69 Commits

Author SHA1 Message Date
Fred Quintana
ab8b84ad38 Make the KeyChain handle its own grants rather than having
AccountManagerService handle them.

Change-Id: I89d272b22766f85019c1f947153d69e6dbb74c68
2011-07-13 22:45:07 -07:00
Brian Carlstrom
74e6bd7b77 Merge "New KeyChain API for credential installation" 2011-07-06 14:59:21 -07:00
Brian Carlstrom
db93b78385 Build cert chain in KeyChain.getCertificateChain
Bug: 4970298
Change-Id: Id91391233528edc2a4da5ebe92ec85d381f170de
2011-07-01 14:41:56 -07:00
Brian Carlstrom
ca43c458ad New KeyChain API for credential installation
Bug: 3497064
Change-Id: Ie5c20e87a436b7ab66258d08b719ab8bb1f1d86d
2011-06-29 20:32:54 -07:00
Brian Carlstrom
a00a2b33cc KeyChain API for credential installation
Bug: 3497064
Change-Id: I4ac4d8b5559496b1632d63c2129e2bafd240893f
2011-06-29 18:46:56 -07:00
Brian Carlstrom
bef5e5aabc Add KeyStoreTest.testGet
Now that system user can read keystore, add KeyStoreTest.testGet and update other tests to use KeyStore.get

Change-Id: I364866d52c2ecf550ff26aadc6e85126318889fa
2011-06-27 17:22:02 -07:00
Brian Carlstrom
6da0033447 Moving ssl_certificate layout, resources, and helper code to SslCertificate
Add IKeyChainService.deleteCaCertificate

Change-Id: If42341bc732efcfe4f958c00cdd6c0fec11a3c75
2011-06-27 12:14:25 -07:00
Brian Carlstrom
67c30dfe8e Replace KeyChainActivity placeholder UI with more polished dialog (1 of 5)
frameworks/base

    Extended KeyChain.chooserPrivateKeyAlias to allow caller to supply
    preferred choice to be selected in chooser. This allows Email
    settings to highlight the current choice when allowing user to
    change settings.
	keystore/java/android/security/KeyChain.java
	api/current.txt

    Implemented KeyChain functionality to pass host and port
    information to KeyChainActivity for display.
	keystore/java/android/security/KeyChain.java

    KeyChain now sends a PendingIntent as part of the Intent it sends
    to the KeyChainActivity which can be used to identify the caller
    in a reliable way.
	keystore/java/android/security/KeyChain.java

    Moved .pfx/.p12/.cer/.crt constants to Credentials for reuse.
    Added Credentials.install variant with no value for use from KeyChainActivity
	keystore/java/android/security/Credentials.java

packages/apps/CertInstaller
    Source of extension constants now in Credentials
	src/com/android/certinstaller/CertFile.java

packages/apps/Browser
    Have browser supply host and port information to KeyChain.choosePrivateKeyAlias
    Tracking KeyChain.choosePrivateKeyAlias API change
	src/com/android/browser/Tab.java

packages/apps/Email
    Tracking KeyChain.choosePrivateKeyAlias API change
	src/com/android/email/view/CertificateSelector.java

packages/apps/KeyChain

    KeyChain now depends on bouncycastle X509Name for formatting
    X500Principals, since the 4 X500Principal formatting options could
    not format emailAddress attributes in a human readable way and it's
    the most important attribute to display for client certificates in
    most cases.
	Android.mk

    Changing the UI to a dialog, make the activity style transparent.
	AndroidManifest.xml
	res/values/styles.xml

    Layout for chooser dialog
	res/layout/cert_chooser.xml

    Layout for list items in chooser
	res/layout/cert_item.xml

    New resources for dialog including comments for translators.
	res/values/strings.xml

    New dialog based KeyChainActivity. Now also shows requesting app
    and requesting server. Now can preselect a specified alias. New
    link directly to CertInstaller.

