KeyChain: Unify manual and programmatic key installation flows

Unify the manual certificate installation flow (via "Install from storage" in the Settings app) with the programmatic one (using DevicePolicyManager.installKeyPair). The unification is achieved by extending the KeyChainService API to take in the UID for which the key is designated (so WiFi keys can be installed with the unified flow), and making the CredentialStorage activity call the KeyChainService rather than poke into Keystore directly. Framework-related changes to support this: * Add new constant for specifying the key alias as an extra to the install activity, and remove obsolete constants from the Credentials class. * Make KeyChainService definition include key destination UID. * Make the call to KeyChainService.installKeyPair from the DevicePolicyManagerService specify the "self" UID. Test: Manual CtsVerifier tests: KeyChain Storage Test, CA Cert Notification Test Test: cts-tradefed run commandAndExit cts-dev -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement Bug: 138375478 Change-Id: Ib317f85fa6719c70ee3b1da4255c44754fbfa789
author: Eran Messeri <eranm@google.com> 2019-09-10 17:23:48 +0100
committer: Eran Messeri <eranm@google.com> 2019-09-12 16:02:36 +0100
commit: d6ee4aae9bf1ff631f52ba12a105798af614aa06 (patch)
tree: 08b5100dae05ae110f50a246d22115e996b7f4f5
parent: f986b4e9bb3763cad0e318a82908290814826ff0 (diff)
3 files changed, 7 insertions, 15 deletions
diff --git a/keystore/java/android/security/Credentials.java b/keystore/java/android/security/Credentials.java
index 08f417662523..54995ac9d050 100644
--- a/keystore/java/android/security/Credentials.java
+++ b/keystore/java/android/security/Credentials.java
@@ -16,11 +16,12 @@
 
 package android.security;
 
+import android.annotation.UnsupportedAppUsage;
+
 import com.android.org.bouncycastle.util.io.pem.PemObject;
 import com.android.org.bouncycastle.util.io.pem.PemReader;
 import com.android.org.bouncycastle.util.io.pem.PemWriter;
 
-import android.annotation.UnsupportedAppUsage;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -90,9 +91,9 @@ public class Credentials {
     public static final String EXTRA_INSTALL_AS_UID = "install_as_uid";
 
     /**
-     * Intent extra: name for the user's private key.
+     * Intent extra: name for the user's key pair.
      */
-    public static final String EXTRA_USER_PRIVATE_KEY_NAME = "user_private_key_name";
+    public static final String EXTRA_USER_KEY_ALIAS = "user_key_pair_name";
 
     /**
      * Intent extra: data for the user's private key in PEM-encoded PKCS#8.
@@ -100,21 +101,11 @@ public class Credentials {
     public static final String EXTRA_USER_PRIVATE_KEY_DATA = "user_private_key_data";
 
     /**
-     * Intent extra: name for the user's certificate.
-     */
-    public static final String EXTRA_USER_CERTIFICATE_NAME = "user_certificate_name";
-
-    /**
      * Intent extra: data for the user's certificate in PEM-encoded X.509.
      */
     public static final String EXTRA_USER_CERTIFICATE_DATA = "user_certificate_data";
 
     /**
-     * Intent extra: name for CA certificate chain
-     */
-    public static final String EXTRA_CA_CERTIFICATES_NAME = "ca_certificates_name";
-
-    /**
      * Intent extra: data for CA certificate chain in PEM-encoded X.509.
      */
     public static final String EXTRA_CA_CERTIFICATES_DATA = "ca_certificates_data";
diff --git a/keystore/java/android/security/IKeyChainService.aidl b/keystore/java/android/security/IKeyChainService.aidl
index b3cdff7eedf7..97da3cc6f80f 100644
--- a/keystore/java/android/security/IKeyChainService.aidl
+++ b/keystore/java/android/security/IKeyChainService.aidl
@@ -43,7 +43,8 @@ interface IKeyChainService {
     String installCaCertificate(in byte[] caCertificate);
 
     // APIs used by DevicePolicyManager
-    boolean installKeyPair(in byte[] privateKey, in byte[] userCert, in byte[] certChain, String alias);
+    boolean installKeyPair(
+        in byte[] privateKey, in byte[] userCert, in byte[] certChain, String alias, int uid);
     boolean removeKeyPair(String alias);
 
     // APIs used by Settings
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 478bc88fe815..9f111187b0b3 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -5659,7 +5659,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                     KeyChain.bindAsUser(mContext, UserHandle.getUserHandleForUid(callingUid));
             try {
                 IKeyChainService keyChain = keyChainConnection.getService();
-                if (!keyChain.installKeyPair(privKey, cert, chain, alias)) {
+                if (!keyChain.installKeyPair(privKey, cert, chain, alias, KeyStore.UID_SELF)) {
                     return false;
                 }
                 if (requestAccess) {
author	Eran Messeri <eranm@google.com>	2019-09-10 17:23:48 +0100
committer	Eran Messeri <eranm@google.com>	2019-09-12 16:02:36 +0100
commit	d6ee4aae9bf1ff631f52ba12a105798af614aa06 (patch)
tree	08b5100dae05ae110f50a246d22115e996b7f4f5
parent	f986b4e9bb3763cad0e318a82908290814826ff0 (diff)