summaryrefslogtreecommitdiff
path: root/keystore/java/android/security/KeyStore2.java
diff options
context:
space:
mode:
authorScott Lobdell <slobdell@google.com>2021-03-23 20:33:04 +0000
committerScott Lobdell <slobdell@google.com>2021-03-24 02:40:01 +0000
commit757dbb836469bbdd7eb8312deaf584fe0c99c17d (patch)
treea678b33ad5f0f024d0f942f127b91665f0616193 /keystore/java/android/security/KeyStore2.java
parent7710a95746be8dba8c6ffe7172f9c01334a2ca81 (diff)
parentf022dd1e6827ebf7c52b06aa40f2059a3f0f5cad (diff)
Merge SP1A.210311.001
Change-Id: Id1a205bf3f0609c0b13e4bea377056c3b06299fa
Diffstat (limited to 'keystore/java/android/security/KeyStore2.java')
-rw-r--r--keystore/java/android/security/KeyStore2.java45
1 files changed, 45 insertions, 0 deletions
diff --git a/keystore/java/android/security/KeyStore2.java b/keystore/java/android/security/KeyStore2.java
index 476e4d7b7b18..6ac3821d0f9c 100644
--- a/keystore/java/android/security/KeyStore2.java
+++ b/keystore/java/android/security/KeyStore2.java
@@ -24,6 +24,7 @@ import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.ServiceSpecificException;
import android.security.keymaster.KeymasterDefs;
+import android.system.keystore2.Domain;
import android.system.keystore2.IKeystoreService;
import android.system.keystore2.KeyDescriptor;
import android.system.keystore2.KeyEntryResponse;
@@ -157,6 +158,50 @@ public class KeyStore2 {
}
/**
+ * Grant string prefix as used by the keystore boringssl engine. Must be kept in sync
+ * with system/security/keystore-engine. Note: The prefix here includes the 0x which
+ * std::stringstream used in keystore-engine needs to identify the number as hex represented.
+ * Here we include it in the prefix, because Long#parseUnsignedLong does not understand it
+ * and gets the radix as explicit argument.
+ * @hide
+ */
+ private static final String KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX =
+ "ks2_keystore-engine_grant_id:0x";
+
+ /**
+ * This function turns a grant identifier into a specific string that is understood by the
+ * keystore-engine in system/security/keystore-engine. Is only used by VPN and WI-FI components
+ * to allow certain system components like racoon or vendor components like WPA supplicant
+ * to use keystore keys with boring ssl.
+ *
+ * @param grantId the grant id as returned by {@link #grant} in the {@code nspace} filed of
+ * the resulting {@code KeyDescriptor}.
+ * @return The grant descriptor string.
+ * @hide
+ */
+ public static String makeKeystoreEngineGrantString(long grantId) {
+ return String.format("%s%016X", KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX, grantId);
+ }
+
+ /**
+ * Convenience function to turn a keystore engine grant string as returned by
+ * {@link #makeKeystoreEngineGrantString(long)} back into a grant KeyDescriptor.
+ *
+ * @param grantString As string returned by {@link #makeKeystoreEngineGrantString(long)}
+ * @return The grant key descriptor.
+ * @hide
+ */
+ public static KeyDescriptor keystoreEngineGrantString2KeyDescriptor(String grantString) {
+ KeyDescriptor key = new KeyDescriptor();
+ key.domain = Domain.GRANT;
+ key.nspace = Long.parseUnsignedLong(
+ grantString.substring(KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX.length()), 16);
+ key.alias = null;
+ key.blob = null;
+ return key;
+ }
+
+ /**
* Create a grant that allows the grantee identified by {@code granteeUid} to use
* the key specified by {@code descriptor} withint the restrictions given by
* {@code accessVectore}.