From 64338c0e4d0ec64c55abc34c0559d94ee352723c Mon Sep 17 00:00:00 2001
From: Janis Danisevskis
Date: Wed, 19 Apr 2017 09:17:17 -0700
Subject: Consolidate Keystore alias prefixes.

Currently, the keystore SPI assigns different prefixes to user key entries depending on the algorithm. Symmetric keys (secret keys) get the prefix USERSKEY_ and asymmetric keys (private keys) get the prefix USERPKEY_. This distinction is superfluous, as the information can always be retrieved from the key characteristics. Also moving forward it is desirable to be able to import keys the nature of which is not known a priori. In these cases the prefix cannot be chosen meaningfully. This patch deprecates one of the prefixes (i.e. USERSKEY_) and uses the other for both types of keys. Legacy keys with the old prefix can still be used, but all new keys will have the prefix USERPKEY_.
Bug: 63931634
Test: CTS test and Manual upgrade test with KeyStoreTool app Also performed upgrade test with device PIN set
Change-Id: I5b4bb0b0d2b82c276659d55b862150326bb68d5d
---
keystore/java/android/security/Credentials.java | 34 ++++++++++---------------
1 file changed, 14 insertions(+), 20 deletions(-)
(limited to 'keystore/java/android/security/Credentials.java')
diff --git a/keystore/java/android/security/Credentials.java b/keystore/java/android/security/Credentials.java
index 6830a7487dbc..57db20be1145 100644
--- a/keystore/java/android/security/Credentials.java
+++ b/keystore/java/android/security/Credentials.java
@@ -60,10 +60,12 @@ public class Credentials {
 /** Key prefix for user certificates. */
 public static final String USER_CERTIFICATE = "USRCERT_";
- /** Key prefix for user private keys. */
+ /** Key prefix for user private and secret keys. */
 public static final String USER_PRIVATE_KEY = "USRPKEY_";
- /** Key prefix for user secret keys. */
+ /** Key prefix for user secret keys.
+ * @deprecated use {@code USER_PRIVATE_KEY} for this category instead.
+ */
 public static final String USER_SECRET_KEY = "USRSKEY_";
 /** Key prefix for VPN. */
@@ -235,8 +237,7 @@ public class Credentials {
 * Make sure every type is deleted. There can be all three types, so
 * don't use a conditional here.
 */
- return deletePrivateKeyTypeForAlias(keystore, alias, uid)
- & deleteSecretKeyTypeForAlias(keystore, alias, uid)
+ return deleteUserKeyTypeForAlias(keystore, alias, uid)
 & deleteCertificateTypesForAlias(keystore, alias, uid);
 }
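Review bot: `USER_SECRET_KEY` in the first hunk is deprecated only through the Javadoc tag; adding the `@Deprecated` annotation on the field keeps the tag and the annotation in step for tooling that reads one but not the other. The comment should also say that entries under this prefix can still exist on upgraded devices and must still be looked up and deleted, for example `Legacy key prefix for user secret keys; existing entries are still honoured, new keys use {@link #USER_PRIVATE_KEY}.` That second point is taken from the commit message rather than from the hunk itself.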
@@ -264,34 +265,27 @@ public class Credentials {
 }
 /**
- * Delete private key for a particular {@code alias}.
- * Returns {@code true} if the entry no longer exists.
- */
- static boolean deletePrivateKeyTypeForAlias(KeyStore keystore, String alias) {
- return deletePrivateKeyTypeForAlias(keystore, alias, KeyStore.UID_SELF);
- }
-
- /**
- * Delete private key for a particular {@code alias}.
+ * Delete user key for a particular {@code alias}.
 * Returns {@code true} if the entry no longer exists.
 */
- static boolean deletePrivateKeyTypeForAlias(KeyStore keystore, String alias, int uid) {
- return keystore.delete(Credentials.USER_PRIVATE_KEY + alias, uid);
+ public static boolean deleteUserKeyTypeForAlias(KeyStore keystore, String alias) {
+ return deleteUserKeyTypeForAlias(keystore, alias, KeyStore.UID_SELF);
 }
 /**
- * Delete secret key for a particular {@code alias}.
+ * Delete user key for a particular {@code alias}.
 * Returns {@code true} if the entry no longer exists.
 */
- public static boolean deleteSecretKeyTypeForAlias(KeyStore keystore, String alias) {
- return deleteSecretKeyTypeForAlias(keystore, alias, KeyStore.UID_SELF);
+ public static boolean deleteUserKeyTypeForAlias(KeyStore keystore, String alias, int uid) {
+ return keystore.delete(Credentials.USER_PRIVATE_KEY + alias, uid) ||
+ keystore.delete(Credentials.USER_SECRET_KEY + alias, uid);
 }
 /**
- * Delete secret key for a particular {@code alias}.
+ * Delete legacy prefixed entry for a particular {@code alias}
 * Returns {@code true} if the entry no longer exists.
 */
- public static boolean deleteSecretKeyTypeForAlias(KeyStore keystore, String alias, int uid) {
+ public static boolean deleteLegacyKeyForAlias(KeyStore keystore, String alias, int uid) {
 return keystore.delete(Credentials.USER_SECRET_KEY + alias, uid);
 }
 }
-- cgit v1.2.3
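Review bot: The `||` in the three-argument `deleteUserKeyTypeForAlias` short-circuits, so whenever the `USER_PRIVATE_KEY` delete returns true the `USER_SECRET_KEY` delete is never attempted. If `keystore.delete` also returns true for an entry that does not exist, as the "entry no longer exists" Javadoc suggests, a legacy `USRSKEY_` key survives the call while the method still reports success; `deleteAllTypesForAlias` in the earlier hunk inherits this, although its comment asks for every type to be deleted without a conditional. Use the non-short-circuit form already used there: `return keystore.delete(Credentials.USER_PRIVATE_KEY + alias, uid) & keystore.delete(Credentials.USER_SECRET_KEY + alias, uid);`. The two overloads also become `public` where `deletePrivateKeyTypeForAlias` was package-private, which is worth confirming as intended.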