| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Change-Id: Ia1f99bd2c1105b0b0f70aa614f1f4a67b2840906
|
|
|
|
|
|
|
|
|
| |
Before there was only one key type supported, so we didn't need to query
a key type. Now there is DSA, EC, and RSA, so there needs to be another
argument.
Bug: 10600582
Change-Id: I9fe9e46b9ec9cfb2f1246179b2c396216b2c1fdb
|
|
|
|
|
| |
Bug: 10600582
Change-Id: Ic710807d7e771737521e0abd83af2f666ec1199c
|
|
|
|
|
|
|
| |
(cherry picked from commit f64386fc26efeb245fd90fabaa47b8c8bf9b4613)
Bug: 10600582
Change-Id: I88dfcc8ca602f55fad54bd8bf043aee460c0de24
|
|
|
|
|
|
|
|
|
|
|
|
| |
Guard install/uninstall by enforcing that the caller have the new system-only permission MANAGE_CA_CERTIFICATES.
Also include API methods for asking whether there are any User CA certs
installed, or if one by a particular name is installed in the keystore.
CA certs will be installed via KeyChain into the TrustedCertificateStore.
Bug: 8232670
Change-Id: I17b47a452e72eb4fe556dc6db823a46c6e854be8
|
|\
| |
| |
| | |
Change-Id: I4791f0ffa324a313b8390fbde6d8f82f716ecf74
|
| |
| |
| |
| |
| | |
Bug: 3484927
Change-Id: I5d136d2ee629588538602766a182ae14ce5fc63c
|
|\ \
| |/
| |
| |
| | |
* commit 'cd1de3940d9c389b6e69a7040c67d3abb8458ad2':
Track change in NativeCrypto
|
| |
| |
| |
| | |
Change-Id: Ic04d4ac5218795fc226f1751b6ae4db1ae73a930
|
|\ \
| |/
| |
| | |
Change-Id: I06c05d637613215b6d83df3e29cd495f6a5a0176
|
| |
| |
| |
| | |
Change-Id: I35e824e47ad758ab6408e91e2ba5dcda053a82f5
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add the encrypted flag for the KeyPairGenerator and the KeyStore so that
applications can choose to allow entries when there is no lockscreen.
(partial cherry pick from commit 2eeda7286f3c7cb79f7eb71ae6464cad213d12a3)
Bug: 8122243
Change-Id: I5ecd9251ec79ec53a3b68c0fff8dfba10873e36e
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In order to let apps use keystore more productively, make the blob
encryption optional. As more hardware-assisted keystores (i.e., hardware
that has a Keymaster HAL) come around, encrypting blobs start to make
less sense since the thing it's encrypting is usually a token and not
any raw key material.
(cherry picked from commit a3788b00bb221e20abdd42f747d2af419e0a088c)
Bug: 8122243
Change-Id: Ifc1c64743651b23a4eace208ade0176af47ea989
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a hook into PackageManagerService so that when app IDs are
completely removed, we erase all entries from keystore for those UIDs
that have gone away.
Bug: 3020069
Change-Id: Id4b1d51a5fa4c418865055635a84bebcf5b65ec8
|
| |
| |
| |
| |
| |
| |
| | |
Add an API to keystore daemon to query what kind of storage is currently
in use.
Change-Id: I5a83ae92250ca63b691dcf1beb8b3e1703797745
|
| |
| |
| |
| |
| | |
Bug: 8657552
Change-Id: Id9102b7c2c2f6d27fba7645f0629750cfe1eb510
|
| |
| |
| |
| |
| |
| |
| |
| | |
Remove the APIs that don't specify the flags so callers know what
they're getting.
Bug: 8122243
Change-Id: Ifaef6fb1d16010237c01f9d11f2053bb6b3980c0
|
| |
| |
| |
| |
| |
| |
| |
| | |
Add the encrypted flag for the KeyPairGenerator and the KeyStore so that
applications can choose to allow entries when there is no lockscreen.
