Class used to personalize a new identity credential.
Credentials cannot be updated or modified after creation; any change requires deleting the credential and calling
IdentityCredentialStore.createCredential(String, String) to create a new one.
Generates and returns an X.509 certificate chain for the CredentialKey which identifies this credential to the issuing authority.
Stores all of the data in the credential, with the specified access control profiles.
public abstract Collection<X509Certificate> getCredentialKeyCertificateChain (byte[] challenge)
Generates and returns an X.509 certificate chain for the CredentialKey which identifies this credential to the issuing authority. The certificate contains an Android Keystore attestation extension which describes the key and the security hardware in which it lives.
The issuer MUST carefully examine this certificate chain including (but not limited to) checking that the root certificate is well-known, whether the tag Tag::IDENTITY_CREDENTIAL_KEY is present, the passed in challenge is present, the tag Tag::ATTESTATION_APPLICATION_ID is set to the expected Android application, the device has verified boot enabled, each certificate in the chain is signed by its successor, none of the certificates have been revoked, and so on.
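The chain-level part of that examination, as an added example that is not taken from the Android documentation or AOSP: it checks that each certificate is signed by its successor, that every signer is a CA, and that the root matches one the issuer pinned out of band, then returns the leaf's attestation extension. The class name, the `check` helper and the two PEM file arguments are assumptions; the challenge, Tag::IDENTITY_CREDENTIAL_KEY, Tag::ATTESTATION_APPLICATION_ID, verified boot state and revocation still have to be checked by parsing that extension and consulting revocation data.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: structural checks an issuer runs before parsing the attestation data.
public final class CredentialKeyChainCheck {
    // OID of the Android Keystore attestation extension (KeyDescription).
    static final String ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";

    // chain: leaf (CredentialKey certificate) first, root last.
    // pinnedRoot: attestation root the issuer obtained out of band (assumption).
    // Returns the leaf's attestation extension (DER OCTET STRING wrapping KeyDescription).
    static byte[] check(List<X509Certificate> chain, X509Certificate pinnedRoot) throws Exception {
        if (chain.isEmpty()) throw new SecurityException("empty chain");
        int last = chain.size() - 1;
        for (int i = 0; i <= last; i++) {
            // Each certificate must be signed by its successor; the root signs itself.
            X509Certificate signer = chain.get(Math.min(i + 1, last));
            chain.get(i).verify(signer.getPublicKey()); // throws if the signature is bad
            // A signer must be a CA; otherwise any attested leaf key could extend the chain.
            if (signer.getBasicConstraints() < 0)
                throw new SecurityException("certificate " + Math.min(i + 1, last) + " is not a CA");
        }
        // Pin the root by public key instead of trusting whatever root the device sent.
        byte[] rootKey = chain.get(last).getPublicKey().getEncoded();
        if (!Arrays.equals(rootKey, pinnedRoot.getPublicKey().getEncoded()))
            throw new SecurityException("root is not the pinned attestation root");
        byte[] ext = chain.get(0).getExtensionValue(ATTESTATION_OID);
        if (ext == null) throw new SecurityException("leaf has no attestation extension");
        return ext;
    }

    // Usage: java CredentialKeyChainCheck chain.pem root.pem
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        try (InputStream in = new FileInputStream(args[1])) {
            byte[] ext = check(chain, (X509Certificate) cf.generateCertificate(in));
            System.out.println("chain OK, attestation extension is " + ext.length + " bytes");
        }
    }
}
```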
If WritableIdentityCredential is not hardware-backed, the credential is implemented using Android Keystore and the attestation extension will not contain the tag Tag::IDENTITY_CREDENTIAL_KEY. Otherwise, if this tag is present, it signals that WritableIdentityCredential is hardware-backed and that CredentialKey and the corresponding authentication keys can only sign/MAC very specific messages. This is in contrast to an Android Keystore key, which can be used to
It is not strictly necessary to use this method to provision a credential if the issuing
authority doesn't care about the nature of the security hardware. If called, however, this
method must be called before