Keystore 2.0: Update Wifi settings to use mostly public keystore API.

Test: N/A
Bug: 171305607
Bug: 171305388
Merged-In: Ib794c5f2d904c2b187d7d5fd00b81afc852d0052
Change-Id: Ib794c5f2d904c2b187d7d5fd00b81afc852d0052
diff --git a/src/com/android/settings/utils/AndroidKeystoreAliasLoader.java b/src/com/android/settings/utils/AndroidKeystoreAliasLoader.java
new file mode 100644
index 0000000..b9ccf29
--- /dev/null
+++ b/src/com/android/settings/utils/AndroidKeystoreAliasLoader.java
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.utils;
+
+import android.os.Process;
+import android.security.keystore.AndroidKeyStoreProvider;
+import android.security.keystore.KeyProperties;
+import android.security.keystore2.AndroidKeyStoreLoadStoreParameter;
+import android.util.Log;
+
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Enumeration;
+
+/**
+ * This class provides a portable and unified way to load the content of AndroidKeyStore through
+ * public API.
+ * @hide
+ */
+public class AndroidKeystoreAliasLoader {
+    private static final String TAG = "SettingsKeystoreUtils";
+
+    private final Collection<String> mKeyCertAliases;
+    private final Collection<String> mCaCertAliases;
+    /**
+     * This Constructor loads all aliases of asymmetric key pairs and certificates in the
+     * AndroidKeyStore within the given namespace.
+     * Viable namespaces are {@link KeyProperties#NAMESPACE_WIFI},
+     * {@link KeyProperties#NAMESPACE_APPLICATION}, or null. The latter two are equivalent in
+     * that they will load the keystore content of the app's own namespace. In case of settings,
+     * this is the namespace of the AID_SYSTEM.
+     *
+     * @param namespace {@link KeyProperties#NAMESPACE_WIFI},
+     *                  {@link KeyProperties#NAMESPACE_APPLICATION}, or null
+     * @hide
+     */
+    public AndroidKeystoreAliasLoader(Integer namespace) {
+        mKeyCertAliases = new ArrayList<>();
+        mCaCertAliases = new ArrayList<>();
+        KeyStore keyStore = null;
+        final Enumeration<String> aliases;
+        try {
+            if (namespace != null && namespace != KeyProperties.NAMESPACE_APPLICATION) {
+                if (AndroidKeyStoreProvider.isKeystore2Enabled()) {
+                    keyStore = KeyStore.getInstance("AndroidKeyStore");
+                    keyStore.load(new AndroidKeyStoreLoadStoreParameter(namespace));
+                } else {
+                    // In the legacy case we pass in the WIFI UID because that is the only
+                    // possible special namespace that existed as of this writing,
+                    // and new namespaces must only be added using the new mechanism.
+                    keyStore = AndroidKeyStoreProvider.getKeyStoreForUid(Process.WIFI_UID);
+                }
+            } else {
+                keyStore = KeyStore.getInstance("AndroidKeyStore");
+                keyStore.load(null);
+            }
+            aliases = keyStore.aliases();
+        } catch (Exception e) {
+            Log.e(TAG, "Failed to open Android Keystore.", e);
+            // Will return empty lists.
+            return;
+        }
+
+        while (aliases.hasMoreElements()) {
+            final String alias = aliases.nextElement();
+            try {
+                final Key key = keyStore.getKey(alias, null);
+                if (key != null) {
+                    if (key instanceof PrivateKey) {
+                        mKeyCertAliases.add(alias);
+                    }
+                } else {
+                    if (keyStore.getCertificate(alias) != null) {
+                        mCaCertAliases.add(alias);
+                    }
+                }
+            } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
+                Log.e(TAG, "Failed to load alias: "
+                        + alias + " from Android Keystore. Ignoring.", e);
+            }
+        }
+    }
+
+    /**
+     * Returns the aliases of the key pairs and certificates stored in the Android KeyStore at the
+     * time the constructor was called.
+     * @return Collection of keystore aliases.
+     * @hide
+     */
+    public Collection<String> getKeyCertAliases() {
+        return mKeyCertAliases;
+    }
+
+    /**
+     * Returns the aliases of the trusted certificates stored in the Android KeyStore at the
+     * time the constructor was called.
+     * @return Collection of keystore aliases.
+     * @hide
+     */
+    public Collection<String> getCaCertAliases() {
+        return mCaCertAliases;
+    }
+}
diff --git a/src/com/android/settings/wifi/WifiConfigController.java b/src/com/android/settings/wifi/WifiConfigController.java
index d0b5a40..6e96ae2 100644
--- a/src/com/android/settings/wifi/WifiConfigController.java
+++ b/src/com/android/settings/wifi/WifiConfigController.java
@@ -35,8 +35,7 @@
 import android.net.wifi.WifiManager;
 import android.os.IBinder;
 import android.os.UserManager;
-import android.security.Credentials;
-import android.security.KeyStore;
+import android.security.keystore.KeyProperties;
 import android.telephony.SubscriptionInfo;
 import android.telephony.SubscriptionManager;
 import android.text.Editable;
@@ -73,6 +72,7 @@
 import com.android.net.module.util.ProxyUtils;
 import com.android.settings.ProxySelector;
 import com.android.settings.R;
+import com.android.settings.utils.AndroidKeystoreAliasLoader;
 import com.android.settings.wifi.details.WifiPrivacyPreferenceController;
 import com.android.settings.wifi.details2.WifiPrivacyPreferenceController2;
 import com.android.settings.wifi.dpp.WifiDppUtils;
@@ -83,7 +83,7 @@
 import java.net.Inet4Address;
 import java.net.InetAddress;
 import java.util.ArrayList;
-import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
@@ -1051,15 +1051,17 @@
         if (refreshCertificates) {
             loadSims();
 
