e4487ea288e9fea837995d9bc4608c8a4a253ec8 |
|
29-Feb-2016 |
Robin Lee <rgl@google.com> |
More sensible return code for Credentials.deleteAll Was: result = True iff nDeleted != 0 Now: result = True iff nDeleted == nExisted The most common reason you'd want to delete all credentials under an alias is to be sure they no longer exist. The new contract gives a way to do this without multiple IPCs to the same service. Bug: 27335182 Change-Id: I8762b9b4fcc48037387dd805dbd0dbbe141d5b24
/frameworks/base/keystore/java/android/security/KeyStore.java
|
8d8c7477746c357d54f586fc92e8d422a4fc6441 |
|
02-Feb-2016 |
Shawn Willden <swillden@google.com> |
Add attestation API to Android KeyStore. Bug: 22914603 Change-Id: I7c6162dc7a390aa48a2542494780959b01c23bd4
/frameworks/base/keystore/java/android/security/KeyStore.java
|
2cea8d4b7b15888d80d89cc04fb6d109e1e812dd |
|
11-Sep-2015 |
Alex Klyubin <klyubin@google.com> |
Merge "Allow uid to be passed for more operations"
|
3876b1be27e3aefde9a72eb2e4f856e94fc5f946 |
|
09-Sep-2015 |
Alex Klyubin <klyubin@google.com> |
Support cross-UID access from AndroidKeyStore. This is meant for exposing the pre-existing cross-UID access to keys backed by the keystore service via higher-level JCA API. For example, this lets system_server use Wi-Fi or VPN UID keys via JCA API. To obtain a JCA AndroidKeyStore KeyStore for another UID, use the hidden system API AndroidKeyStoreProvider.getKeyStoreForUid(uid). To generate a key owned by another UID, invoke setUid(uid) on KeyGenParameterSpec.Builder. This CL does not change the security policy, such as which UID can access/modify which UIDs' keys. The policy is that only certain system UIDs are permitted to access keys of certain other system UIDs. Bug: 23978113 Change-Id: Ie381530f41dc41c50d52f675fb9e68bc87c006de
/frameworks/base/keystore/java/android/security/KeyStore.java
|
5bbf04803f050296a6deab10a3c7104743c4e38c |
|
09-Sep-2015 |
Chad Brubaker <cbrubaker@google.com> |
Allow uid to be passed for more operations This expands get, getmtime, exportKey, getKeyCharacteristcs and begin to accept a uid to run as. This is only for system to use keys owned by Wifi and VPN, and not something that can be used to do operations as another arbitrary application. Bug: 23978113 Change-Id: I06aa089859edc934a5415e3b184b917d6d171ae2
/frameworks/base/keystore/java/android/security/KeyStore.java
|
ae6cb7aad56bb006769cd8a69b92af7236644fc1 |
|
23-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Keymaster INT, LONG and DATE tag values are unsigned. This CL ensures that Android Keystore framework code complies with signedness of keymaster tags. In particular: * INT tags are unsigned 32-bit numbers, and * LONG and DATE tags are unsigned 64-bit numbers. The ensure compliance, KeymasterArguments and KeyCharacteristics classes through which Android Keystore interacts with Keymaster tags have been modified as follows: * ENUM and INT tags which used to be conflated are now added/queried via separate methods, because ENUM can remain represented as an int data type whereas INT is now represented as a long data type with permitted range being [0; 2^32). * Methods for adding/quering LONG tags have been switched from the long data type to the BigInteger data type and now ensure that the value is in the permitted [0; 2^63). * Methods for adding/querying DATE tags now ensure the Date value is in the permitted range [0; 2^63) ms since Unix epoch. * Methods for adding tags throw an IllegalArgumentException if the tag type is unsuitable for the method. This is to ensure that tags with invalid values cannot be added through similar methods (e.g., INT tag added via an ENUM tag addition method invoked with a negative value). Bug: 22008538 Change-Id: I6eefd5cbb561cc52d27de952691af4d9d5e1af1e
/frameworks/base/keystore/java/android/security/KeyStore.java
|
a99b8b5e3fe456b74b9f86e12bebebb5e418f58e |
|
11-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Do not require USE_FINGERPRINT for getAuthenticatorId. This removes the requirement to hold the USE_FINGERPRINT permission to successfully invoke FingerprintManager.getAuthenticatorId(). This is needed because Android Keystore classes which run inside app processes occasionally need to access this authenticator ID. The access however is not necessarily triggered by the developer using APIs to do with fingerprints. Thus, if an app does not hold the USE_FINGERPRINT permission and uses Android Keystore API, it may unexpectedly encounter a SecurityException. It's OK to provide access to authenticator ID without requiring USE_FINGERPRINT permission because there are other ways to access this ID without holding that permission, such as though hidden KeyStore API. Once Android Keystore code is restructured to no longer require access to authenticator ID, this CL can be reverted. Bug: 21030147 Change-Id: I9af29830abce34c46e29e5c1682cc3ab88c95c00
