{@code keyTypes} and {@code issuers} may be used to - * highlight suggested choices to the user, although to cope with - * sometimes erroneous values provided by servers, the user may be - * able to override these suggestions. + * narrow down suggested choices to the user. If either {@code keyTypes} + * or {@code issuers} is specified and non-empty, and there are no + * matching certificates in the KeyChain, then the certificate + * selection prompt would be suppressed entirely. * *
{@code host} and {@code port} may be used to give the user * more context about the server requesting the credentials. @@ -382,7 +398,7 @@ public final class KeyChain { * @param response Callback to invoke when the request completes; * must not be null. * @param keyTypes The acceptable types of asymmetric keys such as - * "RSA" or "DSA", or null. + * "RSA", "EC" or null. * @param issuers The acceptable certificate issuers for the * certificate matching the private key, or null. * @param host The host name of the server requesting the @@ -419,9 +435,10 @@ public final class KeyChain { * onChoosePrivateKeyAlias}. * *
{@code keyTypes} and {@code issuers} may be used to - * highlight suggested choices to the user, although to cope with - * sometimes erroneous values provided by servers, the user may be - * able to override these suggestions. + * narrow down suggested choices to the user. If either {@code keyTypes} + * or {@code issuers} is specified and non-empty, and there are no + * matching certificates in the KeyChain, then the certificate + * selection prompt would be suppressed entirely. * *
{@code uri} may be used to give the user more context about
* the server requesting the credentials.
@@ -436,13 +453,15 @@ public final class KeyChain {
* @param response Callback to invoke when the request completes;
* must not be null.
* @param keyTypes The acceptable types of asymmetric keys such as
- * "EC" or "RSA", or null.
+ * "RSA", "EC" or null.
* @param issuers The acceptable certificate issuers for the
* certificate matching the private key, or null.
* @param uri The full URI the server is requesting the certificate
* for, or null if unavailable.
* @param alias The alias to preselect if available, or null if
* unavailable.
+ * @throws IllegalArgumentException if the specified issuers are not
+ * of type {@code X500Principal}.
*/
public static void choosePrivateKeyAlias(@NonNull Activity activity,
@NonNull KeyChainAliasCallback response,
@@ -450,20 +469,21 @@ public final class KeyChain {
@Nullable Principal[] issuers,
@Nullable Uri uri, @Nullable String alias) {
/*
- * TODO currently keyTypes, issuers are unused. They are meant
- * to follow the semantics and purpose of X509KeyManager
- * method arguments.
+ * Specifying keyTypes excludes certificates with different key types
+ * from the list of certificates presented to the user.
+ * In practice today, most servers would require RSA or EC
+ * certificates.
*
- * keyTypes would allow the list to be filtered and typically
- * will be set correctly by the server. In practice today,
- * most all users will want only RSA or EC, and usually
- * only a small number of certs will be available.
- *
- * issuers is typically not useful. Some servers historically
- * will send the entire list of public CAs known to the
- * server. Others will send none. If this is used, if there
- * are no matches after applying the constraint, it should be
- * ignored.
+ * Specifying issuers narrows down the list by filtering out
+ * certificates with issuers which are not matching the provided ones.
+ * This has been reported to Chrome several times (crbug.com/731769).
+ * There's no concrete description on what to do when the client has no
+ * certificates that match the provided issuers.
+ * To be conservative, Android will not present the user with any
+ * certificates to choose from.
+ * If the list of issuers is empty then the client may send any
+ * certificate, see:
+ * https://tools.ietf.org/html/rfc5246#section-7.4.4
*/
if (activity == null) {
throw new NullPointerException("activity == null");
@@ -476,6 +496,26 @@ public final class KeyChain {
intent.putExtra(EXTRA_RESPONSE, new AliasResponse(response));
intent.putExtra(EXTRA_URI, uri);
intent.putExtra(EXTRA_ALIAS, alias);
+ intent.putExtra(EXTRA_KEY_TYPES, keyTypes);
+ ArrayList