Since: API level 20
public class

UniversalCredentialUtil

extends Object
java.lang.Object
   ↳ com.samsung.android.knox.ucm.core.UniversalCredentialUtil

Class Overview

This class provides API's to fetch all providers, validate UCM URI and communicate with plugin/applet.

Since
API level 20
KNOX 2.7

Summary

Constants
String AGENT_ID Provider string property - Identifier string for storage.
String AGENT_ISMANAGEABLE Provider boolean property - Is Storage manageable by Configurator app.
String AGENT_IS_GENERATE_PASSWORD_AVAILABLE Provider boolean property - Is Password Generation Supported by storage.
String AGENT_IS_ODE_SUPPORTED Provider boolean property - Is Device Encryption Supported by storage.
String AGENT_IS_PUK_SUPPORTED Provider boolean property - Is PUK supported.
String AGENT_PACKAGENAME Provider String property - Storage package name.
String AGENT_SUMMARY Provider string property - Summary of storage.
String AGENT_TITLE Provider string property - Title of storage.
String AGENT_VENDORID Provider string property - Vendor ID of storage.
String ODE_ENABLED Provider boolean property - Is device encrypted with UCM.
String ODE_SIGNATURE Provider byte array property - signature of plugin used for device encryption.
String UNIQUE_ID Provider string property - Identifier string which uniquely identify storage.
Public Methods
Bundle APDUCommand(String uri, byte[] apdu, Bundle extra)
API to send APDU command to applet.
Bundle changePin(String uri, String oldPin, String newPin)
API to change applet pin.
Bundle getInfo(String uri)
API to get plugin/applet information.
static UniversalCredentialUtil getInstance()
Retrieve UniversalCredentialUtil Instance which can interact with KNOX Credential Storage.
static String getKeychainUri(String source, String alias)
Retrieve URI string that representing the credential storage and its resource from keychain.
Provider[] getProviders()
Retrieve available UCM Plugin KeyStore Providers.
static String getRawAlias(String uri)
Retrieve the raw Alias name from the URI.
static String getSource(String uri)
Retrieve the credential storage source identifier from the URI.
static boolean isValidUri(String uri)
Check if the uri has valid URI scheme for UCM
void notifyPluginResult(Bundle data)
API to notify result from UCM plugin.
void refreshUCMPlugin()
API to update UCM plugin service binding.
[Expand]
Inherited Methods
From class java.lang.Object

Constants

public static final String AGENT_ID

Since: API level 20

Provider string property - Identifier string for storage.

Since
API level 20
KNOX 2.7
Constant Value: "id"

public static final String AGENT_ISMANAGEABLE

Since: API level 20

Provider boolean property - Is Storage manageable by Configurator app.

Since
API level 20
KNOX 2.7
Constant Value: "isManageable"

public static final String AGENT_IS_GENERATE_PASSWORD_AVAILABLE

Since: API level 20

Provider boolean property - Is Password Generation Supported by storage.

Since
API level 20
KNOX 2.7
Constant Value: "isGeneratePasswordAvailable"

public static final String AGENT_IS_ODE_SUPPORTED

Since: API level 22

Provider boolean property - Is Device Encryption Supported by storage.

Since
API level 22
KNOX 2.8
Constant Value: "isODESupport"

public static final String AGENT_IS_PUK_SUPPORTED

Since: API level 20

Provider boolean property - Is PUK supported.

Since
API level 20
KNOX 2.7
Constant Value: "isPUKSupported"

public static final String AGENT_PACKAGENAME

Since: API level 20

Provider String property - Storage package name.

Since
API level 20
KNOX 2.7
Constant Value: "packageName"

public static final String AGENT_SUMMARY

Since: API level 20

Provider string property - Summary of storage.

Since
API level 20
KNOX 2.7
Constant Value: "summary"

public static final String AGENT_TITLE

Since: API level 20

Provider string property - Title of storage.