/frameworks/base/keystore/java/android/security/KeyStore.java
|
4a0ff7ca984d29bd34b02e54441957cad65e8b53 |
|
09-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Android Keystore keys are no longer backed by Conscrypt. This switches Android Keystore asymmetric keys from being backed by Conscrypt (via keystore-engine which is an OpenSSL/BoringSSL ENGINE which talks to keystore via the old KeyStore API) to being backed by the AndroidKeyStore Provider which talks to keystore via the new KeyStore API. In effect, this switches asymmetric crypto offered by Android Keystore from old Keystore API to new KeyStore API, enabling all the new features such as enforcement of authorizations on key use. Some algorithms offered by Android Keystore, such as RSA with OAEP or PSS padding schemes, are not supported by other providers. This complicates matters because Android Keystore only supports public key operations if the corresponding private key is in the keystore. Thus, Android Keystore can only offer these operations for its own public keys only. This requires AndroidKeyStore to use its own subclasses of PublicKey everywhere. The ugliest place is where it needs to return its own subclass of X509Certificate only to be able to return its own subclass of PublicKey from Certificate.getPublicKey(). Bug: 18088752 Bug: 19284418 Bug: 20912868 Change-Id: Id234f9ab9ff72d353ca1ff66768bd3d46da50d64
/frameworks/base/keystore/java/android/security/KeyStore.java
|
3ceb1a04b44539c2b2c3afec6df487fe128911f2 |
|
06-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Switch Android Keystore key gen and import to new KeyStore API. This makes Android Keystore's asymmetric key generation and import use the new KeyStore API (similar to keymaster 1.0 API). Because the resulting private keys will be used through Conscrypt/keystore-engine which uses the old Keystore API, this CL implements a temporary workaround where all generated and imported keys are authorized for padding NONE and digest NONE, in addition to padding schemes and digests requested by the user of the Android Keystore API. This workaround is needed because keystore-engine uses digest NONE and padding NONE for all its crypto operations. Bug: 18088752 Bug: 20912868 Change-Id: Idc709039d091294265bd000160b5507f13825849
/frameworks/base/keystore/java/android/security/KeyStore.java
|
469cbf5156ad54650726ade59f2ee5aa01359ec2 |
|
04-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Deprecate KeyChain.isBoundKeyAlgorithm. This is bad API. There was never a guarantee that when this method returns true for a key algorithm (e.g., RSA or EC), then all keys of that type will be imported into secure hardware. For example, the secure hardware may reject a key if it's of unsupported size or uses an unsupported public exponent or EC curve. In that case, the key will be imported into keystore/KeyChain without being backed by secure hardware. Bug: 18088752 Change-Id: I8daa574a2e703a347d09d93401cd1ea2d0162ed9
/frameworks/base/keystore/java/android/security/KeyStore.java
|
4350babc028822e8905190d88a9f5b8c6ffce8ec |
|
08-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Remove deprecated android.security.KeyStore methods. * delKey -> delete * getPubkey -> exportKey * saw -> list. Bug: 18088752 Change-Id: Ifb794f91a42646d67da1340ee16765cbaf255a49
/frameworks/base/keystore/java/android/security/KeyStore.java
|
8a07701f3817ad0b76b82cfc464868e8f57e359d |
|
29-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add optional additional entropy to finish If provided the extra entropy will be added to the device before calling finish. If entropy is provided and the device does not support supplying additional entropy then finish will fail with KM_ERROR_UNIMPLEMENTED. (cherry-picked from commit 9ce30624a448f439e19960d0dd88103c04676e7d) Change-Id: If26be118bf382604f6f8e96e833b76e6f9e94d58
/frameworks/base/keystore/java/android/security/KeyStore.java
|
966486e134c901ea61195b352fdd81476b3639b4 |
|
01-Jun-2015 |
Chad Brubaker <cbrubaker@google.com> |
Track changes to the keystore binder API Output parameters are gone from begin, instead they will returned in the OperationResult and begin, update, and finish may return output parameters. Change-Id: I072afeb6c65f6c512b40603824c25686ac44e7c8
/frameworks/base/keystore/java/android/security/KeyStore.java
|
e35d49f0d2853b79470ec890113bf4dcef03ab88 |
|
13-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Cleanup Keystore API Rename confusingly named methods, add userID arguments to all methods that operate on user state and delete methods that have been replaced by the onUser* methods. Some of the old methods have been kept in KeyStore.java in order to ease the transition of various system packages to the new methods. (cherry-picked from commit d8aacca3a197f65021e9b520807b7315b7a59d68) Change-Id: Ic271689d62c36d255c5adee26c7abc2e7ed24df5
