Integrating keystore with keyguard (Part 1 of 4)

Summary:

frameworks/base
  keystore rewrite
  keyguard integration with keystore on keyguard entry or keyguard change
  KeyStore API simplification

packages/apps/Settings
  Removed com.android.credentials.SET_PASSWORD intent support
  Added keyguard requirement for keystore use

packages/apps/CertInstaller
  Tracking KeyStore API changes
  Fix for NPE in CertInstaller when certificate lacks basic constraints

packages/apps/KeyChain
  Tracking KeyStore API changes

Details:

frameworks/base

   Move keystore from C to C++ while rewriting password
   implementation. Removed global variables. Added many comments.

	cmds/keystore/Android.mk
	cmds/keystore/keystore.h
	cmds/keystore/keystore.c => cmds/keystore/keystore.cpp
	cmds/keystore/keystore_cli.c => cmds/keystore/keystore_cli.cpp

   Changed saveLockPattern and saveLockPassword to notify the keystore
   on changes so that the keystore master key can be reencrypted when
   the keyguard changes.

	core/java/com/android/internal/widget/LockPatternUtils.java

   Changed unlock screens to pass values for keystore unlock or initialization

	policy/src/com/android/internal/policy/impl/PasswordUnlockScreen.java
	policy/src/com/android/internal/policy/impl/PatternUnlockScreen.java

   KeyStore API changes
   - renamed test() to state(), which now return a State enum
   - made APIs with byte[] key arguments private
   - added new KeyStore.isEmpty used to determine if a keyguard is required

	keystore/java/android/security/KeyStore.java

   In addition to tracking KeyStore API changes, added new testIsEmpty
   and improved some existing tests to validate expect values.

	keystore/tests/src/android/security/KeyStoreTest.java

packages/apps/Settings

    Removing com.android.credentials.SET_PASSWORD intent with the
    removal of the ability to set an explicit keystore password now
    that the keyguard value is used. Changed to ensure keyguard is
    enabled for keystore install or unlock. Cleaned up interwoven
    dialog handing into discrete dialog helper classes.

	AndroidManifest.xml
	src/com/android/settings/CredentialStorage.java

    Remove layout for entering new password

	res/layout/credentials_dialog.xml

    Remove enable credentials checkbox

	res/xml/security_settings_misc.xml
	src/com/android/settings/SecuritySettings.java

    Added ability to specify minimum quality key to ChooseLockGeneric
    Activity. Used by CredentialStorage, but could also be used by
    CryptKeeperSettings. Changed ChooseLockGeneric to understand
    minimum quality for keystore in addition to DPM and device
    encryption.

	src/com/android/settings/ChooseLockGeneric.java

    Changed to use getActivePasswordQuality from
    getKeyguardStoredPasswordQuality based on experience in
    CredentialStorage. Removed bogus class javadoc.

	src/com/android/settings/CryptKeeperSettings.java

    Tracking KeyStore API changes

	src/com/android/settings/vpn/VpnSettings.java
	src/com/android/settings/wifi/WifiSettings.java

   Removing now unused string resources

	res/values-af/strings.xml
	res/values-am/strings.xml
	res/values-ar/strings.xml
	res/values-bg/strings.xml
	res/values-ca/strings.xml
	res/values-cs/strings.xml
	res/values-da/strings.xml
	res/values-de/strings.xml
	res/values-el/strings.xml
	res/values-en-rGB/strings.xml
	res/values-es-rUS/strings.xml
	res/values-es/strings.xml
	res/values-fa/strings.xml
	res/values-fi/strings.xml
	res/values-fr/strings.xml
	res/values-hr/strings.xml
	res/values-hu/strings.xml
	res/values-in/strings.xml
	res/values-it/strings.xml
	res/values-iw/strings.xml
	res/values-ja/strings.xml
	res/values-ko/strings.xml
	res/values-lt/strings.xml
	res/values-lv/strings.xml
	res/values-ms/strings.xml
	res/values-nb/strings.xml
	res/values-nl/strings.xml
	res/values-pl/strings.xml
	res/values-pt-rPT/strings.xml
	res/values-pt/strings.xml
	res/values-rm/strings.xml
	res/values-ro/strings.xml
	res/values-ru/strings.xml
	res/values-sk/strings.xml
	res/values-sl/strings.xml
	res/values-sr/strings.xml
	res/values-sv/strings.xml
	res/values-sw/strings.xml
	res/values-th/strings.xml
	res/values-tl/strings.xml
	res/values-tr/strings.xml
	res/values-uk/strings.xml
	res/values-vi/strings.xml
	res/values-zh-rCN/strings.xml
	res/values-zh-rTW/strings.xml
	res/values-zu/strings.xml
	res/values/strings.xml

