Loading api/current.txt +2 −0 Original line number Diff line number Diff line Loading @@ -6800,6 +6800,7 @@ package android.app.admin { method public boolean isResetPasswordTokenActive(android.content.ComponentName); method public boolean isSecurityLoggingEnabled(@Nullable android.content.ComponentName); method public boolean isUninstallBlocked(@Nullable android.content.ComponentName, String); method public boolean isUniqueDeviceAttestationSupported(); method public boolean isUsingUnifiedPassword(@NonNull android.content.ComponentName); method public void lockNow(); method public void lockNow(int); Loading Loading @@ -6981,6 +6982,7 @@ package android.app.admin { field public static final int FLAG_PARENT_CAN_ACCESS_MANAGED = 1; // 0x1 field public static final int ID_TYPE_BASE_INFO = 1; // 0x1 field public static final int ID_TYPE_IMEI = 4; // 0x4 field public static final int ID_TYPE_INDIVIDUAL_ATTESTATION = 16; // 0x10 field public static final int ID_TYPE_MEID = 8; // 0x8 field public static final int ID_TYPE_SERIAL = 2; // 0x2 field public static final int INSTALLKEY_REQUEST_CREDENTIALS_ACCESS = 1; // 0x1 api/system-current.txt +1 −0 Original line number Diff line number Diff line Loading @@ -6180,6 +6180,7 @@ package android.security.keystore { field public static final int ID_TYPE_IMEI = 2; // 0x2 field public static final int ID_TYPE_MEID = 3; // 0x3 field public static final int ID_TYPE_SERIAL = 1; // 0x1 field public static final int USE_INDIVIDUAL_ATTESTATION = 4; // 0x4 } public class DeviceIdAttestationException extends java.lang.Exception { Loading api/test-current.txt +1 −0 Original line number Diff line number Diff line Loading 
@@ -2435,6 +2435,7 @@ package android.security.keystore { field public static final int ID_TYPE_IMEI = 2; // 0x2 field public static final int ID_TYPE_MEID = 3; // 0x3 field public static final int ID_TYPE_SERIAL = 1; // 0x1 field public static final int USE_INDIVIDUAL_ATTESTATION = 4; // 0x4 } public class DeviceIdAttestationException extends java.lang.Exception { Loading core/java/android/app/admin/DevicePolicyManager.java +60 −13 Original line number Diff line number Diff line Loading @@ -2079,7 +2079,8 @@ public class DevicePolicyManager { ID_TYPE_BASE_INFO, ID_TYPE_SERIAL, ID_TYPE_IMEI, ID_TYPE_MEID ID_TYPE_MEID, ID_TYPE_INDIVIDUAL_ATTESTATION }) public @interface AttestationIdType {} Loading Loading @@ -2113,6 +2114,14 @@ public class DevicePolicyManager { */ public static final int ID_TYPE_MEID = 8; /** * Specifies that the device should attest using an individual attestation certificate. * For use with {@link #generateKeyPair}. * * @see #generateKeyPair */ public static final int ID_TYPE_INDIVIDUAL_ATTESTATION = 16; /** * Service-specific error code for {@link #generateKeyPair}: * Indicates the call has failed due to StrongBox unavailability. Loading Loading 
@@ -4892,25 +4901,48 @@ public class DevicePolicyManager { * have been given to access the key and certificates associated with this alias will be * revoked. * * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or * {@code null} if calling from a delegated certificate installer. * @param algorithm The key generation algorithm, see {@link java.security.KeyPairGenerator}. * @param keySpec Specification of the key to generate, see * {@link java.security.KeyPairGenerator}. * @param idAttestationFlags A bitmask of all the identifiers that should be included in the * attestation record ({@code ID_TYPE_BASE_INFO}, {@code ID_TYPE_SERIAL}, * {@code ID_TYPE_IMEI} and {@code ID_TYPE_MEID}), or {@code 0} if no device * identification is required in the attestation record. * Device owner, profile owner and their delegated certificate installer can use * <p>Attestation: to enable attestation, set an attestation challenge in {@code keySpec} via * {@link KeyGenParameterSpec.Builder#setAttestationChallenge}. By specifying flags to the * {@code idAttestationFlags} parameter, it is possible to request the device's unique * identity to be included in the attestation record. * * <p>Specific identifiers can be included in the attestation record, and an individual * attestation certificate can be used to sign the attestation record. To find out if the device * supports these features, refer to {@link #isDeviceIdAttestationSupported()} and * {@link #isUniqueDeviceAttestationSupported()}. * * <p>Device owner, profile owner and their delegated certificate installer can use * {@link #ID_TYPE_BASE_INFO} to request inclusion of the general device information * including manufacturer, model, brand, device and product in the attestation record. * Only device owner and their delegated certificate installer can use * {@link #ID_TYPE_SERIAL}, {@link #ID_TYPE_IMEI} and {@link #ID_TYPE_MEID} to request * unique device identifiers to be attested. 
* unique device identifiers to be attested (the serial number, IMEI and MEID correspondingly), * if supported by the device (see {@link #isDeviceIdAttestationSupported()}). * Additionally, device owner and their delegated certificate installer can also request the * attestation record to be signed using an individual attestation certificate by specifying * the {@link #ID_TYPE_INDIVIDUAL_ATTESTATION} flag (if supported by the device, see * {@link #isUniqueDeviceAttestationSupported()}). * <p> * If any of {@link #ID_TYPE_SERIAL}, {@link #ID_TYPE_IMEI} and {@link #ID_TYPE_MEID} * is set, it is implicitly assumed that {@link #ID_TYPE_BASE_INFO} is also set. * <p> * Attestation using {@link #ID_TYPE_INDIVIDUAL_ATTESTATION} can only be requested if * key generation is done in StrongBox. * * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or * {@code null} if calling from a delegated certificate installer. * @param algorithm The key generation algorithm, see {@link java.security.KeyPairGenerator}. * @param keySpec Specification of the key to generate, see * {@link java.security.KeyPairGenerator}. * @param idAttestationFlags A bitmask of the identifiers that should be included in the * attestation record ({@code ID_TYPE_BASE_INFO}, {@code ID_TYPE_SERIAL}, * {@code ID_TYPE_IMEI} and {@code ID_TYPE_MEID}), and * {@code ID_TYPE_INDIVIDUAL_ATTESTATION} if the attestation record should be signed * using an individual attestation certificate. * <p> * {@code 0} should be passed in if no device identification is required in the * attestation record and the batch attestation certificate should be used. * <p> * If any flag is specified, then an attestation challenge must be included in the * {@code keySpec}. * @return A non-null {@code AttestedKeyPair} if the key generation succeeded, null otherwise. Loading Loading 
@@ -5051,7 +5083,8 @@ public class DevicePolicyManager { /** * Returns {@code true} if the device supports attestation of device identifiers in addition * to key attestation. * to key attestation. See * {@link #generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)} * @return {@code true} if Device ID attestation is supported. */ public boolean isDeviceIdAttestationSupported() { Loading @@ -5059,6 +5092,20 @@ public class DevicePolicyManager { return pm.hasSystemFeature(PackageManager.FEATURE_DEVICE_ID_ATTESTATION); } /** * Returns {@code true} if the StrongBox Keymaster implementation on the device was provisioned * with an individual attestation certificate and can sign attestation records using it (as * attestation using an individual attestation certificate is a feature only Keymaster * implementations with StrongBox security level can implement). * For use prior to calling * {@link #generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)}. * @return {@code true} if individual attestation is supported. */ public boolean isUniqueDeviceAttestationSupported() { PackageManager pm = mContext.getPackageManager(); return pm.hasSystemFeature(PackageManager.FEATURE_DEVICE_UNIQUE_ATTESTATION); } /** * Called by a device or profile owner, or delegated certificate installer, to associate * certificates with a key pair that was generated using {@link #generateKeyPair}, and Loading core/java/android/content/pm/PackageManager.java +11 −0 Original line number Diff line number Diff line Loading 
@@ -2847,6 +2847,17 @@ public abstract class PackageManager { public static final String FEATURE_STRONGBOX_KEYSTORE = "android.hardware.strongbox_keystore"; /** * Feature for {@link #getSystemAvailableFeatures} and {@link #hasSystemFeature}: * The device supports device-unique Keystore attestations. Only available on devices that * also support {@link #FEATURE_STRONGBOX_KEYSTORE}, and can only be used by device owner * apps (see {@link android.app.admin.DevicePolicyManager#generateKeyPair}). * @hide */ @SdkConstant(SdkConstantType.FEATURE) public static final String FEATURE_DEVICE_UNIQUE_ATTESTATION = "android.hardware.device_unique_attestation"; /** * Feature for {@link #getSystemAvailableFeatures} and {@link #hasSystemFeature}: * The device has a Keymaster implementation that supports Device ID attestation. Loading Loading
api/current.txt +2 −0 @@ -6800,6 +6800,7 @@ package android.app.admin { method public boolean isResetPasswordTokenActive(android.content.ComponentName); method public boolean isSecurityLoggingEnabled(@Nullable android.content.ComponentName); method public boolean isUninstallBlocked(@Nullable android.content.ComponentName, String); method public boolean isUniqueDeviceAttestationSupported(); method public boolean isUsingUnifiedPassword(@NonNull android.content.ComponentName); method public void lockNow(); method public void lockNow(int); @@ -6981,6 +6982,7 @@ package android.app.admin { field public static final int FLAG_PARENT_CAN_ACCESS_MANAGED = 1; // 0x1 field public static final int ID_TYPE_BASE_INFO = 1; // 0x1 field public static final int ID_TYPE_IMEI = 4; // 0x4 field public static final int ID_TYPE_INDIVIDUAL_ATTESTATION = 16; // 0x10 field public static final int ID_TYPE_MEID = 8; // 0x8 field public static final int ID_TYPE_SERIAL = 2; // 0x2 field public static final int INSTALLKEY_REQUEST_CREDENTIALS_ACCESS = 1; // 0x1
api/system-current.txt +1 −0 @@ -6180,6 +6180,7 @@ package android.security.keystore { field public static final int ID_TYPE_IMEI = 2; // 0x2 field public static final int ID_TYPE_MEID = 3; // 0x3 field public static final int ID_TYPE_SERIAL = 1; // 0x1 field public static final int USE_INDIVIDUAL_ATTESTATION = 4; // 0x4 } public class DeviceIdAttestationException extends java.lang.Exception {
api/test-current.txt +1 −0 @@ -2435,6 +2435,7 @@ package android.security.keystore { field public static final int ID_TYPE_IMEI = 2; // 0x2 field public static final int ID_TYPE_MEID = 3; // 0x3 field public static final int ID_TYPE_SERIAL = 1; // 0x1 field public static final int USE_INDIVIDUAL_ATTESTATION = 4; // 0x4 } public class DeviceIdAttestationException extends java.lang.Exception {
core/java/android/app/admin/DevicePolicyManager.java +60 −13 @@ -2079,7 +2079,8 @@ public class DevicePolicyManager { ID_TYPE_BASE_INFO, ID_TYPE_SERIAL, ID_TYPE_IMEI, ID_TYPE_MEID ID_TYPE_MEID, ID_TYPE_INDIVIDUAL_ATTESTATION }) public @interface AttestationIdType {} @@ -2113,6 +2114,14 @@ public class DevicePolicyManager { */ public static final int ID_TYPE_MEID = 8; /** * Specifies that the device should attest using an individual attestation certificate. * For use with {@link #generateKeyPair}. * * @see #generateKeyPair */ public static final int ID_TYPE_INDIVIDUAL_ATTESTATION = 16; /** * Service-specific error code for {@link #generateKeyPair}: * Indicates the call has failed due to StrongBox unavailability.
@@ -4892,25 +4901,48 @@ public class DevicePolicyManager { * have been given to access the key and certificates associated with this alias will be * revoked. * * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or * {@code null} if calling from a delegated certificate installer. * @param algorithm The key generation algorithm, see {@link java.security.KeyPairGenerator}. * @param keySpec Specification of the key to generate, see * {@link java.security.KeyPairGenerator}. * @param idAttestationFlags A bitmask of all the identifiers that should be included in the * attestation record ({@code ID_TYPE_BASE_INFO}, {@code ID_TYPE_SERIAL}, * {@code ID_TYPE_IMEI} and {@code ID_TYPE_MEID}), or {@code 0} if no device * identification is required in the attestation record. * Device owner, profile owner and their delegated certificate installer can use * <p>Attestation: to enable attestation, set an attestation challenge in {@code keySpec} via * {@link KeyGenParameterSpec.Builder#setAttestationChallenge}. By specifying flags to the * {@code idAttestationFlags} parameter, it is possible to request the device's unique * identity to be included in the attestation record. * * <p>Specific identifiers can be included in the attestation record, and an individual * attestation certificate can be used to sign the attestation record. To find out if the device * supports these features, refer to {@link #isDeviceIdAttestationSupported()} and * {@link #isUniqueDeviceAttestationSupported()}. * * <p>Device owner, profile owner and their delegated certificate installer can use * {@link #ID_TYPE_BASE_INFO} to request inclusion of the general device information * including manufacturer, model, brand, device and product in the attestation record. * Only device owner and their delegated certificate installer can use * {@link #ID_TYPE_SERIAL}, {@link #ID_TYPE_IMEI} and {@link #ID_TYPE_MEID} to request * unique device identifiers to be attested. 
* unique device identifiers to be attested (the serial number, IMEI and MEID correspondingly), * if supported by the device (see {@link #isDeviceIdAttestationSupported()}). * Additionally, device owner and their delegated certificate installer can also request the * attestation record to be signed using an individual attestation certificate by specifying * the {@link #ID_TYPE_INDIVIDUAL_ATTESTATION} flag (if supported by the device, see * {@link #isUniqueDeviceAttestationSupported()}). * <p> * If any of {@link #ID_TYPE_SERIAL}, {@link #ID_TYPE_IMEI} and {@link #ID_TYPE_MEID} * is set, it is implicitly assumed that {@link #ID_TYPE_BASE_INFO} is also set. * <p> * Attestation using {@link #ID_TYPE_INDIVIDUAL_ATTESTATION} can only be requested if * key generation is done in StrongBox. * * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or * {@code null} if calling from a delegated certificate installer. * @param algorithm The key generation algorithm, see {@link java.security.KeyPairGenerator}. * @param keySpec Specification of the key to generate, see * {@link java.security.KeyPairGenerator}. * @param idAttestationFlags A bitmask of the identifiers that should be included in the * attestation record ({@code ID_TYPE_BASE_INFO}, {@code ID_TYPE_SERIAL}, * {@code ID_TYPE_IMEI} and {@code ID_TYPE_MEID}), and * {@code ID_TYPE_INDIVIDUAL_ATTESTATION} if the attestation record should be signed * using an individual attestation certificate. * <p> * {@code 0} should be passed in if no device identification is required in the * attestation record and the batch attestation certificate should be used. * <p> * If any flag is specified, then an attestation challenge must be included in the * {@code keySpec}. * @return A non-null {@code AttestedKeyPair} if the key generation succeeded, null otherwise. Loading Loading 
@@ -5051,7 +5083,8 @@ public class DevicePolicyManager { /** * Returns {@code true} if the device supports attestation of device identifiers in addition * to key attestation. * to key attestation. See * {@link #generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)} * @return {@code true} if Device ID attestation is supported. */ public boolean isDeviceIdAttestationSupported() { @@ -5059,6 +5092,20 @@ public class DevicePolicyManager { return pm.hasSystemFeature(PackageManager.FEATURE_DEVICE_ID_ATTESTATION); } /** * Returns {@code true} if the StrongBox Keymaster implementation on the device was provisioned * with an individual attestation certificate and can sign attestation records using it (as * attestation using an individual attestation certificate is a feature only Keymaster * implementations with StrongBox security level can implement). * For use prior to calling * {@link #generateKeyPair(ComponentName, String, KeyGenParameterSpec, int)}. * @return {@code true} if individual attestation is supported. */ public boolean isUniqueDeviceAttestationSupported() { PackageManager pm = mContext.getPackageManager(); return pm.hasSystemFeature(PackageManager.FEATURE_DEVICE_UNIQUE_ATTESTATION); } /** * Called by a device or profile owner, or delegated certificate installer, to associate * certificates with a key pair that was generated using {@link #generateKeyPair}, and
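Review bot: The new Javadoc on `ID_TYPE_INDIVIDUAL_ATTESTATION` (second hunk of this file) says only that the device attests with an individual certificate and does not state what that means for device identifiability, although the `generateKeyPair` text contrasts it with the batch attestation certificate and PackageManager calls the feature "device-unique". I would add to the constant's comment something like `Unlike the batch certificate, the individual certificate is unique to this device, so the attestation chain identifies the device even when no ID_TYPE_SERIAL, ID_TYPE_IMEI or ID_TYPE_MEID flag is set.` The `generateKeyPair` Javadoc also leaves the failure mode open: when the flag is passed for a key that is not generated in StrongBox, or on a device where `isUniqueDeviceAttestationSupported()` returns false, it does not say whether the call returns null or fails with the StrongBox-unavailable error code; the method body is outside the hunks, so this needs checking against the implementation. As a style point, the same capability is called "individual" in the flag and "unique" in `isUniqueDeviceAttestationSupported()` and `FEATURE_DEVICE_UNIQUE_ATTESTATION`, and a single term would make the API easier to search and reason about.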
core/java/android/content/pm/PackageManager.java +11 −0 @@ -2847,6 +2847,17 @@ public abstract class PackageManager { public static final String FEATURE_STRONGBOX_KEYSTORE = "android.hardware.strongbox_keystore"; /** * Feature for {@link #getSystemAvailableFeatures} and {@link #hasSystemFeature}: * The device supports device-unique Keystore attestations. Only available on devices that * also support {@link #FEATURE_STRONGBOX_KEYSTORE}, and can only be used by device owner * apps (see {@link android.app.admin.DevicePolicyManager#generateKeyPair}). * @hide */ @SdkConstant(SdkConstantType.FEATURE) public static final String FEATURE_DEVICE_UNIQUE_ATTESTATION = "android.hardware.device_unique_attestation"; /** * Feature for {@link #getSystemAvailableFeatures} and {@link #hasSystemFeature}: * The device has a Keymaster implementation that supports Device ID attestation.
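Review bot: The Javadoc on `FEATURE_DEVICE_UNIQUE_ATTESTATION` says the feature "can only be used by device owner apps", while the `generateKeyPair` documentation in this same commit also lets the device owner's delegated certificate installer request `ID_TYPE_INDIVIDUAL_ATTESTATION`; the two descriptions of who may use it should agree, for example `and can only be used by device owner apps or their delegated certificate installer`. Since the constant is `@hide`, callers reach it only through `DevicePolicyManager#isUniqueDeviceAttestationSupported()`, so a `{@link android.app.admin.DevicePolicyManager#isUniqueDeviceAttestationSupported}` reference here would point readers at the supported check. The feature string only declares a capability; the caller restriction is presumably enforced in the service side of `generateKeyPair`, which is not visible in this diff, and the comment could say so instead of implying the feature itself restricts use.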