/frameworks/base/keystore/java/android/security/KeyStore.java
|
dcdaf87ed0aa99073638bcfe645949f130f0c7ad |
|
14-May-2015 |
Alex Klyubin <klyubin@google.com> |
Move Android Keystore impl to android.security.keystore. This moves the non-public API classes backing Android Keystore from android.security to android.security.keystore, a package specially created for Android Keystore. Bug: 18088752 Change-Id: Ibf04d6a26c54d310b0501fc5e34f37b1176324ad
/frameworks/base/keystore/java/android/security/KeyStore.java
|
3f8d4d840894468f2be8a5b56ff266cef2d71c50 |
|
13-May-2015 |
Alex Klyubin <klyubin@google.com> |
New AndroidKeyStore API in android.security.keystore. This CL addresses the comments from API Council about Android KeyStore KeyPairGeneratorSpec, KeyGeneratorSpec and KeyStoreParameter: 1. These abstractions should not take or hold references to Context. 2. The Builders of these abstractions should take all mandatory parameters in their constructors rather than expose them as setters -- only optional paratemers should be exposed via setters. These comments cannot be addressed without deprecation in the already launched KeyPairGeneratorSpec and KeyStoreParameter. Instead of deprecating just the getContext methods and Builder constructors, this CL goes for the nuclear option of deprecating KeyPairGeneratorSpec and KeyStoreParameter as a whole and exposing all of the AndroidKeyStore API in the new package android.security.keystore. This enables this CL to correct all of the accrued design issues with KeyPairGeneratorSpec (e.g., naming of certificate-related methods) and KeyStoreParameter. This also makes the transition to API Level M more clear for existing users of the AndroidKeyStore API. These users will only have to deal with the new always-mandatory parameters (e.g., purposes) and sometimes-mandatory (e.g., digests, block modes, paddings) if they switch to the new API. Prior to this CL they would've had to deal with this if they invoked any of the new methods of KeyPairGeneratorSpec or KeyStoreParameter introduced in API Level M. This CL rips out all the new API introduced into KeyPairGeneratorSpec and KeyStoreParameter classes for Android M, thus reverting these classes to the API launched in L MR1. This is because the new API is now in android.security.keystore.KeyGenParameterSpec and KeyProtection respectively. Bug: 21039983 Change-Id: I59672b3c6ef7bc25c40aa85f1c47d9d8a05d627c
/frameworks/base/keystore/java/android/security/KeyStore.java
|
83ce095c848b972156256855d0f2a2ff4aa068fd |
|
12-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add keystore onUserAdded/Removed methods (cherry-picked from commit 31c2897105e6d71f8e6edeab312d2147bbdbaeb1) Change-Id: I73fe9344ec5660e58425d5c85d14381820533d57
/frameworks/base/keystore/java/android/security/KeyStore.java
|
622fd932fd33c6e86c86c8a24082674ad077a810 |
|
12-May-2015 |
Alex Klyubin <klyubin@google.com> |
Flatten KeyStoreKeyProperties constants. This moves constants/flags declared in inner classes of KeyStoreKeyProperties into KeyStoreKeyProperties, as requested by API Council. Bug: 21039983 Change-Id: I84a3c983e13644a027bed9f605ab8044220a352c
/frameworks/base/keystore/java/android/security/KeyStore.java
|
5418393c58d1d80fe37a209ab931f6d56bd46a86 |
|
09-May-2015 |
Alex Klyubin <klyubin@google.com> |
Document when encrypted AndroidKeyStore keys are wiped. This also drops the boolean parameter from KeyGeneratorSpec.Builder.setEncryptionRequired to match the already launched KeyPairGeneratorSpec.Builder.setEncryptionRequired. Bug: 18088752 Change-Id: I91a3e8c77958971b1bda8329319f1a0d8043b669
/frameworks/base/keystore/java/android/security/KeyStore.java
|
f8a96d16290dbca1b1bdad153ceadad9c7d55111 |
|
08-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Merge "Cleanup keystore password changing and unlocking" into mnc-dev
|
a91a8504191d91d288c55821caa5bf00c9be26a2 |
|
07-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Cleanup keystore password changing and unlocking Add KeyStore.onUserPasswordChanged for the lockscreen to call when the user changes their password. Keystore will then handle the logic of deleting keys. Instead of calling Keystore.password_uid for both unlocking and password changes the behavior has been split into Keystore.unlock and onUserPasswordChanged. Change-Id: I324914c00195d762cbaa8c63084e41fa796b7df8
/frameworks/base/keystore/java/android/security/KeyStore.java
|
4d5443f37f2bc58be8d22ed50024c39a5a1fbc8f |
|
07-May-2015 |
Alex Klyubin <klyubin@google.com> |
Define String constants for AndroidKeyStore crypto. This defines the String enum values based on JCA standard names for key algorithm, block mode, padding schemes, and digests. This should make it safer to interact with AndroidKeyStore code that uses JCA strings. This was requested by API Council. Bug: 18088752 Change-Id: I241d9225a13b85479d0a84e49d0a98cbc77e5817