Bug: 8122243
Change-Id: Ia802afe965f2377ad3f282dab8c512388c705850
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In order to let apps use keystore more productively, make the blob
encryption optional. As more hardware-assisted keystores (i.e., hardware
that has a Keymaster HAL) come around, encrypting blobs start to make
less sense since the thing it's encrypting is usually a token and not
any raw key material.
Bug: 8122243
Change-Id: If9af0d992d68edec006e630c687df3d03a7c9608
|
| |
| |
| |
| |
| |
| | |
This reverts commit ce24985ad636c38b6ee01ec9cdecfb038bfeaeb6.
Change-Id: I02d6492c8db869619694c7209bb37522a7ec5a29
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a hook into PackageManagerService so that when app IDs are
completely removed, we erase all entries from keystore for those UIDs
that have gone away.
(cherry picked from commit 95e3ee3971915b323e5c13dcfe3b12a4180850cd)
Bug: 3020069
Change-Id: I374258ccc103f8cb3e238f2bf0d1afda0659db94
|
| |
| |
| |
| |
| |
| |
| | |
Late-breaking comments on API name. Revised.
Bug: 7095660
Change-Id: I7224d9c8a4f84a272360ede78a18bfb72d8aeb77
|
| |
| |
| |
| |
| | |
Bug: 7095660
Change-Id: Ia87caaa33bc01b032130811833f0a3c4f75b62d4
|
|/
|
|
|
|
|
|
|
| |
Add an API to keystore daemon to query what kind of storage is currently
in use.
(cherry picked from commit a738e2a1aee26e0be3944c11820724aeca313f83)
Change-Id: I52c84449a27b1cefc49372a6406b7132c2bbddee
|
|
|
|
| |
Change-Id: I13403197e1ac7ac607efa10979eb73bde0135a2a
|
|
|
|
|
|
|
|
|
|
| |
We need the ability to install from the system UID to wifi UID
to explicitly bind WiFi credentials to the WiFi profile. This adds the
ability for Wifi Settings to invoke installation of a PKCS12 file for
the wifi UID.
Bug: 8183258
Change-Id: I652b7e6fa93deda6d6d310be33f224e5a356c787
|
|
|
|
|
|
|
| |
After discussion, it was determined that duplicate would be less
disruptive and it still fit in the current HAL model.
Change-Id: I2f9cae48d38ec7146511e876450fa39fc92cda55
|
|
|
|
|
|
|
|
|
| |
To support the WiFi service, we need to support migration from the
system UID to the wifi UID. This adds a command to achieve the
migration.
Bug: 8122243
Change-Id: I65f7a91504c1d2a2aac22b9c3051adffd28d66c1
|
|
|
|
|
|
|
|
|
|
|
|
| |
In previous commits, we added the ability to specify which UID we want to
target on certain operations. This commit adds the ability to reach those
binder calls from the KeyStore class.
Also fix a problem where saw() was not reading all the values returned via
the Binder call. This changes the semantics to return a null instead of
failing silently when it's not possible to search.
Change-Id: I32098dc0eb42e09ace89f6b7455766842a72e9f4
|
|
|
|
| |
Change-Id: I721974fd95f8d1ab06a3fd1bbb4c9b4d9d1d7752
|
|\ |
|
| |
| |
| |
| | |
Change-Id: Id6133be059a8a0901d16355a9152e40e4a255454
|
|/
|
|
|
|
|
|
| |
The API documentation says it will return null if the key isn't found.
We get null back from the keystore daemon when it can't retrieve the
data, so just return null back to the API caller.
Change-Id: I42248bd50cbc5f76864bd762aae3faab1c50529d
|
|\
| |
| |
| |
| |
| | |
# Via Gerrit Code Review (1) and Kenny Root (1)
* commit '74637db21eb0b3c0167378e2b5c866fdc02e51f2':
AndroidKeyStore: return error code on error
|
| |
| |
| |
| |
| |
| |
| | |
Instead of blindly multiplying return value by 1000 to convert to
milliseconds, check to see if it's an error condition first.
