Add an API to keystore daemon to query what kind of storage is currently
in use.
(cherry picked from commit a738e2a1aee26e0be3944c11820724aeca313f83)
Change-Id: I52c84449a27b1cefc49372a6406b7132c2bbddee
We need the ability to install from the system UID to wifi UID
to explicitly bind WiFi credentials to the WiFi profile. This adds the
ability for Wifi Settings to invoke installation of a PKCS12 file for
the wifi UID.
Bug: 8183258
Change-Id: I652b7e6fa93deda6d6d310be33f224e5a356c787
After discussion, it was determined that duplicate would be less
disruptive and it still fit in the current HAL model.
Change-Id: I2f9cae48d38ec7146511e876450fa39fc92cda55
To support the WiFi service, we need to support migration from the
system UID to the wifi UID. This adds a command to achieve the
migration.
Bug: 8122243
Change-Id: I65f7a91504c1d2a2aac22b9c3051adffd28d66c1
In previous commits, we added the ability to specify which UID we want to
target on certain operations. This commit adds the ability to reach those
binder calls from the KeyStore class.
Also fix a problem where saw() was not reading all the values returned via
the Binder call. This changes the semantics to return a null instead of
failing silently when it's not possible to search.
Change-Id: I32098dc0eb42e09ace89f6b7455766842a72e9f4
The API documentation says it will return null if the key isn't found.
We get null back from the keystore daemon when it can't retrieve the
data, so just return null back to the API caller.
Change-Id: I42248bd50cbc5f76864bd762aae3faab1c50529d
Instead of blindly multiplying return value by 1000 to convert to
milliseconds, check to see if it's an error condition first.
Change-Id: I8eab1e7a86d78c13458fcbbc79d590e452fc9791
Existing KeyStore implementations throw NullPointerExceptions beacuse
the KeyStoreSpi doesn't check these arguments for null. Add in checks so
we don't accidentally check some bogus values.
Also switch a RuntimeException to a KeyStoreException
Change-Id: I18f4d4474d607cb2057ea8069b901e0992275e78
Adds support for always-on VPN profiles, also called "lockdown." When
enabled, LockdownVpnTracker manages the netd firewall to prevent
unencrypted traffic from leaving the device. It creates narrow rules
to only allow traffic to the selected VPN server. When an egress
network becomes available, LockdownVpnTracker will try bringing up
the VPN connection, and will reconnect if disconnected.
ConnectivityService augments any NetworkInfo based on the lockdown
VPN status to help apps wait until the VPN is connected.
This feature requires that VPN profiles use an IP address for both
VPN server and DNS. It also blocks non-default APN access when
enabled. Waits for USER_PRESENT after boot to check KeyStore status.
Bug: 5756357
Change-Id: If615f206b1634000d78a8350a17e88bfcac8e0d0
For the AndroidKeyStore API, allow entries to have their certificate
chain replaced without destroying the underlying PrivateKey. Since
entries are backed by unexportable private keys, requiring them to be
supplied again doesn't make sense and is impossible.
Change-Id: I629ce2a625315c8d8020a082892650ac5eba22ae
This allows end-users to generate keys in the keystore without the
private part of the key ever needing to leave the device. The generation
process also generates a self-signed certificate.
Change-Id: I114ffb8e0cbe3b1edaae7e69e8aa578cb835efc9
This introduces a public API for the Android keystore that is accessible
via java.security.KeyStore API. This allows programs to store
PrivateKeyEntry and TrustedCertificateEntry items visible only to
themselves.
Future work should include:
* Implement KeyStore.CallbackHandlerProtection parameter to allow the
caller to request that the keystore daemon unlock itself via the
system password input dialog.
* Implement SecretKeyEntry once that support is in keystore daemon
Change-Id: I382ffdf742d3f9f7647c5f5a429244a340b6bb0a
java.security.KeyStore requires that you be able to get the creation
date for any given entry. We'll approximate that through using the mtime
of the file in the keystore.
Change-Id: I16f74354a6c2e78a1a0b4dc2ae720c5391274e6f
Move chain building to TrustedCertificateStore since it has more
information about the certificates.
Change-Id: I3030e94eb1abb8a2047a4151bdaad9922706dd0f
Change the keystore to keep the private keys in keystore. When returned,
it uses the OpenSSL representation of the key to allow users to use it
in various operations through the OpenSSL ENGINE that connects to
keystore.