/frameworks/base/keystore/java/android/security/KeyStore.java
|
2d7a85cd2b2ab4dbbe09354c6ae1668bff51a514 |
|
30-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Switch from FingerprintService to FingerprintManager. FingerprintService is a lower layer of abstraction which should ideally be accessed only via FingerprintManager from AndroidKeyStore. The main issue with the switch is that it requires a reference to a Context. This is now obtained using ActivityThread's hidden API. Change-Id: If921e169838ee2cc5c7690b8c8d8ea95c33248aa
/frameworks/base/keystore/java/android/security/KeyStore.java
|
2dac95d03399bb9fa59999e4964d7f8bcd485c38 |
|
30-Apr-2015 |
Svetoslav <svetoslavganov@google.com> |
Fix the build Change-Id: I24e697e989b5f88c3f5e61343fbff60a09aa4c12
/frameworks/base/keystore/java/android/security/KeyStore.java
|
058de02073a129301d391c22b050f2d65adadb0f |
|
30-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Enable per-use user authenticated keys to be used. This makes symmetric Cipher and Mac implementations backed by AndroidKeyStore succeed in their initialization when the key is configured to require user authentication for every use. Users of such keys should obtain an instance of Cipher or Mac, initialize it with the key, and then authorize the operation by passing this Cipher or Mac instance to FingerprintManager.authenticate. Bug: 18088752 Change-Id: Ia15a1e5f8274c3623f665dae1f400ff539639ab1
/frameworks/base/keystore/java/android/security/KeyStore.java
|
708fc9404501ac42b6cac925fe3e10801b5f633b |
|
29-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Add KeyPermanentlyInvalidatedException. This enables users of AndroidKeyStore crypto to differentiate between the key being unusable until the user is authenticated (UserNotAuthenticatedException) and the key being permanently unusable (KeyPermanentlyInvalidatedException). The latter is the case when the secure lock screen has been disabled or reset, and, for keys that require user authentication for every use, when a new fingerprint is enrolled or all fingerprints are unenrolled. NOTE: The KeyPermanentlyInvalidatedException subsumes/replaces the NewFingerprintEnrolledException which has thus been removed. There is no way to find out whether a key was permenently invalidated specifically because a new fingerprint was added. Bug: 20642549 Bug: 20526234 Change-Id: I0206cd99eef5c605c9c4d6afc5eea02eb3b1fe6b
/frameworks/base/keystore/java/android/security/KeyStore.java
|
560d653e554882218232cd0fe4711be42145727a |
|
24-Apr-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add OP_AUTH_NEEDED KeyStore result code OP_AUTH_NEEDED will be returned from begin when an operation needs a per operation authentication before calling update. Note that the begin call succeeds when this error is returned, the token and handle are valid. (cherry picked from commit dabe520a3e6b0d0c40adfd748483fa336c43c366) Change-Id: I0ba4e997360843b5eb6c1db9c5fcd1c4d5a2c717
/frameworks/base/keystore/java/android/security/KeyStore.java
|
22335a9730d80c7282f2a10d617136702850c56f |
|
25-Apr-2015 |
Kenny Root <kroot@google.com> |
am 6c1af7ea: am 8652bce1: am c71f2648: Merge "frameworks/base: switch to using NativeConstants." * commit '6c1af7ea497b1a2f04bdf45a19d2147f5b9665b9': frameworks/base: switch to using NativeConstants.
|
c71f264847eb75d53c0f99e6e1c42a8a1527d3b4 |
|
24-Apr-2015 |
Kenny Root <kroot@google.com> |
Merge "frameworks/base: switch to using NativeConstants."
|
40485f5aac5bc02fb3b24ad03ac71f724e4c340a |
|
24-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
resolved conflicts for merge of f9c14b7d to master Change-Id: Ifa29891b8ad7979cbc28c54180b9606bb1319ff0
|
ad9ba10ecda10c14e46d00f40fc3e431cc2d9bc2 |
|
22-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
No runtime exceptions during normal use of AndroidKeyStore crypto. This changes the implementation of AndroidKeyStore-backed Cipher and Mac to avoid throwing runtime exceptions during normal use. Runtime exceptions will now be thrown only due to truly exceptional and unrecoverable errors (e.g., keystore unreachable, or crypto primitive not initialized). This also changes the implementation of Cipher to cache any errors encountered in Cipher.update until Cipher.doFinal which then throws them as checked exceptions. Bug: 20525947 Change-Id: I3c4ad57fe70abfbb817a79402f722a0208660727
/frameworks/base/keystore/java/android/security/KeyStore.java
|
6bf52c4271bd0483174fe3755caedb778693791e |
|
24-Apr-2015 |
Adam Langley <agl@google.com> |
frameworks/base: switch to using NativeConstants. NativeCrypto is a conscrypt class that contained several OpenSSL constants. NativeConstants is the new class that contains the same thing, but the latter is automatically generated and thus won't drift from the C headers. Bug: 20521989 Change-Id: I45c7b9a6844a06e3ffd09be692ebf733e1ebbbcc
