Refactoring AndroidKeyStore to support a KeyStore running in another process

chrome/android/java/src/org/chromium/chrome/browser/SSLClientCertificateRequest.java

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.chrome.browser;
 
 import android.app.Activity;
 import android.content.Context;
 import android.os.AsyncTask;
 import android.security.KeyChain;
 import android.security.KeyChainAliasCallback;
 import android.security.KeyChainException;
 import android.util.Log;
 
 import org.chromium.base.ActivityStatus;
 import org.chromium.base.CalledByNative;
 import org.chromium.base.JNINamespace;
 import org.chromium.base.ThreadUtils;
+import org.chromium.net.AndroidKeyStoreLocalImpl;
+import org.chromium.net.AndroidPrivateKey;
 
 import java.security.Principal;
-import java.security.PrivateKey;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 
 import javax.security.auth.x500.X500Principal;
 
 /**
  * Handles selection of client certificate on the Java side. This class is responsible for selection
  * of the client certificate to be used for authentication and retrieval of the private key and full
  * certificate chain.
  *
  * The entry point is selectClientCertificate() and it will be called on the UI thread. Then the
  * class will construct and run an appropriate CertAsyncTask, that will run in background, and
  * finally pass the results back to the UI thread, which will return to the native code.
  */
 @JNINamespace("chrome::android")
-class SSLClientCertificateRequest {
+public class SSLClientCertificateRequest {
     static final String TAG = "SSLClientCertificateRequest";
 
+    static final AndroidKeyStoreLocalImpl sLocalKeyStore = new AndroidKeyStoreLocalImpl();

[bulach, 2014/02/14 10:45:29]

nit: can this be private, and wrapped in a GetInstance() or some such?

[Yaron, 2014/02/14 19:36:56]

Done.

+
     /**
      * Common implementation for anynchronous task of handling the certificate request. This
      * AsyncTask uses the abstract methods to retrieve the authentication material from a
      * generalized key store. The key store is accessed in background, as the APIs being exercised
      * may be blocking. The results are posted back to native on the UI thread.
      */
     abstract static class CertAsyncTask extends AsyncTask<Void, Void, Void> {
         // These fields will store the results computed in doInBackground so that they can be posted
         // back in onPostExecute.
         private byte[][] mEncodedChain;
-        private PrivateKey mPrivateKey;
+        private AndroidPrivateKey mAndroidKey;

[bulach, 2014/02/14 10:45:29]

nit: mAndroidPrivateKey, just to avoid confusion..

[Yaron, 2014/02/14 19:36:56]

Done.

 
         // Pointer to the native certificate request needed to return the results.
         private final int mNativePtr;
 
         CertAsyncTask(int nativePtr) {
             mNativePtr = nativePtr;
         }
 
         // These overriden methods will be used to access the key store.
         abstract String getAlias();
-        abstract PrivateKey getPrivateKey(String alias);
+        abstract AndroidPrivateKey getPrivateKey(String alias);
         abstract X509Certificate[] getCertificateChain(String alias);
 
         @Override
         protected Void doInBackground(Void... params) {
             String alias = getAlias();
             if (alias == null) return null;
 
-            PrivateKey key = getPrivateKey(alias);
+            AndroidPrivateKey key = getPrivateKey(alias);
+            Log.d(TAG, "got key " + key);
             X509Certificate[] chain = getCertificateChain(alias);
+             Log.d(TAG, "got chain " + chain);

[bulach, 2014/02/14 10:45:29]

nit: unindent

[Yaron, 2014/02/14 19:36:56]

Done.

+
             if (key == null || chain == null || chain.length == 0) {
                 Log.w(TAG, "Empty client certificate chain?");
                 return null;
             }
 
             // Encode the certificate chain.
             byte[][] encodedChain = new byte[chain.length][];
             try {
                 for (int i = 0; i < chain.length; ++i) {
                     encodedChain[i] = chain[i].getEncoded();
                 }
             } catch (CertificateEncodingException e) {
                 Log.w(TAG, "Could not retrieve encoded certificate chain: " + e);
                 return null;
             }
 
             mEncodedChain = encodedChain;
-            mPrivateKey = key;
+            mAndroidKey = key;
             return null;
         }
 
         @Override
         protected void onPostExecute(Void result) {
             ThreadUtils.assertOnUiThread();
-            nativeOnSystemRequestCompletion(mNativePtr, mEncodedChain, mPrivateKey);
+            nativeOnSystemRequestCompletion(mNativePtr, mEncodedChain, mAndroidKey);
         }
     }
 
     /** Implementation of CertAsyncTask for the system KeyChain API. */
     private static class CertAsyncTaskKeyChain extends CertAsyncTask {
         final Context mContext;
         final String mAlias;
 
         CertAsyncTaskKeyChain(Context context, int nativePtr, String alias) {
             super(nativePtr);
             mContext = context;
             assert alias != null;
             mAlias = alias;
         }
 
         @Override
         String getAlias() {
             return mAlias;
         }
 
         @Override
-        PrivateKey getPrivateKey(String alias) {
+        AndroidPrivateKey getPrivateKey(String alias) {
             try {
-                return KeyChain.getPrivateKey(mContext, alias);
+                return sLocalKeyStore.createKey(KeyChain.getPrivateKey(mContext, alias));
             } catch (KeyChainException e) {
                 Log.w(TAG, "KeyChainException when looking for '" + alias + "' certificate");
                 return null;
             } catch (InterruptedException e) {
                 Log.w(TAG, "InterruptedException when looking for '" + alias + "'certificate");
                 return null;
             }
         }
 
         @Override
@@ skipping 23 matching lines @@
             mPort = port;
             mPKCS11AuthManager = pkcs11CardAuthManager;
         }
 
         @Override
         String getAlias() {
             return mPKCS11AuthManager.getClientCertificateAlias(mHostName, mPort);
         }
 
         @Override
-        PrivateKey getPrivateKey(String alias) {
+        AndroidPrivateKey getPrivateKey(String alias) {
             return mPKCS11AuthManager.getPrivateKey(alias);
         }
 
         @Override
         X509Certificate[] getCertificateChain(String alias) {
             return mPKCS11AuthManager.getCertificateChain(alias);
         }
     }
 
     /**
@@ skipping 109 matching lines @@
             // Smart card support is not available, use the system store unconditionally.
             useSystemStore.run();
         }
 
         // We've taken ownership of the native ssl request object.
         return true;
     }
 
     // Called to pass request results to native side.
     private static native void nativeOnSystemRequestCompletion(
-            int requestPtr, byte[][] certChain, PrivateKey privateKey);
+            int requestPtr, byte[][] certChain, AndroidPrivateKey androidKey);
 }