+            final AndroidKeystoreAliasLoader androidKeystoreAliasLoader =
+                    getAndroidKeystoreAliasLoader();
             loadCertificates(
                     mEapCaCertSpinner,
-                    Credentials.CA_CERTIFICATE,
+                    androidKeystoreAliasLoader.getCaCertAliases(),
                     null /* noCertificateString */,
                     false /* showMultipleCerts */,
                     true /* showUsePreinstalledCertOption */);
             loadCertificates(
                     mEapUserCertSpinner,
-                    Credentials.USER_PRIVATE_KEY,
+                    androidKeystoreAliasLoader.getKeyCertAliases(),
                     mDoNotProvideEapUserCertString,
                     false /* showMultipleCerts */,
                     false /* showUsePreinstalledCertOption */);
@@ -1142,10 +1144,13 @@
                 } else if (caCerts.length == 1) {
                     setSelection(mEapCaCertSpinner, caCerts[0]);
                 } else {
+                    final AndroidKeystoreAliasLoader androidKeystoreAliasLoader =
+                            getAndroidKeystoreAliasLoader();
+
                     // Reload the cert spinner with an extra "multiple certificates added" item.
                     loadCertificates(
                             mEapCaCertSpinner,
-                            Credentials.CA_CERTIFICATE,
+                            androidKeystoreAliasLoader.getCaCertAliases(),
                             null /* noCertificateString */,
                             true /* showMultipleCerts */,
                             true /* showUsePreinstalledCertOption */);
@@ -1464,8 +1469,8 @@
     }
 
     @VisibleForTesting
-    KeyStore getKeyStore() {
-        return KeyStore.getInstance();
+    AndroidKeystoreAliasLoader getAndroidKeystoreAliasLoader() {
+        return new AndroidKeystoreAliasLoader(KeyProperties.NAMESPACE_WIFI);
     }
 
     @VisibleForTesting
@@ -1509,7 +1514,7 @@
     @VisibleForTesting
     void loadCertificates(
             Spinner spinner,
-            String prefix,
+            Collection<String> choices,
             String noCertificateString,
             boolean showMultipleCerts,
             boolean showUsePreinstalledCertOption) {
@@ -1524,14 +1529,8 @@
             certs.add(mUseSystemCertsString);
         }
 