/frameworks/base/keystore/java/android/security/KeyStore.java
|
dbcec13d64d7e6e8d4e5a867c1ca8b78951ed217 |
|
03-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
resolved conflicts for merge of b068f162 to master Change-Id: I5bc234e1da047880d3437a861ff93474a9797e18
|
b4834ae3fa09e8013f7ab743a12def063ae999e3 |
|
03-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Rename KeymasterException to KeyStoreException. The code in question talks to KeyStore which returns error codes which are a mix of keystore and keymaster error codes. To better match the layering of KeyStore on top of keystore and keymaster, this CL renames KeymasterException into KeyStoreException. It also adds human-readable error messages to exceptions raised by keystore rather than keymaster (e.g., key not found). Bug: 18088752 Change-Id: I4cd1235e16518c9f2e8c5557a457774c6e687b88
/frameworks/base/keystore/java/android/security/KeyStore.java
|
f603e2861430f13a746f80885b5fc00994f64391 |
|
30-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Merge "Add authorization binder methods"
|
dae79e540844741fc35c648efe8bbb00fc8ab781 |
|
27-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Allow entropy to be provided to some operations generateKey and begin can now optionally take an array of bytes to add to the rng entropy of the device before the operation. If entropy is specified and the device does not support add_rng_entropy or the call fails then that device will not be used, leading to fallback or error depending on the situation. Change-Id: Id7d33e3cc959594dfa5483d002993ba35c1fb134
/frameworks/base/keystore/java/android/security/KeyStore.java
|
5e73c0eec2bc77222a5a87fb2a135d8303836411 |
|
22-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Make application/client id an object Having it as a raw byte[] caused issues in keystore because keymaster handles a null blob differently than a blob with null contents. Make this explicit in the API. Change-Id: Ifcf550f438608b8f09fc589d00d06fffa6ee463b
/frameworks/base/keystore/java/android/security/KeyStore.java
|
5654b36b4667431e49d27c07a06d275656071e75 |
|
18-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add authorization binder methods Add methods for sending an auth token to keystore and to query the authorization state of a given operation. Change-Id: I223df5c56ae2a251ef31cfe60f06c046c12a5cd8
/frameworks/base/keystore/java/android/security/KeyStore.java
|
e6a461341ccf3b952427daf40c973d9914cdb270 |
|
11-Feb-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add new IKeystoreService methods to KeyStore Add wrappers for all the new IKeystoreService keymaster 0.4 methods to android.security.KeyStore. Change-Id: Icb5500cfffb62d1af326edf326e1b9b67e5cece9
/frameworks/base/keystore/java/android/security/KeyStore.java
|
590c068e8380ba73a6571ddf797d4ce02b390bcb |
|
16-Jan-2015 |
Alex Klyubin <klyubin@google.com> |
Merge "Add KeyPairGenerator.EC backed by Android KeyStore."
|
21a76df55cf4b956f4d34f57c7b9e694d0363f54 |
|
14-Jan-2015 |
Alex Klyubin <klyubin@google.com> |
Add KeyPairGenerator.EC backed by Android KeyStore. The Android KeyStore backed KeyPairGenerator can generate EC key pairs, but it cannot be instantiated via the standard JCA approach of KeyPairGenerator.getInstance("EC", "AndroidKeyStore"). Instead, the user must invoke KeyPairGenerator.getInstance("RSA", "AndroidKeyStore") and then tell it to generate an EC key pair. This CL fixes this weirdness. The fix requires the introduction of late resolution of key algorithm and default key size. Prior to this CL, these parameters were resolved prior to KeyPairGenerator initialization, inside KeyPairGeneratorSpec. In this CL, these parameters are resolved during KeyPairGenerator initialization. This is fine because KeyPairGeneratorSpec should be as dumb as possible and all the logic should reside in KeyPairGenerator and lower layers. Bug: 19018089 Change-Id: I114502356e6c9691518cf05b6d9eb0920b4fe0b2
/frameworks/base/keystore/java/android/security/KeyStore.java
|
7a2c973db7756a60f1cdd6cf67411115c1576081 |
|
14-Jan-2015 |
Chad Brubaker <cbrubaker@google.com> |
Generate IKeystoreService using aidl This replaces IKeystoreService.java with IKeystoreService.aidl and changes the methods that passed down a byte[][] to instead pass down a KeystoreArguments which is currently a thin parcelable wrapper around a byte[][]. Change-Id: I6367bcf57562f41a27aab14f1903b74995cb65c2
/frameworks/base/keystore/java/android/security/KeyStore.java
|
9d2d6b6b4b1b16221cbd857703cd6301c6bf873c |
|
26-Nov-2014 |
Kenny Root <kroot@google.com> |
Track change to Conscrypt Change-Id: I8814fd0720acf09332927f184fdd9b2cdac4f413
/frameworks/base/keystore/java/android/security/KeyStore.java
|
f0246a8a14d69680d1776620e75a485cf963e574 |
|
13-Aug-2014 |
Robin Lee <rgl@google.com> |
