keystore: Expose @SystemApi's to wifi mainline module
Two @SystemApi's being added to allow wifi mainline module to access
formal API's:
a) KeyGenParameterSpec.Builder.setUid() to allow wifi to create/store keys
with WIFI_UID.
b) AndroidKeyStoreProvider.getKeyStoreForUid() to allow wifi to get/put
any keys stored with WIFI_UID.
Both of these API's are already permission protected in the lower
layers. There is a map of euid's stored in the native keystore which
limits which uid is allowed to access which other uid's data.
Bug: 142089671
Test: make system-api-stubs-docs-update-current-api
Change-Id: I39b92d2293bcdc26bb0a4a48a1d1e4cc0b20ad0b
diff --git a/api/system-current.txt b/api/system-current.txt
index d5f544c..c73a525 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -6410,6 +6410,10 @@
package android.security.keystore {
+ public class AndroidKeyStoreProvider extends java.security.Provider {
+ method @NonNull public static java.security.KeyStore getKeyStoreForUid(int) throws java.security.KeyStoreException, java.security.NoSuchProviderException;
+ }
+
public abstract class AttestationUtils {
method @NonNull @RequiresPermission(android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE) public static java.security.cert.X509Certificate[] attestDeviceIds(android.content.Context, @NonNull int[], @NonNull byte[]) throws android.security.keystore.DeviceIdAttestationException;
field public static final int ID_TYPE_IMEI = 2; // 0x2
@@ -6423,6 +6427,10 @@
ctor public DeviceIdAttestationException(@Nullable String, @Nullable Throwable);
}
+ public static final class KeyGenParameterSpec.Builder {
+ method @NonNull public android.security.keystore.KeyGenParameterSpec.Builder setUid(int);
+ }
+
}
package android.security.keystore.recovery {
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java
index 234615d..2cdd000 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java
@@ -17,6 +17,7 @@
package android.security.keystore;
import android.annotation.NonNull;
+import android.annotation.SystemApi;
import android.annotation.UnsupportedAppUsage;
import android.security.KeyStore;
import android.security.keymaster.ExportResult;
@@ -52,8 +53,9 @@
*
* @hide
*/
+@SystemApi
public class AndroidKeyStoreProvider extends Provider {
- public static final String PROVIDER_NAME = "AndroidKeyStore";
+ private static final String PROVIDER_NAME = "AndroidKeyStore";
// IMPLEMENTATION NOTE: Class names are hard-coded in this provider to avoid loading these
// classes when this provider is instantiated and installed early on during each app's
@@ -68,6 +70,7 @@
private static final String DESEDE_SYSTEM_PROPERTY =
"ro.hardware.keystore_desede";
+ /** @hide **/
public AndroidKeyStoreProvider() {
super(PROVIDER_NAME, 1.0, "Android KeyStore security provider");
@@ -111,6 +114,7 @@
/**
* Installs a new instance of this provider (and the
* {@link AndroidKeyStoreBCWorkaroundProvider}).
+ * @hide
*/
public static void install() {
Provider[] providers = Security.getProviders();
@@ -156,6 +160,7 @@
* @throws IllegalArgumentException if the provided primitive is not supported or is not backed
* by AndroidKeyStore provider.
* @throws IllegalStateException if the provided primitive is not initialized.
+ * @hide
*/
@UnsupportedAppUsage
public static long getKeyStoreOperationHandle(Object cryptoPrimitive) {
@@ -183,6 +188,7 @@
return ((KeyStoreCryptoOperation) spi).getOperationHandle();
}
+ /** @hide **/
@NonNull
public static AndroidKeyStorePublicKey getAndroidKeyStorePublicKey(
@NonNull String alias,
@@ -279,6 +285,7 @@
privateKeyAlias, uid, jcaKeyAlgorithm, x509EncodedPublicKey);
}
+ /** @hide **/
@NonNull
public static AndroidKeyStorePublicKey loadAndroidKeyStorePublicKeyFromKeystore(
@NonNull KeyStore keyStore, @NonNull String privateKeyAlias, int uid)
@@ -300,6 +307,7 @@
return new KeyPair(publicKey, privateKey);
}
+ /** @hide **/
@NonNull
public static KeyPair loadAndroidKeyStoreKeyPairFromKeystore(
@NonNull KeyStore keyStore, @NonNull String privateKeyAlias, int uid)
@@ -318,6 +326,7 @@
return (AndroidKeyStorePrivateKey) keyPair.getPrivate();
}
+ /** @hide **/
@NonNull
public static AndroidKeyStorePrivateKey loadAndroidKeyStorePrivateKeyFromKeystore(
@NonNull KeyStore keyStore, @NonNull String privateKeyAlias, int uid)
@@ -357,6 +366,7 @@
return new AndroidKeyStoreSecretKey(secretKeyAlias, uid, keyAlgorithmString);
}
+ /** @hide **/
@NonNull
public static AndroidKeyStoreKey loadAndroidKeyStoreKeyFromKeystore(
@NonNull KeyStore keyStore, @NonNull String userKeyAlias, int uid)
@@ -390,7 +400,9 @@
*
* <p>Note: the returned {@code KeyStore} is already initialized/loaded. Thus, there is
* no need to invoke {@code load} on it.
+ * @hide
*/
+ @SystemApi
@NonNull
public static java.security.KeyStore getKeyStoreForUid(int uid)
throws KeyStoreException, NoSuchProviderException {
diff --git a/keystore/java/android/security/keystore/KeyGenParameterSpec.java b/keystore/java/android/security/keystore/KeyGenParameterSpec.java
index bd6ce7e..2ad87e6 100644
--- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java
+++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java
@@ -19,6 +19,7 @@
import android.annotation.IntRange;
import android.annotation.NonNull;
import android.annotation.Nullable;
+import android.annotation.SystemApi;
import android.annotation.TestApi;
import android.annotation.UnsupportedAppUsage;
import android.app.KeyguardManager;
@@ -808,10 +809,14 @@
/**
* Sets the UID which will own the key.
*
+ * Such cross-UID access is permitted to a few system UIDs and only to a few other UIDs
+ * (e.g., Wi-Fi, VPN) all of which are system.
+ *
* @param uid UID or {@code -1} for the UID of the current process.
*
* @hide
*/
+ @SystemApi
@NonNull
public Builder setUid(int uid) {
mUid = uid;