
Commit 4bbfeb48 authored by Alex Klyubin

Reliably delete keys if key generation fails.

Bug: 18088752
Change-Id: Iea68f3f96fc872d5628f163a1314ebd080c9d39e
parent cb9400aa
+26 −12
@@ -296,8 +296,15 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
        int flags = 0;
        String keyAliasInKeystore = Credentials.USER_SECRET_KEY + spec.getKeystoreAlias();
        KeyCharacteristics resultingKeyCharacteristics = new KeyCharacteristics();
        boolean success = false;
        try {
            Credentials.deleteAllTypesForAlias(mKeyStore, spec.getKeystoreAlias());
            int errorCode = mKeyStore.generateKey(
                keyAliasInKeystore, args, additionalEntropy, flags, resultingKeyCharacteristics);
                    keyAliasInKeystore,
                    args,
                    additionalEntropy,
                    flags,
                    resultingKeyCharacteristics);
            if (errorCode != KeyStore.NO_ERROR) {
                throw new ProviderException(
                        "Keystore operation failed", KeyStore.getKeyStoreException(errorCode));
@@ -309,6 +316,13 @@ public abstract class AndroidKeyStoreKeyGeneratorSpi extends KeyGeneratorSpi {
            } catch (IllegalArgumentException e) {
                throw new ProviderException("Failed to obtain JCA secret key algorithm name", e);
            }
        return new AndroidKeyStoreSecretKey(keyAliasInKeystore, keyAlgorithmJCA);
            SecretKey result = new AndroidKeyStoreSecretKey(keyAliasInKeystore, keyAlgorithmJCA);
            success = true;
            return result;
        } finally {
            if (!success) {
                Credentials.deleteAllTypesForAlias(mKeyStore, spec.getKeystoreAlias());
            }
        }
    }
}
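Review bot: The cleanup in the new `finally` block is best-effort only: nothing checks whether `Credentials.deleteAllTypesForAlias(mKeyStore, spec.getKeystoreAlias())` actually removed the entry, and if that call itself throws, the exception raised in `finally` replaces the original `ProviderException`. A key whose generation failed can therefore remain under the alias with no record of it, which is the case the commit title sets out to close. If the helper reports failure through its return value (its signature is not visible on this page), capture it with `boolean deleted = Credentials.deleteAllTypesForAlias(mKeyStore, spec.getKeystoreAlias());` and log when it is false, and guard the cleanup so the original cause is the one that propagates. The `finally` block added to `generateKeyPair()` in the second file has the same gap. The enclosing method starts outside the hunk.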
+47 −45
@@ -121,7 +121,6 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
    public KeyPair generateKeyPair() {
        if (mKeyStore == null || mSpec == null) {
            throw new IllegalStateException("Not initialized");

        }

        final int flags = (mEncryptionAtRestRequired) ? KeyStore.FLAG_ENCRYPTED : 0;
@@ -134,19 +133,18 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato

        final String alias = mSpec.getKeystoreAlias();

        Credentials.deleteAllTypesForAlias(mKeyStore, alias);

        byte[][] args = getArgsForKeyType(mKeyType, mSpec.getAlgorithmParameterSpec());

        final String privateKeyAlias = Credentials.USER_PRIVATE_KEY + alias;

        boolean success = false;
        try {
            Credentials.deleteAllTypesForAlias(mKeyStore, alias);
            if (!mKeyStore.generate(privateKeyAlias, KeyStore.UID_SELF, mKeyType, mKeySize,
                    flags, args)) {
                throw new IllegalStateException("could not generate key in keystore");
            }

        Credentials.deleteSecretKeyTypeForAlias(mKeyStore, alias);

            final PrivateKey privKey;
            final OpenSSLEngine engine = OpenSSLEngine.getInstance("keystore");
            try {
@@ -171,7 +169,6 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
            try {
                cert = generateCertificate(privKey, pubKey);
            } catch (Exception e) {
            Credentials.deleteAllTypesForAlias(mKeyStore, alias);
                throw new IllegalStateException("Can't generate certificate", e);
            }

@@ -179,17 +176,22 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato
            try {
                certBytes = cert.getEncoded();
            } catch (CertificateEncodingException e) {
            Credentials.deleteAllTypesForAlias(mKeyStore, alias);
                throw new IllegalStateException("Can't get encoding of certificate", e);
            }

            if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, certBytes, KeyStore.UID_SELF,
                    flags)) {
            Credentials.deleteAllTypesForAlias(mKeyStore, alias);
                throw new IllegalStateException("Can't store certificate in AndroidKeyStore");
            }

        return new KeyPair(pubKey, privKey);
            KeyPair result = new KeyPair(pubKey, privKey);
            success = true;
            return result;
        } finally {
            if (!success) {
                Credentials.deleteAllTypesForAlias(mKeyStore, alias);
            }
        }
    }

    @SuppressWarnings("deprecation")
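Review bot: `generateKeyPair()` carries no comment saying that it is destructive for the alias: `Credentials.deleteAllTypesForAlias(mKeyStore, alias)` is the first statement of the `try`, ahead of `mKeyStore.generate(...)`, so a failed generation leaves the caller with neither the previous entry nor a new one. That is worth recording above the `try`, for example `// Any existing entry under this alias is removed up front and is not restored if generation fails.` The same applies to the `try` added in the key generator in the first file. The lines between the hunks are not shown, so this assumes nothing in them restores the old entry.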