	src/com/android/keychain/KeyChainActivity.java

    Fix KeyChainTestActivity to work with TestKeyStore changes that
    were causing network activity on the UI to look up the name of
    localhost. Also track KeyChain.choosePrivateKeyAlias API change.

	tests/src/com/android/keychain/tests/KeyChainTestActivity.java

Change-Id: I07128fba8750f9a6bcb9c6be5da04df992403d69
2011-06-25 16:48:25 -07:00
Brian Carlstrom
42f6528b98 New KeyChain API for application access to keystore credentials
The KeyChain API is currently in use by Browser and validated by Email
for client certificate authentication.

Change-Id: Ifeab416be594457a05747406e31656e71795cb53
2011-06-10 10:43:02 -07:00
Brian Carlstrom
93201f545b KeyChain API refinements
Change-Id: I177ab4642e6cd1aa13526c14f0a707175fd79655
2011-06-09 21:11:06 -07:00
Brian Carlstrom
9d7faa91be Change KeyChain to assume PEM encoded keystore entries
Summary:
- Changed KeyChain to assume PEM encoded keystore entries
- Moved convertToPem from CertInstaller for reuse with other Credentials helpers
- Added convertFromPem for use decoding keystore entries

Change-Id: I340168b88aefa458d01e81324824e2e08b1d7c4e
2011-06-07 15:33:09 -07:00
Brian Carlstrom
7e4b1a488d Restore ResponseCodes for use with getLastError
Change-Id: I41b5bc9cbb6c05672c92d5864e889fd2b0186141
2011-06-01 15:29:29 -07:00
Brian Carlstrom
5cfee3fabb Integrating keystore with keyguard (Part 1 of 4)
Summary:

frameworks/base
  keystore rewrite
  keyguard integration with keystore on keyguard entry or keyguard change
  KeyStore API simplification

packages/apps/Settings
  Removed com.android.credentials.SET_PASSWORD intent support
  Added keyguard requirement for keystore use

packages/apps/CertInstaller
  Tracking KeyStore API changes
  Fix for NPE in CertInstaller when certificate lacks basic constraints

packages/apps/KeyChain
  Tracking KeyStore API changes

Details:

frameworks/base

   Move keystore from C to C++ while rewriting password
   implementation. Removed global variables. Added many comments.

	cmds/keystore/Android.mk
	cmds/keystore/keystore.h
	cmds/keystore/keystore.c => cmds/keystore/keystore.cpp
	cmds/keystore/keystore_cli.c => cmds/keystore/keystore_cli.cpp

   Changed saveLockPattern and saveLockPassword to notify the keystore
   on changes so that the keystore master key can be reencrypted when
   the keyguard changes.

	core/java/com/android/internal/widget/LockPatternUtils.java

   Changed unlock screens to pass values for keystore unlock or initialization

	policy/src/com/android/internal/policy/impl/PasswordUnlockScreen.java
	policy/src/com/android/internal/policy/impl/PatternUnlockScreen.java

   KeyStore API changes
   - renamed test() to state(), which now returns a State enum
   - made APIs with byte[] key arguments private
   - added new KeyStore.isEmpty used to determine if a keyguard is required

	keystore/java/android/security/KeyStore.java

   In addition to tracking KeyStore API changes, added new testIsEmpty
   and improved some existing tests to validate expected values.

	keystore/tests/src/android/security/KeyStoreTest.java

packages/apps/Settings

    Removing com.android.credentials.SET_PASSWORD intent with the
    removal of the ability to set an explicit keystore password now
    that the keyguard value is used. Changed to ensure keyguard is
    enabled for keystore install or unlock. Cleaned up interwoven
    dialog handling into discrete dialog helper classes.