Change-Id: I3681f98cb2ec49ffc4a49f3821909313b4ab5735
Bug: 6009802
When the credential storage changes, (adding/removing certs,
resetting the storage, enabling/disabling trusted CAs, etc), the
applications that use the storage has to be made aware of the
fact that the storage changed, so they can clear any cached state,
close connections or take any other actions. Internally, this
applies to webview. However, applications, potentially including
3rd party browsers, also need this information.
Change-Id: I765b97a3f38f45247ee3f6e127b490388d373847
Bug: 6009802
Cherry pick fcd93b72a3dde2b20fa0d8b04d3f47311b0856a1
Listen to credential storage updates and clean state when necessary.
Change-Id: I2c63e6771e9373da8b39781fdcf3d21583c4e3b2
frameworks/base
Extended KeyChain.chooserPrivateKeyAlias to allow caller to supply
preferred choice to be selected in chooser. This allows Email
settings to highlight the current choice when allowing user to
change settings.
keystore/java/android/security/KeyChain.java
api/current.txt
Implemented KeyChain functionality to pass host and port
information to KeyChainActivity for display.
keystore/java/android/security/KeyChain.java
KeyChain now sends a PendingIntent as part of the Intent it sends
to the KeyChainActivity which can be used to identify the caller
in reliable way.
keystore/java/android/security/KeyChain.java
Moved .pfx/.p12/.cer/.crt constants to Credentials for reuse.
Added Credentials.install variant with no value for use from KeyChainActivity
keystore/java/android/security/Credentials.java
packages/apps/CertInstaller
Source of extension constants now in Credentials
src/com/android/certinstaller/CertFile.java
packages/apps/Browser
Have browser supply host and port information to KeyChain.choosePrivateKeyAlias
Tracking KeyChain.choosePrivateKeyAlias API change
src/com/android/browser/Tab.java
packages/apps/Email
Tracking KeyChain.choosePrivateKeyAlias API change
src/com/android/email/view/CertificateSelector.java
packages/apps/KeyChain
KeyChain now depends on bouncycastle X509Name for formatting
X500Principals, since the 4 X500Principal formatting options could
not format emailAddress attributes in a human readable way and its
the most important attribute to display for client certificates in
most cases.
Android.mk
Changing the UI to a dialog, make the activity style transparent.
AndroidManifest.xml
res/values/styles.xml
Layout for chooser dialog
res/layout/cert_chooser.xml
Layout for list items in chooser
res/layout/cert_item.xml
New resources for dialog including comments for translators.
res/values/strings.xml
New dialog based KeyChainActivity. Now also shows requesting app
and requesting server. Now can preselect a specified alias. New
link directly to CertInstaller.
src/com/android/keychain/KeyChainActivity.java
Fix KeyChainTestActivity to work with TestKeyStore changes that
were causing network activity on the UI to look up the name of
localhost. Also track KeyChain.choosePrivateKeyAlias API change.
tests/src/com/android/keychain/tests/KeyChainTestActivity.java
Change-Id: I07128fba8750f9a6bcb9c6be5da04df992403d69
The KeyChain API is Currently in use by Browser and validated by Email
for client certificate authentication.
Change-Id: Ifeab416be594457a05747406e31656e71795cb53
Summary:
- Changed KeyChain to assume PEM encoded keystore entries
- Moved convertToPem from CertInstaller for reuse with other Credentials helpers
- Added convertFromPem for use decoding keystore entries
Change-Id: I340168b88aefa458d01e81324824e2e08b1d7c4e
Summary:
frameworks/base
keystore rewrite
keyguard integration with keystore on keyguard entry or keyguard change
KeyStore API simplification
packages/apps/Settings
Removed com.android.credentials.SET_PASSWORD intent support
Added keyguard requirement for keystore use
packages/apps/CertInstaller
Tracking KeyStore API changes
Fix for NPE in CertInstaller when certificate lacks basic constraints
packages/apps/KeyChain
Tracking KeyStore API changes
Details:
frameworks/base
Move keystore from C to C++ while rewriting password
implementation. Removed global variables. Added many comments.