Change-Id: I8eab1e7a86d78c13458fcbbc79d590e452fc9791
|
|\ \
| |/
| |
| |
| |
| | |
# Via Gerrit Code Review (1) and Kenny Root (1)
* commit '133c5f5e91e72cff1a9a3a4903a0efc96b39165b':
AndroidKeyStore: fix tests
|
| |
| |
| |
| | |
Change-Id: I65fd8ba27af57ea8fd27c8e08c9c1201f32c494d
|
|\ \
| |/
| |
| |
| |
| | |
# Via Android Git Automerger (1) and others
* commit '2e99d3c9646861ca92faf6708c18e36c7530fd93':
Track libcore changes for OpenSSLKey
|
| |
| |
| |
| | |
Change-Id: I39f60c34daa9ccc633efb02988ea238a84e6bbf1
|
|\ \
| |/
|/|
| |
| |
| |
| | |
links and add new sitemap text file" into jb-mr1-dev
* commit '834b0f3cd90679655ac1549cb427fc9475ac4a4b':
docs: fix broken links and add new sitemap text file
|
| |
| |
| |
| | |
Change-Id: If0f7967a65a6e3a444a565a2e8229a04a5265f56
|
|/
|
|
| |
Change-Id: I9fa1fc05068bee1eed3f618fb32f70cf3d4c05d4
|
|
|
|
| |
Change-Id: Ibe09d78e5a5b86604f01144f344525bff94c2dde
|
|
|
|
| |
Change-Id: I4a3c508c5e65dd46a2df22935b5351092550fad5
|
|
|
|
|
|
|
|
|
|
| |
Existing KeyStore implementations throw NullPointerExceptions beacuse
the KeyStoreSpi doesn't check these arguments for null. Add in checks so
we don't accidentally check some bogus values.
Also switch a RuntimeException to a KeyStoreException
Change-Id: I18f4d4474d607cb2057ea8069b901e0992275e78
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds support for always-on VPN profiles, also called "lockdown." When
enabled, LockdownVpnTracker manages the netd firewall to prevent
unencrypted traffic from leaving the device. It creates narrow rules
to only allow traffic to the selected VPN server. When an egress
network becomes available, LockdownVpnTracker will try bringing up
the VPN connection, and will reconnect if disconnected.
ConnectivityService augments any NetworkInfo based on the lockdown
VPN status to help apps wait until the VPN is connected.
This feature requires that VPN profiles use an IP address for both
VPN server and DNS. It also blocks non-default APN access when
enabled. Waits for USER_PRESENT after boot to check KeyStore status.
Bug: 5756357
Change-Id: If615f206b1634000d78a8350a17e88bfcac8e0d0
|
|
|
|
|
|
|
|
|
| |
For the AndroidKeyStore API, allow entries to have their certificate
chain replaced without destroying the underlying PrivateKey. Since
entries are backed by unexportable private keys, requiring them to be
supplied again doesn't make sense and is impossible.
Change-Id: I629ce2a625315c8d8020a082892650ac5eba22ae
|
|
|
|
|
|
|
|
| |
This allows end-users to generate keys in the keystore without the
private part of the key ever needing to leave the device. The generation
process also generates a self-signed certificate.
Change-Id: I114ffb8e0cbe3b1edaae7e69e8aa578cb835efc9
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces a public API for the Android keystore that is accessible
via java.security.KeyStore API. This allows programs to store
PrivateKeyEntry and TrustedCertificateEntry items visible only to
themselves.
Future work should include:
* Implement KeyStore.CallbackHandlerProtection parameter to allow the
caller to request that the keystore daemon unlock itself via the
system password input dialog.
* Implement SecretKeyEntry once that support is in keystore daemon
Change-Id: I382ffdf742d3f9f7647c5f5a429244a340b6bb0a
|
|
|
|
|
|
|
|
| |
java.security.KeyStore requires that you be able to get the creation
date for any given entry. We'll approximate that through using the mtime
of the file in the keystore.
Change-Id: I16f74354a6c2e78a1a0b4dc2ae720c5391274e6f
|