	AndroidManifest.xml
	src/com/android/settings/CredentialStorage.java

    Remove layout for entering new password

	res/layout/credentials_dialog.xml

    Remove enable credentials checkbox

	res/xml/security_settings_misc.xml
	src/com/android/settings/SecuritySettings.java

    Added ability to specify minimum quality key to ChooseLockGeneric
    Activity. Used by CredentialStorage, but could also be used by
    CryptKeeperSettings. Changed ChooseLockGeneric to understand
    minimum quality for keystore in addition to DPM and device
    encryption.

	src/com/android/settings/ChooseLockGeneric.java

    Changed to use getActivePasswordQuality from
    getKeyguardStoredPasswordQuality based on experience in
    CredentialStorage. Removed bogus class javadoc.

	src/com/android/settings/CryptKeeperSettings.java

    Tracking KeyStore API changes

	src/com/android/settings/vpn/VpnSettings.java
	src/com/android/settings/wifi/WifiSettings.java

   Removing now unused string resources

	res/values-af/strings.xml
	res/values-am/strings.xml
	res/values-ar/strings.xml
	res/values-bg/strings.xml
	res/values-ca/strings.xml
	res/values-cs/strings.xml
	res/values-da/strings.xml
	res/values-de/strings.xml
	res/values-el/strings.xml
	res/values-en-rGB/strings.xml
	res/values-es-rUS/strings.xml
	res/values-es/strings.xml
	res/values-fa/strings.xml
	res/values-fi/strings.xml
	res/values-fr/strings.xml
	res/values-hr/strings.xml
	res/values-hu/strings.xml
	res/values-in/strings.xml
	res/values-it/strings.xml
	res/values-iw/strings.xml
	res/values-ja/strings.xml
	res/values-ko/strings.xml
	res/values-lt/strings.xml
	res/values-lv/strings.xml
	res/values-ms/strings.xml
	res/values-nb/strings.xml
	res/values-nl/strings.xml
	res/values-pl/strings.xml
	res/values-pt-rPT/strings.xml
	res/values-pt/strings.xml
	res/values-rm/strings.xml
	res/values-ro/strings.xml
	res/values-ru/strings.xml
	res/values-sk/strings.xml
	res/values-sl/strings.xml
	res/values-sr/strings.xml
	res/values-sv/strings.xml
	res/values-sw/strings.xml
	res/values-th/strings.xml
	res/values-tl/strings.xml
	res/values-tr/strings.xml
	res/values-uk/strings.xml
	res/values-vi/strings.xml
	res/values-zh-rCN/strings.xml
	res/values-zh-rTW/strings.xml
	res/values-zu/strings.xml
	res/values/strings.xml

packages/apps/CertInstaller

  Tracking KeyStore API changes
	src/com/android/certinstaller/CertInstaller.java

  Fix for NPE in CertInstaller when certificate lacks basic constraints
	src/com/android/certinstaller/CredentialHelper.java

packages/apps/KeyChain

  Tracking KeyStore API changes
	src/com/android/keychain/KeyChainActivity.java
	src/com/android/keychain/KeyChainService.java
	support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
	support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
	tests/src/com/android/keychain/tests/KeyChainServiceTest.java

Change-Id: Ic141fb5d4b43d12fe62cb1e29c7cbd891b4be35d
2011-06-01 14:29:59 -07:00
Brian Carlstrom
ba1a667b1d Remove need for onActivityResult from KeyChain API
Change-Id: I97bb9db06978f6dc039d22bfee116671d7b3e336
2011-05-25 10:27:46 -07:00
Brian Carlstrom
d752472d9a Move to KeyChain.bind
Change-Id: Ic3c6e0e9be9bcfdc882cf97cec38cca70b23d0a1
2011-05-17 16:20:36 -07:00
Brian Carlstrom
8e9929c4d0 Simplify KeyChain API by removing now unneeded CA certificate lookup (1 of 3)
frameworks/base

