| author | 2020-11-28 11:57:08 +0000 | |
|---|---|---|
| committer | 2020-12-01 20:04:04 +0000 | |
| commit | e17727ebe44f33976e3f035719265bd19e48c871 (patch) | |
| tree | 155c5c67cb58e7987e4fbc17786e74778ce617ca | |
| parent | aec5558bc326b11f3c886536e261619269043564 (diff) | |
Add KeyChainService credential management app APIs
Background
* This is part of the work to support
a credential management app on
unmanaged devices.
Changes
* Add KeyChainService API methods to
modify the stored credential management app.
Manual Testing
* Install TestDPC
* Request to manage credentials (fire intent).
Add policy mapping: 'com.android.chrome' ->
'client.badssl.com:443' -> 'testAlias'
* Install badssl user certificate as credential
management app (TestDPC). Set alias to 'testAlias'
* Check certificate is installed in Settings
* Go to chrome > client.badssl.com
* Verify no certificate selection prompt is
displayed. User is automatically authenticated.
* Remove credential management app from Settings
Security > Encryption and credentials >
Certificate management app
* Verify credential management app is removed and
'testAlias' is uninstalled.
Bug: 165641221
Test: Manual Testing
atest com.android.keychain.KeyChainServiceRoboTest
Change-Id: I00b7df27a92f6ee4f74546f892c83290fead1112
| -rw-r--r-- | keystore/java/android/security/AppUriAuthenticationPolicy.java | 15 | ||||
| -rw-r--r-- | keystore/java/android/security/IKeyChainService.aidl | 9 |
2 files changed, 24 insertions, 0 deletions
diff --git a/keystore/java/android/security/AppUriAuthenticationPolicy.java b/keystore/java/android/security/AppUriAuthenticationPolicy.java
index 30f5a94ca0c8..0244ce97c0d4 100644
--- a/keystore/java/android/security/AppUriAuthenticationPolicy.java
+++ b/keystore/java/android/security/AppUriAuthenticationPolicy.java
@@ -28,8 +28,10 @@ import org.xmlpull.v1.XmlSerializer;
 
 import java.io.IOException;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 
 /**
  * The app-URI authentication policy is set by the credential management app. This policy determines
@@ -223,4 +225,17 @@ public final class AppUriAuthenticationPolicy implements Parcelable {
         }
     }
 
+    /**
+     * Get the set of aliases found in the policy.
+     *
+     * @hide
+     */
+    public Set<String> getAliases() {
+        Set<String> aliases = new HashSet<>();
+        for (UrisToAliases appsToUris : mAppToUris.values()) {
+            aliases.addAll(appsToUris.getUrisToAliases().values());
+        }
+        return aliases;
+    }
+
 }
diff --git a/keystore/java/android/security/IKeyChainService.aidl b/keystore/java/android/security/IKeyChainService.aidl
index 1ae6a631dbcb..add52fa5b436 100644
--- a/keystore/java/android/security/IKeyChainService.aidl
+++ b/keystore/java/android/security/IKeyChainService.aidl
@@ -18,6 +18,8 @@ package android.security;
 import android.content.pm.StringParceledListSlice;
 import android.security.keymaster.KeymasterCertificateChain;
 import android.security.keystore.ParcelableKeyGenParameterSpec;
+import android.security.AppUriAuthenticationPolicy;
+import android.net.Uri;
 
 /**
  * Caller is required to ensure that {@link KeyStore#unlock 
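Review bot: `getAliases()` hands back a freshly built, mutable `HashSet`, but its Javadoc says only "Get the set of aliases found in the policy"; the commit message says these aliases are the ones uninstalled when the credential management app is removed, so the contract of the result matters to that caller. The doc should state that the set is a snapshot not backed by the policy, that iteration order is unspecified, and that an alias reachable from several URIs or apps appears once: `Returns a new, unordered set of every alias referenced by this policy; the set is a snapshot and is not backed by the policy.` If callers only read the result, wrapping it as `return Collections.unmodifiableSet(aliases);` would make that explicit, though `java.util.Collections` is not among the imports visible in this hunk.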
@@ -56,6 +58,13 @@ interface IKeyChainService {
     boolean containsCaAlias(String alias);
     byte[] getEncodedCaCertificate(String alias, boolean includeDeletedSystem);
     List<String> getCaCertificateChainAliases(String rootAlias, boolean includeDeletedSystem);
+    void setCredentialManagementApp(String packageName, in AppUriAuthenticationPolicy policy);
+    void updateCredentialManagementAppPolicy(in AppUriAuthenticationPolicy policy);
+    boolean hasCredentialManagementApp();
+    String getCredentialManagementAppPackageName();
+    AppUriAuthenticationPolicy getCredentialManagementAppPolicy();
+    String getPredefinedAliasForPackageAndUri(String packageName, in Uri uri);
+    void removeCredentialManagementApp();
 
     // APIs used by KeyChainActivity
     void setGrant(int uid, String alias, boolean value);
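Review bot: The seven new binder methods are added without a group comment, while the adjacent block is labelled `// APIs used by KeyChainActivity`; nothing in the interface says which component is expected to call `setCredentialManagementApp` or `removeCredentialManagementApp`, nor that the caller-supplied `packageName` is a claim the service implementation has to check rather than a trusted value. A one-line comment above the block, e.g. `// APIs used by Settings and the credential management app flow; the service implementation must authorize the caller and validate packageName`, would make that boundary explicit for readers of the AIDL alone. The implementation is not part of this change, so where that check lives cannot be confirmed from here. The `interface IKeyChainService {` declaration begins and ends outside this hunk.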