

WritableIdentityCredential.GetCredentialKeyCertificateChain(Byte[]) Method

Definition

Generates and returns an X.509 certificate chain for the CredentialKey which identifies this credential to the issuing authority.

[Android.Runtime.Register("getCredentialKeyCertificateChain", "([B)Ljava/util/Collection;", "GetGetCredentialKeyCertificateChain_arrayBHandler", ApiSince=30)]
public abstract System.Collections.Generic.ICollection<Java.Security.Cert.X509Certificate> GetCredentialKeyCertificateChain (byte[] challenge);
[<Android.Runtime.Register("getCredentialKeyCertificateChain", "([B)Ljava/util/Collection;", "GetGetCredentialKeyCertificateChain_arrayBHandler", ApiSince=30)>]
abstract member GetCredentialKeyCertificateChain : byte[] -> System.Collections.Generic.ICollection<Java.Security.Cert.X509Certificate>

Parameters

challenge
Byte[]

is a non-empty byte array whose contents should be unique, fresh and provided by the issuing authority. The value provided is embedded in the attestation extension and enables the issuing authority to verify that the attestation certificate is fresh. Implementations are required to support challenges of at least 32 bytes in length.

Returns

the X.509 certificate chain for this credential's CredentialKey.

Attributes

Remarks

Generates and returns an X.509 certificate chain for the CredentialKey which identifies this credential to the issuing authority. The certificate contains an Android Keystore attestation extension which describes the key and the security hardware in which it lives.

Additionally, the attestation extension will contain the tag Tag::IDENTITY_CREDENTIAL_KEY which indicates it is an Identity Credential key (which can only sign/MAC very specific messages) and not an Android Keystore key (which can be used to sign/MAC anything).

The issuer <b>MUST</b> carefully examine this certificate chain including (but not limited to) checking that the root certificate is well-known, the tag Tag::IDENTITY_CREDENTIAL_KEY is present, the passed-in challenge is present, the tag Tag::ATTESTATION_APPLICATION_ID is set to the expected Android application, the device has verified boot enabled, each certificate in the chain is signed by its successor, none of the certificates have been revoked, and so on.

It is not strictly necessary to use this method to provision a credential if the issuing authority doesn't care about the nature of the security hardware. If called, however, this method must be called before #personalize(PersonalizationData).
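The issuer-side checks listed in the remarks run on the issuing authority's server, not on the device, so the following added example (not code from this page, the Android framework or the .NET binding) is written in Python with only the standard library. It assumes the caller has already pulled the value of the key attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) out of the leaf certificate with an X.509 library; chain signature verification, root pinning and revocation checks are likewise left to that library and are not shown. What it does show is the part that is specific to Identity Credentials: decoding the KeyDescription structure and verifying the challenge, the Tag::IDENTITY_CREDENTIAL_KEY (721) entry, the Tag::ATTESTATION_APPLICATION_ID (709) package name and the RootOfTrust verified boot state. The package name `com.example.wallet`, the `sample_key_description` builder and all byte values in it are constructed test input, not real device output.

```python
"""Issuer-side checks on the Android Keystore attestation extension of a
CredentialKey certificate. Input is the DER value of extension
1.3.6.1.4.1.11129.2.1.17 taken from the leaf certificate (extraction, chain
signature verification, root pinning and revocation are left to an X.509 library)."""

TAG_ROOT_OF_TRUST = 704               # Tag::ROOT_OF_TRUST
TAG_ATTESTATION_APPLICATION_ID = 709  # Tag::ATTESTATION_APPLICATION_ID
TAG_IDENTITY_CREDENTIAL_KEY = 721     # Tag::IDENTITY_CREDENTIAL_KEY
SECURITY_LEVEL_SOFTWARE = 0           # SecurityLevel: Software(0), TrustedEnvironment(1), StrongBox(2)
VERIFIED_BOOT_VERIFIED = 0            # VerifiedBootState: Verified(0), SelfSigned(1), Unverified(2), Failed(3)
CTX = 0x80                            # context-specific tag class

# --- tiny DER codec: enough for KeyDescription and for building constructed test input ---
def _tag(cls, constructed, num):
    first = cls | (0x20 if constructed else 0)
    if num < 31:
        return bytes([first | num])
    groups = []                       # high tag numbers (e.g. 704, 709, 721) use base-128 continuation bytes
    while True:
        groups.append(num & 0x7F)
        num >>= 7
        if not num:
            break
    groups.reverse()
    return bytes([first | 0x1F] + [g | 0x80 for g in groups[:-1]] + [groups[-1]])

def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(cls, constructed, num, body):
    return _tag(cls, constructed, num) + _length(len(body)) + body

def der_int(v):      return tlv(0, False, 2, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def der_bool(v):     return tlv(0, False, 1, b"\xff" if v else b"\x00")
def der_octets(b):   return tlv(0, False, 4, b)
def der_null():      return tlv(0, False, 5, b"")
def der_enum(v):     return tlv(0, False, 10, bytes([v]))
def der_seq(*items): return tlv(0, True, 16, b"".join(items))
def der_set(*items): return tlv(0, True, 17, b"".join(items))
def explicit(num, inner): return tlv(CTX, True, num, inner)   # [num] EXPLICIT inner

def read_tlv(data, pos=0):
    """Decode one TLV at pos -> (cls, constructed, tagnum, value, next_pos)."""
    first = data[pos]; pos += 1
    cls, constructed, num = first & 0xC0, bool(first & 0x20), first & 0x1F
    if num == 0x1F:
        num = 0
        while True:
            b = data[pos]; pos += 1
            num = (num << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = data[pos]; pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big"); pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return cls, constructed, num, value, pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        cls, constructed, num, value, pos = read_tlv(body, pos)
        out.append((cls, constructed, num, value))
    return out

def auth_list(body):
    """AuthorizationList -> {tag number: DER of the EXPLICITly tagged inner value}."""
    return {num: value for cls, _, num, value in children(body) if cls == CTX}

def parse_key_description(der):
    cls, constructed, num, body, _ = read_tlv(der)
    fields = children(body)
    if (cls, constructed, num) != (0, True, 16) or len(fields) != 8:
        raise ValueError("not a KeyDescription SEQUENCE")
    return {"attestationSecurityLevel": fields[1][3][0],   # ENUMERATED byte
            "attestationChallenge": fields[4][3],         # OCTET STRING
            "softwareEnforced": auth_list(fields[6][3]),
            "hardwareEnforced": auth_list(fields[7][3])}

def application_packages(app_id_der):
    """AttestationApplicationId: OCTET STRING wrapping SEQUENCE { SET OF SEQUENCE { package OCTET STRING,
    version INTEGER }, SET OF OCTET STRING signature digests }. Returns the set of package names."""
    inner = read_tlv(app_id_der)[3]
    package_infos = children(read_tlv(inner)[3])[0][3]
    return {children(info)[0][3].decode() for _, _, _, info in children(package_infos)}

def attestation_failures(key_description_der, expected_challenge, expected_package):
    """Return the issuer checks from the remarks that fail; an empty list means the extension passed."""
    kd = parse_key_description(key_description_der)
    hw, sw = kd["hardwareEnforced"], kd["softwareEnforced"]
    failures = []
    if kd["attestationSecurityLevel"] == SECURITY_LEVEL_SOFTWARE:
        failures.append("attestation is software-level, not TEE/StrongBox")
    if kd["attestationChallenge"] != expected_challenge:
        failures.append("challenge mismatch")
    if TAG_IDENTITY_CREDENTIAL_KEY not in hw:
        failures.append("IDENTITY_CREDENTIAL_KEY tag missing (not an Identity Credential key)")
    app_id = sw.get(TAG_ATTESTATION_APPLICATION_ID) or hw.get(TAG_ATTESTATION_APPLICATION_ID)
    if app_id is None or expected_package not in application_packages(app_id):
        failures.append("ATTESTATION_APPLICATION_ID does not name the expected app")
    rot = hw.get(TAG_ROOT_OF_TRUST)
    if rot is None:
        failures.append("RootOfTrust missing")
    else:
        _, locked, state, _ = children(read_tlv(rot)[3])   # verifiedBootKey, deviceLocked, verifiedBootState, verifiedBootHash
        if locked[3] != b"\xff" or state[3][0] != VERIFIED_BOOT_VERIFIED:
            failures.append("device not locked with verified boot")
    return failures

def sample_key_description(challenge, package="com.example.wallet", identity_key=True, locked=True):
    """Constructed KeyDescription for demonstration only; real values come from the device."""
    app_id = der_seq(der_set(der_seq(der_octets(package.encode()), der_int(1))), der_set(der_octets(b"\x11" * 32)))
    root_of_trust = der_seq(der_octets(b"\x22" * 32), der_bool(locked),
                            der_enum(VERIFIED_BOOT_VERIFIED if locked else 2), der_octets(b"\x33" * 32))
    hw = [explicit(TAG_ROOT_OF_TRUST, root_of_trust)]
    if identity_key:
        hw.append(explicit(TAG_IDENTITY_CREDENTIAL_KEY, der_null()))
    return der_seq(der_int(4), der_enum(1), der_int(41), der_enum(1), der_octets(challenge), der_octets(b""),
                   der_seq(explicit(TAG_ATTESTATION_APPLICATION_ID, der_octets(app_id))), der_seq(*hw))

if __name__ == "__main__":
    challenge = bytes(range(32))   # constructed; a real issuer generates this fresh per request
    print(attestation_failures(sample_key_description(challenge), challenge, "com.example.wallet"))
    print(attestation_failures(sample_key_description(challenge, identity_key=False), b"\x00" * 32, "com.other.app"))
```

The IDENTITY_CREDENTIAL_KEY and RootOfTrust entries are looked up only in the hardware-enforced list, since a software-enforced claim of either says nothing about the secure hardware; the application ID is accepted from either list because the framework, not the hardware, supplies it. Treat any non-empty result as a refusal to provision, and run it only after the chain itself has been validated back to a known Google attestation root.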

Java documentation for android.security.identity.WritableIdentityCredential.getCredentialKeyCertificateChain(byte[]).

Portions of this page are modifications based on work created and shared by the Android Open Source Project and used according to terms described in the Creative Commons 2.5 Attribution License.

Applies to