   Remove getCaCertificates and findIssuer from IKeyChainService,
   these are now done via libcore's TrustedCertificateStore (as part
   of the default TrustManager implementation)

	keystore/java/android/security/IKeyChainService.aidl

   Simplify KeyChain API. Now that the CA certificates are visible
   through the default TrustManager, the KeyChain is solely focused on
   retrieving PrivateKeys and their associated certificates. The
   calling API for KeyChain to simply a single KeyChain.get() call
   that returns a KeyChainResult, removing the need for a KeyChain
   instance that needs to be closed.

	keystore/java/android/security/KeyChain.java
	keystore/java/android/security/KeyChainResult.java

master/libcore

    Remove getDefaultIndexedPKIXParameters and
    getIndexedPKIXParameters which was used as part of the prototype
    of looking up CAs via the KeyChain but is obsoleted by the new
    default TrustManager implementation.

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

packages/apps/KeyChain

    Tracking simplified IKeyChainService, removing now unneeded
    implementation, updating tests.

	src/com/android/keychain/KeyChainService.java
	tests/src/com/android/keychain/tests/KeyChainServiceTest.java
	tests/src/com/android/keychain/tests/KeyChainTestActivity.java

Change-Id: I847b28c2f467c85f24d2b693a2fecc1cb46426b4
2011-05-17 11:33:37 -07:00
Brian Carlstrom
2627d53f65 Make CertInstaller installed CA certs trusted by applications via default TrustManager (1 of 6)
frameworks/base

    Adding IKeyChainService APIs for CertInstaller and Settings use
	keystore/java/android/security/IKeyChainService.aidl

libcore

    Improve exceptions to include more information
	luni/src/main/java/javax/security/auth/x500/X500Principal.java

    Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods.
    Added support for adding user CAs in a separate directory for system.
    Added support for removing system CAs by placing a copy in a system directory
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java

    Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

    Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash
    to make sure the implementing algorithms do not change since
    TrustedCertificateStore depends on X509_NAME_hash_old (OpenSSL
    changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to
    1.0.0)

	luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java

    Extensive test of new TrustedCertificateStore behavior
	luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java

    TestKeyStore improvements
    - Refactored TestKeyStore to provide simpler createCA method (and
      internal createCertificate)
    - Cleaned up to remove use of BouncyCastle specific X509Principal
      in the TestKeyStore API when the public X500Principal would do.
    - Cleaned up TestKeyStore support methods to not throw Exception
      to remove need for static blocks for catch clauses in tests.

	support/src/test/java/libcore/java/security/TestKeyStore.java
	luni/src/test/java/libcore/java/security/KeyStoreTest.java
	luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java

packages/apps/CertInstaller

    Change CertInstaller to call IKeyChainService.installCertificate
    for CA certs to pass them to the KeyChainServiceTest which will
    make them available to all apps through the
    TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask.

	src/com/android/certinstaller/CertInstaller.java

    Added installCaCertsToKeyChain and hasCaCerts accessor for use by
    CertInstaller. Use hasUserCertificate() internally. Cleanup coding
    style.

	src/com/android/certinstaller/CredentialHelper.java

packages/apps/KeyChain

    Added MANAGE_ACCOUNTS so that IKeyChainService.reset
    implementation can remove KeyChain accounts.

	AndroidManifest.xml

    Implement new IKeyChainService methods:
    - Added IKeyChainService.installCaCertificate to install certs
      provided by CertInstaller using the TrustedCertificateStore.
    - Added IKeyChainService.reset to allow Settings to remove the
      KeyChain accounts so that any app granted access to keystore
      credentials are revoked when the keystore is reset.

	src/com/android/keychain/KeyChainService.java

packages/apps/Settings

    Changed com.android.credentials.RESET credential reset action to
    also call IKeyChainService.reset to remove any installed user CAs
    and remove KeyChain accounts to have AccountManager revoke
    credential granted to private keys removed during the RESET.

	src/com/android/settings/CredentialStorage.java

    Added toast text value for failure case

	res/values/strings.xml

system/core

    Have init create world readable /data/misc/keychain to allow apps
    to access user added CA certificates installed by the CertInstaller.