Since
API level 20
KNOX 2.7
Constant Value: "title"

public static final String AGENT_VENDORID

Since: API level 20

Provider string property - Vendor ID of storage.

Since
API level 20
KNOX 2.7
Constant Value: "vendorId"

public static final String ODE_ENABLED

Since: API level 22

Provider boolean property - Is device encrypted with UCM.

Since
API level 22
KNOX 2.8
Constant Value: "odeEnabled"

public static final String ODE_SIGNATURE

Since: API level 22

Provider byte array property - signature of plugin used for device encryption.

Since
API level 22
KNOX 2.8
Constant Value: "odeSignature"

public static final String UNIQUE_ID

Since: API level 20

Provider string property - Identifier string which uniquely identify storage.

Since
API level 20
KNOX 2.7
Constant Value: "uniqueId"

Public Methods

public Bundle APDUCommand (String uri, byte[] apdu, Bundle extra)

Since: API level 20

API to send APDU command to applet.

Parameters
apdu byte array of apdu command
Returns
  • Bundle
Throws
SecurityException If caller does not have required permissions
Usage

An application can use this API to send APDU command to applet. Calling application should send correct command which Applet can process. Plugin will return response in Bundle which can use one or more Bundle keys : PLUGIN_ERROR_CODE, PLUGIN_BOOLEAN_RESPONSE,PLUGIN_BUNDLE_RESPONSE,PLUGIN_BYTEARRAY_RESPONSE,PLUGIN_INT_RESPONSE, ,PLUGIN_STRINGARRAY_RESPONSE ,PLUGIN_STRING_RESPONSE.

 UniversalCredentialUtil ucmUtil = UniversalCredentialUtil.getInstance();
 
 try {
   String ucmUri = ucmUtil.getKeychainUri("Vendor Credential Storage Name", "");
   Bundle pluginData = ucmUtil.APDUCommand(ucmUri, byte, bundle);
   int errorCode = pluginData.getInt(PLUGIN_ERROR_CODE);
   byte[] response = pluginData.getByteArray(PLUGIN_BYTEARRAY_RESPONSE);
 } catch (SecurityException e) {
   Log.w(TAG, "SecurityException: " + e);
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_UCM_MGMT" permission which has a protection level of signature.

Since
API level 20
KNOX 2.7
Multiuser Environment
Global Scope

public Bundle changePin (String uri, String oldPin, String newPin)

Since: API level 20

API to change applet pin.

Parameters
oldPin current PIN
newPin new PIN
Returns
  • Bundle
Throws
SecurityException If caller does not have required permissions
Usage

An application can use this API to change applet pin. Plugin will return response in Bundle which can use one or more Bundle keys : PLUGIN_ERROR_CODE, PLUGIN_BOOLEAN_RESPONSE, PLUGIN_BUNDLE_RESPONSE, PLUGIN_BYTEARRAY_RESPONSE, PLUGIN_INT_RESPONSE, , PLUGIN_STRINGARRAY_RESPONSE , PLUGIN_STRING_RESPONSE.

 UniversalCredentialUtil ucmUtil = UniversalCredentialUtil.getInstance();
 
 try {
   String ucmUri = ucmUtil.getKeychainUri("Vendor Credential Storage Name", "");
   Bundle response = ucmUtil.changePin(ucmUri, "1234", "5678");
   int errorCode = pluginData.getInt(PLUGIN_ERROR_CODE);
   boolean status = pluginData.getBoolean(PLUGIN_BOOLEAN_RESPONSE);
 } catch (SecurityException e) {
   Log.w(TAG, "SecurityException: " + e);
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_UCM_MGMT" permission which has a protection level of signature.

Since
API level 20
KNOX 2.7
Multiuser Environment
Global Scope

public Bundle getInfo (String uri)

Since: API level 20

API to get plugin/applet information.

