Instead of reseting the whole user only clear the uids that are used
for credential storage. These are limited to only WIFI, VPN, ROOT and
System. This prevents applications that use keystore for crypto keys
from losing their keys when the user clears credentials.
Previously when reset was called the next time the user unlocked the
keystore it would be reinitialized with the user's password however this
behavior was removed from keystore causing a loop of unlock prompts from
CredentialStorage when trying to install a new certificate after clearing
the storage.
Additionally this makes clear credentials clear any managed profiles as
well, previously it only cleared the current user.
Bug:
21373935
Change-Id: Id86ec0bc66a4f6c0d5e649bead007007e2fc8268
private final KeyStore mKeyStore = KeyStore.getInstance();
/**
+ * The UIDs that are used for system credential storage in keystore.
+ */
+ private static final int[] SYSTEM_CREDENTIAL_UIDS = {Process.WIFI_UID, Process.VPN_UID,
+ Process.ROOT_UID, Process.SYSTEM_UID};
+
+ /**
* When non-null, the bundle containing credentials to install.
*/
private Bundle mInstallBundle;
@Override protected Boolean doInBackground(Void... unused) {
- mKeyStore.reset();
+ // Clear all the users credentials could have been installed in for this user.
+ final UserManager um = (UserManager) getSystemService(USER_SERVICE);
+ for (UserInfo pi : um.getProfiles(UserHandle.getUserId(Process.myUid()))) {
+ for (int uid : SYSTEM_CREDENTIAL_UIDS) {
+ mKeyStore.clearUid(UserHandle.getUid(pi.id, uid));
+ }
+ }
+
try {
KeyChainConnection keyChainConnection = KeyChain.bind(CredentialStorage.this);