From ce10b5edf0ba19b2bf74423c45d6640ab345ced4 Mon Sep 17 00:00:00 2001
From: Chad Brubaker
Date: Thu, 21 May 2015 15:57:24 -0700
Subject: [PATCH] Clear only keystore credential entires

Instead of reseting the whole user only clear the uids that are used for credential storage. These are limited to only WIFI, VPN, ROOT and System. This prevents applications that use keystore for crypto keys from losing their keys when the user clears credentials. Previously when reset was called the next time the user unlocked the keystore it would be reinitialized with the user's password however this behavior was removed from keystore causing a loop of unlock prompts from CredentialStorage when trying to install a new certificate after clearing the storage. Additionally this makes clear credentials clear any managed profiles as well, previously it only cleared the current user.

Bug:21373935
Change-Id: Id86ec0bc66a4f6c0d5e649bead007007e2fc8268
---
 src/com/android/settings/CredentialStorage.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java
index 5415ccf1345..90efd58967f 100644
--- a/src/com/android/settings/CredentialStorage.java
+++ b/src/com/android/settings/CredentialStorage.java
@@ -104,6 +104,12 @@ public final class CredentialStorage extends Activity {
 
     private final KeyStore mKeyStore = KeyStore.getInstance();
 
+    /**
+     * The UIDs that are used for system credential storage in keystore.
+     */
+    private static final int[] SYSTEM_CREDENTIAL_UIDS = {Process.WIFI_UID, Process.VPN_UID,
+            Process.ROOT_UID, Process.SYSTEM_UID};
+
     /**
      * When non-null, the bundle containing credentials to install.
      */
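Review bot: The Javadoc on `SYSTEM_CREDENTIAL_UIDS` states what the UIDs are used for but not why the list is deliberately narrow, which is the property the rest of the commit relies on: clearing only these UIDs instead of calling `mKeyStore.reset()` is what keeps application-owned keystore entries intact, and a later edit that appends a UID or reverts to a reset would silently change that. I would expand the comment to something like: `UIDs whose keystore entries "clear credentials" removes. Deliberately limited to the system credential owners (Wi-Fi, VPN, root, system) so that keys other apps keep in keystore under their own UIDs survive; the per-user UID is derived from these with UserHandle.getUid at clearing time.` Whether ROOT_UID actually receives credentials installed through this activity is not evident from the hunk; if it does, a word on why it is included would spare the next reader from questioning it.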
@@ -333,7 +339,14 @@ public final class CredentialStorage extends Activity {
 
         @Override
         protected Boolean doInBackground(Void... unused) {
-            mKeyStore.reset();
+            // Clear all the users credentials could have been installed in for this user.
+            final UserManager um = (UserManager) getSystemService(USER_SERVICE);
+            for (UserInfo pi : um.getProfiles(UserHandle.getUserId(Process.myUid()))) {
+                for (int uid : SYSTEM_CREDENTIAL_UIDS) {
+                    mKeyStore.clearUid(UserHandle.getUid(pi.id, uid));
+                }
+            }
+
             try {
                 KeyChainConnection keyChainConnection = KeyChain.bind(CredentialStorage.this);