Keep managed profile keystores in sync with owner Fixes setting a keyguard password for keystore in a multi-user setup while we're at it. Bug: 16233206. Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
/frameworks/base/keystore/java/android/security/KeyStore.java
|
b91773bce1126d28a93f73fbef18f3a79245f24e |
|
05-Sep-2013 |
Kenny Root <kroot@google.com> |
Add argument to binder call to check key types Before there was only one key type supported, so we didn't need to query a key type. Now there is DSA, EC, and RSA, so there needs to be another argument. Bug: 10600582 Change-Id: I9fe9e46b9ec9cfb2f1246179b2c396216b2c1fdb
/frameworks/base/keystore/java/android/security/KeyStore.java
|
a39859889b7de0ad3190386cc732fa4bdcbe5504 |
|
16-Aug-2013 |
Kenny Root <kroot@google.com> |
Add support for DSA and ECDSA key types (cherry picked from commit f64386fc26efeb245fd90fabaa47b8c8bf9b4613) Bug: 10600582 Change-Id: I88dfcc8ca602f55fad54bd8bf043aee460c0de24
/frameworks/base/keystore/java/android/security/KeyStore.java
|
e7cf8c230208beef0c3a5f83a1e1d2c36ac5ca12 |
|
13-Apr-2013 |
Kenny Root <kroot@google.com> |
keystore: remove old APIs Remove the APIs that don't specify the flags so callers know what they're getting. Bug: 8122243 Change-Id: Ifaef6fb1d16010237c01f9d11f2053bb6b3980c0
/frameworks/base/keystore/java/android/security/KeyStore.java
|
2eeda7286f3c7cb79f7eb71ae6464cad213d12a3 |
|
10-Apr-2013 |
Kenny Root <kroot@google.com> |
AndroidKeyStore: Add encrypted flag Add the encrypted flag for the KeyPairGenerator and the KeyStore so that applications can choose to allow entries when there is no lockscreen. Bug: 8122243 Change-Id: Ia802afe965f2377ad3f282dab8c512388c705850
/frameworks/base/keystore/java/android/security/KeyStore.java
|
a3788b00bb221e20abdd42f747d2af419e0a088c |
|
10-Apr-2013 |
Kenny Root <kroot@google.com> |
keystore: Add flag for blobs to be unencrypted In order to let apps use keystore more productively, make the blob encryption optional. As more hardware-assisted keystores (i.e., hardware that has a Keymaster HAL) come around, encrypting blobs start to make less sense since the thing it's encrypting is usually a token and not any raw key material. Bug: 8122243 Change-Id: If9af0d992d68edec006e630c687df3d03a7c9608
/frameworks/base/keystore/java/android/security/KeyStore.java
|
d72317abd79ddf95d48c8f35bf1070900ff55b5e |
|
02-Apr-2013 |
Kenny Root <kroot@google.com> |
Remove keystore entries when package removed Add a hook into PackageManagerService so that when app IDs are completely removed, we erase all entries from keystore for those UIDs that have gone away. (cherry picked from commit 95e3ee3971915b323e5c13dcfe3b12a4180850cd) Bug: 3020069 Change-Id: I374258ccc103f8cb3e238f2bf0d1afda0659db94
/frameworks/base/keystore/java/android/security/KeyStore.java
|
5cb5cec6a4a4d5432d4ce6468c12de9508db1633 |
|
29-Mar-2013 |
Kenny Root <kroot@google.com> |
KeyStore: add API to query storage type Add an API to keystore daemon to query what kind of storage is currently in use. (cherry picked from commit a738e2a1aee26e0be3944c11820724aeca313f83) Change-Id: I52c84449a27b1cefc49372a6406b7132c2bbddee
/frameworks/base/keystore/java/android/security/KeyStore.java
|
5f1d965f7d7e1df50981ffed8faa11fbcc17ca22 |
|
21-Mar-2013 |
Kenny Root <kroot@google.com> |
KeyStore: change migrate to duplicate After discussion, it was determined that duplicate would be less disruptive and it still fit in the current HAL model. Change-Id: I2f9cae48d38ec7146511e876450fa39fc92cda55
/frameworks/base/keystore/java/android/security/KeyStore.java
|
bd79419ef84ae31f3765721b50aa413fa462d1d1 |
|
20-Mar-2013 |
Kenny Root <kroot@google.com> |
KeyStore: add "migrate" command To support the WiFi service, we need to support migration from the system UID to the wifi UID. This adds a command to achieve the migration. Bug: 8122243 Change-Id: I65f7a91504c1d2a2aac22b9c3051adffd28d66c1
/frameworks/base/keystore/java/android/security/KeyStore.java
|
78ad849163a7b01073b46fbd7d818392720005d1 |
|
14-Feb-2013 |
Kenny Root <kroot@google.com> |
KeyStore: add API to uid versions In previous commits, we added the ability to specify which UID we want to target on certain operations. This commit adds the ability to reach those binder calls from the KeyStore class. Also fix a problem where saw() was not reading all the values returned via the Binder call. This changes the semantics to return a null instead of failing silently when it's not possible to search. Change-Id: I32098dc0eb42e09ace89f6b7455766842a72e9f4
/frameworks/base/keystore/java/android/security/KeyStore.java
|
b9594ce9ebb3f5f303a280f04312ae5754ce3560 |
|
14-Feb-2013 |
Kenny Root <kroot@google.com> |
KeyStore: stop using state() Change-Id: I721974fd95f8d1ab06a3fd1bbb4c9b4d9d1d7752
/frameworks/base/keystore/java/android/security/KeyStore.java
|
