Add KeyChain.KEY_ALIAS_SELECTION_DENIED constant.
Add KEY_ALIAS_SELECTION_DENIED contant to flag that no private key alias has
been chosen in onChoosePrivateKeyAlias, but no KeyChainActivity selection dialog
should be presented to the user.
Bug: 136649900
Test: run cts --test MixedManagedProfileOwnerTest#testDelegationCertSelection
Change-Id: I9aeea7be0c2a6172ca054f91d49183c843ecfa6e
diff --git a/api/current.txt b/api/current.txt
index b4d110e..877e243 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -40789,6 +40789,7 @@
field public static final String EXTRA_KEY_ALIAS = "android.security.extra.KEY_ALIAS";
field public static final String EXTRA_NAME = "name";
field public static final String EXTRA_PKCS12 = "PKCS12";
+ field public static final String KEY_ALIAS_SELECTION_DENIED = "alias-selection-denied-ef829e15-210a-409d-96c9-ee684fc41972";
}
public interface KeyChainAliasCallback {
diff --git a/core/java/android/app/admin/DelegatedAdminReceiver.java b/core/java/android/app/admin/DelegatedAdminReceiver.java
index f66de8d..25b8eab 100644
--- a/core/java/android/app/admin/DelegatedAdminReceiver.java
+++ b/core/java/android/app/admin/DelegatedAdminReceiver.java
@@ -63,6 +63,10 @@
* Allows this receiver to select the alias for a private key and certificate pair for
* authentication. If this method returns null, the default {@link android.app.Activity} will
* be shown that lets the user pick a private key and certificate pair.
+ * If this method returns {@link KeyChain#KEY_ALIAS_SELECTION_DENIED},
+ * the default {@link android.app.Activity} will not be shown and the user will not be allowed
+ * to pick anything. And the app, that called {@link KeyChain#choosePrivateKeyAlias}, will
+ * receive {@code null} back.
*
* <p> This callback is only applicable if the delegated app has
* {@link DevicePolicyManager#DELEGATION_CERT_SELECTION} capability. Additionally, it must
diff --git a/core/java/android/app/admin/DeviceAdminReceiver.java b/core/java/android/app/admin/DeviceAdminReceiver.java
index 0c500da..d175a66 100644
--- a/core/java/android/app/admin/DeviceAdminReceiver.java
+++ b/core/java/android/app/admin/DeviceAdminReceiver.java
@@ -791,6 +791,10 @@
* Allows this receiver to select the alias for a private key and certificate pair for
* authentication. If this method returns null, the default {@link android.app.Activity} will be
* shown that lets the user pick a private key and certificate pair.
+ * If this method returns {@link KeyChain#KEY_ALIAS_SELECTION_DENIED},
+ * the default {@link android.app.Activity} will not be shown and the user will not be allowed
+ * to pick anything. And the app, that called {@link KeyChain#choosePrivateKeyAlias}, will
+ * receive {@code null} back.
*
* @param context The running context as per {@link #onReceive}.
* @param intent The received intent as per {@link #onReceive}.
diff --git a/keystore/java/android/security/KeyChain.java b/keystore/java/android/security/KeyChain.java
index 1829d2f..bf23634 100644
--- a/keystore/java/android/security/KeyChain.java
+++ b/keystore/java/android/security/KeyChain.java
@@ -343,6 +343,16 @@
public static final int KEY_ATTESTATION_FAILURE = 4;
/**
+ * Used by DPC or delegated app in
+ * {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias} or
+ * {@link android.app.admin.DelegatedAdminReceiver#onChoosePrivateKeyAlias} to identify that
+ * the requesting app is not granted access to any key, and nor will the user be able to grant
+ * access manually.
+ */
+ public static final String KEY_ALIAS_SELECTION_DENIED =
+ "alias-selection-denied-ef829e15-210a-409d-96c9-ee684fc41972";
+
+ /**
* Returns an {@code Intent} that can be used for credential
* installation. The intent may be used without any extras, in
* which case the user will be able to install credentials from