	rootdir/init.rc

Change-Id: I2e4b169cbb35d32d97f5d6a00d988fa389eadcb2
2011-05-14 23:45:16 -07:00
Brian Carlstrom
4a9e1a2494 Expose Credentials.UNLOCK_ACTION for callers that want to use startActivityForResult
Change-Id: I729b2d8257bda3e7ff7858741ebd5415404880e7
2011-04-22 15:45:22 -07:00
Brian Carlstrom
b9a07c18e6 Adding KeyChain API and IKeyChainService
Change-Id: Id3eaa2d1315481f199777b50e875811e3532988a
2011-04-20 13:35:31 -07:00
Brian Carlstrom
46703b0995 Tolerate missing AccountManager resource, not just missing resource name
In addition to the primary change in the subject, also some minor cleanup of javadoc, typos, CloseGuard warning, etc found while working on a new AbstractAccountAuthenticator.

Change-Id: I73f3408773a43a0021a15f8d051fd3dbbdf898a5
2011-04-07 11:58:37 -07:00
Chia-chi Yeh
527f01e76d Update the path of the intent to unlock keystore.
Change-Id: Ia81d0c172f2be6d04cba4db6e6798058f321605d
2011-01-20 20:23:59 +08:00
Elliott Hughes
460c26e987 Use deliberately public API rather than org.apache cruft.
InputStreamHelper is scheduled for deletion. As a bonus, the new code is more
efficient.

Change-Id: Ied8b87fa24f8506cf748b0d4c99ee7e2ae201483
2010-11-11 16:42:09 -08:00
Dianne Hackborn
8bdf5935c0 Work on issue #3101415: Crespo apps seem to have their UID changed over time.
fsync!

Change-Id: Ie6c5397202579935ac69bf61d3e7b3081ecf269c
2010-10-15 14:46:33 -07:00
Hung-ying Tyan
c5e630a004 Use explicit intent for installing credentials.
http://b/issue?id=3020049

Change-Id: I429c5b2c9f3b876e6197894a9437952d71d5c472
2010-10-08 08:21:17 +08:00
Rich Cannings
8d578836dc Remove the use of FileInputStream.available()
Bug: 2976294
Change-Id: I34b13cedbf1d2338163ef74454817c318a3a24f5
2010-09-09 16:28:48 -07:00
Nick Kralevich
34c47c8558 Don't rely on the system locale for converting to/from bytes.
By default, when java converts Strings to bytes, it uses the
default system locale.  This can be specified by the -Dfile.encoding
option.  If no file encoding is specified, java uses ISO8859_1.

Unfortunately, not all unicode characters can be mapped to
ISO8859_1.  Unmappable characters may be replaced by a byte
within ISO8859_1, which may change the meaning of the String.
This is especially problematic for password strings, and has
been used to compromise the security of passwords in the
past.

Thankfully, Android uses UTF-8 by default, so this bug doesn't
affect Android devices.  However, it's recommended to explicitly
list the character set when converting to/from bytes to
avoid the potential ambiguity.

