getAuthKeysNeedingCertification

Gets a collection of dynamic authentication keys that need certification.

When there aren't enough certified dynamic authentication keys (either because the key count has been increased, one or more keys have reached their usage count, or keys have expired), this method will generate replacement keys and certificates and return them for issuer certification. The issuer certificates and associated static authentication data must then be provided back to the IdentityCredential using storeStaticAuthenticationData.

Each X.509 certificate is signed by CredentialKey. The certificate chain for CredentialKey can be obtained using the getCredentialKeyCertificateChain method.

The non-optional fields of each X.509 certificate are set as follows:

  • version: INTEGER 2 (means v3 certificate).
  • serialNumber: INTEGER 1 (fixed value: same on all certs).
  • signature: must be set to ECDSA.
  • subject: CN shall be set to "Android Identity Credential Authentication Key" (fixed value: same on all certs).
  • issuer: CN shall be set to "Android Identity Credential Key" (fixed value: same on all certs).
  • validity: from the current time to one year (365 days) in the future.
  • subjectPublicKeyInfo: must contain attested public key.

If running on a store with FEATURE_VERSION_202101 or later, each X.509 certificate contains an X.509 extension at OID 1.3.6.1.4.1.11129.2.1.26 whose value is a DER-encoded OCTET STRING holding the bytes of a CBOR structure with the following CDDL:

  ProofOfBinding = [
    "ProofOfBinding",
    bstr,              // Contains SHA-256(ProofOfProvisioning)
  ]

This CBOR lets an issuer determine exactly which provisioned state of the credential it is returning issuer-signed data for, by comparing the digest against the ProofOfProvisioning it recorded at personalization time.
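The checks an issuer would run on one returned certificate before signing static authentication data for it, as an added example that is not part of the Android API reference or of the platform's own code. It verifies the fixed field values listed above, the CredentialKey signature, and, when present, the ProofOfBinding extension. It assumes the issuer has already validated the CredentialKey certificate chain returned by getCredentialKeyCertificateChain and kept the ProofOfProvisioning bytes from personalization; the two-level OCTET STRING unwrapping follows from X509Certificate.getExtensionValue() returning the DER-encoded extnValue, which in turn wraps the OCTET STRING described above. The class and method names are the example's own.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Issuer-side checks on a certificate returned by getAuthKeysNeedingCertification(). */
public final class AuthKeyCertificateChecker {

    // Values taken from the reference text above.
    static final String PROOF_OF_BINDING_OID = "1.3.6.1.4.1.11129.2.1.26";
    static final String AUTH_KEY_SUBJECT = "CN=Android Identity Credential Authentication Key";
    static final String CREDENTIAL_KEY_ISSUER = "CN=Android Identity Credential Key";

    /**
     * @param authKeyCert         one certificate from getAuthKeysNeedingCertification()
     * @param credentialKeyCert   leaf of getCredentialKeyCertificateChain(), already validated by the issuer
     * @param proofOfProvisioning ProofOfProvisioning CBOR the issuer recorded at personalization (assumed kept)
     * @return true if the ProofOfBinding extension was present and matched; false if it is absent,
     *         which is expected on stores older than FEATURE_VERSION_202101
     * @throws GeneralSecurityException if any check fails
     */
    public static boolean verify(X509Certificate authKeyCert, X509Certificate credentialKeyCert,
                                 byte[] proofOfProvisioning) throws GeneralSecurityException {
        // Each auth key certificate must be signed by CredentialKey and be within its validity window.
        authKeyCert.verify(credentialKeyCert.getPublicKey());
        authKeyCert.checkValidity();

        require(authKeyCert.getVersion() == 3, "version must be v3");
        require(BigInteger.ONE.equals(authKeyCert.getSerialNumber()), "serialNumber must be 1");
        require(authKeyCert.getSigAlgName().toUpperCase().contains("ECDSA"), "signature must be ECDSA");
        require(AUTH_KEY_SUBJECT.equals(authKeyCert.getSubjectX500Principal().getName()), "unexpected subject");
        require(CREDENTIAL_KEY_ISSUER.equals(authKeyCert.getIssuerX500Principal().getName()), "unexpected issuer");

        byte[] extnValue = authKeyCert.getExtensionValue(PROOF_OF_BINDING_OID);
        if (extnValue == null) {
            return false; // no ProofOfBinding on this store version; nothing further to bind against
        }
        // extnValue is a DER OCTET STRING; its content is the DER OCTET STRING carrying the CBOR.
        byte[] cbor = unwrapOctetString(unwrapOctetString(extnValue));
        byte[] boundDigest = parseProofOfBinding(cbor);
        byte[] expected = MessageDigest.getInstance("SHA-256").digest(proofOfProvisioning);
        // Constant-time comparison: the digest ties this key to one exact provisioned state.
        require(MessageDigest.isEqual(expected, boundDigest),
                "ProofOfBinding does not match the recorded ProofOfProvisioning");
        return true;
    }

    /** Strips one DER OCTET STRING header (tag 0x04, short or long-form length) and returns its content. */
    static byte[] unwrapOctetString(byte[] der) throws CertificateException {
        require(der.length >= 2 && der[0] == 0x04, "expected DER OCTET STRING");
        int len = der[1] & 0xff;
        int offset = 2;
        if (len == 0x80) {
            throw new CertificateException("indefinite length is not valid DER");
        }
        if (len > 0x80) {                       // long form: 0x8N then N big-endian length bytes
            int n = len - 0x80;
            require(n <= 4 && der.length >= 2 + n, "bad DER length");
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[2 + i] & 0xff);
            }
            offset = 2 + n;
        }
        require(len >= 0 && offset + len == der.length, "DER length does not match content");
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    /** Parses the fixed-shape CBOR ["ProofOfBinding", bstr] and returns the 32-byte digest. */
    static byte[] parseProofOfBinding(byte[] cbor) throws CertificateException {
        byte[] label = "ProofOfBinding".getBytes(StandardCharsets.UTF_8); // 14 bytes -> tstr header 0x6E
        int digestOffset = 1 + 1 + label.length + 2;                       // 0x82, 0x6E, label, 0x58 0x20
        require(cbor.length == digestOffset + 32
                        && (cbor[0] & 0xff) == 0x82                       // array(2)
                        && (cbor[1] & 0xff) == (0x60 | label.length)      // tstr(14)
                        && Arrays.equals(Arrays.copyOfRange(cbor, 2, 2 + label.length), label)
                        && (cbor[2 + label.length] & 0xff) == 0x58        // bstr, 1-byte length
                        && (cbor[3 + label.length] & 0xff) == 0x20,       // length 32
                "unexpected ProofOfBinding encoding");
        return Arrays.copyOfRange(cbor, digestOffset, cbor.length);
    }

    private static void require(boolean condition, String message) throws CertificateException {
        if (!condition) {
            throw new CertificateException(message);
        }
    }
}
```

Only after verify() returns should the issuer sign static authentication data for that key; the application then hands the result back through storeStaticAuthenticationData, as described above. A false return is not a failure on older stores, but an issuer that requires binding to a known provisioned state can treat it as one.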

Return

A collection of X.509 certificates for dynamic authentication keys that need issuer certification.