Merge "Convert to new KeyStore format"

4 files changed, 33 insertions, 19 deletions

diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java
index 1ab3ad3..8d26643 100644
--- a/src/com/android/keychain/KeyChainService.java
+++ b/src/com/android/keychain/KeyChainService.java
@@ -25,7 +25,9 @@ import android.database.Cursor;
 import android.database.DatabaseUtils;
 import android.database.sqlite.SQLiteDatabase;
 import android.database.sqlite.SQLiteOpenHelper;
+import android.os.Binder;
 import android.os.IBinder;
+import android.os.Process;
 import android.security.Credentials;
 import android.security.IKeyChainService;
 import android.security.KeyChain;
@@ -82,15 +84,30 @@ public class KeyChainService extends IntentService {
         private final TrustedCertificateStore mTrustedCertificateStore
                 = new TrustedCertificateStore();
 
-        @Override public byte[] getPrivateKey(String alias) {
-            return getKeyStoreEntry(Credentials.USER_PRIVATE_KEY, alias);
+        @Override
+        public String requestPrivateKey(String alias) {
+            checkArgs(alias);
+
+            final String keystoreAlias = Credentials.USER_PRIVATE_KEY + alias;
+            final int uid = Binder.getCallingUid();
+            if (!mKeyStore.grant(keystoreAlias, uid)) {
+                return null;
+            }
+
+            final StringBuilder sb = new StringBuilder();
+            sb.append(Process.SYSTEM_UID);
+            sb.append('_');
+            sb.append(keystoreAlias);
+
+            return sb.toString();
         }
 
         @Override public byte[] getCertificate(String alias) {
-            return getKeyStoreEntry(Credentials.USER_CERTIFICATE, alias);
+            checkArgs(alias);
+            return mKeyStore.get(Credentials.USER_CERTIFICATE + alias);
         }
 
-        private byte[] getKeyStoreEntry(String type, String alias) {
+        private void checkArgs(String alias) {
             if (alias == null) {
                 throw new NullPointerException("alias == null");
             }
@@ -102,12 +119,6 @@ public class KeyChainService extends IntentService {
                 throw new IllegalStateException("uid " + callingUid
                         + " doesn't have permission to access the requested alias");
             }
-            String key = type + alias;
-            byte[] bytes =  mKeyStore.get(key);
-            if (bytes == null) {
-                return null;
-            }
-            return bytes;
         }
 
         private boolean isKeyStoreUnlocked() {
diff --git a/support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl b/support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
index ba85b68..0921f2e 100644
--- a/support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
+++ b/support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
@@ -33,6 +33,7 @@ interface IKeyChainServiceTestSupport {
     boolean keystoreReset();
     boolean keystorePassword(String password);
     boolean keystorePut(String key, in byte[] value);
+    boolean keystoreImportKey(String key, in byte[] value);
     void revokeAppPermission(int uid, String alias);
     void grantAppPermission(int uid, String alias);
 }
diff --git a/support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java b/support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
index 9216d67..843c18c 100644
--- a/support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
+++ b/support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
@@ -43,6 +43,10 @@ public class KeyChainServiceTestSupport extends Service {
             Log.d(TAG, "keystorePut");
             return mKeyStore.put(key, value);
         }
+        @Override public boolean keystoreImportKey(String key, byte[] value) {
+            Log.d(TAG, "keystoreImport");
+            return mKeyStore.importKey(key, value);
+        }
 
         @Override public void revokeAppPermission(final int uid, final String alias)
                 throws RemoteException {
diff --git a/tests/src/com/android/keychain/tests/KeyChainServiceTest.java b/tests/src/com/android/keychain/tests/KeyChainServiceTest.java
index 1da100c..e8236aa 100644
--- a/tests/src/com/android/keychain/tests/KeyChainServiceTest.java
+++ b/tests/src/com/android/keychain/tests/KeyChainServiceTest.java
@@ -172,16 +172,16 @@ public class KeyChainServiceTest extends Service {
             Certificate intermediate2 = pke2.getCertificateChain()[1];
             Certificate root2 = TestKeyStore.getServer().getRootCertificate("RSA");
 
-            assertTrue(mSupport.keystorePut(alias1Pkey,
-                                            Credentials.convertToPem(pke1.getPrivateKey())));
+            assertTrue(mSupport.keystoreImportKey(alias1Pkey,
+                                           pke1.getPrivateKey().getEncoded()));
             assertTrue(mSupport.keystorePut(alias1Cert,
                                             Credentials.convertToPem(pke1.getCertificate())));
             assertTrue(mSupport.keystorePut(alias1ICert,
                                             Credentials.convertToPem(intermediate1)));
             assertTrue(mSupport.keystorePut(alias1RCert,
                                             Credentials.convertToPem(root1)));
-            assertTrue(mSupport.keystorePut(alias2Pkey,
-                                            Credentials.convertToPem(pke2.getPrivateKey())));
+            assertTrue(mSupport.keystoreImportKey(alias2Pkey,
+                                            pke2.getPrivateKey().getEncoded()));
             assertTrue(mSupport.keystorePut(alias2Cert,
                                             Credentials.convertToPem(pke2.getCertificate())));
             assertTrue(mSupport.keystorePut(alias2ICert,
@@ -204,10 +204,8 @@ public class KeyChainServiceTest extends Service {
             mSupport.grantAppPermission(getApplicationInfo().uid, alias1);
             // don't grant alias2, so it can be done manually with KeyChainTestActivity
             Log.d(TAG, "test_KeyChainService positive testing");
-            byte[] privateKey = mService.getPrivateKey(alias1);
-            assertNotNull(privateKey);
-            assertEquals(Arrays.toString(Credentials.convertToPem(pke1.getPrivateKey())),
-                         Arrays.toString(privateKey));
+            assertNotNull("Requesting private key should succeed",
+                    mService.requestPrivateKey(alias1));
 
             byte[] certificate = mService.getCertificate(alias1);
             assertNotNull(certificate);
@@ -217,7 +215,7 @@ public class KeyChainServiceTest extends Service {
             Log.d(TAG, "test_KeyChainService negative testing");
             mSupport.revokeAppPermission(getApplicationInfo().uid, alias2);
             try {
-                mService.getPrivateKey(alias2);
+                mService.requestPrivateKey(alias2);
                 fail();
             } catch (IllegalStateException expected) {
             }