Keystore 2.0: Update Wifi settings to use mostly public keystore API.

Test: N/A Bug: 171305607 Bug: 171305388 Merged-In: Ib794c5f2d904c2b187d7d5fd00b81afc852d0052 Change-Id: Ib794c5f2d904c2b187d7d5fd00b81afc852d0052
2021-01-25 14:56:47 -08:00
parent 6b94f5ac81
commit e92bcb3287
5 changed files with 167 additions and 89 deletions
--- a/src/com/android/settings/utils/AndroidKeystoreAliasLoader.java
+++ b/src/com/android/settings/utils/AndroidKeystoreAliasLoader.java
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.utils;
+
+import android.os.Process;
+import android.security.keystore.AndroidKeyStoreProvider;
+import android.security.keystore.KeyProperties;
+import android.security.keystore2.AndroidKeyStoreLoadStoreParameter;
+import android.util.Log;
+
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Enumeration;
+
+/**
+ * This class provides a portable and unified way to load the content of AndroidKeyStore through
+ * public API.
+ * @hide
+ */
+public class AndroidKeystoreAliasLoader {
+    private static final String TAG = "SettingsKeystoreUtils";
+
+    private final Collection<String> mKeyCertAliases;
+    private final Collection<String> mCaCertAliases;
+    /**
+     * This Constructor loads all aliases of asymmetric key pairs and certificates in the
+     * AndroidKeyStore within the given namespace.
+     * Viable namespaces are {@link KeyProperties#NAMESPACE_WIFI},
+     * {@link KeyProperties#NAMESPACE_APPLICATION}, or null. The latter two are equivalent in
+     * that they will load the keystore content of the app's own namespace. In case of settings,
+     * this is the namespace of the AID_SYSTEM.
+     *
+     * @param namespace {@link KeyProperties#NAMESPACE_WIFI},
+     *                  {@link KeyProperties#NAMESPACE_APPLICATION}, or null
+     * @hide
+     */
+    public AndroidKeystoreAliasLoader(Integer namespace) {
+        mKeyCertAliases = new ArrayList<>();
+        mCaCertAliases = new ArrayList<>();
+        KeyStore keyStore = null;
+        final Enumeration<String> aliases;
+        try {
+            if (namespace != null && namespace != KeyProperties.NAMESPACE_APPLICATION) {
+                if (AndroidKeyStoreProvider.isKeystore2Enabled()) {
+                    keyStore = KeyStore.getInstance("AndroidKeyStore");
+                    keyStore.load(new AndroidKeyStoreLoadStoreParameter(namespace));
+                } else {
+                    // In the legacy case we pass in the WIFI UID because that is the only
+                    // possible special namespace that existed as of this writing,
+                    // and new namespaces must only be added using the new mechanism.
+                    keyStore = AndroidKeyStoreProvider.getKeyStoreForUid(Process.WIFI_UID);
+                }
+            } else {
+                keyStore = KeyStore.getInstance("AndroidKeyStore");
+                keyStore.load(null);
+            }
+            aliases = keyStore.aliases();
+        } catch (Exception e) {
+            Log.e(TAG, "Failed to open Android Keystore.", e);
+            // Will return empty lists.
+            return;
+        }
+
+        while (aliases.hasMoreElements()) {
+            final String alias = aliases.nextElement();
+            try {
+                final Key key = keyStore.getKey(alias, null);
+                if (key != null) {
+                    if (key instanceof PrivateKey) {
+                        mKeyCertAliases.add(alias);
+                    }
+                } else {
+                    if (keyStore.getCertificate(alias) != null) {
+                        mCaCertAliases.add(alias);
+                    }
+                }
+            } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
+                Log.e(TAG, "Failed to load alias: "
+                        + alias + " from Android Keystore. Ignoring.", e);
+            }
+        }
+    }
+
+    /**
+     * Returns the aliases of the key pairs and certificates stored in the Android KeyStore at the
+     * time the constructor was called.
+     * @return Collection of keystore aliases.
+     * @hide
+     */
+    public Collection<String> getKeyCertAliases() {
+        return mKeyCertAliases;
+    }
+
+    /**
+     * Returns the aliases of the trusted certificates stored in the Android KeyStore at the
+     * time the constructor was called.
+     * @return Collection of keystore aliases.
+     * @hide
+     */
+    public Collection<String> getCaCertAliases() {
+        return mCaCertAliases;
+    }
+}