Returns
  • Bundle
Throws
SecurityException If caller does not have required permissions
Usage

An application can use this API to get information from plugin/applet. Plugin will return response in Bundle which can use one or more Bundle keys : PLUGIN_ERROR_CODE, PLUGIN_BOOLEAN_RESPONSE,PLUGIN_BUNDLE_RESPONSE,PLUGIN_BYTEARRAY_RESPONSE,PLUGIN_INT_RESPONSE, ,PLUGIN_STRINGARRAY_RESPONSE ,PLUGIN_STRING_RESPONSE.

 UniversalCredentialUtil ucmUtil = UniversalCredentialUtil.getInstance();
 
 try {
   String ucmUri = ucmUtil.getKeychainUri("Vendor Credential Storage Name", "");
   Bundle response = ucmUtil.getInfo(ucmUri);
   int errorCode = pluginData.getInt(PLUGIN_ERROR_CODE);
   String data = pluginData.getString(PLUGIN_STRING_RESPONSE);
 } catch (SecurityException e) {
   Log.w(TAG, "SecurityException: " + e);
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_UCM_MGMT" permission which has a protection level of signature.

Since
API level 20
KNOX 2.7
Multiuser Environment
Global Scope

public static UniversalCredentialUtil getInstance ()

Since: API level 20

Retrieve UniversalCredentialUtil Instance which can interact with KNOX Credential Storage.

Returns
  • UniversalCredentialUtil instance.
Since
API level 20
KNOX 2.7

public static String getKeychainUri (String source, String alias)

Since: API level 20

Retrieve URI string that representing the credential storage and its resource from keychain.

Parameters
source The KNOX credential Storage Identifier.
alias The resource's alias requested.
Returns
  • uri string for representing the credential storage and its resources.
Usage

Retrieve URI string that representing the credential storage and its resource from keychain. The return URI will be in format ("ucmkeychain://version/SOURCE/ResourceId/UID/ALIAS").
version represent UCM URI version and ResourceId represent Certificate type e.g Keychain, WIFI etc.

Since
API level 20
KNOX 2.7

public Provider[] getProviders ()

Since: API level 20

Retrieve available UCM Plugin KeyStore Providers.

Returns
  • Arrays of Available KNOX KeyStore Providers
Usage

Retrieve available UCM Plugin KeyStore Providers. Will return the list of available UCM Plugin backend Providers that can be used as keystore. Caller need to add the required KeyStore Provider into the Java Security Infrastructure before usage. To use the UCM Plugin KeyStore backend, provide the Keystore type as "KNOX" and if there is multiple UCM Plugin KeyStore backend being used, need to provide the Provider name.

 UniversalCredentialUtil ucmUtil = UniversalCredentialUtil.getInstance();
 Provider[] providers = ucmUtil.getProviders();
 
 for (Provider provider: providers) {
   String providerName = provider.getName();
   if (!providerName.contains("Vendor Credential Storage Name")) {
     continue;
   }

   Log.d(TAG, "providername = " + providerName);
   Log.d(TAG, "AGENT_ID = " + provider.getProperty(UniversalCredentialUtil.AGENT_ID));
   Log.d(TAG, "AGENT_SUMMARY = " + provider.getProperty(UniversalCredentialUtil.AGENT_SUMMARY));
   Log.d(TAG, "AGENT_TITLE = " + provider.getProperty(UniversalCredentialUtil.AGENT_TITLE));
   Log.d(TAG, "AGENT_VENDORID = " + provider.getProperty(UniversalCredentialUtil.AGENT_VENDORID));
   Log.d(TAG, "AGENT_PACKAGENAME = " + provider.getProperty(UniversalCredentialUtil.AGENT_PACKAGENAME));
   Log.d(TAG, "AGENT_IS_GENERATE_PASSWORD_AVAILABLE = " + provider.getProperty(UniversalCredentialUtil.AGENT_IS_GENERATE_PASSWORD_AVAILABLE));
   Log.d(TAG, "AGENT_IS_PUK_SUPPORTED = " + provider.getProperty(UniversalCredentialUtil.AGENT_IS_PUK_SUPPORTED));
 
   if (Security.getProvider(providerName) == null) {
     int result = Security.addProvider(provider);
     Log.d("providerName result= " + result);
   }
 
   try {
     KeyStore ks = KeyStore.getInstance("KNOX", providerName);
     ks.load(null);
   } catch(Exception e){
     Log.w(TAG, "Exception: " + e);
   }
 }
 

