From 455a911df39ac0c55f80c191a1a8c11c4aa08268 Mon Sep 17 00:00:00 2001
From: Kenny Root
Date: Wed, 21 Mar 2012 14:59:32 -0700
Subject: [PATCH] Switch VPN to use keystore ENGINE

The VPN client will no longer receive the private key material directly from the caller. Instead it will use the keystore OpenSSL ENGINE to request that keystore does private key operations on its behalf. We only pass the keystore key alias to the private key instead of the private key itself now.

Change-Id: I4ea2abda5ab7dec7d7ef5f451b96fef5bc92d811
---
 src/com/android/settings/vpn2/VpnSettings.java | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/com/android/settings/vpn2/VpnSettings.java b/src/com/android/settings/vpn2/VpnSettings.java
index 975f8071098..5db434ca286 100644
--- a/src/com/android/settings/vpn2/VpnSettings.java
+++ b/src/com/android/settings/vpn2/VpnSettings.java
@@ -360,9 +360,12 @@ public class VpnSettings extends SettingsPreferenceFragment implements
 String caCert = "";
 String serverCert = "";
 if (!profile.ipsecUserCert.isEmpty()) {
- byte[] value = mKeyStore.get(Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert);
- privateKey = (value == null) ? null : new String(value, Charsets.UTF_8);
- value = mKeyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecUserCert);
+ /*
+ * VPN has a special exception in keystore to allow it to use system
+ * UID certs.
+ */
+ privateKey = Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert;
+ byte[] value = mKeyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecUserCert);
 userCert = (value == null) ? null : new String(value, Charsets.UTF_8);
 }
 if (!profile.ipsecCaCert.isEmpty()) {
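Review bot: The new `privateKey = Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert;` is never null, so a missing or deleted key entry is no longer noticed here, while `userCert` on the following line still becomes null when its entry is absent. If code after this hunk relies on a null check to reject incomplete credentials (not visible here), the failure would move to the VPN daemon's ENGINE lookup, where it is harder to report to the user. The fail-early behaviour can be kept without reading the key material, e.g. `String alias = Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert;` followed by `privateKey = mKeyStore.contains(alias) ? alias : null;`. The block comment could also state that `privateKey` now carries the keystore alias rather than the key bytes, since the variable name suggests otherwise. The enclosing method starts and ends outside the hunk.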