e151f281d527f4bea5cbdf4219d5e0507a6668b0 |
|
14-Feb-2013 |
Kenny Root <kroot@google.com> |
Track keystore binder changes Change-Id: Id6133be059a8a0901d16355a9152e40e4a255454
/frameworks/base/keystore/java/android/security/KeyStore.java
|
e66769ad5194cb4533d1087416a2e804ac384285 |
|
05-Feb-2013 |
Kenny Root <kroot@google.com> |
AndroidKeyStore: return error code on error Instead of blindly multiplying return value by 1000 to convert to milliseconds, check to see if it's an error condition first. Change-Id: I8eab1e7a86d78c13458fcbbc79d590e452fc9791
/frameworks/base/keystore/java/android/security/KeyStore.java
|
8b58c52bf4cc276165b1857eb4087eabde7b6477 |
|
04-Feb-2013 |
Kenny Root <kroot@google.com> |
AndroidKeyStore: fix tests Change-Id: I65fd8ba27af57ea8fd27c8e08c9c1201f32c494d
/frameworks/base/keystore/java/android/security/KeyStore.java
|
6b77645aa9ac51ce33ea67adba226aaf1a6e8846 |
|
02-Nov-2012 |
Kenny Root <kroot@google.com> |
Switch keystore to binder Change-Id: I9fa1fc05068bee1eed3f618fb32f70cf3d4c05d4
/frameworks/base/keystore/java/android/security/KeyStore.java
|
473c712b19bad992ab4eafcd43175fdce77b913d |
|
18-Aug-2012 |
Kenny Root <kroot@google.com> |
Add getmtime to Android KeyStore API java.security.KeyStore requires that you be able to get the creation date for any given entry. We'll approximate that through using the mtime of the file in the keystore. Change-Id: I16f74354a6c2e78a1a0b4dc2ae720c5391274e6f
/frameworks/base/keystore/java/android/security/KeyStore.java
|
5b1f037829bff93877a6257db69f4e7723a27e20 |
|
31-Jul-2012 |
Brian Carlstrom <bdc@google.com> |
Change KeyStore to use Modified UTF-8 to match NativeCrypto Bug: http://code.google.com/p/android/issues/detail?id=35141 Bug: 6869713 Change-Id: I61cb309786960072148ef97ea5afedb33dc45f4e
/frameworks/base/keystore/java/android/security/KeyStore.java
|
5423e68d5dbe048ec6f042cce52a33f94184e9fb |
|
14-Nov-2011 |
Kenny Root <kroot@google.com> |
Add signing to keystore Change the keystore to keep the private keys in keystore. When returned, it uses the OpenSSL representation of the key to allow users to use it in various operations through the OpenSSL ENGINE that connects to keystore. Change-Id: I3681f98cb2ec49ffc4a49f3821909313b4ab5735
/frameworks/base/keystore/java/android/security/KeyStore.java
|
7e4b1a488dd02c4bf6156379e36834e9e01c5b1b |
|
02-Jun-2011 |
Brian Carlstrom <bdc@google.com> |
Restore ResponseCodes for use with getLastError Change-Id: I41b5bc9cbb6c05672c92d5864e889fd2b0186141
/frameworks/base/keystore/java/android/security/KeyStore.java
|
5cfee3fabb3482c6a6df1c8b6f21e843cf214527 |
|
31-May-2011 |
Brian Carlstrom <bdc@google.com> |
Integrating keystore with keyguard (Part 1 of 4) Summary: frameworks/base keystore rewrite keyguard integration with keystore on keyguard entry or keyguard change KeyStore API simplification packages/apps/Settings Removed com.android.credentials.SET_PASSWORD intent support Added keyguard requirement for keystore use packages/apps/CertInstaller Tracking KeyStore API changes Fix for NPE in CertInstaller when certificate lacks basic constraints packages/apps/KeyChain Tracking KeyStore API changes Details: frameworks/base Move keystore from C to C++ while rewriting password implementation. Removed global variables. Added many comments. cmds/keystore/Android.mk cmds/keystore/keystore.h cmds/keystore/keystore.c => cmds/keystore/keystore.cpp cmds/keystore/keystore_cli.c => cmds/keystore/keystore_cli.cpp Changed saveLockPattern and saveLockPassword to notify the keystore on changes so that the keystore master key can be reencrypted when the keyguard changes. core/java/com/android/internal/widget/LockPatternUtils.java Changed unlock screens to pass values for keystore unlock or initialization policy/src/com/android/internal/policy/impl/PasswordUnlockScreen.java policy/src/com/android/internal/policy/impl/PatternUnlockScreen.java KeyStore API changes - renamed test() to state(), which now return a State enum - made APIs with byte[] key arguments private - added new KeyStore.isEmpty used to determine if a keyguard is required keystore/java/android/security/KeyStore.java In addition to tracking KeyStore API changes, added new testIsEmpty and improved some existing tests to validate expect values. keystore/tests/src/android/security/KeyStoreTest.java packages/apps/Settings Removing com.android.credentials.SET_PASSWORD intent with the removal of the ability to set an explicit keystore password now that the keyguard value is used. Changed to ensure keyguard is enabled for keystore install or unlock. Cleaned up interwoven dialog handing into discrete dialog helper classes. AndroidManifest.xml src/com/android/settings/CredentialStorage.java Remove layout for entering new password res/layout/credentials_dialog.xml Remove enable credentials checkbox res/xml/security_settings_misc.xml