author | Janis Danisevskis <jdanis@google.com> | 2020-10-20 08:16:52 -0700 |
---|---|---|
committer | Janis Danisevskis <jdanis@google.com> | 2020-11-13 19:55:41 -0800 |
commit | 4392c6977ce935a084ab30baeed511f170a606d5 (patch) | |
tree | 032379fac886c4bebe706dc5e897ef4975d3bb0c | |
parent | 6180e85e369c5554c62a7a87c9f946f1801f3202 (diff) |
Keystore 2.0 SPI: Install legacy Keystore provider as AndroidKeyStoreLegacy
With this patch we install the old Keystore provider as
AndroidKeyStoreLegacy when the Keystore 2.0 provider is installed as
AndroidKeyStore. This allows system components to keep using the old
keystore while we can run CTS tests against the new provider.
The tests are still mostly failing at this point. Installing the new SPI
can be enabled by setting the property
ro.android.security.keystore2.enable=true
Bug: 159476414
Test: This enables running CTS tests against Keystore 2.0.
Change-Id: I9731d9783ccf8f2705a5ca7335e00c8f4c8debba
3 files changed, 48 insertions, 6 deletions
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreBCWorkaroundProvider.java b/keystore/java/android/security/keystore/AndroidKeyStoreBCWorkaroundProvider.java
index 624321cbf5ea..5730234184ab 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreBCWorkaroundProvider.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreBCWorkaroundProvider.java
@@ -34,7 +34,7 @@ import java.security.Provider;
 *
 * @hide
 */
-class AndroidKeyStoreBCWorkaroundProvider extends Provider {
+public class AndroidKeyStoreBCWorkaroundProvider extends Provider {
 // IMPLEMENTATION NOTE: Class names are hard-coded in this provider to avoid loading these
 // classes when this provider is instantiated and installed early on during each app's
@@ -50,8 +50,14 @@ class AndroidKeyStoreBCWorkaroundProvider extends Provider {
 private static final String DESEDE_SYSTEM_PROPERTY = "ro.hardware.keystore_desede";
- AndroidKeyStoreBCWorkaroundProvider() {
- super("AndroidKeyStoreBCWorkaround",
+ /** @hide */
+ public AndroidKeyStoreBCWorkaroundProvider() {
+ this("AndroidKeyStoreBCWorkaround");
+ }
+
+ /** @hide **/
+ public AndroidKeyStoreBCWorkaroundProvider(String providerName) {
+ super(providerName,
 1.0,
 "Android KeyStore security provider to work around Bouncy Castle");
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java
index d1b4464c1aed..3ac9d68d5a9f 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java
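Review bot: The new `AndroidKeyStoreBCWorkaroundProvider(String providerName)` constructor, and the class itself in the first hunk of this file, become `public` with only `/** @hide **/` as documentation, so nothing records that the extra name exists solely for the Keystore 2.0 transition or which names are expected. `@hide` removes the constructor from the SDK surface, but widening the Java visibility still enlarges what platform code can instantiate and register, so the comment should name the intended caller. I would replace the one-line comment with a Javadoc stating that `providerName` is the JCA name the instance registers under, that the only non-default value used in this change is `"AndroidKeyStoreBCWorkaroundLegacy"` from the keystore2 `install()`, and that the overload can be removed with the transition (b/171305684). The closing `**/` should also be `*/`, matching the no-arg constructor. The constructor body continues outside the hunk.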
@@ -71,14 +71,20 @@ public class AndroidKeyStoreProvider extends Provider {
 private static final String DESEDE_SYSTEM_PROPERTY = "ro.hardware.keystore_desede";
- /** @hide **/
+ /** @hide */
 public AndroidKeyStoreProvider() {
- super(PROVIDER_NAME, 1.0, "Android KeyStore security provider");
+ this(PROVIDER_NAME);
+ }
+
+ /** @hide **/
+ public AndroidKeyStoreProvider(String providerName) {
+ super(providerName, 1.0, "Android KeyStore security provider");
 boolean supports3DES = "true".equals(android.os.SystemProperties.get(DESEDE_SYSTEM_PROPERTY));
 // java.security.KeyStore
 put("KeyStore.AndroidKeyStore", PACKAGE_NAME + ".AndroidKeyStoreSpi");
+ put("alg.alias.KeyStore.AndroidKeyStoreLegacy", "AndroidKeyStore");
 // java.security.KeyPairGenerator
 put("KeyPairGenerator.EC", PACKAGE_NAME + ".AndroidKeyStoreKeyPairGeneratorSpi$EC");
@@ -438,8 +444,12 @@ public class AndroidKeyStoreProvider extends Provider {
 @NonNull
 public static java.security.KeyStore getKeyStoreForUid(int uid) throws KeyStoreException, NoSuchProviderException {
+ String providerName = PROVIDER_NAME;
+ if (android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) {
+ providerName = "AndroidKeyStoreLegacy";
+ }
 java.security.KeyStore result =
- java.security.KeyStore.getInstance("AndroidKeyStore", PROVIDER_NAME);
+ java.security.KeyStore.getInstance(providerName);
 try {
 result.load(new AndroidKeyStoreLoadStoreParameter(uid));
 } catch (NoSuchAlgorithmException | CertificateException | IOException e) {
diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java b/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java
index e7fcbdb84ab3..b2e32a3175e3 100644
--- a/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java
+++ b/keystore/java/android/security/keystore2/AndroidKeyStoreProvider.java
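Review bot: In the `AndroidKeyStoreProvider(String providerName)` constructor, `put("alg.alias.KeyStore.AndroidKeyStoreLegacy", "AndroidKeyStore");` runs for every instance, including the one registered under `PROVIDER_NAME`, so the `AndroidKeyStoreLegacy` KeyStore type becomes resolvable even when Keystore 2.0 is not installed. If the alias is meant only for the legacy registration, guard it with `if (!PROVIDER_NAME.equals(providerName)) { ... }` around that `put`. The new constructor also needs more than `/** @hide **/`: a Javadoc saying the name parameter exists for the Keystore 2.0 transition, and the closing `**/` should be `*/` as on the no-arg constructor that this same hunk corrects. The constructor body continues past the hunk.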
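Review bot: In `getKeyStoreForUid`, `java.security.KeyStore.getInstance(providerName)` passes the value as the KeyStore type and no longer names a provider, whereas the removed call pinned both type and provider. With the single-argument form the JCA returns the first registered provider offering that type, so the result depends on provider order and on the alias added in the constructor hunk rather than on an explicit provider; the variable name `providerName` is then misleading, and the declared `NoSuchProviderException` appears to become unreachable from this call. Keeping the two-argument form preserves the pinning: `java.security.KeyStore.getInstance("AndroidKeyStore", providerName);`, which should resolve because the legacy instance still registers `KeyStore.AndroidKeyStore` under its new name. The method body continues outside the hunk.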
@@ -110,6 +110,23 @@ public class AndroidKeyStoreProvider extends Provider {
 putSecretKeyFactoryImpl("HmacSHA512");
 }
+ private static boolean sInstalled = false;
+
+ /**
+ * This function indicates whether or not this provider was installed. This is manly used
+ * as indicator for
+ * {@link android.security.keystore.AndroidKeyStoreProvider#getKeyStoreForUid(int)}
+ * to whether or not to retrieve the Keystore provider by "AndroidKeyStoreLegacy".
+ * This function can be removed once the transition to Keystore 2.0 is complete.
+ * b/171305684
+ *
+ * @return true if this provider was installed.
+ * @hide
+ */
+ public static boolean isInstalled() {
+ return sInstalled;
+ }
+
 /**
 * Installs a new instance of this provider (and the
 * {@link AndroidKeyStoreBCWorkaroundProvider}).
@@ -125,17 +142,26 @@ public class AndroidKeyStoreProvider extends Provider {
 break;
 }
 }
+ sInstalled = true;
 Security.addProvider(new AndroidKeyStoreProvider());
+ Security.addProvider(
+ new android.security.keystore.AndroidKeyStoreProvider(
+ "AndroidKeyStoreLegacy"));
 Provider workaroundProvider = new AndroidKeyStoreBCWorkaroundProvider();
+ Provider legacyWorkaroundProvider =
+ new android.security.keystore.AndroidKeyStoreBCWorkaroundProvider(
+ "AndroidKeyStoreBCWorkaroundLegacy");
 if (bcProviderIndex != -1) {
 // Bouncy Castle provider found -- install the workaround provider above it.
 // insertProviderAt uses 1-based positions.
+ Security.insertProviderAt(legacyWorkaroundProvider, bcProviderIndex + 1);
 Security.insertProviderAt(workaroundProvider, bcProviderIndex + 1);
 } else {
 // Bouncy Castle provider not found -- install the workaround provider at lowest
 // priority.
 Security.addProvider(workaroundProvider);
+ Security.addProvider(legacyWorkaroundProvider);
 }
 }
|
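Review bot: `sInstalled` is a plain static field that `install()` writes and `isInstalled()` reads with no synchronization, so a thread calling `getKeyStoreForUid` is not guaranteed to observe the write unless some other happens-before edge exists. If `install()` always completes before any other thread can reach the keystore code this is harmless, but the hunk does not show that; `private static volatile boolean sInstalled;` removes the assumption at no real cost. The Javadoc on `isInstalled()` has a typo (`manly` for `mainly`) and would read better as one sentence stating that the flag selects the `AndroidKeyStoreLegacy` lookup in `getKeyStoreForUid`.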
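Review bot: In `install()`, `sInstalled = true;` is set before any of the `Security.addProvider` calls and regardless of their result, so `isInstalled()` can report true while the `AndroidKeyStoreLegacy` provider is not yet, or never, registered. A `getKeyStoreForUid` call in that window would ask for the legacy type and presumably fail with a `KeyStoreException`. Moving the assignment to the end of the method, after both workaround providers are in place, narrows this, and setting it only when `Security.addProvider(...)` for the legacy provider did not return `-1` closes it. `install()` starts before the hunk.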