diff options
Diffstat (limited to 'keystore')
| -rw-r--r-- | keystore/java/android/security/AndroidKeyStoreMaintenance.java | 25 | ||||
| -rw-r--r-- | keystore/java/android/security/KeyStore.java | 4 | ||||
| -rw-r--r-- | keystore/java/android/security/KeyStore2.java | 45 |
3 files changed, 71 insertions, 3 deletions
diff --git a/keystore/java/android/security/AndroidKeyStoreMaintenance.java b/keystore/java/android/security/AndroidKeyStoreMaintenance.java index c81c8c54d88a..ed789f03f9ba 100644 --- a/keystore/java/android/security/AndroidKeyStoreMaintenance.java +++ b/keystore/java/android/security/AndroidKeyStoreMaintenance.java @@ -21,6 +21,7 @@ import android.annotation.Nullable; import android.os.ServiceManager; import android.os.ServiceSpecificException; import android.security.usermanager.IKeystoreUserManager; +import android.system.keystore2.Domain; import android.system.keystore2.ResponseCode; import android.util.Log; @@ -39,7 +40,7 @@ public class AndroidKeyStoreMaintenance { } /** - * Informs keystore2 about adding a user + * Informs Keystore 2.0 about adding a user * * @param userId - Android user id of the user being added * @return 0 if successful or a {@code ResponseCode} @@ -60,7 +61,7 @@ public class AndroidKeyStoreMaintenance { } /** - * Informs keystore2 about removing a usergit mer + * Informs Keystore 2.0 about removing a usergit mer * * @param userId - Android user id of the user being removed * @return 0 if successful or a {@code ResponseCode} @@ -81,7 +82,7 @@ public class AndroidKeyStoreMaintenance { } /** - * Informs keystore2 about changing user's password + * Informs Keystore 2.0 about changing user's password * * @param userId - Android user id of the user * @param password - a secret derived from the synthetic password provided by the @@ -102,4 +103,22 @@ public class AndroidKeyStoreMaintenance { return SYSTEM_ERROR; } } + + /** + * Informs Keystore 2.0 that an app was uninstalled and the corresponding namspace is to + * be cleared. + */ + public static int clearNamespace(@Domain int domain, long namespace) { + if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; + try { + getService().clearNamespace(domain, namespace); + return 0; + } catch (ServiceSpecificException e) { + Log.e(TAG, "clearNamespace failed", e); + return e.errorCode; + } catch (Exception e) { + Log.e(TAG, "Can not connect to keystore", e); + return SYSTEM_ERROR; + } + } } diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index 198df40c7d7b..93658e69eac8 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java @@ -43,6 +43,7 @@ import android.security.keystore.KeyPermanentlyInvalidatedException; import android.security.keystore.KeyProperties; import android.security.keystore.KeystoreResponse; import android.security.keystore.UserNotAuthenticatedException; +import android.system.keystore2.Domain; import android.util.Log; import com.android.internal.org.bouncycastle.asn1.ASN1InputStream; @@ -466,6 +467,9 @@ public class KeyStore { public boolean clearUid(int uid) { try { + if (android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) { + return AndroidKeyStoreMaintenance.clearNamespace(Domain.APP, uid) == 0; + } return mBinder.clear_uid(uid) == NO_ERROR; } catch (RemoteException e) { Log.w(TAG, "Cannot connect to keystore", e); diff --git a/keystore/java/android/security/KeyStore2.java b/keystore/java/android/security/KeyStore2.java index 476e4d7b7b18..6ac3821d0f9c 100644 --- a/keystore/java/android/security/KeyStore2.java +++ b/keystore/java/android/security/KeyStore2.java @@ -24,6 +24,7 @@ import android.os.RemoteException; import android.os.ServiceManager; import android.os.ServiceSpecificException; import android.security.keymaster.KeymasterDefs; +import android.system.keystore2.Domain; import android.system.keystore2.IKeystoreService; import android.system.keystore2.KeyDescriptor; import android.system.keystore2.KeyEntryResponse; @@ -157,6 +158,50 @@ public class KeyStore2 { } /** + * Grant string prefix as used by the keystore boringssl engine. Must be kept in sync + * with system/security/keystore-engine. Note: The prefix here includes the 0x which + * std::stringstream used in keystore-engine needs to identify the number as hex represented. + * Here we include it in the prefix, because Long#parseUnsignedLong does not understand it + * and gets the radix as explicit argument. + * @hide + */ + private static final String KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX = + "ks2_keystore-engine_grant_id:0x"; + + /** + * This function turns a grant identifier into a specific string that is understood by the + * keystore-engine in system/security/keystore-engine. Is only used by VPN and WI-FI components + * to allow certain system components like racoon or vendor components like WPA supplicant + * to use keystore keys with boring ssl. + * + * @param grantId the grant id as returned by {@link #grant} in the {@code nspace} filed of + * the resulting {@code KeyDescriptor}. + * @return The grant descriptor string. + * @hide + */ + public static String makeKeystoreEngineGrantString(long grantId) { + return String.format("%s%016X", KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX, grantId); + } + + /** + * Convenience function to turn a keystore engine grant string as returned by + * {@link #makeKeystoreEngineGrantString(long)} back into a grant KeyDescriptor. + * + * @param grantString As string returned by {@link #makeKeystoreEngineGrantString(long)} + * @return The grant key descriptor. + * @hide + */ + public static KeyDescriptor keystoreEngineGrantString2KeyDescriptor(String grantString) { + KeyDescriptor key = new KeyDescriptor(); + key.domain = Domain.GRANT; + key.nspace = Long.parseUnsignedLong( + grantString.substring(KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX.length()), 16); + key.alias = null; + key.blob = null; + return key; + } + + /** * Create a grant that allows the grantee identified by {@code granteeUid} to use * the key specified by {@code descriptor} withint the restrictions given by * {@code accessVectore}. |