Convert to new KeyStore format

Change-Id: I531ca8fbf8c7008383488cba1dd73f59537edb01
diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java
index 1ab3ad3..8d26643 100644
--- a/src/com/android/keychain/KeyChainService.java
+++ b/src/com/android/keychain/KeyChainService.java
@@ -25,7 +25,9 @@
 import android.database.DatabaseUtils;
 import android.database.sqlite.SQLiteDatabase;
 import android.database.sqlite.SQLiteOpenHelper;
+import android.os.Binder;
 import android.os.IBinder;
+import android.os.Process;
 import android.security.Credentials;
 import android.security.IKeyChainService;
 import android.security.KeyChain;
@@ -82,15 +84,30 @@
         private final TrustedCertificateStore mTrustedCertificateStore
                 = new TrustedCertificateStore();
 
-        @Override public byte[] getPrivateKey(String alias) {
-            return getKeyStoreEntry(Credentials.USER_PRIVATE_KEY, alias);
+        @Override
+        public String requestPrivateKey(String alias) {
+            checkArgs(alias);
+
+            final String keystoreAlias = Credentials.USER_PRIVATE_KEY + alias;
+            final int uid = Binder.getCallingUid();
+            if (!mKeyStore.grant(keystoreAlias, uid)) {
+                return null;
+            }
+
+            final StringBuilder sb = new StringBuilder();
+            sb.append(Process.SYSTEM_UID);
+            sb.append('_');
+            sb.append(keystoreAlias);
+
+            return sb.toString();
         }
 
         @Override public byte[] getCertificate(String alias) {
-            return getKeyStoreEntry(Credentials.USER_CERTIFICATE, alias);
+            checkArgs(alias);
+            return mKeyStore.get(Credentials.USER_CERTIFICATE + alias);
         }
 
-        private byte[] getKeyStoreEntry(String type, String alias) {
+        private void checkArgs(String alias) {
             if (alias == null) {
                 throw new NullPointerException("alias == null");
             }
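Review bot: `requestPrivateKey` issues a keystore-level grant to the calling UID at `mKeyStore.grant(keystoreAlias, uid)`, and nothing in this change withdraws it, so a later revocation of the app's KeyChain permission may leave that UID still able to use the key through the returned identifier. If the revocation path lives outside this diff it should also remove the keystore grant; otherwise that step needs adding. The method also returns `null` silently when the grant fails, so a warning log that names the uid (not the key) would make the failure diagnosable. A Javadoc on the method should state that the return value is a key identifier of the form `<SYSTEM_UID>_<keystoreAlias>` and not key material, and that the call has the side effect of granting access. `checkArgs` continues outside the hunk, so its permission check is not reviewed here.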
@@ -102,12 +119,6 @@
                 throw new IllegalStateException("uid " + callingUid
                         + " doesn't have permission to access the requested alias");
             }
-            String key = type + alias;
-            byte[] bytes =  mKeyStore.get(key);
-            if (bytes == null) {
-                return null;
-            }
-            return bytes;
         }
 
         private boolean isKeyStoreUnlocked() {
diff --git a/support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl b/support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
index ba85b68..0921f2e 100644
--- a/support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
+++ b/support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
@@ -33,6 +33,7 @@
     boolean keystoreReset();
     boolean keystorePassword(String password);
     boolean keystorePut(String key, in byte[] value);
+    boolean keystoreImportKey(String key, in byte[] value);
     void revokeAppPermission(int uid, String alias);
     void grantAppPermission(int uid, String alias);
 }
diff --git a/support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java b/support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
index 9216d67..843c18c 100644
--- a/support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
+++ b/support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
@@ -43,6 +43,10 @@
             Log.d(TAG, "keystorePut");
             return mKeyStore.put(key, value);
         }
+        @Override public boolean keystoreImportKey(String key, byte[] value) {
+            Log.d(TAG, "keystoreImport");
+            return mKeyStore.importKey(key, value);
+        }
 
         @Override public void revokeAppPermission(final int uid, final String alias)
                 throws RemoteException {
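Review bot: The log string `"keystoreImport"` does not match the method name, whereas the sibling `keystorePut` logs its own name; `Log.d(TAG, "keystoreImportKey");` keeps logcat searches consistent. The new override is also missing the blank line that separates the other methods. Whether this test-support binder is restricted to test builds or guarded by a permission is not visible here, and since it now accepts private-key imports from callers, that is worth confirming.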
diff --git a/tests/src/com/android/keychain/tests/KeyChainServiceTest.java b/tests/src/com/android/keychain/tests/KeyChainServiceTest.java
index 1da100c..e8236aa 100644
--- a/tests/src/com/android/keychain/tests/KeyChainServiceTest.java
+++ b/tests/src/com/android/keychain/tests/KeyChainServiceTest.java
@@ -172,16 +172,16 @@
             Certificate intermediate2 = pke2.getCertificateChain()[1];
             Certificate root2 = TestKeyStore.getServer().getRootCertificate("RSA");
 
-            assertTrue(mSupport.keystorePut(alias1Pkey,
-                                            Credentials.convertToPem(pke1.getPrivateKey())));
+            assertTrue(mSupport.keystoreImportKey(alias1Pkey,
+                                           pke1.getPrivateKey().getEncoded()));
             assertTrue(mSupport.keystorePut(alias1Cert,
                                             Credentials.convertToPem(pke1.getCertificate())));
             assertTrue(mSupport.keystorePut(alias1ICert,
                                             Credentials.convertToPem(intermediate1)));
             assertTrue(mSupport.keystorePut(alias1RCert,
                                             Credentials.convertToPem(root1)));
-            assertTrue(mSupport.keystorePut(alias2Pkey,
-                                            Credentials.convertToPem(pke2.getPrivateKey())));
+            assertTrue(mSupport.keystoreImportKey(alias2Pkey,
+                                            pke2.getPrivateKey().getEncoded()));
             assertTrue(mSupport.keystorePut(alias2Cert,
                                             Credentials.convertToPem(pke2.getCertificate())));
             assertTrue(mSupport.keystorePut(alias2ICert,
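Review bot: The continuation lines of the two new `keystoreImportKey` calls keep the column used for `keystorePut(` and differ from each other by one space, so neither lines up with the new argument list. Re-indent both so the second argument sits under `alias1Pkey` / `alias2Pkey`, or use the file's standard continuation indent for both.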
@@ -204,10 +204,8 @@
             mSupport.grantAppPermission(getApplicationInfo().uid, alias1);
             // don't grant alias2, so it can be done manually with KeyChainTestActivity
             Log.d(TAG, "test_KeyChainService positive testing");
-            byte[] privateKey = mService.getPrivateKey(alias1);
-            assertNotNull(privateKey);
-            assertEquals(Arrays.toString(Credentials.convertToPem(pke1.getPrivateKey())),
-                         Arrays.toString(privateKey));
+            assertNotNull("Requesting private key should succeed",
+                    mService.requestPrivateKey(alias1));
 
             byte[] certificate = mService.getCertificate(alias1);
             assertNotNull(certificate);
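Review bot: The positive test now only checks that `requestPrivateKey(alias1)` is non-null, so a wrong or malformed key identifier would pass, whereas the removed assertions compared the key bytes exactly. Capture the result and check its form, e.g. `String keyId = mService.requestPrivateKey(alias1);` followed by `assertTrue(keyId.endsWith(alias1Pkey));` (assuming `alias1Pkey` is the keystore alias used for the import earlier in the test). Ideally the test would also load the key through that identifier and use it once, which would show that the grant made for this uid is effective. The test method starts and ends outside the hunk.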
@@ -217,7 +215,7 @@
             Log.d(TAG, "test_KeyChainService negative testing");
             mSupport.revokeAppPermission(getApplicationInfo().uid, alias2);
             try {
-                mService.getPrivateKey(alias2);
+                mService.requestPrivateKey(alias2);
                 fail();
             } catch (IllegalStateException expected) {
             }