Home | History | Annotate | Download | only in security 
      1 /*
      2  * Copyright (C) 2017 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 package android.security;
     18 
     19 import java.security.KeyPair;
     20 import java.security.cert.Certificate;
     21 import java.util.ArrayList;
     22 import java.util.Arrays;
     23 import java.util.List;
     24 
     25 /**
     26  * The {@code AttestedKeyPair} class contains a {@code KeyPair} instance of
     27  * keys generated by Keystore and owned by KeyChain, as well as an attestation
     28  * record for the key.
     29  *
     30  * <p>Such keys can be obtained by calling
     31  * {@link android.app.admin.DevicePolicyManager#generateKeyPair}.
     32  */
     33 
     34 public final class AttestedKeyPair {
     35     private final KeyPair mKeyPair;
     36     private final Certificate[] mAttestationRecord;
     37 
     38     /**
     39      * @hide Only created by the platform, no need to expose as public API.
     40      */
     41     public AttestedKeyPair(KeyPair keyPair, Certificate[] attestationRecord) {
     42         mKeyPair = keyPair;
     43         mAttestationRecord = attestationRecord;
     44     }
     45 
     46     /**
     47      * Returns the generated key pair associated with the attestation record
     48      * in this instance.
     49      */
     50     public KeyPair getKeyPair() {
     51         return mKeyPair;
     52     }
     53 
     54     /**
     55      * Returns the attestation record for the key pair in this instance.
     56      *
     57      * The attestation record is a chain of certificates. The leaf certificate links to the public
     58      * key of this key pair and other properties of the key or the device. If the key is in secure
     59      * hardware, and if the secure hardware supports attestation, the leaf certificate will be
     60      * signed by a chain of certificates rooted at a trustworthy CA key. Otherwise the chain will be
     61      * rooted at an untrusted certificate.
     62      *
     63      * The attestation record could be for properties of the key, or include device identifiers.
     64      *
     65      * See {@link android.security.keystore.KeyGenParameterSpec.Builder#setAttestationChallenge}
     66      * and  <a href="https://developer.android.com/training/articles/security-key-attestation.html">
     67      * Key Attestation</a> for the format of the attestation record inside the certificate.
     68      */
     69     public List<Certificate> getAttestationRecord() {
     70         if (mAttestationRecord == null) {
     71             return new ArrayList();
     72         }
     73         return Arrays.asList(mAttestationRecord);
     74     }
     75 }
     76