUserAuthenticationValidityDurationSeconds(int) as -1
- KeyGenParameterSpec.Builder#setInvalidatedByBiometricEnrollment(boolean) as true

createKeyPair(String, boolean, IKeyStoreHelperCallbackHandleResult) will create a key that fulfills these requirements.

The observed behaviour through testing is not in line with the documentation here. Apparently the key only gets permanently invalidated when a fingerprint is added, but not when all fingerprints have been removed nor when the Secure Lock Screen has been disabled. As long as this state remains, these settings can be checked with isDeviceSecure and hasEnrolledFingerprints.

Parameters:
keyNameForChangeCheck - the name of the key used for the checking.

public boolean checkKeyPairExists(java.lang.String keyName)

Parameters:
keyName - the unique identifier of the key.
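Added example, not code from the KeyStoreHelper project: a hypothetical helper that generates a key with exactly the settings listed under hasAuthenticationSettingsChanged (matching what createKeyPair is documented to do) and detects permanent invalidation by attempting to initialise a SHA256withRSA Signature with it. It assumes API level 24 or higher (setInvalidatedByBiometricEnrollment) and the AndroidKeyStore provider; the class and method names are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Calendar;

// Hypothetical class; requires API level 24+ and the AndroidKeyStore provider.
public final class AuthBoundKeyExample {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALGORITHM = "SHA256withRSA"; // see the class note on SHA512withRSA

    // 2,048-bit RSA signing key with the settings hasAuthenticationSettingsChanged relies on.
    public static void createAuthBoundKeyPair(String keyName) throws Exception {
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 10); // valid for 10 years, as createKeyPair is documented to do
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(keyName, KeyProperties.PURPOSE_SIGN)
                .setKeySize(2048)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(-1) // fingerprint required on every use
                .setInvalidatedByBiometricEnrollment(true)        // enrolling a new fingerprint kills the key
                .setKeyValidityEnd(end.getTime())
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, KEYSTORE);
        kpg.initialize(spec);
        kpg.generateKeyPair();
    }

    // An invalidated key throws KeyPermanentlyInvalidatedException on Signature.initSign();
    // that is the signal the helper checks for. Given the observed behaviour (removing all
    // fingerprints or disabling the lock screen may not invalidate the key), also consult
    // KeyguardManager.isDeviceSecure() and FingerprintManager.hasEnrolledFingerprints().
    public static boolean hasAuthenticationSettingsChanged(String keyName) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(keyName, null);
        if (key == null) return false; // no such key: nothing to invalidate
        try {
            Signature.getInstance(ALGORITHM).initSign(key);
            return false;
        } catch (KeyPermanentlyInvalidatedException e) {
            return true;
        }
    }
}
```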