commit 3876b1be27e3aefde9a72eb2e4f856e94fc5f946
author Alex Klyubin <klyubin@google.com> Wed Sep 09 14:55:03 2015 -0700
committer Alex Klyubin <klyubin@google.com> Thu Sep 10 15:35:06 2015 -0700
tree 5783b18f074f1971a83a615ef805f5483f6cfb90
parent 435acfc88917e3535462ea520b01d0868266acd2

Support cross-UID access from AndroidKeyStore.

This is meant for exposing the pre-existing cross-UID access to keys
backed by the keystore service via higher-level JCA API. For example,
this lets system_server use Wi-Fi or VPN UID keys via JCA API.

To obtain a JCA AndroidKeyStore KeyStore for another UID, use the
hidden system API AndroidKeyStoreProvider.getKeyStoreForUid(uid).

To generate a key owned by another UID, invoke setUid(uid) on
KeyGenParameterSpec.Builder.

This CL does not change the security policy, such as which UID can
access/modify which UIDs' keys. The policy is that only certain system
UIDs are permitted to access keys of certain other system UIDs.

Bug: 23978113
Change-Id: Ie381530f41dc41c50d52f675fb9e68bc87c006de

keystore/java/android/security/KeyChain.java

diff --git a/keystore/java/android/security/KeyChain.java b/keystore/java/android/security/KeyChain.java
index 7de26d6..5b2594d 100644
--- a/keystore/java/android/security/KeyChain.java
+++ b/keystore/java/android/security/KeyChain.java
@@ -374,7 +374,7 @@
                 throw new KeyChainException("keystore had a problem");
             }
             return AndroidKeyStoreProvider.loadAndroidKeyStorePrivateKeyFromKeystore(
-                    KeyStore.getInstance(), keyId);
+                    KeyStore.getInstance(), keyId, KeyStore.UID_SELF);
         } catch (RemoteException e) {
             throw new KeyChainException(e);
         } catch (RuntimeException e) {