Switch VPN to use keystore ENGINE

The VPN client will no longer receive the private key material directly
from the caller. Instead it will use the keystore OpenSSL ENGINE to
request that keystore does private key operations on its behalf.

We only pass the keystore key alias to the private key instead of the
private key itself now.

Change-Id: I4ea2abda5ab7dec7d7ef5f451b96fef5bc92d811

1 files changed, 6 insertions, 3 deletions

diff --git a/src/com/android/settings/vpn2/VpnSettings.java b/src/com/android/settings/vpn2/VpnSettings.java
index 975f807..5db434c 100644
--- a/src/com/android/settings/vpn2/VpnSettings.java
+++ b/src/com/android/settings/vpn2/VpnSettings.java
@@ -360,9 +360,12 @@ public class VpnSettings extends SettingsPreferenceFragment implements
         String caCert = "";
         String serverCert = "";
         if (!profile.ipsecUserCert.isEmpty()) {
-            byte[] value = mKeyStore.get(Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert);
-            privateKey = (value == null) ? null : new String(value, Charsets.UTF_8);
-            value = mKeyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecUserCert);
+            /*
+             * VPN has a special exception in keystore to allow it to use system
+             * UID certs.
+             */
+            privateKey = Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert;
+            byte[] value = mKeyStore.get(Credentials.USER_CERTIFICATE + profile.ipsecUserCert);
             userCert = (value == null) ? null : new String(value, Charsets.UTF_8);
         }
         if (!profile.ipsecCaCert.isEmpty()) {