-        String[] certificateNames = null;
-        try {
-            certificateNames = getKeyStore().list(prefix, android.os.Process.WIFI_UID);
-        } catch (Exception e) {
-            Log.e(TAG, "can't get the certificate list from KeyStore");
-        }
-        if (certificateNames != null && certificateNames.length != 0) {
-            certs.addAll(Arrays.stream(certificateNames)
+        if (choices != null && choices.size() != 0) {
+            certs.addAll(choices.stream()
                     .filter(certificateName -> {
                         for (String undesired : UNDESIRED_CERTIFICATES) {
                             if (certificateName.startsWith(undesired)) {
diff --git a/src/com/android/settings/wifi/WifiConfigController2.java b/src/com/android/settings/wifi/WifiConfigController2.java
index 79acc59..467f32e 100644
--- a/src/com/android/settings/wifi/WifiConfigController2.java
+++ b/src/com/android/settings/wifi/WifiConfigController2.java
@@ -33,8 +33,7 @@
 import android.net.wifi.WifiManager;
 import android.os.IBinder;
 import android.os.UserManager;
-import android.security.Credentials;
-import android.security.KeyStore;
+import android.security.keystore.KeyProperties;
 import android.telephony.SubscriptionInfo;
 import android.telephony.SubscriptionManager;
 import android.text.Editable;
@@ -71,6 +70,7 @@
 import com.android.net.module.util.ProxyUtils;
 import com.android.settings.ProxySelector;
 import com.android.settings.R;
+import com.android.settings.utils.AndroidKeystoreAliasLoader;
 import com.android.settings.wifi.details.WifiPrivacyPreferenceController;
 import com.android.settings.wifi.details2.WifiPrivacyPreferenceController2;
 import com.android.settings.wifi.dpp.WifiDppUtils;
@@ -83,7 +83,7 @@
 import java.net.Inet4Address;
 import java.net.InetAddress;
 import java.util.ArrayList;
-import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
@@ -1034,15 +1034,17 @@
         if (refreshCertificates) {
             loadSims();
 
+            final AndroidKeystoreAliasLoader androidKeystoreAliasLoader =
+                    getAndroidKeystoreAliasLoader();
             loadCertificates(
                     mEapCaCertSpinner,
-                    Credentials.CA_CERTIFICATE,
+                    androidKeystoreAliasLoader.getCaCertAliases(),
                     null /* noCertificateString */,
                     false /* showMultipleCerts */,
                     true /* showUsePreinstalledCertOption */);
             loadCertificates(
                     mEapUserCertSpinner,
-                    Credentials.USER_PRIVATE_KEY,
+                    androidKeystoreAliasLoader.getKeyCertAliases(),
                     mDoNotProvideEapUserCertString,
                     false /* showMultipleCerts */,
                     false /* showUsePreinstalledCertOption */);
@@ -1127,9 +1129,11 @@
                     setSelection(mEapCaCertSpinner, caCerts[0]);
                 } else {
                     // Reload the cert spinner with an extra "multiple certificates added" item.
+                    final AndroidKeystoreAliasLoader androidKeystoreAliasLoader =
+                            getAndroidKeystoreAliasLoader();
                     loadCertificates(
                             mEapCaCertSpinner,
-                            Credentials.CA_CERTIFICATE,
+                            androidKeystoreAliasLoader.getCaCertAliases(),
                             null /* noCertificateString */,
                             true /* showMultipleCerts */,
                             true /* showUsePreinstalledCertOption */);
@@ -1448,8 +1452,8 @@
     }
 
     @VisibleForTesting
-    KeyStore getKeyStore() {
-        return KeyStore.getInstance();
+    AndroidKeystoreAliasLoader getAndroidKeystoreAliasLoader() {
+        return new AndroidKeystoreAliasLoader(KeyProperties.NAMESPACE_WIFI);
     }
 
     @VisibleForTesting
@@ -1493,7 +1497,7 @@
     @VisibleForTesting
     void loadCertificates(
             Spinner spinner,
-            String prefix,
+            Collection<String> choices,
             String noCertificateString,
             boolean showMultipleCerts,
             boolean showUsePreinstalledCertOption) {
@@ -1508,14 +1512,8 @@
             certs.add(mUseSystemCertsString);
         }
 
