Object: com.flyfishxu.kadb.cert.KadbCert
KadbCert uses a private-key-first identity model:
- Private key is the persisted source of truth.
- Certificate is always generated from the private key at runtime.
- Importing a certificate only affects the current in-memory identity; persistence stores the private key only.
val store = OkioFilePrivateKeyStore(
privateKeyPath = "/path/to/private_key.pem".toPath()
)
KadbCert.configure(
store = store,
policy = KadbCertPolicy(),
additionalPrivateKeysPem = emptyList()
)KadbCert.ensureReady(): KadbIdentitySnapshot
KadbCert.rotate(): KadbIdentitySnapshot
KadbCert.importIdentity(privateKeyPem: ByteArray, certificatePem: ByteArray? = null): KadbIdentitySnapshot
KadbCert.importPrivateKey(privateKeyPem: ByteArray): KadbIdentitySnapshot
KadbCert.exportIdentityOrNull(): KadbIdentitySnapshot?
KadbCert.exportPrivateKeyOrNull(): ByteArray?
KadbCert.clear()KadbPrivateKeyStore is intentionally minimal:
readPrivateKeyPem()writePrivateKeyPemAtomic(...)clear()
Kadb persists only the private key. X.509 certificates are derived on demand from that key.
additionalPrivateKeysPem is an in-memory-only host key ring. It lets Kadb mirror AOSP host behavior more closely:
- classic
AUTHwill try every configured private key before sending the default user public key - TLS client auth will prefer the key requested by the device CA issuer list when a match exists
- pairing still uses the default persisted user key, matching current AOSP host behavior
- malformed optional keys are ignored; they do not block the default persisted key from being used
KadbCertPolicy defaults:
keySizeBits = 2048certValidityDays = 3650autoHealInvalidPrivateKey = true- Subject defaults aligned with AOSP profile:
C=US, O=Android, CN=Adb
Generated certificate profile:
- Serial number:
1 - Validity:
nowtonow + 10 years - Signature:
SHA256withRSA - Extensions:
BasicConstraints,KeyUsage,SubjectKeyIdentifier
Kadb.create()/Kadb.pair()APIs are unchanged.SslUtilscache is keyed by certificate fingerprint, so certificate rotation/invalidation rebuildsSSLContext.KadbIdentitySnapshotis a runtime materialization. With the same persisted private key,certificatePem,fingerprintSha256, andnotAfterEpochMilliscan change if the certificate generation policy changes.additionalPrivateKeysPemdoes not changeKadbIdentitySnapshot; the snapshot always describes the default persisted key.