packages/apps/CertInstaller

  Tracking KeyStore API changes
	src/com/android/certinstaller/CertInstaller.java

  Fix for NPE in CertInstaller when certificate lacks basic constraints
	src/com/android/certinstaller/CredentialHelper.java

packages/apps/KeyChain

  Tracking KeyStore API changes
	src/com/android/keychain/KeyChainActivity.java
	src/com/android/keychain/KeyChainService.java
	support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
	support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
	tests/src/com/android/keychain/tests/KeyChainServiceTest.java

Change-Id: Ic141fb5d4b43d12fe62cb1e29c7cbd891b4be35d

2 files changed, 76 insertions, 61 deletions

diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 7183688..2a48834 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -32,16 +32,21 @@ import java.util.ArrayList;
  * preclude the use of hardware crypto.
  */
 public class KeyStore {
-    public static final int NO_ERROR = 1;
-    public static final int LOCKED = 2;
-    public static final int UNINITIALIZED = 3;
-    public static final int SYSTEM_ERROR = 4;
-    public static final int PROTOCOL_ERROR = 5;
-    public static final int PERMISSION_DENIED = 6;
-    public static final int KEY_NOT_FOUND = 7;
-    public static final int VALUE_CORRUPTED = 8;
-    public static final int UNDEFINED_ACTION = 9;
-    public static final int WRONG_PASSWORD = 10;
+
+    // ResponseCodes
+    private static final int NO_ERROR = 1;
+    private static final int LOCKED = 2;
+    private static final int UNINITIALIZED = 3;
+    private static final int SYSTEM_ERROR = 4;
+    private static final int PROTOCOL_ERROR = 5;
+    private static final int PERMISSION_DENIED = 6;
+    private static final int KEY_NOT_FOUND = 7;
+    private static final int VALUE_CORRUPTED = 8;
+    private static final int UNDEFINED_ACTION = 9;
+    private static final int WRONG_PASSWORD = 10;
+
+    // States
+    public enum State { UNLOCKED, LOCKED, UNINITIALIZED };
 
     private static final LocalSocketAddress sAddress = new LocalSocketAddress(
             "keystore", LocalSocketAddress.Namespace.RESERVED);
@@ -54,31 +59,35 @@ public class KeyStore {
         return new KeyStore();
     }
 
-    public int test() {
+    public State state() {
         execute('t');
-        return mError;
+        switch (mError) {
+            case NO_ERROR: return State.UNLOCKED;
+            case LOCKED: return State.LOCKED;
+            case UNINITIALIZED: return State.UNINITIALIZED;
+            default: throw new AssertionError(mError);
+        }
     }
 
-    public byte[] get(byte[] key) {
+    private byte[] get(byte[] key) {
         ArrayList<byte[]> values = execute('g', key);
         return (values == null || values.isEmpty()) ? null : values.get(0);
     }
 
-    public String get(String key) {
-        byte[] value = get(getBytes(key));
-        return (value == null) ? null : toString(value);
+    public byte[] get(String key) {
+        return get(getBytes(key));
     }
 
-    public boolean put(byte[] key, byte[] value) {
+    private boolean put(byte[] key, byte[] value) {
         execute('i', key, value);
         return mError == NO_ERROR;
     }
 
-    public boolean put(String key, String value) {
-        return put(getBytes(key), getBytes(value));
+    public boolean put(String key, byte[] value) {
+        return put(getBytes(key), value);
     }
 
-    public boolean delete(byte[] key) {
+    private boolean delete(byte[] key) {
         execute('d', key);
         return mError == NO_ERROR;
     }
@@ -87,7 +96,7 @@ public class KeyStore {
         return delete(getBytes(key));
     }
 