-        String[] certificateNames = null;
-        try {
-            certificateNames = getKeyStore().list(prefix, android.os.Process.WIFI_UID);
-        } catch (Exception e) {
-            Log.e(TAG, "can't get the certificate list from KeyStore");
-        }
-        if (certificateNames != null && certificateNames.length != 0) {
-            certs.addAll(Arrays.stream(certificateNames)
+        if (choices != null && choices.size() != 0) {
+            certs.addAll(choices.stream()
                     .filter(certificateName -> {
                         for (String undesired : UNDESIRED_CERTIFICATES) {
                             if (certificateName.startsWith(undesired)) {
diff --git a/tests/robotests/src/com/android/settings/wifi/WifiConfigController2Test.java b/tests/robotests/src/com/android/settings/wifi/WifiConfigController2Test.java
index 8696582..a31e082 100644
--- a/tests/robotests/src/com/android/settings/wifi/WifiConfigController2Test.java
+++ b/tests/robotests/src/com/android/settings/wifi/WifiConfigController2Test.java
@@ -18,9 +18,6 @@
 
 import static com.google.common.truth.Truth.assertThat;
 
-import static org.mockito.Mockito.anyInt;
-import static org.mockito.Mockito.anyString;
-import static org.mockito.Mockito.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.robolectric.Shadows.shadowOf;
@@ -33,9 +30,6 @@
 import android.net.wifi.WifiEnterpriseConfig.Eap;
 import android.net.wifi.WifiEnterpriseConfig.Phase2;
 import android.net.wifi.WifiManager;
-import android.os.ServiceSpecificException;
-import android.security.Credentials;
-import android.security.KeyStore;
 import android.telephony.SubscriptionInfo;
 import android.telephony.SubscriptionManager;
 import android.telephony.TelephonyManager;
@@ -50,9 +44,12 @@
 
 import com.android.settings.R;
 import com.android.settings.testutils.shadow.ShadowConnectivityManager;
+import com.android.settings.utils.AndroidKeystoreAliasLoader;
 import com.android.settings.wifi.details.WifiPrivacyPreferenceController;
 import com.android.wifitrackerlib.WifiEntry;
 
+import com.google.common.collect.ImmutableList;
+
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -78,7 +75,7 @@
     @Mock
     private WifiEntry mWifiEntry;
     @Mock
-    private KeyStore mKeyStore;
+    private AndroidKeystoreAliasLoader mAndroidKeystoreAliasLoader;
     private View mView;
     private Spinner mHiddenSettingsSpinner;
     private Spinner mEapCaCertSpinner;
@@ -285,27 +282,11 @@
     }
 
     @Test
-    public void loadCertificates_keyStoreListFail_shouldNotCrash() {
-        // Set up
-        when(mWifiEntry.getSecurity()).thenReturn(WifiEntry.SECURITY_EAP);
-        when(mKeyStore.list(anyString()))
-            .thenThrow(new ServiceSpecificException(-1, "permission error"));
-
-        mController = new TestWifiConfigController2(mConfigUiBase, mView, mWifiEntry,
-              WifiConfigUiBase2.MODE_CONNECT);
-
-        // Verify that the EAP method menu is visible.
-        assertThat(mView.findViewById(R.id.eap).getVisibility()).isEqualTo(View.VISIBLE);
-        // No Crash
-    }
-
-    @Test
     public void loadCertificates_undesiredCertificates_shouldNotLoadUndesiredCertificates() {
         final Spinner spinner = new Spinner(mContext);
-        when(mKeyStore.list(anyString())).thenReturn(WifiConfigController.UNDESIRED_CERTIFICATES);
 
         mController.loadCertificates(spinner,
-                "prefix",
+                Arrays.asList(WifiConfigController.UNDESIRED_CERTIFICATES),
                 "doNotProvideEapUserCertString",
                 false /* showMultipleCerts */,
                 false /* showUsePreinstalledCertOption */);
@@ -436,8 +417,8 @@
         }
 
         @Override
-        KeyStore getKeyStore() {
-            return mKeyStore;
+        AndroidKeystoreAliasLoader getAndroidKeystoreAliasLoader() {
+            return mAndroidKeystoreAliasLoader;
         }
     }
 
