author Gabriel Biren <gbiren@google.com> 2024-07-30 15:50:40 +0000
committer Gabriel Biren <gbiren@google.com> 2024-08-02 23:11:45 +0000
commitf6823e71d0a7dc868600f9a9d207984df2c52e7b (patch)
tree1e9c6529a62dfded1ab1c7d6d37f67982d06fd80 /wifi
parentf6f830510922e417352837955fa03dbe5d5ca4ca (diff)
Update WifiKeystore and WifiMigration behavior
when the supplicant cannot access WifiBlobstore. On vendor partitions that are <= T, the supplicant will expect certs to be in the Legacy Keystore database. This means that: - New certs should be stored in Legacy Keystore - Certificates should not be migrated out of Legacy Keystore on bootup. Bug: 353140706 Flag: EXEMPT bugfix Test: atest WifiKeystoreTest WifiMigrationTest Test: Manual test - verify that the certs are stored in the expected database on a V device and a V sys + T vend device Change-Id: Ic7c49b5b3d1ad310b23f201d20c45b4fee142d22
Diffstat (limited to 'wifi')
-rw-r--r--wifi/java/src/android/net/wifi/WifiKeystore.java15
-rw-r--r--wifi/java/src/android/net/wifi/WifiMigration.java4
-rw-r--r--wifi/tests/src/android/net/wifi/WifiKeystoreTest.java19
-rw-r--r--wifi/tests/src/android/net/wifi/WifiMigrationTest.java12
4 files changed, 44 insertions, 6 deletions
diff --git a/wifi/java/src/android/net/wifi/WifiKeystore.java b/wifi/java/src/android/net/wifi/WifiKeystore.java
index 2ba7468a8c9c..59f14a94b514 100644
--- a/wifi/java/src/android/net/wifi/WifiKeystore.java
+++ b/wifi/java/src/android/net/wifi/WifiKeystore.java
@@ -36,6 +36,8 @@ import java.util.Set;
@SuppressLint("UnflaggedApi") // Promoting from @SystemApi(MODULE_LIBRARIES)
public final class WifiKeystore {
private static final String TAG = "WifiKeystore";
+ private static final String sPrimaryDbName =
+ WifiBlobStore.supplicantCanAccessBlobstore() ? "WifiBlobstore" : "LegacyKeystore";
/** @hide */
WifiKeystore() {
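Review bot: `sPrimaryDbName` is resolved once at class initialisation, while `put()` re-evaluates `WifiBlobStore.supplicantCanAccessBlobstore()` on every call, so the `primaryDb=` value in the put/get/remove log lines can disagree with the store actually used. This happens, for example, under the static mock in WifiKeystoreTest, which changes the return value per test. Deriving the label from the same result that selects the store, e.g. `final boolean useBlobstore = WifiBlobStore.supplicantCanAccessBlobstore();` at the top of `put()`, keeps the log reliable when triaging where a credential was written. As a `static final` constant it would also conventionally be named `PRIMARY_DB_NAME`, since the `s` prefix is normally kept for non-final statics. The class body continues outside this hunk.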
@@ -57,8 +59,13 @@ public final class WifiKeystore {
// are able to access the same values.
final long identity = Binder.clearCallingIdentity();
try {
- Log.i(TAG, "put blob. alias " + alias);
- return WifiBlobStore.getInstance().put(alias, blob);
+ Log.i(TAG, "put blob. alias=" + alias + ", primaryDb=" + sPrimaryDbName);
+ if (WifiBlobStore.supplicantCanAccessBlobstore()) {
+ return WifiBlobStore.getInstance().put(alias, blob);
+ } else {
+ WifiBlobStore.getLegacyKeystore().put(alias, Process.WIFI_UID, blob);
+ return true;
+ }
} catch (Exception e) {
Log.e(TAG, "Failed to put blob.", e);
return false;
@@ -80,7 +87,7 @@ public final class WifiKeystore {
public static @NonNull byte[] get(@NonNull String alias) {
final long identity = Binder.clearCallingIdentity();
try {
- Log.i(TAG, "get blob. alias " + alias);
+ Log.i(TAG, "get blob. alias=" + alias + ", primaryDb=" + sPrimaryDbName);
byte[] blob = WifiBlobStore.getInstance().get(alias);
if (blob != null) {
return blob;
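Review bot: The read path in `get()` still queries `WifiBlobStore.getInstance().get(alias)` first, even when the new log line reports `primaryDb=LegacyKeystore`, so it no longer mirrors the write path added in `put()`. If a blob for the same alias is already present in WifiBlobstore (for instance left by a migration that ran before this change, which is an assumption because the migration body is not visible here), the framework would return that copy while the supplicant reads the Legacy Keystore copy written by the new `put()`. The two sides could then use different certificates for one alias. Consider consulting Legacy Keystore first when `supplicantCanAccessBlobstore()` is false, or, if the order is intentional, add a comment such as `// WifiBlobstore is still checked first; entries may predate the legacy-vendor fallback`. The rest of `get()` lies outside this hunk.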
@@ -112,7 +119,7 @@ public final class WifiKeystore {
boolean legacyKsSuccess = false;
final long identity = Binder.clearCallingIdentity();
try {
- Log.i(TAG, "remove blob. alias " + alias);
+ Log.i(TAG, "remove blob. alias=" + alias + ", primaryDb=" + sPrimaryDbName);
blobStoreSuccess = WifiBlobStore.getInstance().remove(alias);
// Legacy Keystore will throw an exception if the alias is not found.
WifiBlobStore.getLegacyKeystore().remove(alias, Process.WIFI_UID);
diff --git a/wifi/java/src/android/net/wifi/WifiMigration.java b/wifi/java/src/android/net/wifi/WifiMigration.java
index 6ea20ecdac6e..7df1d4b47204 100644
--- a/wifi/java/src/android/net/wifi/WifiMigration.java
+++ b/wifi/java/src/android/net/wifi/WifiMigration.java
@@ -577,6 +577,10 @@ public final class WifiMigration {
@FlaggedApi(Flags.FLAG_LEGACY_KEYSTORE_TO_WIFI_BLOBSTORE_MIGRATION_READ_ONLY)
@SystemApi(client = SystemApi.Client.MODULE_LIBRARIES)
public static void migrateLegacyKeystoreToWifiBlobstore() {
+ if (!WifiBlobStore.supplicantCanAccessBlobstore()) {
+ Log.i(TAG, "Avoiding migration since supplicant cannot access WifiBlobstore");
+ return;
+ }
final long identity = Binder.clearCallingIdentity();
try {
ILegacyKeystore legacyKeystore = WifiBlobStore.getLegacyKeystore();
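Review bot: The early return stops future migrations but does nothing for a device that already ran `migrateLegacyKeystoreToWifiBlobstore()` on an earlier build. If the migration removes aliases from Legacy Keystore (inferred from the commit message, since the body is outside this hunk), those certificates now exist only in WifiBlobstore, where the supplicant on an older vendor partition cannot read them. It would help to say whether that state is handled elsewhere, e.g. `// Certs moved by earlier builds are not restored here; tracked in <bug id placeholder>`, or to add a follow-up that copies them back. The Javadoc above the method, which is not visible here, should probably also mention that the call is a no-op on such devices.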
diff --git a/wifi/tests/src/android/net/wifi/WifiKeystoreTest.java b/wifi/tests/src/android/net/wifi/WifiKeystoreTest.java
index c28a0ae00f69..4b1dc41f1426 100644
--- a/wifi/tests/src/android/net/wifi/WifiKeystoreTest.java
+++ b/wifi/tests/src/android/net/wifi/WifiKeystoreTest.java
@@ -61,6 +61,7 @@ public class WifiKeystoreTest {
mSession = ExtendedMockito.mockitoSession()
.mockStatic(WifiBlobStore.class, withSettings().lenient())
.startMocking();
+ when(WifiBlobStore.supplicantCanAccessBlobstore()).thenReturn(true);
when(WifiBlobStore.getLegacyKeystore()).thenReturn(mLegacyKeystore);
when(WifiBlobStore.getInstance()).thenReturn(mWifiBlobStore);
}
@@ -74,16 +75,30 @@ public class WifiKeystoreTest {
}
/**
- * Test that put() only writes to the WifiBlobStore database.
+ * Test that put() writes to the WifiBlobStore database when it
+ * is available to supplicant.
*/
@Test
- public void testPut() throws Exception {
+ public void testPut_wifiBlobstore() throws Exception {
+ when(WifiBlobStore.supplicantCanAccessBlobstore()).thenReturn(true);
WifiKeystore.put(TEST_ALIAS, TEST_VALUE);
verify(mWifiBlobStore).put(anyString(), any());
verify(mLegacyKeystore, never()).put(anyString(), anyInt(), any());
}
/**
+ * Test that put() writes to Legacy Keystore if the WifiBlobstore database
+ * is not available to supplicant.
+ */
+ @Test
+ public void testPut_legacyKeystore() throws Exception {
+ when(WifiBlobStore.supplicantCanAccessBlobstore()).thenReturn(false);
+ WifiKeystore.put(TEST_ALIAS, TEST_VALUE);
+ verify(mLegacyKeystore).put(anyString(), anyInt(), any());
+ verify(mWifiBlobStore, never()).put(anyString(), any());
+ }
+
+ /**
* Test that if the alias is found in the WifiBlobStore database,
* then the legacy database is not searched.
*/
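Review bot: `testPut_legacyKeystore` accepts any UID via `anyInt()`, so it would still pass if `put()` stored the blob under a UID other than `Process.WIFI_UID`, which is presumably the namespace the supplicant reads from. Pinning the arguments with `verify(mLegacyKeystore).put(eq(TEST_ALIAS), eq(Process.WIFI_UID), eq(TEST_VALUE));` makes the test check which namespace receives the credential, not just that a write happened. This assumes `eq` and `Process` are or can be imported in the test file, which is not visible here. The new branch is also exercised only for `put()`; a `get()` case with `supplicantCanAccessBlobstore()` returning false would document the intended read order.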
diff --git a/wifi/tests/src/android/net/wifi/WifiMigrationTest.java b/wifi/tests/src/android/net/wifi/WifiMigrationTest.java
index 8a5912f0ffdf..d95069d46879 100644
--- a/wifi/tests/src/android/net/wifi/WifiMigrationTest.java
+++ b/wifi/tests/src/android/net/wifi/WifiMigrationTest.java
@@ -56,6 +56,7 @@ public class WifiMigrationTest {
mSession = ExtendedMockito.mockitoSession()
.mockStatic(WifiBlobStore.class, withSettings().lenient())
.startMocking();
+ when(WifiBlobStore.supplicantCanAccessBlobstore()).thenReturn(true);
when(WifiBlobStore.getLegacyKeystore()).thenReturn(mLegacyKeystore);
when(WifiBlobStore.getInstance()).thenReturn(mWifiBlobStore);
when(mLegacyKeystore.get(anyString(), anyInt())).thenReturn(TEST_VALUE);
@@ -70,6 +71,17 @@ public class WifiMigrationTest {
}
/**
+ * Verify that the Keystore migration is skipped if supplicant does not have
+ * access to the WifiBlobstore database.
+ */
+ @Test
+ public void testKeystoreMigrationAvoidedOnLegacyVendorPartition() {
+ when(WifiBlobStore.supplicantCanAccessBlobstore()).thenReturn(false);
+ WifiMigration.migrateLegacyKeystoreToWifiBlobstore();
+ verifyNoMoreInteractions(mLegacyKeystore, mWifiBlobStore);
+ }
+
+ /**
* Verify that the Keystore migration method returns immediately if no aliases
* are found in Legacy Keystore.
*/