keystore: Expose @SystemApi's to wifi mainline module

Two @SystemApi's being added to allow wifi mainline module to access formal API's: a) KeyGenParameterSpec.Builder.setUid() to allow wifi to create/store keys with WIFI_UID. b) AndroidKeyStoreProvider.getKeyStoreForUid() to allow wifi to get/put any keys stored with WIFI_UID. Both of these API's are already permission protected in the lower layers. There is a map of euid's stored in the native keystore which limits which uid is allowed to access which other uid's data. Bug: 142089671 Test: make system-api-stubs-docs-update-current-api Change-Id: I39b92d2293bcdc26bb0a4a48a1d1e4cc0b20ad0b
2019-11-05 16:33:33 -08:00
parent 6f08e137e5
commit 780d117268
3 changed files with 26 additions and 1 deletions
--- a/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreProvider.java
@@ -17,6 +17,7 @@
 package android.security.keystore;

 import android.annotation.NonNull;
+import android.annotation.SystemApi;
 import android.annotation.UnsupportedAppUsage;
 import android.security.KeyStore;
 import android.security.keymaster.ExportResult;
@@ -52,8 +53,9 @@ import javax.crypto.Mac;
 *
 * @hide
 */
+@SystemApi
 public class AndroidKeyStoreProvider extends Provider {
-    public static final String PROVIDER_NAME = "AndroidKeyStore";
+    private static final String PROVIDER_NAME = "AndroidKeyStore";

    // IMPLEMENTATION NOTE: Class names are hard-coded in this provider to avoid loading these
    // classes when this provider is instantiated and installed early on during each app's
@@ -68,6 +70,7 @@ public class AndroidKeyStoreProvider extends Provider {
    private static final String DESEDE_SYSTEM_PROPERTY =
            "ro.hardware.keystore_desede";

+    /** @hide **/
    public AndroidKeyStoreProvider() {
        super(PROVIDER_NAME, 1.0, "Android KeyStore security provider");

@@ -111,6 +114,7 @@ public class AndroidKeyStoreProvider extends Provider {
    /**
     * Installs a new instance of this provider (and the
     * {@link AndroidKeyStoreBCWorkaroundProvider}).
+     * @hide
     */
    public static void install() {
        Provider[] providers = Security.getProviders();
@@ -156,6 +160,7 @@ public class AndroidKeyStoreProvider extends Provider {
     * @throws IllegalArgumentException if the provided primitive is not supported or is not backed
     *         by AndroidKeyStore provider.
     * @throws IllegalStateException if the provided primitive is not initialized.
+     * @hide
     */
    @UnsupportedAppUsage
    public static long getKeyStoreOperationHandle(Object cryptoPrimitive) {
@@ -183,6 +188,7 @@ public class AndroidKeyStoreProvider extends Provider {
        return ((KeyStoreCryptoOperation) spi).getOperationHandle();
    }

+    /** @hide **/
    @NonNull
    public static AndroidKeyStorePublicKey getAndroidKeyStorePublicKey(
            @NonNull String alias,
@@ -279,6 +285,7 @@ public class AndroidKeyStoreProvider extends Provider {
                privateKeyAlias, uid, jcaKeyAlgorithm, x509EncodedPublicKey);
    }

+    /** @hide **/
    @NonNull
    public static AndroidKeyStorePublicKey loadAndroidKeyStorePublicKeyFromKeystore(
            @NonNull KeyStore keyStore, @NonNull String privateKeyAlias, int uid)
@@ -300,6 +307,7 @@ public class AndroidKeyStoreProvider extends Provider {
        return new KeyPair(publicKey, privateKey);
    }

+    /** @hide **/
    @NonNull
    public static KeyPair loadAndroidKeyStoreKeyPairFromKeystore(
            @NonNull KeyStore keyStore, @NonNull String privateKeyAlias, int uid)
@@ -318,6 +326,7 @@ public class AndroidKeyStoreProvider extends Provider {
        return (AndroidKeyStorePrivateKey) keyPair.getPrivate();
    }

+    /** @hide **/
    @NonNull
    public static AndroidKeyStorePrivateKey loadAndroidKeyStorePrivateKeyFromKeystore(
            @NonNull KeyStore keyStore, @NonNull String privateKeyAlias, int uid)
@@ -357,6 +366,7 @@ public class AndroidKeyStoreProvider extends Provider {
        return new AndroidKeyStoreSecretKey(secretKeyAlias, uid, keyAlgorithmString);
    }

+    /** @hide **/
    @NonNull
    public static AndroidKeyStoreKey loadAndroidKeyStoreKeyFromKeystore(
            @NonNull KeyStore keyStore, @NonNull String userKeyAlias, int uid)
@@ -390,7 +400,9 @@ public class AndroidKeyStoreProvider extends Provider {
     *
     * <p>Note: the returned {@code KeyStore} is already initialized/loaded. Thus, there is
     * no need to invoke {@code load} on it.
+     * @hide
     */
+    @SystemApi
    @NonNull
    public static java.security.KeyStore getKeyStoreForUid(int uid)
            throws KeyStoreException, NoSuchProviderException {
--- a/keystore/java/android/security/keystore/KeyGenParameterSpec.java
+++ b/keystore/java/android/security/keystore/KeyGenParameterSpec.java
@@ -19,6 +19,7 @@ package android.security.keystore;
 import android.annotation.IntRange;
 import android.annotation.NonNull;
 import android.annotation.Nullable;
+import android.annotation.SystemApi;
 import android.annotation.TestApi;
 import android.annotation.UnsupportedAppUsage;
 import android.app.KeyguardManager;
@@ -808,10 +809,14 @@ public final class KeyGenParameterSpec implements AlgorithmParameterSpec, UserAu
        /**
         * Sets the UID which will own the key.
         *
+         * Such cross-UID access is permitted to a few system UIDs and only to a few other UIDs
+         * (e.g., Wi-Fi, VPN) all of which are system.
+         *
         * @param uid UID or {@code -1} for the UID of the current process.
         *
         * @hide
         */
+        @SystemApi
        @NonNull
        public Builder setUid(int uid) {
            mUid = uid;