@@ -883,6 +864,7 @@
             String savedUserCertificate) {
         final WifiConfiguration mockWifiConfig = mock(WifiConfiguration.class);
         final WifiEnterpriseConfig mockWifiEnterpriseConfig = mock(WifiEnterpriseConfig.class);
+
         mockWifiConfig.enterpriseConfig = mockWifiEnterpriseConfig;
         when(mWifiEntry.isSaved()).thenReturn(true);
         when(mWifiEntry.getSecurity()).thenReturn(WifiEntry.SECURITY_EAP);
@@ -893,15 +875,15 @@
             String[] savedCaCertificates = new String[]{savedCaCertificate};
             when(mockWifiEnterpriseConfig.getCaCertificateAliases())
                     .thenReturn(savedCaCertificates);
-            when(mKeyStore.list(eq(Credentials.CA_CERTIFICATE), anyInt()))
-                    .thenReturn(savedCaCertificates);
+            when(mAndroidKeystoreAliasLoader.getCaCertAliases())
+                    .thenReturn(ImmutableList.of(savedCaCertificate));
         }
         if (savedUserCertificate != null) {
             String[] savedUserCertificates = new String[]{savedUserCertificate};
             when(mockWifiEnterpriseConfig.getClientCertificateAlias())
                     .thenReturn(savedUserCertificate);
-            when(mKeyStore.list(eq(Credentials.USER_PRIVATE_KEY), anyInt()))
-                    .thenReturn(savedUserCertificates);
+            when(mAndroidKeystoreAliasLoader.getKeyCertAliases())
+                    .thenReturn(ImmutableList.of(savedUserCertificate));
         }
 
         mController = new TestWifiConfigController2(mConfigUiBase, mView, mWifiEntry,
diff --git a/tests/robotests/src/com/android/settings/wifi/WifiConfigControllerTest.java b/tests/robotests/src/com/android/settings/wifi/WifiConfigControllerTest.java
index 9e62b25..40a0dd6 100644
--- a/tests/robotests/src/com/android/settings/wifi/WifiConfigControllerTest.java
+++ b/tests/robotests/src/com/android/settings/wifi/WifiConfigControllerTest.java
@@ -18,7 +18,6 @@
 
 import static com.google.common.truth.Truth.assertThat;
 
-import static org.mockito.Mockito.anyString;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.robolectric.Shadows.shadowOf;
@@ -31,8 +30,6 @@
 import android.net.wifi.WifiEnterpriseConfig.Eap;
 import android.net.wifi.WifiEnterpriseConfig.Phase2;
 import android.net.wifi.WifiManager;
-import android.os.ServiceSpecificException;
-import android.security.KeyStore;
 import android.telephony.SubscriptionInfo;
 import android.telephony.SubscriptionManager;
 import android.telephony.TelephonyManager;
@@ -74,8 +71,6 @@
     private Context mContext;
     @Mock
     private AccessPoint mAccessPoint;
-    @Mock
-    private KeyStore mKeyStore;
     private View mView;
     private Spinner mHiddenSettingsSpinner;
     private ShadowSubscriptionManager mShadowSubscriptionManager;
@@ -264,27 +259,11 @@
     }
 
     @Test
-    public void loadCertificates_keyStoreListFail_shouldNotCrash() {
-        // Set up
-        when(mAccessPoint.getSecurity()).thenReturn(AccessPoint.SECURITY_EAP);
-        when(mKeyStore.list(anyString()))
-            .thenThrow(new ServiceSpecificException(-1, "permission error"));
-
-        mController = new TestWifiConfigController(mConfigUiBase, mView, mAccessPoint,
-              WifiConfigUiBase.MODE_CONNECT);
-
-        // Verify that the EAP method menu is visible.
-        assertThat(mView.findViewById(R.id.eap).getVisibility()).isEqualTo(View.VISIBLE);
-        // No Crash
-    }
-
-    @Test
     public void loadCertificates_undesiredCertificates_shouldNotLoadUndesiredCertificates() {
         final Spinner spinner = new Spinner(mContext);
-        when(mKeyStore.list(anyString())).thenReturn(WifiConfigController.UNDESIRED_CERTIFICATES);
 
         mController.loadCertificates(spinner,
-                "prefix",
+                Arrays.asList(WifiConfigController.UNDESIRED_CERTIFICATES),
                 "doNotProvideEapUserCertString",
                 false /* showMultipleCerts */,
                 false /* showUsePreinstalledCertOption */);
@@ -413,9 +392,6 @@
         boolean isSplitSystemUser() {
             return false;
         }
-
-        @Override
-        KeyStore getKeyStore() { return mKeyStore; }
     }
 
     @Test