cmds/keystore/Android.mk
cmds/keystore/keystore.h
cmds/keystore/keystore.c => cmds/keystore/keystore.cpp
cmds/keystore/keystore_cli.c => cmds/keystore/keystore_cli.cpp
Changed saveLockPattern and saveLockPassword to notify the keystore
on changes so that the keystore master key can be reencrypted when
the keyguard changes.
core/java/com/android/internal/widget/LockPatternUtils.java
Changed unlock screens to pass values for keystore unlock or initialization
policy/src/com/android/internal/policy/impl/PasswordUnlockScreen.java
policy/src/com/android/internal/policy/impl/PatternUnlockScreen.java
KeyStore API changes
- renamed test() to state(), which now return a State enum
- made APIs with byte[] key arguments private
- added new KeyStore.isEmpty used to determine if a keyguard is required
keystore/java/android/security/KeyStore.java
In addition to tracking KeyStore API changes, added new testIsEmpty
and improved some existing tests to validate expect values.
keystore/tests/src/android/security/KeyStoreTest.java
packages/apps/Settings
Removing com.android.credentials.SET_PASSWORD intent with the
removal of the ability to set an explicit keystore password now
that the keyguard value is used. Changed to ensure keyguard is
enabled for keystore install or unlock. Cleaned up interwoven
dialog handing into discrete dialog helper classes.
AndroidManifest.xml
src/com/android/settings/CredentialStorage.java
Remove layout for entering new password
res/layout/credentials_dialog.xml
Remove enable credentials checkbox
res/xml/security_settings_misc.xml
src/com/android/settings/SecuritySettings.java
Added ability to specify minimum quality key to ChooseLockGeneric
Activity. Used by CredentialStorage, but could also be used by
CryptKeeperSettings. Changed ChooseLockGeneric to understand
minimum quality for keystore in addition to DPM and device
encryption.
src/com/android/settings/ChooseLockGeneric.java
Changed to use getActivePasswordQuality from
getKeyguardStoredPasswordQuality based on experience in
CredentialStorage. Removed bogus class javadoc.
src/com/android/settings/CryptKeeperSettings.java
Tracking KeyStore API changes
src/com/android/settings/vpn/VpnSettings.java
src/com/android/settings/wifi/WifiSettings.java
Removing now unused string resources
res/values-af/strings.xml
res/values-am/strings.xml
res/values-ar/strings.xml
res/values-bg/strings.xml
res/values-ca/strings.xml
res/values-cs/strings.xml
res/values-da/strings.xml
res/values-de/strings.xml
res/values-el/strings.xml
res/values-en-rGB/strings.xml
res/values-es-rUS/strings.xml
res/values-es/strings.xml
res/values-fa/strings.xml
res/values-fi/strings.xml
res/values-fr/strings.xml
res/values-hr/strings.xml
res/values-hu/strings.xml
res/values-in/strings.xml
res/values-it/strings.xml
res/values-iw/strings.xml
res/values-ja/strings.xml
res/values-ko/strings.xml
res/values-lt/strings.xml
res/values-lv/strings.xml
res/values-ms/strings.xml
res/values-nb/strings.xml
res/values-nl/strings.xml
res/values-pl/strings.xml
res/values-pt-rPT/strings.xml
res/values-pt/strings.xml
res/values-rm/strings.xml
res/values-ro/strings.xml
res/values-ru/strings.xml
res/values-sk/strings.xml
res/values-sl/strings.xml
res/values-sr/strings.xml
res/values-sv/strings.xml
res/values-sw/strings.xml
res/values-th/strings.xml
res/values-tl/strings.xml
res/values-tr/strings.xml
res/values-uk/strings.xml
res/values-vi/strings.xml
res/values-zh-rCN/strings.xml
res/values-zh-rTW/strings.xml
res/values-zu/strings.xml
res/values/strings.xml
packages/apps/CertInstaller
Tracking KeyStore API changes
src/com/android/certinstaller/CertInstaller.java
Fix for NPE in CertInstaller when certificate lacks basic constraints
src/com/android/certinstaller/CredentialHelper.java
packages/apps/KeyChain
Tracking KeyStore API changes
src/com/android/keychain/KeyChainActivity.java
src/com/android/keychain/KeyChainService.java
support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
tests/src/com/android/keychain/tests/KeyChainServiceTest.java
Change-Id: Ic141fb5d4b43d12fe62cb1e29c7cbd891b4be35d