Since
API level 20
KNOX 2.7

public static String getRawAlias (String uri)

Since: API level 20

Retrieve the raw Alias name from the URI.

Returns
  • raw alias
Usage

Retrieve the raw Alias name from the URI. UCM URI is in form of ucmkeychain://version/SOURCE/ResourceId/UID/ALIAS.
version represent UCM URI version and ResourceId represent Certificate type e.g Keychain, WIFI etc.

Since
API level 20
KNOX 2.7

public static String getSource (String uri)

Since: API level 20

Retrieve the credential storage source identifier from the URI.

Returns
  • source
Usage

Retrieve the credential storage source identifier from the URI. UCM URI is in form of ucmkeychain://version/SOURCE/ResourceId/UID/ALIAS.
version represent UCM URI version and ResourceId represent Certificate type e.g Keychain, WIFI etc.

Since
API level 20
KNOX 2.7

public static boolean isValidUri (String uri)

Since: API level 20

Check if the uri has valid URI scheme for UCM

Returns
  • true if successful, else false
Usage

Check if the uri has valid URI scheme for UCM

Since
API level 20
KNOX 2.7

public void notifyPluginResult (Bundle data)

Since: API level 37

API to notify result from UCM plugin.

Usage

Notify the results for the asynchronous API. And admin can receive results from Plugin. Only managed plugins can notify the results to the EMM.

 Bundle data = new Bundle();
 data.putInt(UcmAgentService.REQUEST_ID, requestId);
 data.putInt(UcmAgentService.ADMIN_UID, adminUid);
 data.putInt(UcmAgentService.STATUS_CODE, statusCode);
 data.putString("RESPONSE_DATA", responseCode);
 UniversalCredentialUtil ucmUtil = UniversalCredentialUtil.getInstance();
 ucmUtil.notifyPluginResult(data);
 

Since
API level 37
KNOX 3.10
Multiuser Environment
Global Scope

public void refreshUCMPlugin ()

Since: API level 26

API to update UCM plugin service binding.

Usage

Until Knox 3.1, UCM plugin service should have plugin permission to be bound with UCM framework. So the plugin service need Knox license activation logic, and the plugin is bound after license activation.
But plugin service can be bound with UCM framework without plugin permission from Knox 3.2 device. Because of this license activation removal, Configurator or plugin application should call this API to trigger installed UCM plugin binding.
After all plugin binding is done, caller application can receive the completion intent from UCM framework.

 BroadcastReceiver mRefreshReceiver = new BroadcastReceiver() {
   public void onReceive(Context context, Intent intent) {
     Log.d(TAG, "Received : " + intent.getAction());
     if ("com.samsung.android.knox.intent.action.UCM_REFRESH_AGENT_DONE".equals(intent.getAction())) {
       Toast.makeText(getApplicationContext(), "Plugin refresh is done", Toast.LENGTH_LONG).show();
       Log.d(TAG, "Plugin refresh is done");
     }
   }
 };
 
 IntentFilter intentFilter = new IntentFilter(UniversalCredentialManager.ACTION_UCM_REFRESH_AGENT_DONE);
 registerReceiver(mRefreshReceiver, intentFilter);
 
 UniversalCredentialUtil ucmUtil = UniversalCredentialUtil.getInstance();
 ucmUtil.refreshUCMPlugin();
 

Since
API level 26
KNOX 3.2
Multiuser Environment
Global Scope