Loading keystore/java/android/security/KeyStore2.java +45 −0 Original line number Diff line number Diff line Loading @@ -24,6 +24,7 @@ import android.os.RemoteException; import android.os.ServiceManager; import android.os.ServiceSpecificException; import android.security.keymaster.KeymasterDefs; import android.system.keystore2.Domain; import android.system.keystore2.IKeystoreService; import android.system.keystore2.KeyDescriptor; import android.system.keystore2.KeyEntryResponse; Loading Loading @@ -156,6 +157,50 @@ public class KeyStore2 { return handleRemoteExceptionWithRetry((service) -> service.listEntries(domain, namespace)); } /** * Grant string prefix as used by the keystore boringssl engine. Must be kept in sync * with system/security/keystore-engine. Note: The prefix here includes the 0x which * std::stringstream used in keystore-engine needs to identify the number as hex represented. * Here we include it in the prefix, because Long#parseUnsignedLong does not understand it * and gets the radix as explicit argument. * @hide */ private static final String KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX = "ks2_keystore-engine_grant_id:0x"; /** * This function turns a grant identifier into a specific string that is understood by the * keystore-engine in system/security/keystore-engine. Is only used by VPN and WI-FI components * to allow certain system components like racoon or vendor components like WPA supplicant * to use keystore keys with boring ssl. * * @param grantId the grant id as returned by {@link #grant} in the {@code nspace} filed of * the resulting {@code KeyDescriptor}. * @return The grant descriptor string. * @hide */ public static String makeKeystoreEngineGrantString(long grantId) { return String.format("%s%016X", KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX, grantId); } /** * Convenience function to turn a keystore engine grant string as returned by * {@link #makeKeystoreEngineGrantString(long)} back into a grant KeyDescriptor. * * @param grantString As string returned by {@link #makeKeystoreEngineGrantString(long)} * @return The grant key descriptor. * @hide */ public static KeyDescriptor keystoreEngineGrantString2KeyDescriptor(String grantString) { KeyDescriptor key = new KeyDescriptor(); key.domain = Domain.GRANT; key.nspace = Long.parseUnsignedLong( grantString.substring(KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX.length()), 16); key.alias = null; key.blob = null; return key; } /** * Create a grant that allows the grantee identified by {@code granteeUid} to use * the key specified by {@code descriptor} withint the restrictions given by Loading Loading
keystore/java/android/security/KeyStore2.java +45 −0 Original line number Diff line number Diff line Loading @@ -24,6 +24,7 @@ import android.os.RemoteException; import android.os.ServiceManager; import android.os.ServiceSpecificException; import android.security.keymaster.KeymasterDefs; import android.system.keystore2.Domain; import android.system.keystore2.IKeystoreService; import android.system.keystore2.KeyDescriptor; import android.system.keystore2.KeyEntryResponse; Loading Loading @@ -156,6 +157,50 @@ public class KeyStore2 { return handleRemoteExceptionWithRetry((service) -> service.listEntries(domain, namespace)); } /** * Grant string prefix as used by the keystore boringssl engine. Must be kept in sync * with system/security/keystore-engine. Note: The prefix here includes the 0x which * std::stringstream used in keystore-engine needs to identify the number as hex represented. * Here we include it in the prefix, because Long#parseUnsignedLong does not understand it * and gets the radix as explicit argument. * @hide */ private static final String KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX = "ks2_keystore-engine_grant_id:0x"; /** * This function turns a grant identifier into a specific string that is understood by the * keystore-engine in system/security/keystore-engine. Is only used by VPN and WI-FI components * to allow certain system components like racoon or vendor components like WPA supplicant * to use keystore keys with boring ssl. * * @param grantId the grant id as returned by {@link #grant} in the {@code nspace} filed of * the resulting {@code KeyDescriptor}. * @return The grant descriptor string. * @hide */ public static String makeKeystoreEngineGrantString(long grantId) { return String.format("%s%016X", KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX, grantId); } /** * Convenience function to turn a keystore engine grant string as returned by * {@link #makeKeystoreEngineGrantString(long)} back into a grant KeyDescriptor. * * @param grantString As string returned by {@link #makeKeystoreEngineGrantString(long)} * @return The grant key descriptor. * @hide */ public static KeyDescriptor keystoreEngineGrantString2KeyDescriptor(String grantString) { KeyDescriptor key = new KeyDescriptor(); key.domain = Domain.GRANT; key.nspace = Long.parseUnsignedLong( grantString.substring(KEYSTORE_ENGINE_GRANT_ALIAS_PREFIX.length()), 16); key.alias = null; key.blob = null; return key; } /** * Create a grant that allows the grantee identified by {@code granteeUid} to use * the key specified by {@code descriptor} withint the restrictions given by Loading