diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java index 5ab543f65d9..0485a0f7730 100644 --- a/src/com/android/settings/CredentialStorage.java +++ b/src/com/android/settings/CredentialStorage.java @@ -55,40 +55,7 @@ import sun.security.util.ObjectIdentifier; import sun.security.x509.AlgorithmId; /** - * CredentialStorage handles KeyStore reset, unlock, and install. - * - * CredentialStorage has a pretty convoluted state machine to migrate - * from the old style separate keystore password to a new key guard - * based password, as well as to deal with setting up the key guard if - * necessary. - * - * KeyStore: UNINITALIZED - * KeyGuard: OFF - * Action: set up key guard - * Notes: factory state - * - * KeyStore: UNINITALIZED - * KeyGuard: ON - * Action: confirm key guard - * Notes: user had key guard but no keystore and upgraded from pre-ICS - * OR user had key guard and pre-ICS keystore password which was then reset - * - * KeyStore: LOCKED - * KeyGuard: OFF/ON - * Action: confirm key guard - * Notes: request normal unlock to unlock the keystore. - * if unlock, ensure key guard before install. - * if reset, treat as UNINITALIZED/OFF - * - * KeyStore: UNLOCKED - * KeyGuard: OFF - * Action: set up key guard - * Notes: ensure key guard, then proceed - * - * KeyStore: UNLOCKED - * keyguard: ON - * Action: normal unlock/install - * Notes: this is the common case + * CredentialStorage handles resetting and installing keys into KeyStore. */ public final class CredentialStorage extends FragmentActivity { @@ -102,8 +69,7 @@ public final class CredentialStorage extends FragmentActivity { // lower than this, keystore should not be activated. public static final int MIN_PASSWORD_QUALITY = DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; - private static final int CONFIRM_KEY_GUARD_REQUEST = 1; - private static final int CONFIRM_CLEAR_SYSTEM_CREDENTIAL_REQUEST = 2; + private static final int CONFIRM_CLEAR_SYSTEM_CREDENTIAL_REQUEST = 1; private final KeyStore mKeyStore = KeyStore.getInstance(); private LockPatternUtils mUtils; @@ -133,75 +99,26 @@ public final class CredentialStorage extends FragmentActivity { if (ACTION_INSTALL.equals(action) && checkCallerIsCertInstallerOrSelfInProfile()) { mInstallBundle = intent.getExtras(); } - // ACTION_UNLOCK also handled here in addition to ACTION_INSTALL - handleUnlockOrInstall(); + handleInstall(); } } else { - // Users can set a screen lock if there is none even if they can't modify the - // credentials store. - if (ACTION_UNLOCK.equals(action) && mKeyStore.state() == KeyStore.State.UNINITIALIZED) { - ensureKeyGuard(); - } else { - finish(); - } + finish(); } } /** - * Based on the current state of the KeyStore and key guard, try to - * make progress on unlocking or installing to the keystore. + * Install credentials from mInstallBundle into Keystore. */ - private void handleUnlockOrInstall() { + private void handleInstall() { // something already decided we are done, do not proceed if (isFinishing()) { return; } - switch (mKeyStore.state()) { - case UNINITIALIZED: { - ensureKeyGuard(); - return; - } - case LOCKED: { - // Force key guard confirmation - confirmKeyGuard(CONFIRM_KEY_GUARD_REQUEST); - return; - } - case UNLOCKED: { - if (!mUtils.isSecure(UserHandle.myUserId())) { - final ConfigureKeyGuardDialog dialog = new ConfigureKeyGuardDialog(); - dialog.show(getSupportFragmentManager(), ConfigureKeyGuardDialog.TAG); - return; - } - if (installIfAvailable()) { - finish(); - } - return; - } + if (installIfAvailable()) { + finish(); } } - /** - * Make sure the user enters the key guard to set or change the - * keystore password. This can be used in UNINITIALIZED to set the - * keystore password or UNLOCKED to change the password (as is the - * case after unlocking with an old-style password). - */ - private void ensureKeyGuard() { - if (!mUtils.isSecure(UserHandle.myUserId())) { - // key guard not setup, doing so will initialize keystore - final ConfigureKeyGuardDialog dialog = new ConfigureKeyGuardDialog(); - dialog.show(getSupportFragmentManager(), ConfigureKeyGuardDialog.TAG); - // will return to onResume after Activity - return; - } - // force key guard confirmation - if (confirmKeyGuard(CONFIRM_KEY_GUARD_REQUEST)) { - // will return password value via onActivityResult - return; - } - finish(); - } - private boolean isHardwareBackedKey(byte[] keyData) { try { final ASN1InputStream bIn = new ASN1InputStream(new ByteArrayInputStream(keyData)); @@ -254,15 +171,7 @@ public final class CredentialStorage extends FragmentActivity { final String key = bundle.getString(Credentials.EXTRA_USER_PRIVATE_KEY_NAME); final byte[] value = bundle.getByteArray(Credentials.EXTRA_USER_PRIVATE_KEY_DATA); - int flags = KeyStore.FLAG_ENCRYPTED; - if (uid == Process.WIFI_UID && isHardwareBackedKey(value)) { - // Hardware backed keystore is secure enough to allow for WIFI stack - // to enable access to secure networks without user intervention - Log.d(TAG, "Saving private key with FLAG_NONE for WIFI_UID"); - flags = KeyStore.FLAG_NONE; - } - - if (!mKeyStore.importKey(key, value, uid, flags)) { + if (!mKeyStore.importKey(key, value, uid, KeyStore.FLAG_NONE)) { Log.e(TAG, "Failed to install " + key + " as uid " + uid); return true; } @@ -475,20 +384,7 @@ public final class CredentialStorage extends FragmentActivity { @Override public void onActivityResult(int requestCode, int resultCode, Intent data) { super.onActivityResult(requestCode, resultCode, data); - // Receive key guard password initiated by confirmKeyGuard. - if (requestCode == CONFIRM_KEY_GUARD_REQUEST) { - if (resultCode == Activity.RESULT_OK) { - final String password = data.getStringExtra(ChooseLockSettingsHelper.EXTRA_KEY_PASSWORD); - if (!TextUtils.isEmpty(password)) { - // success - mKeyStore.unlock(password); - // return to onResume - return; - } - } - // failed confirmation, bail - finish(); - } else if (requestCode == CONFIRM_CLEAR_SYSTEM_CREDENTIAL_REQUEST) { + if (requestCode == CONFIRM_CLEAR_SYSTEM_CREDENTIAL_REQUEST) { if (resultCode == Activity.RESULT_OK) { new ResetKeyStoreAndKeyChain().execute(); return;