
Commit 4392c697 authored by Janis Danisevskis's avatar Janis Danisevskis

Keystore 2.0 SPI: Install legacy Keystore provider as AndroidKeyStoreLegacy

With this patch we install the old Keystore provider as
AndroidKeyStoreLegacy when the Keystore 2.0 provider is installed as
AndroidKeyStore. This allows system components to keep using the old
keystore while we can run CTS tests against the new provider.

The tests are still mostly failing at this point. Installing the new SPI
can be enabled by setting the property
ro.android.security.keystore2.enable=true

Bug: 159476414
Test: This enables running CTS tests against Keystore 2.0.
Change-Id: I9731d9783ccf8f2705a5ca7335e00c8f4c8debba
parent 6180e85e
+9 −3
@@ -34,7 +34,7 @@ import java.security.Provider;
 *
 * @hide
 */
class AndroidKeyStoreBCWorkaroundProvider extends Provider {
public class AndroidKeyStoreBCWorkaroundProvider extends Provider {

    // IMPLEMENTATION NOTE: Class names are hard-coded in this provider to avoid loading these
    // classes when this provider is instantiated and installed early on during each app's
@@ -50,8 +50,14 @@ class AndroidKeyStoreBCWorkaroundProvider extends Provider {

    private static final String DESEDE_SYSTEM_PROPERTY = "ro.hardware.keystore_desede";

    AndroidKeyStoreBCWorkaroundProvider() {
        super("AndroidKeyStoreBCWorkaround",
    /** @hide */
    public AndroidKeyStoreBCWorkaroundProvider() {
        this("AndroidKeyStoreBCWorkaround");
    }

    /** @hide **/
    public AndroidKeyStoreBCWorkaroundProvider(String providerName) {
        super(providerName,
                1.0,
                "Android KeyStore security provider to work around Bouncy Castle");

+13 −3
@@ -71,14 +71,20 @@ public class AndroidKeyStoreProvider extends Provider {
    private static final String DESEDE_SYSTEM_PROPERTY =
            "ro.hardware.keystore_desede";

    /** @hide **/
    /** @hide */
    public AndroidKeyStoreProvider() {
        super(PROVIDER_NAME, 1.0, "Android KeyStore security provider");
        this(PROVIDER_NAME);
    }

    /** @hide **/
    public AndroidKeyStoreProvider(String providerName) {
        super(providerName, 1.0, "Android KeyStore security provider");

        boolean supports3DES = "true".equals(android.os.SystemProperties.get(DESEDE_SYSTEM_PROPERTY));

        // java.security.KeyStore
        put("KeyStore.AndroidKeyStore", PACKAGE_NAME + ".AndroidKeyStoreSpi");
        put("alg.alias.KeyStore.AndroidKeyStoreLegacy", "AndroidKeyStore");

        // java.security.KeyPairGenerator
        put("KeyPairGenerator.EC", PACKAGE_NAME + ".AndroidKeyStoreKeyPairGeneratorSpi$EC");
@@ -438,8 +444,12 @@ public class AndroidKeyStoreProvider extends Provider {
    @NonNull
    public static java.security.KeyStore getKeyStoreForUid(int uid)
            throws KeyStoreException, NoSuchProviderException {
        String providerName = PROVIDER_NAME;
        if (android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) {
            providerName = "AndroidKeyStoreLegacy";
        }
        java.security.KeyStore result =
                java.security.KeyStore.getInstance("AndroidKeyStore", PROVIDER_NAME);
                java.security.KeyStore.getInstance(providerName);
        try {
            result.load(new AndroidKeyStoreLoadStoreParameter(uid));
        } catch (NoSuchAlgorithmException | CertificateException | IOException e) {
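Review bot: In `getKeyStoreForUid` the new call `java.security.KeyStore.getInstance(providerName)` passes the value as the keystore type and no longer names a provider, so resolution walks every installed provider in priority order instead of being pinned to one provider as the removed two-argument call was. The parameterized constructor in the hunk above still registers `KeyStore.AndroidKeyStore` on the instance named `AndroidKeyStoreLegacy`, so the pin can be kept with `java.security.KeyStore.getInstance("AndroidKeyStore", providerName);`, which also keeps the declared `NoSuchProviderException` meaningful. If the type-only lookup is intended, the local would read more accurately as `keyStoreType`, and a short comment should say that the result depends on provider order. The method body continues past the end of this hunk.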
+26 −0
@@ -110,6 +110,23 @@ public class AndroidKeyStoreProvider extends Provider {
        putSecretKeyFactoryImpl("HmacSHA512");
    }

    private static boolean sInstalled = false;

    /**
     * This function indicates whether or not this provider was installed. This is manly used
     * as indicator for
     * {@link android.security.keystore.AndroidKeyStoreProvider#getKeyStoreForUid(int)}
     * to whether or not to retrieve the Keystore provider by "AndroidKeyStoreLegacy".
     * This function can be removed once the transition to Keystore 2.0 is complete.
     * b/171305684
     *
     * @return true if this provider was installed.
     * @hide
     */
    public static boolean isInstalled() {
        return sInstalled;
    }

    /**
     * Installs a new instance of this provider (and the
     * {@link AndroidKeyStoreBCWorkaroundProvider}).
@@ -125,17 +142,26 @@ public class AndroidKeyStoreProvider extends Provider {
                break;
            }
        }
        sInstalled = true;

        Security.addProvider(new AndroidKeyStoreProvider());
        Security.addProvider(
                new android.security.keystore.AndroidKeyStoreProvider(
                        "AndroidKeyStoreLegacy"));
        Provider workaroundProvider = new AndroidKeyStoreBCWorkaroundProvider();
        Provider legacyWorkaroundProvider =
                new android.security.keystore.AndroidKeyStoreBCWorkaroundProvider(
                        "AndroidKeyStoreBCWorkaroundLegacy");
        if (bcProviderIndex != -1) {
            // Bouncy Castle provider found -- install the workaround provider above it.
            // insertProviderAt uses 1-based positions.
            Security.insertProviderAt(legacyWorkaroundProvider, bcProviderIndex + 1);
            Security.insertProviderAt(workaroundProvider, bcProviderIndex + 1);
        } else {
            // Bouncy Castle provider not found -- install the workaround provider at lowest
            // priority.
            Security.addProvider(workaroundProvider);
            Security.addProvider(legacyWorkaroundProvider);
        }
    }
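Review bot: `sInstalled` is a plain static field that `install()` sets to true before either provider has been added, and it is read through `isInstalled()` by `getKeyStoreForUid` in the legacy package. A caller on another thread could see a stale `false` and look up the type `AndroidKeyStore`, or see `true` before `AndroidKeyStoreLegacy` is registered and fail the lookup; whether `install()` can actually race with such callers is not visible from this page. Declaring the field as `private static volatile boolean sInstalled = false;` and moving `sInstalled = true;` to the end of `install()`, after the last `addProvider`/`insertProviderAt` call, would close both gaps. The Javadoc on `isInstalled()` also has a typo, `manly` for `mainly`. `install()` begins outside the hunk.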