-    public boolean contains(byte[] key) {
+    private boolean contains(byte[] key) {
         execute('e', key);
         return mError == NO_ERROR;
     }
@@ -118,19 +127,11 @@ public class KeyStore {
         return mError == NO_ERROR;
     }
 
-    public boolean password(byte[] oldPassword, byte[] newPassword) {
-        execute('p', oldPassword, newPassword);
+    private boolean password(byte[] password) {
+        execute('p', password);
         return mError == NO_ERROR;
     }
 
-    public boolean password(String oldPassword, String newPassword) {
-        return password(getBytes(oldPassword), getBytes(newPassword));
-    }
-
-    public boolean password(byte[] password) {
-        return password(password, password);
-    }
-
     public boolean password(String password) {
         return password(getBytes(password));
     }
@@ -140,7 +141,7 @@ public class KeyStore {
         return mError == NO_ERROR;
     }
 
-    public boolean unlock(byte[] password) {
+    private boolean unlock(byte[] password) {
         execute('u', password);
         return mError == NO_ERROR;
     }
@@ -149,6 +150,11 @@ public class KeyStore {
         return unlock(getBytes(password));
     }
 
+    public boolean isEmpty() {
+        execute('z');
+        return mError == KEY_NOT_FOUND;
+    }
+
     public int getLastError() {
         return mError;
     }
diff --git a/keystore/tests/src/android/security/KeyStoreTest.java b/keystore/tests/src/android/security/KeyStoreTest.java
index 6630a4f..4582aa0 100755
--- a/keystore/tests/src/android/security/KeyStoreTest.java
+++ b/keystore/tests/src/android/security/KeyStoreTest.java
@@ -20,6 +20,9 @@ import android.app.Activity;
 import android.security.KeyStore;
 import android.test.ActivityUnitTestCase;
 import android.test.suitebuilder.annotation.MediumTest;
+import java.nio.charset.Charsets;
+import java.util.Arrays;
+import java.util.HashSet;
 
 /**
  * Junit / Instrumentation test case for KeyStore class
@@ -31,16 +34,15 @@ import android.test.suitebuilder.annotation.MediumTest;
 @MediumTest
 public class KeyStoreTest extends ActivityUnitTestCase<Activity> {
     private static final String TEST_PASSWD = "12345678";
-    private static final String TEST_EMPTY_PASSWD = "";
-    private static final String TEST_SHORT_PASSWD = "short";
     private static final String TEST_PASSWD2 = "87654321";
     private static final String TEST_KEYNAME = "testkey";
     private static final String TEST_KEYNAME1 = "testkey1";
     private static final String TEST_KEYNAME2 = "testkey2";
-    private static final String TEST_KEYVALUE = "test value";
+    private static final byte[] TEST_KEYVALUE = "test value".getBytes(Charsets.UTF_8);
 
     // "Hello, World" in Chinese
-    private static final String TEST_I18N = "\u4F60\u597D, \u4E16\u754C";
+    private static final String TEST_I18N_KEY = "\u4F60\u597D, \u4E16\u754C";
+    private static final byte[] TEST_I18N_VALUE = TEST_I18N_KEY.getBytes(Charsets.UTF_8);
 
     private KeyStore mKeyStore = null;
 
@@ -51,8 +53,10 @@ public class KeyStoreTest extends ActivityUnitTestCase<Activity> {
     @Override
     protected void setUp() throws Exception {
         mKeyStore = KeyStore.getInstance();
-        if (mKeyStore.test() != KeyStore.UNINITIALIZED) mKeyStore.reset();
-        assertEquals(KeyStore.UNINITIALIZED, mKeyStore.test());
+        if (mKeyStore.state() != KeyStore.State.UNINITIALIZED) {
+            mKeyStore.reset();
+        }
+        assertEquals(KeyStore.State.UNINITIALIZED, mKeyStore.state());
         super.setUp();
     }
 
@@ -62,21 +66,13 @@ public class KeyStoreTest extends ActivityUnitTestCase<Activity> {
         super.tearDown();
     }
 