src/com/android/settings/SecuritySettings.java Added ability to specify minimum quality key to ChooseLockGeneric Activity. Used by CredentialStorage, but could also be used by CryptKeeperSettings. Changed ChooseLockGeneric to understand minimum quality for keystore in addition to DPM and device encryption. src/com/android/settings/ChooseLockGeneric.java Changed to use getActivePasswordQuality from getKeyguardStoredPasswordQuality based on experience in CredentialStorage. Removed bogus class javadoc. src/com/android/settings/CryptKeeperSettings.java Tracking KeyStore API changes src/com/android/settings/vpn/VpnSettings.java src/com/android/settings/wifi/WifiSettings.java Removing now unused string resources res/values-af/strings.xml res/values-am/strings.xml res/values-ar/strings.xml res/values-bg/strings.xml res/values-ca/strings.xml res/values-cs/strings.xml res/values-da/strings.xml res/values-de/strings.xml res/values-el/strings.xml res/values-en-rGB/strings.xml res/values-es-rUS/strings.xml res/values-es/strings.xml res/values-fa/strings.xml res/values-fi/strings.xml res/values-fr/strings.xml res/values-hr/strings.xml res/values-hu/strings.xml res/values-in/strings.xml res/values-it/strings.xml res/values-iw/strings.xml res/values-ja/strings.xml res/values-ko/strings.xml res/values-lt/strings.xml res/values-lv/strings.xml res/values-ms/strings.xml res/values-nb/strings.xml res/values-nl/strings.xml res/values-pl/strings.xml res/values-pt-rPT/strings.xml res/values-pt/strings.xml res/values-rm/strings.xml res/values-ro/strings.xml res/values-ru/strings.xml res/values-sk/strings.xml res/values-sl/strings.xml res/values-sr/strings.xml res/values-sv/strings.xml res/values-sw/strings.xml res/values-th/strings.xml res/values-tl/strings.xml res/values-tr/strings.xml res/values-uk/strings.xml res/values-vi/strings.xml res/values-zh-rCN/strings.xml res/values-zh-rTW/strings.xml res/values-zu/strings.xml res/values/strings.xml packages/apps/CertInstaller Tracking KeyStore API changes src/com/android/certinstaller/CertInstaller.java Fix for NPE in CertInstaller when certificate lacks basic constraints src/com/android/certinstaller/CredentialHelper.java packages/apps/KeyChain Tracking KeyStore API changes src/com/android/keychain/KeyChainActivity.java src/com/android/keychain/KeyChainService.java support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java tests/src/com/android/keychain/tests/KeyChainServiceTest.java Change-Id: Ic141fb5d4b43d12fe62cb1e29c7cbd891b4be35d
/frameworks/base/keystore/java/android/security/KeyStore.java
|
46703b099516c383a6882815bcf9cd4df0ec538d |
|
07-Apr-2011 |
Brian Carlstrom <bdc@google.com> |
Tolerate missing AccountManager resource, not just missing resource name In addition to the primary change in the subject, also some minor cleanup of javadoc, typos, CloseGuard warning, etc found while working on a new AbstractAccountAuthenticator. Change-Id: I73f3408773a43a0021a15f8d051fd3dbbdf898a5
/frameworks/base/keystore/java/android/security/KeyStore.java
|
34c47c855815d731e6deb55748ff690b0ec7b53f |
|
09-Mar-2010 |
Nick Kralevich <nnk@google.com> |
Don't rely on the system locale for converting to/from bytes. By default, when java converts Strings to bytes, it uses the default system locale. This can be specified by the -Dfile.encoding option. If no file encoding is specified, java uses ISO8859_1. Unfortunately, not all unicode characters can be mapped to ISO8859_1. Unmappable characters may be replaced by a byte within ISO8859_1, which may change the meaning of the String. This is especially problematic for password strings, and has been used to compromise the security of passwords in the past. Thankfully, Android uses UTF-8 by default, so this bug doesn't effect Android devices. However, it's recommended to explicitly list the character set when converting to/from bytes to avoid the potential ambiguity. Change-Id: Iec927e27ed3fc103696c439f6bd3e8779a37ade8
/frameworks/base/keystore/java/android/security/KeyStore.java
|
d12feb97667498378a472c5a7895a9fcd8056ec5 |
|
06-Feb-2010 |
Chia-chi Yeh <chiachi@android.com> |
KeyStore: minor improvements. Make constants final. Only converts ArrayLists to arrays when necessary.
/frameworks/base/keystore/java/android/security/KeyStore.java
|
f1ece5d0c16fa3e79390e41ad9bec020c77d7720 |
|
24-Sep-2009 |
Chia-chi Yeh <chiachi@android.com> |
KeyStore: return null when response code indicates an error.
/frameworks/base/keystore/java/android/security/KeyStore.java
|
613fcc850686dfe71cec9809c3694be9cf02cdc7 |
|
21-Sep-2009 |
Chia-chi Yeh <chiachi@android.com> |
KeyStore: rename scan() to saw().
/frameworks/base/keystore/java/android/security/KeyStore.java
|
44039172627d1c15737ea73836ad375559d76211 |
|
21-Sep-2009 |
Chia-chi Yeh <chiachi@android.com> |
KeyStore: add java interface.
/frameworks/base/keystore/java/android/security/KeyStore.java
|