Has anyone out there attempted to use the new KeyChain APIs? They
don't seem to work the way I would expect.

I am able to install a certificate easily enough using
KeyChain.createInstallIntent(), and passing it a PEM-formatted
certificate.

The documentation indicates that you need the USE_CREDENTIALS
permission in order to read any certificate data back. So, I have
enabled that. However, once I go back and try to read out the
certificate data with KeyChain.getCertificateChain() I get the
exception "java.lang.IllegalStateException: uid 10040 doesn't have
permission to access the requested alias". Looking at the
documentation indicates that you need the USE_CREDENTIALS permission.

Has anybody made something like this work?


In trying to figure this out, I dug a little deeper to see what I
could find. When I got a shell to the emulator, I found that my
certificate had been installed in two places. One was in
/data/misc/keystore, and the other was in
/data/misc/keychain/cacerts-added.
The new certificate also shows up in the Settings->Security->Trusted
Credentials->User. So, the certificate appears to have been
installed correctly.

Digging around a little more, I found the database in
/data/data/com.android.keychain/databases. This database looks like it is
supposed to handle the permission mapping for certificates that are
installed. So, for fun, I added an entry to the database that I
thought should give uid 10040 access to the certificate with the alias
of "Testing". ("Testing" is the alias I used to install the
certificate in the first place.) When I run my test app, I no longer
get the "uid 10040 doesn't have permission..." error. However, I now
get this error: "java.lang.IllegalArgumentException: bytes ==
null". This change in errors would seem to indicate that my theory
about the permissions is correct, but even when it is fixed the
certificate still won't be returned to me.

Any help would be appreciated.