-    public void testTest() throws Exception {
-        assertEquals(KeyStore.UNINITIALIZED, mKeyStore.test());
+    public void teststate() throws Exception {
+        assertEquals(KeyStore.State.UNINITIALIZED, mKeyStore.state());
     }
 
     public void testPassword() throws Exception {
-        //assertFalse(mKeyStore.password(TEST_EMPTY_PASSWD));
-        //assertFalse(mKeyStore.password(TEST_SHORT_PASSWD));
-
         assertTrue(mKeyStore.password(TEST_PASSWD));
-        assertEquals(KeyStore.NO_ERROR, mKeyStore.test());
-
-        assertFalse(mKeyStore.password(TEST_PASSWD2, TEST_PASSWD2));
-        //assertFalse(mKeyStore.password(TEST_PASSWD, TEST_SHORT_PASSWD));
-
-        assertTrue(mKeyStore.password(TEST_PASSWD, TEST_PASSWD2));
+        assertEquals(KeyStore.State.UNLOCKED, mKeyStore.state());
     }
 
     public void testPut() throws Exception {
@@ -87,11 +83,11 @@ public class KeyStoreTest extends ActivityUnitTestCase<Activity> {
     }
 
     public void testI18n() throws Exception {
-        assertFalse(mKeyStore.put(TEST_I18N, TEST_I18N));
-        assertFalse(mKeyStore.contains(TEST_I18N));
-        mKeyStore.password(TEST_I18N);
-        assertTrue(mKeyStore.put(TEST_I18N, TEST_I18N));
-        assertTrue(mKeyStore.contains(TEST_I18N));
+        assertFalse(mKeyStore.put(TEST_I18N_KEY, TEST_I18N_VALUE));
+        assertFalse(mKeyStore.contains(TEST_I18N_KEY));
+        mKeyStore.password(TEST_I18N_KEY);
+        assertTrue(mKeyStore.put(TEST_I18N_KEY, TEST_I18N_VALUE));
+        assertTrue(mKeyStore.contains(TEST_I18N_KEY));
     }
 
     public void testDelete() throws Exception {
@@ -114,33 +110,46 @@ public class KeyStoreTest extends ActivityUnitTestCase<Activity> {
     }
 
     public void testSaw() throws Exception {
-        String[] results = mKeyStore.saw(TEST_KEYNAME);
-        assertEquals(0, results.length);
+        String[] emptyResult = mKeyStore.saw(TEST_KEYNAME);
+        assertNotNull(emptyResult);
+        assertEquals(0, emptyResult.length);
 
         mKeyStore.password(TEST_PASSWD);
         mKeyStore.put(TEST_KEYNAME1, TEST_KEYVALUE);
         mKeyStore.put(TEST_KEYNAME2, TEST_KEYVALUE);
 
-        results = mKeyStore.saw(TEST_KEYNAME);
-        assertEquals(2, results.length);
+        String[] results = mKeyStore.saw(TEST_KEYNAME);
+        assertEquals(new HashSet(Arrays.asList(TEST_KEYNAME1.substring(TEST_KEYNAME.length()),
+                                               TEST_KEYNAME2.substring(TEST_KEYNAME.length()))),
+                     new HashSet(Arrays.asList(results)));
     }
 
     public void testLock() throws Exception {
         assertFalse(mKeyStore.lock());
 
         mKeyStore.password(TEST_PASSWD);
-        assertEquals(KeyStore.NO_ERROR, mKeyStore.test());
+        assertEquals(KeyStore.State.UNLOCKED, mKeyStore.state());
 
         assertTrue(mKeyStore.lock());
-        assertEquals(KeyStore.LOCKED, mKeyStore.test());
+        assertEquals(KeyStore.State.LOCKED, mKeyStore.state());
     }
 
     public void testUnlock() throws Exception {
         mKeyStore.password(TEST_PASSWD);
-        assertEquals(KeyStore.NO_ERROR, mKeyStore.test());
+        assertEquals(KeyStore.State.UNLOCKED, mKeyStore.state());
         mKeyStore.lock();
 
         assertFalse(mKeyStore.unlock(TEST_PASSWD2));
         assertTrue(mKeyStore.unlock(TEST_PASSWD));
     }
+
+    public void testIsEmpty() throws Exception {
+        assertTrue(mKeyStore.isEmpty());
+        mKeyStore.password(TEST_PASSWD);
+        assertTrue(mKeyStore.isEmpty());
+        mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE);
+        assertFalse(mKeyStore.isEmpty());
+        mKeyStore.reset();
+        assertTrue(mKeyStore.isEmpty());
+    }
 }