Change-Id: Iec927e27ed3fc103696c439f6bd3e8779a37ade8
2010-03-10 11:25:53 -08:00
Oscar Montemayor
1ff8fee7c8 Better file permissions enforcement on system keystore. 2010-02-22 11:17:38 -08:00
Oscar Montemayor
64ef1ce936 Fix for bug 2427961 android.security.tests.SystemKeyStoreTest:testBasicAccess is failing.
Fixed issues in test.
2010-02-09 15:48:03 -08:00
Chia-chi Yeh
d12feb9766 KeyStore: minor improvements.
Make constants final.
Only converts ArrayLists to arrays when necessary.
2010-02-06 10:43:22 +08:00
Oscar Montemayor
d02546b415 Apps on SD card.
Added support for retrieving and generating keys as Hex Strings.
Using keys to mount encrypted FS.
2010-01-15 15:08:06 -08:00
Oscar Montemayor
b62e8132df Apps on SD card.
Added support for retrieving and generating keys as Hex Strings.
2010-01-15 11:16:31 -08:00
Oscar Montemayor
8da98e30d8 Apps on SD card project.
A simple keystore to store system-only key material, by leveraging file system access permissions.
2010-01-06 16:23:57 -08:00
Chung-yih Wang
f35e9663d7 Add unit test for the new keystore.
Since we need to test the keystore with user system in order to test
the reset(), password(), lock() and unlock(), we have to take advantage
of the ActivityUnitTestCase to run the test with the user 'system'.
2009-09-29 15:20:24 +08:00
Chia-chi Yeh
8c596c6cce KeyStore: remove classes used by old keystore. 2009-09-24 13:32:40 +08:00
Chia-chi Yeh
f1ece5d0c1 KeyStore: return null when response code indicates an error. 2009-09-24 13:29:58 +08:00
Hung-ying Tyan
ec05c46ea9 Remove old keystore and related files. 2009-09-24 13:13:44 +08:00
Chia-chi Yeh
613fcc8506 KeyStore: rename scan() to saw(). 2009-09-22 03:04:46 +08:00
Chia-chi Yeh
4403917262 KeyStore: add java interface. 2009-09-21 15:52:00 +08:00
Chia-chi Yeh
9b7a3f1a64 Add a helper class to send out credentials.
Change-Id: I9a550c6edc55d5c2c601223c011922b183cb4d30
2009-09-18 12:03:04 +08:00
Hung-ying Tyan
5b680802b6 Fix a minor bug in is_alnum_string()...
and remove some verbose logging
2009-09-17 12:17:29 +08:00
Hung-ying Tyan
a7df557aa2 Add tests and misc fixes on keystore.
* Refactor netkeystore.c to make client and server code testable.
* Add a client test for setting new passwd and changing passwd.
* Exclude "." and ".." from reset_keystore().
* Change ServerCommand.executeCommand() to accept variable length of
  arguments and add convert() to marshal the args to bytes.
* Keystore.java is revised accordingly.
2009-09-11 19:30:13 +08:00
Hung-ying Tyan
9249cc69b8 Add two CertTool helper classes.
Also add the unlock action string to Keystore.
2009-09-10 12:51:07 +08:00
Chia-chi Yeh
37062b93dc keystore: remove "#include <openssl/engine.h>". 2009-09-10 03:56:04 +08:00
Chung-yih Wang
801b73f661 Replace the delimiter whitespace with '\0'.
+ Use '\0' as the delimiter.
+ Allow whitespace character for keystore password.

In previous implementation, we use space as the delimiter. That
will stop user from using passphrase with whitespace character.
2009-09-09 15:00:43 +08:00
Chung-yih Wang
60c821c8ee Print error message if the buffer size is too small. 2009-09-02 11:54:24 +08:00
Chung-yih Wang
09960230bf Store CA certificate chain into one single key entry with PEM format.
Extract all CA certificates in a PKCS12 keystore into a single entry in keystore with multiple PEMs.
2009-09-01 16:45:13 +08:00
Android (Google) Code Review
d21a04c06c Merge change 21259 into eclair
* changes:
  Make certificate-handling-related constants public
2009-08-26 20:29:17 -07:00
Jean-Baptiste Queru
969c2eaa3a am c8ab08aa: Merge change 21124 into donut
Merge commit 'c8ab08aa86aea3b693f731c9e817eeb71ab4c1cd' into eclair

* commit 'c8ab08aa86aea3b693f731c9e817eeb71ab4c1cd':
  Add license-related files
2009-08-18 08:44:43 -07:00
Hung-ying Tyan
20a1156c6f Make certificate-handling-related constants public 2009-08-14 18:35:44 +08:00
Jean-Baptiste Queru
979b142fa5 Add license-related files
BUG=1573996
2009-08-13 10:58:11 -07:00