      1 /*
      2  * Copyright (C) 2012 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 package android.security;
     18 
     19 import com.android.org.bouncycastle.x509.X509V3CertificateGenerator;
     20 
     21 import org.apache.harmony.xnet.provider.jsse.OpenSSLEngine;
     22 
     23 import android.test.AndroidTestCase;
     24 
     25 import java.io.ByteArrayInputStream;
     26 import java.io.ByteArrayOutputStream;
     27 import java.io.OutputStream;
     28 import java.math.BigInteger;
     29 import java.security.InvalidKeyException;
     30 import java.security.Key;
     31 import java.security.KeyFactory;
     32 import java.security.KeyStore.Entry;
     33 import java.security.KeyStore.PrivateKeyEntry;
     34 import java.security.KeyStore.TrustedCertificateEntry;
     35 import java.security.KeyStoreException;
     36 import java.security.NoSuchAlgorithmException;
     37 import java.security.PrivateKey;
     38 import java.security.PublicKey;
     39 import java.security.cert.Certificate;
     40 import java.security.cert.CertificateFactory;
     41 import java.security.cert.X509Certificate;
     42 import java.security.interfaces.RSAPrivateKey;
     43 import java.security.spec.InvalidKeySpecException;
     44 import java.security.spec.PKCS8EncodedKeySpec;
     45 import java.security.spec.X509EncodedKeySpec;
     46 import java.util.Arrays;
     47 import java.util.Collection;
     48 import java.util.Date;
     49 import java.util.Enumeration;
     50 import java.util.HashSet;
     51 import java.util.Iterator;
     52 import java.util.Set;
     53 
     54 import javax.crypto.Cipher;
     55 import javax.crypto.SecretKey;
     56 import javax.crypto.spec.SecretKeySpec;
     57 import javax.security.auth.x500.X500Principal;
     58 
     59 public class AndroidKeyStoreTest extends AndroidTestCase {
    // Both KeyStore types are written with their fully qualified names because they share
    // the simple name "KeyStore". Where these two fields are assigned is not visible here.
    // NOTE(review): presumably the Android keystore service client - confirm.
    private android.security.KeyStore mAndroidKeyStore;

    // NOTE(review): presumably the JCA KeyStore instance under test - confirm.
    private java.security.KeyStore mKeyStore;

    // Alias strings; presumably the keystore entry names used by the test cases - confirm.
    private static final String TEST_ALIAS_1 = "test1";

    private static final String TEST_ALIAS_2 = "test2";

    private static final String TEST_ALIAS_3 = "test3";

    // X.500 distinguished names; presumably subjects for generated test certificates - confirm.
    private static final X500Principal TEST_DN_1 = new X500Principal("CN=test1");

    private static final X500Principal TEST_DN_2 = new X500Principal("CN=test2");

    // Serial numbers 1 and 2; presumably paired with TEST_DN_1 and TEST_DN_2 - confirm.
    private static final BigInteger TEST_SERIAL_1 = BigInteger.ONE;

    private static final BigInteger TEST_SERIAL_2 = BigInteger.valueOf(2L);

    // Wall-clock time captured once, when the class is initialized.
    private static final long NOW_MILLIS = System.currentTimeMillis();

    /* NOW_MILLIS truncated to whole seconds, because X509v3 doesn't store milliseconds. */
    private static final Date NOW = new Date(NOW_MILLIS - (NOW_MILLIS % 1000L));

    // Deprecated Date(year, month, date) constructor: this is January 1 (month index 0) of the
    // calendar year ten after NOW's year, at local midnight. It is not exactly NOW plus ten years.
    @SuppressWarnings("deprecation")
    private static final Date NOW_PLUS_10_YEARS = new Date(NOW.getYear() + 10, 0, 1);
     85 
     86     /*
     87      * Test-only fixtures (1024-bit RSA; the private key is public in this file), generated with:
     88      *
     89      * openssl req -new -x509 -days 3650 -extensions v3_ca -keyout cakey.pem -out cacert.pem
     90      * openssl req -newkey rsa:1024 -keyout userkey.pem -nodes -days 3650 -out userkey.req
     91      * mkdir -p demoCA/newcerts
     92      * touch demoCA/index.txt
     93      * echo "01" > demoCA/serial
     94      * openssl ca -out usercert.pem -in userkey.req -cert cacert.pem -keyfile cakey.pem -days 3650
     95      */
     96 
     97     /**
     98      * DER encoding of the self-signed test CA certificate (cacert.pem) generated above, converted with:
     99      *
    100      * openssl x509 -outform d -in cacert.pem | xxd -i | sed 's/0x/(byte) 0x/g'
    101      */
    102     private static final byte[] FAKE_CA_1 = {
    103             (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0xce, (byte) 0x30, (byte) 0x82,
    104             (byte) 0x02, (byte) 0x37, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01,
    105             (byte) 0x02, (byte) 0x02, (byte) 0x09, (byte) 0x00, (byte) 0xe1, (byte) 0x6a,
    106             (byte) 0xa2, (byte) 0xf4, (byte) 0x2e, (byte) 0x55, (byte) 0x48, (byte) 0x0a,
    107             (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86,
    108             (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01,
    109             (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x30, (byte) 0x4f, (byte) 0x31,
    110             (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
    111             (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53,
    112             (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03,
    113             (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43,
    114             (byte) 0x41, (byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06,
    115             (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d,
    116             (byte) 0x4d, (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61,
    117             (byte) 0x69, (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65,
    118             (byte) 0x77, (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06,
    119             (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12,
    120             (byte) 0x41, (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69,
    121             (byte) 0x64, (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74,
    122             (byte) 0x20, (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73,
    123             (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32,
    124             (byte) 0x30, (byte) 0x38, (byte) 0x31, (byte) 0x34, (byte) 0x31, (byte) 0x36,
    125             (byte) 0x35, (byte) 0x35, (byte) 0x34, (byte) 0x34, (byte) 0x5a, (byte) 0x17,
    126             (byte) 0x0d, (byte) 0x32, (byte) 0x32, (byte) 0x30, (byte) 0x38, (byte) 0x31,
    127             (byte) 0x32, (byte) 0x31, (byte) 0x36, (byte) 0x35, (byte) 0x35, (byte) 0x34,
    128             (byte) 0x34, (byte) 0x5a, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b,
    129             (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
    130             (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31,
    131             (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
    132             (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41,
    133             (byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03,
    134             (byte) 0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d,
    135             (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69,
    136             (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77,
    137             (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03,
    138             (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41,
    139             (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64,
    140             (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20,
    141             (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x30,
    142             (byte) 0x81, (byte) 0x9f, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09,
    143             (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d,
    144             (byte) 0x01, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03,
    145             (byte) 0x81, (byte) 0x8d, (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89,
    146             (byte) 0x02, (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0xa3, (byte) 0x72,
    147             (byte) 0xab, (byte) 0xd0, (byte) 0xe4, (byte) 0xad, (byte) 0x2f, (byte) 0xe7,
    148             (byte) 0xe2, (byte) 0x79, (byte) 0x07, (byte) 0x36, (byte) 0x3d, (byte) 0x0c,
    149             (byte) 0x8d, (byte) 0x42, (byte) 0x9a, (byte) 0x0a, (byte) 0x33, (byte) 0x64,
    150             (byte) 0xb3, (byte) 0xcd, (byte) 0xb2, (byte) 0xd7, (byte) 0x3a, (byte) 0x42,
    151             (byte) 0x06, (byte) 0x77, (byte) 0x45, (byte) 0x29, (byte) 0xe9, (byte) 0xcb,
    152             (byte) 0xb7, (byte) 0x4a, (byte) 0xd6, (byte) 0xee, (byte) 0xad, (byte) 0x01,
    153             (byte) 0x91, (byte) 0x9b, (byte) 0x0c, (byte) 0x59, (byte) 0xa1, (byte) 0x03,
    154             (byte) 0xfa, (byte) 0xf0, (byte) 0x5a, (byte) 0x7c, (byte) 0x4f, (byte) 0xf7,
    155             (byte) 0x8d, (byte) 0x36, (byte) 0x0f, (byte) 0x1f, (byte) 0x45, (byte) 0x7d,
    156             (byte) 0x1b, (byte) 0x31, (byte) 0xa1, (byte) 0x35, (byte) 0x0b, (byte) 0x00,
    157             (byte) 0xed, (byte) 0x7a, (byte) 0xb6, (byte) 0xc8, (byte) 0x4e, (byte) 0xa9,
    158             (byte) 0x86, (byte) 0x4c, (byte) 0x7b, (byte) 0x99, (byte) 0x57, (byte) 0x41,
    159             (byte) 0x12, (byte) 0xef, (byte) 0x6b, (byte) 0xbc, (byte) 0x3d, (byte) 0x60,
    160             (byte) 0xf2, (byte) 0x99, (byte) 0x1a, (byte) 0xcd, (byte) 0xed, (byte) 0x56,
    161             (byte) 0xa4, (byte) 0xe5, (byte) 0x36, (byte) 0x9f, (byte) 0x24, (byte) 0x1f,
    162             (byte) 0xdc, (byte) 0x89, (byte) 0x40, (byte) 0xc8, (byte) 0x99, (byte) 0x92,
    163             (byte) 0xab, (byte) 0x4a, (byte) 0xb5, (byte) 0x61, (byte) 0x45, (byte) 0x62,
    164             (byte) 0xff, (byte) 0xa3, (byte) 0x45, (byte) 0x65, (byte) 0xaf, (byte) 0xf6,
    165             (byte) 0x27, (byte) 0x30, (byte) 0x51, (byte) 0x0e, (byte) 0x0e, (byte) 0xeb,
    166             (byte) 0x79, (byte) 0x0c, (byte) 0xbe, (byte) 0xb3, (byte) 0x0a, (byte) 0x6f,
    167             (byte) 0x29, (byte) 0x06, (byte) 0xdc, (byte) 0x2f, (byte) 0x6b, (byte) 0x51,
    168             (byte) 0x02, (byte) 0x03, (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3,
    169             (byte) 0x81, (byte) 0xb1, (byte) 0x30, (byte) 0x81, (byte) 0xae, (byte) 0x30,
    170             (byte) 0x1d, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e,
    171             (byte) 0x04, (byte) 0x16, (byte) 0x04, (byte) 0x14, (byte) 0x33, (byte) 0x05,
    172             (byte) 0xee, (byte) 0xfe, (byte) 0x6f, (byte) 0x60, (byte) 0xc7, (byte) 0xf9,
    173             (byte) 0xa9, (byte) 0xd2, (byte) 0x73, (byte) 0x5c, (byte) 0x8f, (byte) 0x6d,
    174             (byte) 0xa2, (byte) 0x2f, (byte) 0x97, (byte) 0x8e, (byte) 0x5d, (byte) 0x51,
    175             (byte) 0x30, (byte) 0x7f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d,
    176             (byte) 0x23, (byte) 0x04, (byte) 0x78, (byte) 0x30, (byte) 0x76, (byte) 0x80,
    177             (byte) 0x14, (byte) 0x33, (byte) 0x05, (byte) 0xee, (byte) 0xfe, (byte) 0x6f,
    178             (byte) 0x60, (byte) 0xc7, (byte) 0xf9, (byte) 0xa9, (byte) 0xd2, (byte) 0x73,
    179             (byte) 0x5c, (byte) 0x8f, (byte) 0x6d, (byte) 0xa2, (byte) 0x2f, (byte) 0x97,
    180             (byte) 0x8e, (byte) 0x5d, (byte) 0x51, (byte) 0xa1, (byte) 0x53, (byte) 0xa4,
    181             (byte) 0x51, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, (byte) 0x30,
    182             (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06,
    183             (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b,
    184             (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
    185             (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31,
    186             (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, (byte) 0x55,
    187             (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, (byte) 0x6f,
    188             (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, (byte) 0x6e,
    189             (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, (byte) 0x31,
    190             (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55,
    191             (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e,
    192             (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20,
    193             (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43,
    194             (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x82, (byte) 0x09,
    195             (byte) 0x00, (byte) 0xe1, (byte) 0x6a, (byte) 0xa2, (byte) 0xf4, (byte) 0x2e,
    196             (byte) 0x55, (byte) 0x48, (byte) 0x0a, (byte) 0x30, (byte) 0x0c, (byte) 0x06,
    197             (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x05,
    198             (byte) 0x30, (byte) 0x03, (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x30,
    199             (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48,
    200             (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05,
    201             (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x81, (byte) 0x00,
    202             (byte) 0x8c, (byte) 0x30, (byte) 0x42, (byte) 0xfa, (byte) 0xeb, (byte) 0x1a,
    203             (byte) 0x26, (byte) 0xeb, (byte) 0xda, (byte) 0x56, (byte) 0x32, (byte) 0xf2,
    204             (byte) 0x9d, (byte) 0xa5, (byte) 0x24, (byte) 0xd8, (byte) 0x3a, (byte) 0xda,
    205             (byte) 0x30, (byte) 0xa6, (byte) 0x8b, (byte) 0x46, (byte) 0xfe, (byte) 0xfe,
    206             (byte) 0xdb, (byte) 0xf1, (byte) 0xe6, (byte) 0xe1, (byte) 0x7c, (byte) 0x1b,
    207             (byte) 0xe7, (byte) 0x77, (byte) 0x00, (byte) 0xa1, (byte) 0x1c, (byte) 0x19,
    208             (byte) 0x17, (byte) 0x73, (byte) 0xb0, (byte) 0xf0, (byte) 0x9d, (byte) 0xf3,
    209             (byte) 0x4f, (byte) 0xb6, (byte) 0xbc, (byte) 0xc7, (byte) 0x47, (byte) 0x85,
    210             (byte) 0x2a, (byte) 0x4a, (byte) 0xa1, (byte) 0xa5, (byte) 0x58, (byte) 0xf5,
    211             (byte) 0xc5, (byte) 0x1a, (byte) 0x51, (byte) 0xb1, (byte) 0x04, (byte) 0x80,
    212             (byte) 0xee, (byte) 0x3a, (byte) 0xec, (byte) 0x2f, (byte) 0xe1, (byte) 0xfd,
    213             (byte) 0x58, (byte) 0xeb, (byte) 0xed, (byte) 0x82, (byte) 0x9e, (byte) 0x38,
    214             (byte) 0xa3, (byte) 0x24, (byte) 0x75, (byte) 0xf7, (byte) 0x3e, (byte) 0xc2,
    215             (byte) 0xc5, (byte) 0x27, (byte) 0xeb, (byte) 0x6f, (byte) 0x7b, (byte) 0x50,
    216             (byte) 0xda, (byte) 0x43, (byte) 0xdc, (byte) 0x3b, (byte) 0x0b, (byte) 0x6f,
    217             (byte) 0x78, (byte) 0x8f, (byte) 0xb0, (byte) 0x66, (byte) 0xe1, (byte) 0x12,
    218             (byte) 0x87, (byte) 0x5f, (byte) 0x97, (byte) 0x7b, (byte) 0xca, (byte) 0x14,
    219             (byte) 0x79, (byte) 0xf7, (byte) 0xe8, (byte) 0x6c, (byte) 0x72, (byte) 0xdb,
    220             (byte) 0x91, (byte) 0x65, (byte) 0x17, (byte) 0x54, (byte) 0xe0, (byte) 0x74,
    221             (byte) 0x1d, (byte) 0xac, (byte) 0x47, (byte) 0x04, (byte) 0x12, (byte) 0xe0,
    222             (byte) 0xc3, (byte) 0x66, (byte) 0x19, (byte) 0x05, (byte) 0x2e, (byte) 0x7e,
    223             (byte) 0xf1, (byte) 0x61
    224     };
    225 
    226     /**
    227      * Unencrypted PKCS#8 DER encoding of the test RSA private key (userkey.pem) generated above, converted with:
    228      *
    229      * openssl pkcs8 -topk8 -outform d -in userkey.pem -nocrypt | xxd -i | sed 's/0x/(byte) 0x/g'
    230      */
    231     private static final byte[] FAKE_KEY_1 = new byte[] {
    232             (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x78, (byte) 0x02, (byte) 0x01,
    233             (byte) 0x00, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a,
    234             (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01,
    235             (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x04, (byte) 0x82,
    236             (byte) 0x02, (byte) 0x62, (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x5e,
    237             (byte) 0x02, (byte) 0x01, (byte) 0x00, (byte) 0x02, (byte) 0x81, (byte) 0x81,
    238             (byte) 0x00, (byte) 0xce, (byte) 0x29, (byte) 0xeb, (byte) 0xf6, (byte) 0x5b,
    239             (byte) 0x25, (byte) 0xdc, (byte) 0xa1, (byte) 0xa6, (byte) 0x2c, (byte) 0x66,
    240             (byte) 0xcb, (byte) 0x20, (byte) 0x90, (byte) 0x27, (byte) 0x86, (byte) 0x8a,
    241             (byte) 0x44, (byte) 0x71, (byte) 0x50, (byte) 0xda, (byte) 0xd3, (byte) 0x02,
    242             (byte) 0x77, (byte) 0x55, (byte) 0xe9, (byte) 0xe8, (byte) 0x08, (byte) 0xf3,
    243             (byte) 0x36, (byte) 0x9a, (byte) 0xae, (byte) 0xab, (byte) 0x04, (byte) 0x6d,
    244             (byte) 0x00, (byte) 0x99, (byte) 0xbf, (byte) 0x7d, (byte) 0x0f, (byte) 0x67,
    245             (byte) 0x8b, (byte) 0x1d, (byte) 0xd4, (byte) 0x2b, (byte) 0x7c, (byte) 0xcb,
    246             (byte) 0xcd, (byte) 0x33, (byte) 0xc7, (byte) 0x84, (byte) 0x30, (byte) 0xe2,
    247             (byte) 0x45, (byte) 0x21, (byte) 0xb3, (byte) 0x75, (byte) 0xf5, (byte) 0x79,
    248             (byte) 0x02, (byte) 0xda, (byte) 0x50, (byte) 0xa3, (byte) 0x8b, (byte) 0xce,
    249             (byte) 0xc3, (byte) 0x8e, (byte) 0x0f, (byte) 0x25, (byte) 0xeb, (byte) 0x08,
    250             (byte) 0x2c, (byte) 0xdd, (byte) 0x1c, (byte) 0xcf, (byte) 0xff, (byte) 0x3b,
    251             (byte) 0xde, (byte) 0xb6, (byte) 0xaa, (byte) 0x2a, (byte) 0xa9, (byte) 0xc4,
    252             (byte) 0x8a, (byte) 0x24, (byte) 0x24, (byte) 0xe6, (byte) 0x29, (byte) 0x0d,
    253             (byte) 0x98, (byte) 0x4c, (byte) 0x32, (byte) 0xa1, (byte) 0x7b, (byte) 0x23,
    254             (byte) 0x2b, (byte) 0x42, (byte) 0x30, (byte) 0xee, (byte) 0x78, (byte) 0x08,
    255             (byte) 0x47, (byte) 0xad, (byte) 0xf2, (byte) 0x96, (byte) 0xd5, (byte) 0xf1,
    256             (byte) 0x62, (byte) 0x42, (byte) 0x2d, (byte) 0x35, (byte) 0x19, (byte) 0xb4,
    257             (byte) 0x3c, (byte) 0xc9, (byte) 0xc3, (byte) 0x5f, (byte) 0x03, (byte) 0x16,
    258             (byte) 0x3a, (byte) 0x23, (byte) 0xac, (byte) 0xcb, (byte) 0xce, (byte) 0x9e,
    259             (byte) 0x51, (byte) 0x2e, (byte) 0x6d, (byte) 0x02, (byte) 0x03, (byte) 0x01,
    260             (byte) 0x00, (byte) 0x01, (byte) 0x02, (byte) 0x81, (byte) 0x80, (byte) 0x16,
    261             (byte) 0x59, (byte) 0xc3, (byte) 0x24, (byte) 0x1d, (byte) 0x33, (byte) 0x98,
    262             (byte) 0x9c, (byte) 0xc9, (byte) 0xc8, (byte) 0x2c, (byte) 0x88, (byte) 0xbf,
    263             (byte) 0x0a, (byte) 0x01, (byte) 0xce, (byte) 0xfb, (byte) 0x34, (byte) 0x7a,
    264             (byte) 0x58, (byte) 0x7a, (byte) 0xb0, (byte) 0xbf, (byte) 0xa6, (byte) 0xb2,
    265             (byte) 0x60, (byte) 0xbe, (byte) 0x70, (byte) 0x21, (byte) 0xf5, (byte) 0xfc,
    266             (byte) 0x85, (byte) 0x0d, (byte) 0x33, (byte) 0x58, (byte) 0xa1, (byte) 0xe5,
    267             (byte) 0x09, (byte) 0x36, (byte) 0x84, (byte) 0xb2, (byte) 0x04, (byte) 0x0a,
    268             (byte) 0x02, (byte) 0xd3, (byte) 0x88, (byte) 0x1f, (byte) 0x0c, (byte) 0x2b,
    269             (byte) 0x1d, (byte) 0xe9, (byte) 0x3d, (byte) 0xe7, (byte) 0x79, (byte) 0xf9,
    270             (byte) 0x32, (byte) 0x5c, (byte) 0x8a, (byte) 0x75, (byte) 0x49, (byte) 0x12,
    271             (byte) 0xe4, (byte) 0x05, (byte) 0x26, (byte) 0xd4, (byte) 0x2e, (byte) 0x9e,
    272             (byte) 0x1f, (byte) 0xcc, (byte) 0x54, (byte) 0xad, (byte) 0x33, (byte) 0x8d,
    273             (byte) 0x99, (byte) 0x00, (byte) 0xdc, (byte) 0xf5, (byte) 0xb4, (byte) 0xa2,
    274             (byte) 0x2f, (byte) 0xba, (byte) 0xe5, (byte) 0x62, (byte) 0x30, (byte) 0x6d,
    275             (byte) 0xe6, (byte) 0x3d, (byte) 0xeb, (byte) 0x24, (byte) 0xc2, (byte) 0xdc,
    276             (byte) 0x5f, (byte) 0xb7, (byte) 0x16, (byte) 0x35, (byte) 0xa3, (byte) 0x98,
    277             (byte) 0x98, (byte) 0xa8, (byte) 0xef, (byte) 0xe8, (byte) 0xc4, (byte) 0x96,
    278             (byte) 0x6d, (byte) 0x38, (byte) 0xab, (byte) 0x26, (byte) 0x6d, (byte) 0x30,
    279             (byte) 0xc2, (byte) 0xa0, (byte) 0x44, (byte) 0xe4, (byte) 0xff, (byte) 0x7e,
    280             (byte) 0xbe, (byte) 0x7c, (byte) 0x33, (byte) 0xa5, (byte) 0x10, (byte) 0xad,
    281             (byte) 0xd7, (byte) 0x1e, (byte) 0x13, (byte) 0x20, (byte) 0xb3, (byte) 0x1f,
    282             (byte) 0x41, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xf1, (byte) 0x89,
    283             (byte) 0x07, (byte) 0x0f, (byte) 0xe8, (byte) 0xcf, (byte) 0xab, (byte) 0x13,
    284             (byte) 0x2a, (byte) 0x8f, (byte) 0x88, (byte) 0x80, (byte) 0x11, (byte) 0x9a,
    285             (byte) 0x79, (byte) 0xb6, (byte) 0x59, (byte) 0x3a, (byte) 0x50, (byte) 0x6e,
    286             (byte) 0x57, (byte) 0x37, (byte) 0xab, (byte) 0x2a, (byte) 0xd2, (byte) 0xaa,
    287             (byte) 0xd9, (byte) 0x72, (byte) 0x73, (byte) 0xff, (byte) 0x8b, (byte) 0x47,
    288             (byte) 0x76, (byte) 0xdd, (byte) 0xdc, (byte) 0xf5, (byte) 0x97, (byte) 0x44,
    289             (byte) 0x3a, (byte) 0x78, (byte) 0xbe, (byte) 0x17, (byte) 0xb4, (byte) 0x22,
    290             (byte) 0x6f, (byte) 0xe5, (byte) 0x23, (byte) 0x70, (byte) 0x1d, (byte) 0x10,
    291             (byte) 0x5d, (byte) 0xba, (byte) 0x16, (byte) 0x81, (byte) 0xf1, (byte) 0x45,
    292             (byte) 0xce, (byte) 0x30, (byte) 0xb4, (byte) 0xab, (byte) 0x80, (byte) 0xe4,
    293             (byte) 0x98, (byte) 0x31, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xda,
    294             (byte) 0x82, (byte) 0x9d, (byte) 0x3f, (byte) 0xca, (byte) 0x2f, (byte) 0xe1,
    295             (byte) 0xd4, (byte) 0x86, (byte) 0x77, (byte) 0x48, (byte) 0xa6, (byte) 0xab,
    296             (byte) 0xab, (byte) 0x1c, (byte) 0x42, (byte) 0x5c, (byte) 0xd5, (byte) 0xc7,
    297             (byte) 0x46, (byte) 0x59, (byte) 0x91, (byte) 0x3f, (byte) 0xfc, (byte) 0xcc,
    298             (byte) 0xec, (byte) 0xc2, (byte) 0x40, (byte) 0x12, (byte) 0x2c, (byte) 0x8d,
    299             (byte) 0x1f, (byte) 0xa2, (byte) 0x18, (byte) 0x88, (byte) 0xee, (byte) 0x82,
    300             (byte) 0x4a, (byte) 0x5a, (byte) 0x5e, (byte) 0x88, (byte) 0x20, (byte) 0xe3,
    301             (byte) 0x7b, (byte) 0xe0, (byte) 0xd8, (byte) 0x3a, (byte) 0x52, (byte) 0x9a,
    302             (byte) 0x26, (byte) 0x6a, (byte) 0x04, (byte) 0xec, (byte) 0xe8, (byte) 0xb9,
    303             (byte) 0x48, (byte) 0x40, (byte) 0xe1, (byte) 0xe1, (byte) 0x83, (byte) 0xa6,
    304             (byte) 0x67, (byte) 0xa6, (byte) 0xfd, (byte) 0x02, (byte) 0x41, (byte) 0x00,
    305             (byte) 0x89, (byte) 0x72, (byte) 0x3e, (byte) 0xb0, (byte) 0x90, (byte) 0xfd,
    306             (byte) 0x4c, (byte) 0x0e, (byte) 0xd6, (byte) 0x13, (byte) 0x63, (byte) 0xcb,
    307             (byte) 0xed, (byte) 0x38, (byte) 0x88, (byte) 0xb6, (byte) 0x79, (byte) 0xc4,
    308             (byte) 0x33, (byte) 0x6c, (byte) 0xf6, (byte) 0xf8, (byte) 0xd8, (byte) 0xd0,
    309             (byte) 0xbf, (byte) 0x9d, (byte) 0x35, (byte) 0xac, (byte) 0x69, (byte) 0xd2,
    310             (byte) 0x2b, (byte) 0xc1, (byte) 0xf9, (byte) 0x24, (byte) 0x7b, (byte) 0xce,
    311             (byte) 0xcd, (byte) 0xcb, (byte) 0xa7, (byte) 0xb2, (byte) 0x7a, (byte) 0x0a,
    312             (byte) 0x27, (byte) 0x19, (byte) 0xc9, (byte) 0xaf, (byte) 0x0d, (byte) 0x21,
    313             (byte) 0x89, (byte) 0x88, (byte) 0x7c, (byte) 0xad, (byte) 0x9e, (byte) 0x8d,
    314             (byte) 0x47, (byte) 0x6d, (byte) 0x3f, (byte) 0xce, (byte) 0x7b, (byte) 0xa1,
    315             (byte) 0x74, (byte) 0xf1, (byte) 0xa0, (byte) 0xa1, (byte) 0x02, (byte) 0x41,
    316             (byte) 0x00, (byte) 0xd9, (byte) 0xa8, (byte) 0xf5, (byte) 0xfe, (byte) 0xce,
    317             (byte) 0xe6, (byte) 0x77, (byte) 0x6b, (byte) 0xfe, (byte) 0x2d, (byte) 0xe0,
    318             (byte) 0x1e, (byte) 0xb6, (byte) 0x2e, (byte) 0x12, (byte) 0x4e, (byte) 0x40,
    319             (byte) 0xaf, (byte) 0x6a, (byte) 0x7b, (byte) 0x37, (byte) 0x49, (byte) 0x2a,
    320             (byte) 0x96, (byte) 0x25, (byte) 0x83, (byte) 0x49, (byte) 0xd4, (byte) 0x0c,
    321             (byte) 0xc6, (byte) 0x78, (byte) 0x25, (byte) 0x24, (byte) 0x90, (byte) 0x90,
    322             (byte) 0x06, (byte) 0x15, (byte) 0x9e, (byte) 0xfe, (byte) 0xf9, (byte) 0xdf,
    323             (byte) 0x5b, (byte) 0xf3, (byte) 0x7e, (byte) 0x38, (byte) 0x70, (byte) 0xeb,
    324             (byte) 0x57, (byte) 0xd0, (byte) 0xd9, (byte) 0xa7, (byte) 0x0e, (byte) 0x14,
    325             (byte) 0xf7, (byte) 0x95, (byte) 0x68, (byte) 0xd5, (byte) 0xc8, (byte) 0xab,
    326             (byte) 0x9d, (byte) 0x3a, (byte) 0x2b, (byte) 0x51, (byte) 0xf9, (byte) 0x02,
    327             (byte) 0x41, (byte) 0x00, (byte) 0x96, (byte) 0xdf, (byte) 0xe9, (byte) 0x67,
    328             (byte) 0x6c, (byte) 0xdc, (byte) 0x90, (byte) 0x14, (byte) 0xb4, (byte) 0x1d,
    329             (byte) 0x22, (byte) 0x33, (byte) 0x4a, (byte) 0x31, (byte) 0xc1, (byte) 0x9d,
    330             (byte) 0x2e, (byte) 0xff, (byte) 0x9a, (byte) 0x2a, (byte) 0x95, (byte) 0x4b,
    331             (byte) 0x27, (byte) 0x74, (byte) 0xcb, (byte) 0x21, (byte) 0xc3, (byte) 0xd2,
    332             (byte) 0x0b, (byte) 0xb2, (byte) 0x46, (byte) 0x87, (byte) 0xf8, (byte) 0x28,
    333             (byte) 0x01, (byte) 0x8b, (byte) 0xd8, (byte) 0xb9, (byte) 0x4b, (byte) 0xcd,
    334             (byte) 0x9a, (byte) 0x96, (byte) 0x41, (byte) 0x0e, (byte) 0x36, (byte) 0x6d,
    335             (byte) 0x40, (byte) 0x42, (byte) 0xbc, (byte) 0xd9, (byte) 0xd3, (byte) 0x7b,
    336             (byte) 0xbc, (byte) 0xa7, (byte) 0x92, (byte) 0x90, (byte) 0xdd, (byte) 0xa1,
    337             (byte) 0x9c, (byte) 0xce, (byte) 0xa1, (byte) 0x87, (byte) 0x11, (byte) 0x51
    338     };
    339 
    340     /**
    341      * DER encoding of the test user certificate (usercert.pem) issued by the CA above, converted with:
    342      *
    343      * openssl x509 -outform d -in usercert.pem | xxd -i | sed 's/0x/(byte) 0x/g'
    344      */
    345     private static final byte[] FAKE_USER_1 = new byte[] {
    346             (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x95, (byte) 0x30, (byte) 0x82,
    347             (byte) 0x01, (byte) 0xfe, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01,
    348             (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x0d,
    349             (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86,
    350             (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05,
    351             (byte) 0x00, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, (byte) 0x30,
    352             (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06,
    353             (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b,
    354             (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
    355             (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31,
    356             (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, (byte) 0x55,
    357             (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, (byte) 0x6f,
    358             (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, (byte) 0x6e,
    359             (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, (byte) 0x31,
    360             (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55,
    361             (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e,
    362             (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20,
    363             (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43,
    364             (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x30, (byte) 0x1e,
    365             (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32, (byte) 0x30, (byte) 0x38,
    366             (byte) 0x31, (byte) 0x34, (byte) 0x32, (byte) 0x33, (byte) 0x32, (byte) 0x35,
    367             (byte) 0x34, (byte) 0x38, (byte) 0x5a, (byte) 0x17, (byte) 0x0d, (byte) 0x32,
    368             (byte) 0x32, (byte) 0x30, (byte) 0x38, (byte) 0x31, (byte) 0x32, (byte) 0x32,
    369             (byte) 0x33, (byte) 0x32, (byte) 0x35, (byte) 0x34, (byte) 0x38, (byte) 0x5a,
    370             (byte) 0x30, (byte) 0x55, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09,
    371             (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13,
    372             (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b, (byte) 0x30,
    373             (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x08,
    374             (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31, (byte) 0x1b,
    375             (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
    376             (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e, (byte) 0x64,
    377             (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20, (byte) 0x54,
    378             (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43, (byte) 0x61,
    379             (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x31, (byte) 0x1c, (byte) 0x30,
    380             (byte) 0x1a, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03,
    381             (byte) 0x13, (byte) 0x13, (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x76,
    382             (byte) 0x65, (byte) 0x72, (byte) 0x31, (byte) 0x2e, (byte) 0x65, (byte) 0x78,
    383             (byte) 0x61, (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x65, (byte) 0x2e,
    384             (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x30, (byte) 0x81, (byte) 0x9f,
    385             (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86,
    386             (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01,
    387             (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x8d,
    388             (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89, (byte) 0x02, (byte) 0x81,
    389             (byte) 0x81, (byte) 0x00, (byte) 0xce, (byte) 0x29, (byte) 0xeb, (byte) 0xf6,
    390             (byte) 0x5b, (byte) 0x25, (byte) 0xdc, (byte) 0xa1, (byte) 0xa6, (byte) 0x2c,
    391             (byte) 0x66, (byte) 0xcb, (byte) 0x20, (byte) 0x90, (byte) 0x27, (byte) 0x86,
    392             (byte) 0x8a, (byte) 0x44, (byte) 0x71, (byte) 0x50, (byte) 0xda, (byte) 0xd3,
    393             (byte) 0x02, (byte) 0x77, (byte) 0x55, (byte) 0xe9, (byte) 0xe8, (byte) 0x08,
    394             (byte) 0xf3, (byte) 0x36, (byte) 0x9a, (byte) 0xae, (byte) 0xab, (byte) 0x04,
    395             (byte) 0x6d, (byte) 0x00, (byte) 0x99, (byte) 0xbf, (byte) 0x7d, (byte) 0x0f,
    396             (byte) 0x67, (byte) 0x8b, (byte) 0x1d, (byte) 0xd4, (byte) 0x2b, (byte) 0x7c,
    397             (byte) 0xcb, (byte) 0xcd, (byte) 0x33, (byte) 0xc7, (byte) 0x84, (byte) 0x30,
    398             (byte) 0xe2, (byte) 0x45, (byte) 0x21, (byte) 0xb3, (byte) 0x75, (byte) 0xf5,
    399             (byte) 0x79, (byte) 0x02, (byte) 0xda, (byte) 0x50, (byte) 0xa3, (byte) 0x8b,
    400             (byte) 0xce, (byte) 0xc3, (byte) 0x8e, (byte) 0x0f, (byte) 0x25, (byte) 0xeb,
    401             (byte) 0x08, (byte) 0x2c, (byte) 0xdd, (byte) 0x1c, (byte) 0xcf, (byte) 0xff,
    402             (byte) 0x3b, (byte) 0xde, (byte) 0xb6, (byte) 0xaa, (byte) 0x2a, (byte) 0xa9,
    403             (byte) 0xc4, (byte) 0x8a, (byte) 0x24, (byte) 0x24, (byte) 0xe6, (byte) 0x29,
    404             (byte) 0x0d, (byte) 0x98, (byte) 0x4c, (byte) 0x32, (byte) 0xa1, (byte) 0x7b,
    405             (byte) 0x23, (byte) 0x2b, (byte) 0x42, (byte) 0x30, (byte) 0xee, (byte) 0x78,
    406             (byte) 0x08, (byte) 0x47, (byte) 0xad, (byte) 0xf2, (byte) 0x96, (byte) 0xd5,
    407             (byte) 0xf1, (byte) 0x62, (byte) 0x42, (byte) 0x2d, (byte) 0x35, (byte) 0x19,
    408             (byte) 0xb4, (byte) 0x3c, (byte) 0xc9, (byte) 0xc3, (byte) 0x5f, (byte) 0x03,
    409             (byte) 0x16, (byte) 0x3a, (byte) 0x23, (byte) 0xac, (byte) 0xcb, (byte) 0xce,
    410             (byte) 0x9e, (byte) 0x51, (byte) 0x2e, (byte) 0x6d, (byte) 0x02, (byte) 0x03,
    411             (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3, (byte) 0x7b, (byte) 0x30,
    412             (byte) 0x79, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
    413             (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x02, (byte) 0x30, (byte) 0x00,
    414             (byte) 0x30, (byte) 0x2c, (byte) 0x06, (byte) 0x09, (byte) 0x60, (byte) 0x86,
    415             (byte) 0x48, (byte) 0x01, (byte) 0x86, (byte) 0xf8, (byte) 0x42, (byte) 0x01,
    416             (byte) 0x0d, (byte) 0x04, (byte) 0x1f, (byte) 0x16, (byte) 0x1d, (byte) 0x4f,
    417             (byte) 0x70, (byte) 0x65, (byte) 0x6e, (byte) 0x53, (byte) 0x53, (byte) 0x4c,
    418             (byte) 0x20, (byte) 0x47, (byte) 0x65, (byte) 0x6e, (byte) 0x65, (byte) 0x72,
    419             (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x64, (byte) 0x20, (byte) 0x43,
    420             (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69,
    421             (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x30, (byte) 0x1d,
    422             (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04,
    423             (byte) 0x16, (byte) 0x04, (byte) 0x14, (byte) 0x32, (byte) 0xa1, (byte) 0x1e,
    424             (byte) 0x6b, (byte) 0x69, (byte) 0x04, (byte) 0xfe, (byte) 0xb3, (byte) 0xcd,
    425             (byte) 0xf8, (byte) 0xbb, (byte) 0x14, (byte) 0xcd, (byte) 0xff, (byte) 0xd4,
    426             (byte) 0x16, (byte) 0xc3, (byte) 0xab, (byte) 0x44, (byte) 0x2f, (byte) 0x30,
    427             (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23,
    428             (byte) 0x04, (byte) 0x18, (byte) 0x30, (byte) 0x16, (byte) 0x80, (byte) 0x14,
    429             (byte) 0x33, (byte) 0x05, (byte) 0xee, (byte) 0xfe, (byte) 0x6f, (byte) 0x60,
    430             (byte) 0xc7, (byte) 0xf9, (byte) 0xa9, (byte) 0xd2, (byte) 0x73, (byte) 0x5c,
    431             (byte) 0x8f, (byte) 0x6d, (byte) 0xa2, (byte) 0x2f, (byte) 0x97, (byte) 0x8e,
    432             (byte) 0x5d, (byte) 0x51, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09,
    433             (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d,
    434             (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03,
    435             (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0x46, (byte) 0x42, (byte) 0xef,
    436             (byte) 0x56, (byte) 0x89, (byte) 0x78, (byte) 0x90, (byte) 0x38, (byte) 0x24,
    437             (byte) 0x9f, (byte) 0x8c, (byte) 0x7a, (byte) 0xce, (byte) 0x7a, (byte) 0xa5,
    438             (byte) 0xb5, (byte) 0x1e, (byte) 0x74, (byte) 0x96, (byte) 0x34, (byte) 0x49,
    439             (byte) 0x8b, (byte) 0xed, (byte) 0x44, (byte) 0xb3, (byte) 0xc9, (byte) 0x05,
    440             (byte) 0xd7, (byte) 0x48, (byte) 0x55, (byte) 0x52, (byte) 0x59, (byte) 0x15,
    441             (byte) 0x0b, (byte) 0xaa, (byte) 0x16, (byte) 0x86, (byte) 0xd2, (byte) 0x8e,
    442             (byte) 0x16, (byte) 0x99, (byte) 0xe8, (byte) 0x5f, (byte) 0x11, (byte) 0x71,
    443             (byte) 0x42, (byte) 0x55, (byte) 0xd1, (byte) 0xc4, (byte) 0x6f, (byte) 0x2e,
    444             (byte) 0xa9, (byte) 0x64, (byte) 0x6f, (byte) 0xd8, (byte) 0xfd, (byte) 0x43,
    445             (byte) 0x13, (byte) 0x24, (byte) 0xaa, (byte) 0x67, (byte) 0xe6, (byte) 0xf5,
    446             (byte) 0xca, (byte) 0x80, (byte) 0x5e, (byte) 0x3a, (byte) 0x3e, (byte) 0xcc,
    447             (byte) 0x4f, (byte) 0xba, (byte) 0x87, (byte) 0xe6, (byte) 0xae, (byte) 0xbf,
    448             (byte) 0x8f, (byte) 0xd5, (byte) 0x28, (byte) 0x38, (byte) 0x58, (byte) 0x30,
    449             (byte) 0x24, (byte) 0xf6, (byte) 0x53, (byte) 0x5b, (byte) 0x41, (byte) 0x53,
    450             (byte) 0xe6, (byte) 0x45, (byte) 0xbc, (byte) 0xbe, (byte) 0xe6, (byte) 0xbb,
    451             (byte) 0x5d, (byte) 0xd8, (byte) 0xa7, (byte) 0xf9, (byte) 0x64, (byte) 0x99,
    452             (byte) 0x04, (byte) 0x43, (byte) 0x75, (byte) 0xd7, (byte) 0x2d, (byte) 0x32,
    453             (byte) 0x0a, (byte) 0x94, (byte) 0xaf, (byte) 0x06, (byte) 0x34, (byte) 0xae,
    454             (byte) 0x46, (byte) 0xbd, (byte) 0xda, (byte) 0x00, (byte) 0x0e, (byte) 0x25,
    455             (byte) 0xc2, (byte) 0xf7, (byte) 0xc9, (byte) 0xc3, (byte) 0x65, (byte) 0xd2,
    456             (byte) 0x08, (byte) 0x41, (byte) 0x0a, (byte) 0xf3, (byte) 0x72
    457     };
    458 
    /**
     * Tolerance, in milliseconds, applied on either side of the expected
     * timestamp by the timing-sensitive tests (15 seconds).
     */
    private static final long SLOP_TIME_MILLIS = 15L * 1000L;
    464 
    /**
     * Starts every test from a freshly reset, still-locked keystore and obtains
     * the JCA-facing "AndroidKeyStore" instance under test.
     */
    @Override
    protected void setUp() throws Exception {
        final android.security.KeyStore lowLevelStore = android.security.KeyStore.getInstance();
        mAndroidKeyStore = lowLevelStore;

        // NOTE(review): reset() presumably wipes every stored credential, so this suite
        // should only run where the keystore contents are disposable -- confirm.
        final boolean wasReset = lowLevelStore.reset();
        assertTrue(wasReset);

        // Tests that need an unlocked store call setupPassword() themselves.
        final boolean unlocked = lowLevelStore.isUnlocked();
        assertFalse(unlocked);

        mKeyStore = java.security.KeyStore.getInstance("AndroidKeyStore");
    }
    474 
    /**
     * Sets a fixed throwaway password on the keystore, then checks that the
     * store reports itself unlocked and holds no entries.
     */
    private void setupPassword() {
        // "1111" is a fixture value only; setUp() has just reset the store.
        final boolean passwordAccepted = mAndroidKeyStore.password("1111");
        assertTrue(passwordAccepted);

        final boolean unlocked = mAndroidKeyStore.isUnlocked();
        assertTrue(unlocked);

        // presumably saw("") lists every entry name (empty prefix) -- confirm against KeyStore
        final int entryCount = mAndroidKeyStore.saw("").length;
        assertEquals(0, entryCount);
    }
    481 
    /**
     * Asserts that the keystore enumerates exactly the given aliases, each one once.
     *
     * @param expectedAliases aliases that {@code mKeyStore.aliases()} must return
     * @throws KeyStoreException propagated from {@code mKeyStore.aliases()}
     */
    private void assertAliases(final String[] expectedAliases) throws KeyStoreException {
        final Enumeration<String> actual = mKeyStore.aliases();
        final Set<String> remaining = new HashSet<String>(Arrays.asList(expectedAliases));

        int seen = 0;
        while (actual.hasMoreElements()) {
            seen += 1;
            final String name = actual.nextElement();
            // remove() returns false for an alias that is unexpected or already consumed.
            assertTrue("The alias should be in the expected set", remaining.remove(name));
        }

        assertTrue("The expected set and actual set should be exactly equal",
                remaining.isEmpty());
        assertEquals("There should be the correct number of keystore entries",
                expectedAliases.length, seen);
    }
    499 
    /**
     * A generated private key and an added CA certificate each show up in the
     * alias enumeration as soon as they are stored.
     */
    public void testKeyStore_Aliases_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        // Nothing stored yet.
        assertAliases(new String[0]);

        final String generatedKeyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        final boolean generated = mAndroidKeyStore.generate(generatedKeyName,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED);
        assertTrue(generated);
        assertAliases(new String[] { TEST_ALIAS_1 });

        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_2;
        final boolean caStored = mAndroidKeyStore.put(caCertName, FAKE_CA_1,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED);
        assertTrue(caStored);
        assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2 });
    }
    517 
    /**
     * Calling {@code aliases()} before {@code load()} must raise a
     * {@link KeyStoreException}.
     */
    public void testKeyStore_Aliases_NotInitialized_Encrypted_Failure() throws Exception {
        setupPassword();

        // load() is intentionally never called in this test.
        boolean rejected = false;
        try {
            mKeyStore.aliases();
        } catch (KeyStoreException expected) {
            rejected = true;
        }
        assertTrue("KeyStore should throw exception when not initialized", rejected);
    }
    527 
    /**
     * {@code containsAlias} reports a generated key and an added CA certificate,
     * and rejects an alias that was never stored.
     */
    public void testKeyStore_ContainsAliases_PrivateAndCA_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        assertAliases(new String[0]);

        final String generatedKeyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        final boolean generated = mAndroidKeyStore.generate(generatedKeyName,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED);
        assertTrue(generated);
        assertTrue("Should contain generated private key",
                mKeyStore.containsAlias(TEST_ALIAS_1));

        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_2;
        final boolean caStored = mAndroidKeyStore.put(caCertName, FAKE_CA_1,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED);
        assertTrue(caStored);
        assertTrue("Should contain added CA certificate",
                mKeyStore.containsAlias(TEST_ALIAS_2));

        // TEST_ALIAS_3 is never written by this test.
        final boolean unknownPresent = mKeyStore.containsAlias(TEST_ALIAS_3);
        assertFalse("Should not contain unadded certificate alias", unknownPresent);
    }
    548 
    /** An alias backed only by a CA certificate is reported by {@code containsAlias}. */
    public void testKeyStore_ContainsAliases_CAOnly_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_2;
        final boolean caStored = mAndroidKeyStore.put(caCertName, FAKE_CA_1,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED);
        assertTrue(caStored);

        final boolean present = mKeyStore.containsAlias(TEST_ALIAS_2);
        assertTrue("Should contain added CA certificate", present);
    }
    559 
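    /**
     * {@code containsAlias} must return {@code false} for an alias that was
     * never stored in an otherwise empty, unlocked keystore.
     */
    public void testKeyStore_ContainsAliases_NonExistent_Encrypted_Failure() throws Exception {
        setupPassword();

        mKeyStore.load(null, null);

        // The failure message previously claimed the alias *should* be present, which
        // contradicted the assertFalse and would mislead anyone triaging a failure.
        assertFalse("Should not contain non-existent alias",
                mKeyStore.containsAlias(TEST_ALIAS_1));
    }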
    567 
    /**
     * Deleting aliases one at a time removes exactly that alias from the
     * enumeration, until the store is empty.
     */
    public void testKeyStore_DeleteEntry_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        // TEST_ALIAS_1: private key, user certificate and CA certificate.
        final String keyName1 = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.importKey(keyName1, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String userCertName1 = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(userCertName1, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String caCertName1 = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName1, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        // TEST_ALIAS_2: CA certificate only.
        final String caCertName2 = Credentials.CA_CERTIFICATE + TEST_ALIAS_2;
        assertTrue(mAndroidKeyStore.put(caCertName2, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        // TEST_ALIAS_3: CA certificate only.
        final String caCertName3 = Credentials.CA_CERTIFICATE + TEST_ALIAS_3;
        assertTrue(mAndroidKeyStore.put(caCertName3, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2, TEST_ALIAS_3 });

        // Delete in the order 1, 3, 2 and re-check the enumeration after each step.
        mKeyStore.deleteEntry(TEST_ALIAS_1);
        assertAliases(new String[] { TEST_ALIAS_2, TEST_ALIAS_3 });

        mKeyStore.deleteEntry(TEST_ALIAS_3);
        assertAliases(new String[] { TEST_ALIAS_2 });

        mKeyStore.deleteEntry(TEST_ALIAS_2);
        assertAliases(new String[0]);
    }
    603 
    /** Deleting from an empty keystore must complete without throwing. */
    public void testKeyStore_DeleteEntry_EmptyStore_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        // Nothing has been stored; the call passing without an exception is the test.
        final String missingAlias = TEST_ALIAS_1;
        mKeyStore.deleteEntry(missingAlias);
    }
    612 
    /**
     * Deleting an alias that was never stored must not throw, even when the
     * keystore holds other entries.
     */
    public void testKeyStore_DeleteEntry_NonExistent_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        // Populate TEST_ALIAS_1 with key, user certificate and CA certificate.
        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        // TEST_ALIAS_2 was never written; the call passing without an exception is the test.
        final String missingAlias = TEST_ALIAS_2;
        mKeyStore.deleteEntry(missingAlias);
    }
    629 
    /**
     * A stored CA certificate is returned by {@code getCertificate} and equals
     * the certificate parsed from the same bytes; an unknown alias yields null.
     */
    public void testKeyStore_GetCertificate_Single_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        assertAliases(new String[] { TEST_ALIAS_1 });

        // Negative lookup while the store is populated.
        final Certificate missing = mKeyStore.getCertificate(TEST_ALIAS_2);
        assertNull("Certificate should not exist in keystore", missing);

        final Certificate fromStore = mKeyStore.getCertificate(TEST_ALIAS_1);
        assertNotNull("Retrieved certificate should not be null", fromStore);

        final Certificate fromBytes = CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(FAKE_CA_1));
        assertEquals("Actual and retrieved certificates should be the same", fromBytes,
                fromStore);
    }
    652 
    /** {@code getCertificate} returns null for an alias in an empty keystore. */
    public void testKeyStore_GetCertificate_NonExist_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final Certificate missing = mKeyStore.getCertificate(TEST_ALIAS_1);
        assertNull("Certificate should not exist in keystore", missing);
    }
    661 
    /** A stored CA certificate is mapped back to its alias by {@code getCertificateAlias}. */
    public void testKeyStore_GetCertificateAlias_CAEntry_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate caCert = x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        final String foundAlias = mKeyStore.getCertificateAlias(caCert);
        assertEquals("Stored certificate alias should be found", TEST_ALIAS_1, foundAlias);
    }
    676 
    /**
     * The user certificate of a private-key entry is mapped back to that
     * entry's alias by {@code getCertificateAlias}.
     */
    public void testKeyStore_GetCertificateAlias_PrivateKeyEntry_Encrypted_Success()
            throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        // Look up by the end-entity certificate, not the CA certificate.
        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate userCert =
                x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1));

        final String foundAlias = mKeyStore.getCertificateAlias(userCert);
        assertEquals("Stored certificate alias should be found", TEST_ALIAS_1, foundAlias);
    }
    696 
    /**
     * When the same CA certificate is stored both as a stand-alone CA entry
     * (TEST_ALIAS_2) and as the CA of a private-key entry (TEST_ALIAS_1),
     * looking up the CA certificate must return the stand-alone entry's alias.
     */
    public void testKeyStore_GetCertificateAlias_CAEntry_WithPrivateKeyUsingCA_Encrypted_Success()
            throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        // Stand-alone CA entry under TEST_ALIAS_2.
        final String standaloneCaName = Credentials.CA_CERTIFICATE + TEST_ALIAS_2;
        assertTrue(mAndroidKeyStore.put(standaloneCaName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        // Private-key entry under TEST_ALIAS_1 that carries the same CA certificate.
        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String keyCaName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(keyCaName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate caCert = x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        final String foundAlias = mKeyStore.getCertificateAlias(caCert);
        assertEquals("Stored certificate alias should be found", TEST_ALIAS_2, foundAlias);
    }
    721 
    /** {@code getCertificateAlias} returns null when the keystore is empty. */
    public void testKeyStore_GetCertificateAlias_NonExist_Empty_Encrypted_Failure()
            throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        // The certificate is parsed locally and never stored.
        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate unstored =
                x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        final String foundAlias = mKeyStore.getCertificateAlias(unstored);
        assertNull("Stored certificate alias should not be found", foundAlias);
    }
    734 
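    /**
     * {@code getCertificateAlias} must return null for a certificate that was
     * never stored, even when the keystore holds a different certificate.
     */
    public void testKeyStore_GetCertificateAlias_NonExist_Encrypted_Failure() throws Exception {
        setupPassword();

        mKeyStore.load(null, null);

        // Only the CA certificate is stored.
        assertTrue(mAndroidKeyStore.put(Credentials.CA_CERTIFICATE + TEST_ALIAS_1, FAKE_CA_1,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));

        // The lookup uses the user certificate, which is not in the store.
        CertificateFactory f = CertificateFactory.getInstance("X.509");
        Certificate userCert = f.generateCertificate(new ByteArrayInputStream(FAKE_USER_1));

        // The failure message previously said the alias "should be found", which
        // contradicted the assertNull and would mislead anyone triaging a failure.
        assertNull("Stored certificate alias should not be found",
                mKeyStore.getCertificateAlias(userCert));
    }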
    749 
    /**
     * The chain returned for a private-key entry is the user certificate
     * followed by the CA certificate; an unknown alias yields null.
     */
    public void testKeyStore_GetCertificateChain_SingleLength_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        // Expected order: end-entity certificate first, then its CA.
        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate[] wanted = new Certificate[] {
                x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1)),
        };

        final Certificate[] chain = mKeyStore.getCertificateChain(TEST_ALIAS_1);

        assertNotNull("Returned certificate chain should not be null", chain);
        assertEquals("Returned certificate chain should be correct size", wanted.length,
                chain.length);
        assertEquals("First certificate should be user certificate", wanted[0], chain[0]);
        assertEquals("Second certificate should be CA certificate", wanted[1], chain[1]);

        // Negative lookup while the store is populated.
        final Certificate[] missing = mKeyStore.getCertificateChain(TEST_ALIAS_2);
        assertNull("Stored certificate alias should not be found", missing);
    }
    779 
    /** {@code getCertificateChain} returns null for an alias in an empty keystore. */
    public void testKeyStore_GetCertificateChain_NonExist_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final Certificate[] missing = mKeyStore.getCertificateChain(TEST_ALIAS_1);
        assertNull("Stored certificate alias should not be found", missing);
    }
    788 
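    /**
     * The creation date reported for a freshly imported private-key entry lies
     * within {@code SLOP_TIME_MILLIS} of the current time.
     */
    public void testKeyStore_GetCreationDate_PrivateKeyEntry_Encrypted_Success() throws Exception {
        setupPassword();

        mKeyStore.load(null, null);

        assertTrue(mAndroidKeyStore.importKey(Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1,
                FAKE_KEY_1, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));
        assertTrue(mAndroidKeyStore.put(Credentials.USER_CERTIFICATE + TEST_ALIAS_1, FAKE_USER_1,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));
        assertTrue(mAndroidKeyStore.put(Credentials.CA_CERTIFICATE + TEST_ALIAS_1, FAKE_CA_1,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));

        Date now = new Date();
        Date actual = mKeyStore.getCreationDate(TEST_ALIAS_1);
        // Fail with a clear assertion instead of a NullPointerException below,
        // matching what the CA-entry variant of this test already does.
        assertNotNull("Creation date should be found", actual);

        Date expectedAfter = new Date(now.getTime() - SLOP_TIME_MILLIS);
        Date expectedBefore = new Date(now.getTime() + SLOP_TIME_MILLIS);

        assertTrue("Time should be close to current time", actual.before(expectedBefore));
        assertTrue("Time should be close to current time", actual.after(expectedAfter));
    }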
    810 
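    /**
     * The creation date reported for a private-key entry stored with
     * {@code FLAG_NONE} lies within {@code SLOP_TIME_MILLIS} of the current time.
     * Unlike the {@code _Encrypted_} variant, no password is set here.
     */
    public void testKeyStore_GetCreationDate_PrivateKeyEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        assertTrue(mAndroidKeyStore.importKey(Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1,
                FAKE_KEY_1, KeyStore.UID_SELF, KeyStore.FLAG_NONE));
        assertTrue(mAndroidKeyStore.put(Credentials.USER_CERTIFICATE + TEST_ALIAS_1, FAKE_USER_1,
                KeyStore.UID_SELF, KeyStore.FLAG_NONE));
        assertTrue(mAndroidKeyStore.put(Credentials.CA_CERTIFICATE + TEST_ALIAS_1, FAKE_CA_1,
                KeyStore.UID_SELF, KeyStore.FLAG_NONE));

        Date now = new Date();
        Date actual = mKeyStore.getCreationDate(TEST_ALIAS_1);
        // Fail with a clear assertion instead of a NullPointerException below,
        // matching what the CA-entry variant of this test already does.
        assertNotNull("Creation date should be found", actual);

        Date expectedAfter = new Date(now.getTime() - SLOP_TIME_MILLIS);
        Date expectedBefore = new Date(now.getTime() + SLOP_TIME_MILLIS);

        assertTrue("Time should be close to current time", actual.before(expectedBefore));
        assertTrue("Time should be close to current time", actual.after(expectedAfter));
    }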
    830 
    /**
     * The creation date reported for a freshly stored CA certificate lies
     * within {@code SLOP_TIME_MILLIS} of the current time.
     */
    public void testKeyStore_GetCreationDate_CAEntry_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        final long nowMillis = new Date().getTime();
        final Date created = mKeyStore.getCreationDate(TEST_ALIAS_1);
        assertNotNull("Certificate should be found", created);

        // Accept any timestamp inside (now - slop, now + slop).
        final Date lowerBound = new Date(nowMillis - SLOP_TIME_MILLIS);
        final Date upperBound = new Date(nowMillis + SLOP_TIME_MILLIS);

        assertTrue("Time should be close to current time", created.before(upperBound));
        assertTrue("Time should be close to current time", created.after(lowerBound));
    }
    849 
    /**
     * {@code getEntry} with a null protection parameter returns a
     * {@link PrivateKeyEntry} matching the imported key and certificates.
     */
    public void testKeyStore_GetEntry_NullParams_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        final Entry loaded = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Entry should exist", loaded);
        assertTrue("Should be a PrivateKeyEntry", loaded instanceof PrivateKeyEntry);

        assertPrivateKeyEntryEquals((PrivateKeyEntry) loaded, FAKE_KEY_1, FAKE_USER_1,
                FAKE_CA_1);
    }
    871 
    /**
     * Same as the {@code _Encrypted_} variant, but no password is set and the
     * entries are stored with {@code FLAG_NONE}.
     */
    public void testKeyStore_GetEntry_NullParams_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_NONE));
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_NONE));
        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_NONE));

        final Entry loaded = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Entry should exist", loaded);
        assertTrue("Should be a PrivateKeyEntry", loaded instanceof PrivateKeyEntry);

        assertPrivateKeyEntryEquals((PrivateKeyEntry) loaded, FAKE_KEY_1, FAKE_USER_1,
                FAKE_CA_1);
    }
    891 
    /**
     * Decodes the expected key and certificates from their encoded forms and
     * delegates to the object-based overload.
     *
     * @param keyEntry entry returned by the keystore
     * @param key PKCS#8-encoded RSA private key that was stored
     * @param cert encoded X.509 user certificate that was stored
     * @param ca encoded X.509 CA certificate(s), or {@code null} when none were stored
     */
    @SuppressWarnings("unchecked")
    private void assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, byte[] key, byte[] cert,
            byte[] ca) throws Exception {
        final PrivateKey wantedKey =
                KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(key));

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate wantedCert = x509.generateCertificate(new ByteArrayInputStream(cert));

        // generateCertificates() is declared with a wildcard element type, hence the
        // unchecked cast covered by the method-level @SuppressWarnings.
        final Collection<Certificate> wantedChain = (ca == null)
                ? null
                : (Collection<Certificate>) x509.generateCertificates(
                        new ByteArrayInputStream(ca));

        assertPrivateKeyEntryEquals(keyEntry, wantedKey, wantedCert, wantedChain);
    }
    911 
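    /**
     * Asserts that a keystore entry carries the expected private key,
     * certificate and certificate chain.
     *
     * <p>The private key is compared by RSA modulus only. The chain must be the
     * user certificate followed by exactly the expected CA certificates, in
     * iteration order; extra or missing certificates fail the assertion.
     *
     * @param keyEntry entry returned by the keystore
     * @param expectedKey RSA private key that was stored
     * @param expectedCert user certificate that was stored
     * @param expectedChain CA certificates expected after the user certificate,
     *        or {@code null} when the chain should hold the user certificate alone
     */
    private void assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, PrivateKey expectedKey,
            Certificate expectedCert, Collection<Certificate> expectedChain) throws Exception {
        // NOTE(review): only the modulus is compared; presumably the keystore-backed
        // key does not expose its private exponent -- confirm.
        assertEquals("Returned PrivateKey should be what we inserted",
                ((RSAPrivateKey) expectedKey).getModulus(),
                ((RSAPrivateKey) keyEntry.getPrivateKey()).getModulus());

        assertEquals("Returned Certificate should be what we inserted", expectedCert,
                keyEntry.getCertificate());

        Certificate[] actualChain = keyEntry.getCertificateChain();
        assertNotNull("Certificate chain should not be null", actualChain);

        assertEquals("First certificate in chain should be user cert", expectedCert, actualChain[0]);

        if (expectedChain == null) {
            assertEquals("Certificate chain should not include CAs", 1, actualChain.length);
        } else {
            // Pin the length first: without it an unexpected trailing certificate would
            // pass unnoticed and a short chain would surface as an index error.
            assertEquals("Certificate chain should be user cert plus expected CAs",
                    expectedChain.size() + 1, actualChain.length);

            int i = 1;
            for (Certificate expectedCa : expectedChain) {
                assertEquals("CA chain certificate should equal what we put in", expectedCa,
                        actualChain[i++]);
            }
        }
    }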
    936 
    /** {@code getEntry} returns null for an alias in an empty, unlocked keystore. */
    public void testKeyStore_GetEntry_Nonexistent_NullParams_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final Entry missing = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNull("A non-existent entry should return null", missing);
    }
    945 
    /** {@code getEntry} returns null for an alias in an empty keystore with no password set. */
    public void testKeyStore_GetEntry_Nonexistent_NullParams_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        final Entry missing = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNull("A non-existent entry should return null", missing);
    }
    952 
    /**
     * {@code getKey} with a null password returns an {@link RSAPrivateKey}
     * whose modulus matches the imported key.
     */
    public void testKeyStore_GetKey_NoPassword_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        final Key retrieved = mKeyStore.getKey(TEST_ALIAS_1, null);
        assertNotNull("Key should exist", retrieved);
        assertTrue("Should be a RSAPrivateKey", retrieved instanceof RSAPrivateKey);
        final RSAPrivateKey retrievedRsa = (RSAPrivateKey) retrieved;

        final PrivateKey imported = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));

        // Only the modulus is compared between the imported and retrieved keys.
        assertEquals("Inserted key should be same as retrieved key",
                ((RSAPrivateKey) imported).getModulus(), retrievedRsa.getModulus());
    }
    978 
    /**
     * Stores an RSA private key plus its user and CA certificates with {@code FLAG_NONE} and no
     * {@code setupPassword()} call, then checks that {@code getKey} returns the matching RSA key.
     */
    public void testKeyStore_GetKey_NoPassword_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;

        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_NONE));
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_NONE));
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_NONE));

        final Key retrieved = mKeyStore.getKey(TEST_ALIAS_1, null);
        assertNotNull("Key should exist", retrieved);
        assertTrue("Should be a RSAPrivateKey", retrieved instanceof RSAPrivateKey);

        final PrivateKey reference = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));

        // Only the public modulus is compared: this ties the retrieved key to the same key
        // pair, it does not compare private material.
        assertEquals("Inserted key should be same as retrieved key",
                ((RSAPrivateKey) reference).getModulus(),
                ((RSAPrivateKey) retrieved).getModulus());
    }
   1002 
    /**
     * An alias that holds only a CA certificate must not be returned as a key:
     * {@code getKey} is expected to yield {@code null} for it.
     */
    public void testKeyStore_GetKey_Certificate_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final boolean caStored = mAndroidKeyStore.put(Credentials.CA_CERTIFICATE + TEST_ALIAS_1,
                FAKE_CA_1, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED);
        assertTrue(caStored);

        final Key shouldBeAbsent = mKeyStore.getKey(TEST_ALIAS_1, null);
        assertNull("Certificate entries should return null", shouldBeAbsent);
    }
   1013 
    /**
     * {@code getKey} on an alias this test never stored must return {@code null} rather
     * than throw.
     */
    public void testKeyStore_GetKey_NonExistent_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final Key shouldBeAbsent = mKeyStore.getKey(TEST_ALIAS_1, null);
        assertNull("A non-existent entry should return null", shouldBeAbsent);
    }
   1021 
    /**
     * The keystore must report {@code AndroidKeyStoreProvider.PROVIDER_NAME} as its provider
     * both before and after {@code setupPassword()} runs.
     */
    public void testKeyStore_GetProvider_Encrypted_Success() throws Exception {
        final String nameBefore = mKeyStore.getProvider().getName();
        assertEquals(AndroidKeyStoreProvider.PROVIDER_NAME, nameBefore);

        setupPassword();

        final String nameAfter = mKeyStore.getProvider().getName();
        assertEquals(AndroidKeyStoreProvider.PROVIDER_NAME, nameAfter);
    }
   1027 
    /**
     * The keystore type must equal {@code AndroidKeyStore.NAME} both before and after
     * {@code setupPassword()} runs.
     */
    public void testKeyStore_GetType_Encrypted_Success() throws Exception {
        final String typeBefore = mKeyStore.getType();
        assertEquals(AndroidKeyStore.NAME, typeBefore);

        setupPassword();

        final String typeAfter = mKeyStore.getType();
        assertEquals(AndroidKeyStore.NAME, typeAfter);
    }
   1033 
    /**
     * An alias that holds only a CA certificate (stored with {@code FLAG_ENCRYPTED}) must be
     * reported as a certificate entry.
     */
    public void testKeyStore_IsCertificateEntry_CA_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final boolean caStored = mAndroidKeyStore.put(Credentials.CA_CERTIFICATE + TEST_ALIAS_1,
                FAKE_CA_1, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED);
        assertTrue(caStored);

        final boolean isCertificate = mKeyStore.isCertificateEntry(TEST_ALIAS_1);
        assertTrue("Should return true for CA certificate", isCertificate);
    }
   1044 
    /**
     * An alias that holds a private key together with its user and CA certificates must not be
     * classified as a certificate entry.
     */
    public void testKeyStore_IsCertificateEntry_PrivateKey_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;

        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        // The CA certificate under the same alias must not make this look like a
        // certificate-only entry.
        final boolean isCertificate = mKeyStore.isCertificateEntry(TEST_ALIAS_1);
        assertFalse("Should return false for PrivateKeyEntry", isCertificate);
    }
   1059 
    /**
     * {@code isCertificateEntry} must answer {@code false} for an alias this test never
     * stored, after {@code setupPassword()} has run.
     */
    public void testKeyStore_IsCertificateEntry_NonExist_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final boolean isCertificate = mKeyStore.isCertificateEntry(TEST_ALIAS_1);
        assertFalse("Should return false for non-existent entry", isCertificate);
    }
   1067 
    /**
     * {@code isCertificateEntry} must answer {@code false} for an alias this test never
     * stored, without any {@code setupPassword()} call.
     */
    public void testKeyStore_IsCertificateEntry_NonExist_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        final boolean isCertificate = mKeyStore.isCertificateEntry(TEST_ALIAS_1);
        assertFalse("Should return false for non-existent entry", isCertificate);
    }
   1074 
    /**
     * An alias that holds a private key with its user and CA certificates (all stored with
     * {@code FLAG_ENCRYPTED}) must be reported as a key entry.
     */
    public void testKeyStore_IsKeyEntry_PrivateKey_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final String keyName = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        final String userCertName = Credentials.USER_CERTIFICATE + TEST_ALIAS_1;
        final String caCertName = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;

        assertTrue(mAndroidKeyStore.importKey(keyName, FAKE_KEY_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        assertTrue(mAndroidKeyStore.put(userCertName, FAKE_USER_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        assertTrue(mAndroidKeyStore.put(caCertName, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));

        final boolean isKey = mKeyStore.isKeyEntry(TEST_ALIAS_1);
        assertTrue("Should return true for PrivateKeyEntry", isKey);
    }
   1088 
    /**
     * An alias that holds only a CA certificate must not be reported as a key entry.
     */
    public void testKeyStore_IsKeyEntry_CA_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final boolean caStored = mAndroidKeyStore.put(Credentials.CA_CERTIFICATE + TEST_ALIAS_1,
                FAKE_CA_1, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED);
        assertTrue(caStored);

        final boolean isKey = mKeyStore.isKeyEntry(TEST_ALIAS_1);
        assertFalse("Should return false for CA certificate", isKey);
    }
   1098 
    /**
     * {@code isKeyEntry} must answer {@code false} for an alias this test never stored.
     */
    public void testKeyStore_IsKeyEntry_NonExist_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final boolean isKey = mKeyStore.isKeyEntry(TEST_ALIAS_1);
        assertFalse("Should return false for non-existent entry", isKey);
    }
   1106 
    /**
     * Stores a CA certificate through {@code setCertificateEntry} and checks that the alias is
     * listed and that {@code getCertificate} returns an equal certificate.
     */
    public void testKeyStore_SetCertificate_CA_Encrypted_Success() throws Exception {
        // The certificate is parsed before the keystore is touched.
        final Certificate caCert = CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        setupPassword();
        mKeyStore.load(null, null);

        mKeyStore.setCertificateEntry(TEST_ALIAS_1, caCert);
        assertAliases(new String[] { TEST_ALIAS_1 });

        assertEquals("Retrieved certificate should be the same as the one inserted", caCert,
                mKeyStore.getCertificate(TEST_ALIAS_1));
    }
   1122 
    /**
     * Overwrites an existing CA certificate through {@code setCertificateEntry} and checks that
     * the alias list still contains exactly the one alias.
     *
     * <p>The replacement is the same {@code FAKE_CA_1} vector and the stored certificate is not
     * read back afterwards, so this test cannot tell a real overwrite from a call that left the
     * first certificate in place.
     */
    public void testKeyStore_SetCertificate_CAExists_Overwrite_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final boolean caStored = mAndroidKeyStore.put(Credentials.CA_CERTIFICATE + TEST_ALIAS_1,
                FAKE_CA_1, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED);
        assertTrue(caStored);

        assertAliases(new String[] { TEST_ALIAS_1 });

        final Certificate replacement = CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        // TODO have separate FAKE_CA for second test
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, replacement);

        assertAliases(new String[] { TEST_ALIAS_1 });
    }
   1140 
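    /**
     * Checks that {@code setCertificateEntry} refuses to replace an alias that already holds a
     * private key, and that the refused call leaves that key entry in place.
     *
     * <p>The rejection is expected as a {@link KeyStoreException}; any other outcome fails
     * the test.
     */
    public void testKeyStore_SetCertificate_PrivateKeyExists_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        assertTrue(mAndroidKeyStore.importKey(Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1,
                FAKE_KEY_1, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));
        assertTrue(mAndroidKeyStore.put(Credentials.USER_CERTIFICATE + TEST_ALIAS_1, FAKE_USER_1,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));
        assertTrue(mAndroidKeyStore.put(Credentials.CA_CERTIFICATE + TEST_ALIAS_1, FAKE_CA_1,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));

        assertAliases(new String[] { TEST_ALIAS_1 });

        final CertificateFactory f = CertificateFactory.getInstance("X.509");
        final Certificate cert = f.generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        try {
            mKeyStore.setCertificateEntry(TEST_ALIAS_1, cert);
            fail("Should throw when trying to overwrite a PrivateKey entry with a Certificate");
        } catch (KeyStoreException expected) {
            // Expected: a certificate must not displace a private key entry.
        }

        // The exception alone does not prove the key survived; a refused write that still
        // removed or downgraded the entry would otherwise go unnoticed.
        assertTrue("PrivateKey entry should still exist after the rejected overwrite",
                mKeyStore.isKeyEntry(TEST_ALIAS_1));
    }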
   1163 
    /**
     * Stores a {@code PrivateKeyEntry} (RSA key with a user + CA chain) through
     * {@code setEntry} with null parameters after {@code setupPassword()}, then reads it back
     * and compares it with the original test vectors.
     */
    public void testKeyStore_SetEntry_PrivateKeyEntry_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final PrivateKey privateKey = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate[] chain = {
                x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1)),
        };

        mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(privateKey, chain), null);

        final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", stored);
        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                stored instanceof PrivateKeyEntry);

        assertPrivateKeyEntryEquals((PrivateKeyEntry) stored, FAKE_KEY_1, FAKE_USER_1, FAKE_CA_1);
    }
   1191 
    /**
     * Stores a {@code PrivateKeyEntry} through {@code setEntry} with null parameters and no
     * {@code setupPassword()} call, then reads it back and compares it with the test vectors.
     */
    public void testKeyStore_SetEntry_PrivateKeyEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        final PrivateKey privateKey = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate[] chain = {
                x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1)),
        };

        mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(privateKey, chain), null);

        final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", stored);
        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                stored instanceof PrivateKeyEntry);

        assertPrivateKeyEntryEquals((PrivateKeyEntry) stored, FAKE_KEY_1, FAKE_USER_1, FAKE_CA_1);
    }
   1218 
    /**
     * Without a {@code setupPassword()} call, storing an entry whose parameters set
     * {@code setEncryptionRequired(true)} must fail with a {@link KeyStoreException} and must
     * leave nothing stored under the alias.
     */
    public void testKeyStore_SetEntry_PrivateKeyEntry_Params_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        final PrivateKey privateKey = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate[] chain = {
                x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1)),
        };
        final PrivateKeyEntry keyEntry = new PrivateKeyEntry(privateKey, chain);

        try {
            mKeyStore.setEntry(TEST_ALIAS_1, keyEntry,
                    new KeyStoreParameter.Builder(getContext())
                            .setEncryptionRequired(true)
                            .build());
            fail("Shouldn't be able to insert encrypted entry when KeyStore uninitialized");
        } catch (KeyStoreException rejected) {
            // Expected: the request for encryption must not be silently downgraded.
        }

        // The refused write must not leave an entry behind.
        assertNull(mKeyStore.getEntry(TEST_ALIAS_1, null));
    }
   1244 
    /**
     * Stores a {@code PrivateKeyEntry} and then stores a second one under the same alias,
     * reading the entry back and comparing it with the test vectors after each write.
     *
     * <p>Both writes use the same {@code FAKE_KEY_1}/{@code FAKE_USER_1}/{@code FAKE_CA_1}
     * vectors, so a {@code setEntry} that kept the first entry instead of replacing it would
     * still pass.
     */
    public void
            testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_PrivateKeyEntry_Encrypted_Success()
            throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final KeyFactory rsa = KeyFactory.getInstance("RSA");
        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");

        // Round 0 creates the entry; round 1 replaces it with another PrivateKeyEntry.
        // TODO make entirely new test vector for the overwrite
        for (int round = 0; round < 2; round++) {
            final PrivateKey privateKey =
                    rsa.generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));
            final Certificate[] chain = {
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1)),
            };

            mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(privateKey, chain), null);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                    stored instanceof PrivateKeyEntry);

            assertPrivateKeyEntryEquals((PrivateKeyEntry) stored, FAKE_KEY_1, FAKE_USER_1,
                    FAKE_CA_1);
        }
    }
   1301 
    /**
     * Replaces a {@code TrustedCertificateEntry} with a {@code PrivateKeyEntry} under the
     * same alias and checks the entry type and contents after each write.
     *
     * <p>Despite the word order in the method name, the CA entry is written first and the
     * private-key entry is the one that overwrites it.
     */
    public void testKeyStore_SetEntry_CAEntry_Overwrites_PrivateKeyEntry_Encrypted_Success()
            throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");

        // Phase 1: store the CA certificate as a trusted-certificate entry and read it back.
        {
            final TrustedCertificateEntry caEntry = new TrustedCertificateEntry(
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1)));
            mKeyStore.setEntry(TEST_ALIAS_1, caEntry, null);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
                    stored instanceof TrustedCertificateEntry);
            assertEquals("Stored and retrieved certificates should be the same",
                    caEntry.getTrustedCertificate(),
                    ((TrustedCertificateEntry) stored).getTrustedCertificate());
        }

        // Phase 2: the same alias now receives a private key with a user + CA chain; the
        // reported entry type must switch to PrivateKeyEntry.
        {
            final PrivateKey privateKey = KeyFactory.getInstance("RSA")
                    .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));
            final Certificate[] chain = {
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1)),
            };

            mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(privateKey, chain), null);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                    stored instanceof PrivateKeyEntry);

            assertPrivateKeyEntryEquals((PrivateKeyEntry) stored, FAKE_KEY_1, FAKE_USER_1,
                    FAKE_CA_1);
        }
    }
   1347 
    /**
     * Replaces a {@code PrivateKeyEntry} with a {@code TrustedCertificateEntry} under the
     * same alias and checks the entry type and contents after each write.
     *
     * <p>Despite the word order in the method name, the private-key entry is written first
     * and the CA entry is the one that overwrites it.
     */
    public void testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_CAEntry_Encrypted_Success()
            throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");

        // One parsed CA certificate is shared by the chain in phase 1 and the entry in phase 2.
        final Certificate caCert = x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        // Phase 1: store the private key with its user + CA chain.
        {
            final PrivateKey privateKey = KeyFactory.getInstance("RSA")
                    .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));
            final Certificate[] chain = {
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                    caCert,
            };

            mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(privateKey, chain), null);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                    stored instanceof PrivateKeyEntry);

            assertPrivateKeyEntryEquals((PrivateKeyEntry) stored, FAKE_KEY_1, FAKE_USER_1,
                    FAKE_CA_1);
        }

        // Phase 2: the alias is rewritten as a certificate-only entry; the reported type must
        // no longer be PrivateKeyEntry.
        {
            final TrustedCertificateEntry caEntry = new TrustedCertificateEntry(caCert);
            mKeyStore.setEntry(TEST_ALIAS_1, caEntry, null);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
                    stored instanceof TrustedCertificateEntry);
            assertEquals("Stored and retrieved certificates should be the same",
                    caEntry.getTrustedCertificate(),
                    ((TrustedCertificateEntry) stored).getTrustedCertificate());
        }
    }
   1393 
    /**
     * Replaces a {@code PrivateKeyEntry} that carries a user + CA chain with one whose chain
     * holds only the user certificate, and checks that the CA part is gone afterwards.
     *
     * <p>The second read-back passes {@code null} as the expected CA to
     * {@code assertPrivateKeyEntryEquals}, so a CA certificate left over from the first
     * write is what this test is meant to catch.
     */
    public
            void
            testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_ShortPrivateKeyEntry_Encrypted_Success()
            throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");

        final Certificate caCert = x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        // Phase 1: private key with the full two-certificate chain.
        {
            final PrivateKey privateKey = KeyFactory.getInstance("RSA")
                    .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));
            final Certificate[] fullChain = {
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                    caCert,
            };

            mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(privateKey, fullChain), null);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                    stored instanceof PrivateKeyEntry);

            assertPrivateKeyEntryEquals((PrivateKeyEntry) stored, FAKE_KEY_1, FAKE_USER_1,
                    FAKE_CA_1);
        }

        // Phase 2: same key, but the chain has length 1 (user certificate only, no CA).
        {
            final PrivateKey privateKey = KeyFactory.getInstance("RSA")
                    .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));
            final Certificate[] userOnlyChain = {
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
            };

            mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(privateKey, userOnlyChain),
                    null);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                    stored instanceof PrivateKeyEntry);

            assertPrivateKeyEntryEquals((PrivateKeyEntry) stored, FAKE_KEY_1, FAKE_USER_1, null);
        }
    }
   1446 
    /**
     * Replaces one {@code TrustedCertificateEntry} with another under the same alias and
     * checks after each write that the certificate read back equals the one just stored.
     *
     * <p>The two writes use different certificates ({@code FAKE_CA_1}, then
     * {@code FAKE_USER_1}), so unlike the same-vector overwrite tests this one can detect a
     * write that left the first certificate in place.
     */
    public void testKeyStore_SetEntry_CAEntry_Overwrites_CAEntry_Encrypted_Success()
            throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");

        // Phase 1: trusted-certificate entry built from the CA vector.
        {
            final TrustedCertificateEntry caEntry = new TrustedCertificateEntry(
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1)));
            mKeyStore.setEntry(TEST_ALIAS_1, caEntry, null);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
                    stored instanceof TrustedCertificateEntry);
            assertEquals("Stored and retrieved certificates should be the same",
                    caEntry.getTrustedCertificate(),
                    ((TrustedCertificateEntry) stored).getTrustedCertificate());
        }

        // Phase 2: trusted-certificate entry built from the user-certificate vector.
        {
            final TrustedCertificateEntry userEntry = new TrustedCertificateEntry(
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)));
            mKeyStore.setEntry(TEST_ALIAS_1, userEntry, null);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
                    stored instanceof TrustedCertificateEntry);
            assertEquals("Stored and retrieved certificates should be the same",
                    userEntry.getTrustedCertificate(),
                    ((TrustedCertificateEntry) stored).getTrustedCertificate());
        }
    }
   1489 
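    /**
     * Checks that {@code setKeyEntry} rejects a per-entry password with a
     * {@link KeyStoreException} and that the rejected call stores nothing under the alias.
     */
    public void testKeyStore_SetKeyEntry_ProtectedKey_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final CertificateFactory f = CertificateFactory.getInstance("X.509");

        final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        KeyFactory keyFact = KeyFactory.getInstance("RSA");
        PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));
        final Certificate[] chain = new Certificate[2];
        chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_USER_1));
        chain[1] = caCert;

        try {
            mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, "foo".toCharArray(), chain);
            fail("Should fail when a password is specified");
        } catch (KeyStoreException expected) {
            // Expected: a caller-supplied entry password is not accepted.
        }

        // Same post-failure check as
        // testKeyStore_SetEntry_PrivateKeyEntry_Params_Unencrypted_Failure: the refused key
        // must not have been stored anyway.
        assertNull("Rejected key entry should not have been stored",
                mKeyStore.getEntry(TEST_ALIAS_1, null));
    }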
   1510 
    /**
     * Stores an RSA private key and its user + CA chain through {@code setKeyEntry} with a
     * null password, then reads the entry back and compares it with the test vectors.
     */
    public void testKeyStore_SetKeyEntry_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate caCert = x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        final PrivateKey privateKey = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));
        final Certificate[] chain = {
                x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                caCert,
        };

        mKeyStore.setKeyEntry(TEST_ALIAS_1, privateKey, null, chain);

        final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", stored);
        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                stored instanceof PrivateKeyEntry);

        assertPrivateKeyEntryEquals((PrivateKeyEntry) stored, FAKE_KEY_1, FAKE_USER_1, FAKE_CA_1);
    }
   1537 
    /**
     * Calls {@code setKeyEntry} twice for the same alias and checks after each call that the
     * entry read back matches the test vectors.
     *
     * <p>Both calls store the same {@code FAKE_KEY_1} key and chain, so a second call that
     * left the first key in place would still pass.
     */
    public void testKeyStore_SetKeyEntry_Replaced_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        final Certificate caCert = x509.generateCertificate(new ByteArrayInputStream(FAKE_CA_1));

        // Round 0 inserts the initial key; round 1 replaces it.
        // TODO make a separate key
        for (int round = 0; round < 2; round++) {
            final PrivateKey privateKey = KeyFactory.getInstance("RSA")
                    .generatePrivate(new PKCS8EncodedKeySpec(FAKE_KEY_1));
            final Certificate[] chain = {
                    x509.generateCertificate(new ByteArrayInputStream(FAKE_USER_1)),
                    caCert,
            };

            mKeyStore.setKeyEntry(TEST_ALIAS_1, privateKey, null, chain);

            final Entry stored = mKeyStore.getEntry(TEST_ALIAS_1, null);
            assertNotNull("Retrieved entry should exist", stored);
            assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                    stored instanceof PrivateKeyEntry);

            assertPrivateKeyEntryEquals((PrivateKeyEntry) stored, FAKE_KEY_1, FAKE_USER_1,
                    FAKE_CA_1);
        }
    }
   1589 
    /**
     * Builds a self-signed X.509 certificate for a key pair that is looked up by alias.
     *
     * <p>The private key is obtained from the {@code "keystore"} OpenSSL engine by id, and the
     * matching public key is read from {@code keyStore} in X.509 encoding. The subject DN is
     * also used as the issuer DN.
     *
     * <p>NOTE(review): the certificate is signed with {@code sha1WithRSA}. SHA-1 signatures are
     * no longer acceptable for production certificates. Here it is only used for test fixtures,
     * so do not copy this helper into non-test code without changing the algorithm.
     *
     * @param keyStore Android keystore that is asked for the encoded public key
     * @param alias alias of the key pair, without the {@code Credentials.USER_PRIVATE_KEY} prefix
     * @param serialNumber serial number to put into the certificate
     * @param subjectDN distinguished name used for both subject and issuer
     * @param notBefore start of the validity period
     * @param notAfter end of the validity period
     * @return the generated certificate
     * @throws RuntimeException if the engine cannot provide the private key
     * @throws IllegalStateException if the RSA key factory is unavailable or the public key
     *         encoding returned by the keystore cannot be parsed
     */
    @SuppressWarnings("deprecation")
    private static X509Certificate generateCertificate(android.security.KeyStore keyStore,
            String alias, BigInteger serialNumber, X500Principal subjectDN, Date notBefore,
            Date notAfter) throws Exception {
        final String keyId = Credentials.USER_PRIVATE_KEY + alias;

        // Signing key: resolved through the OpenSSL engine rather than decoded from bytes.
        final OpenSSLEngine keystoreEngine = OpenSSLEngine.getInstance("keystore");
        final PrivateKey signingKey;
        try {
            signingKey = keystoreEngine.getPrivateKeyById(keyId);
        } catch (InvalidKeyException e) {
            throw new RuntimeException("Can't get key", e);
        }

        // Subject key: the keystore hands back an X.509 (SubjectPublicKeyInfo) encoding.
        // NOTE(review): presumably getPubkey() can return null on failure, in which case the
        // key spec constructor below throws NullPointerException. Confirm against KeyStore.
        final byte[] encodedPublicKey = keyStore.getPubkey(keyId);
        final PublicKey subjectKey;
        try {
            subjectKey = KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(encodedPublicKey));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Can't instantiate RSA key generator", e);
        } catch (InvalidKeySpecException e) {
            throw new IllegalStateException("keystore returned invalid key encoding", e);
        }

        final X509V3CertificateGenerator builder = new X509V3CertificateGenerator();
        builder.setPublicKey(subjectKey);
        builder.setSerialNumber(serialNumber);
        // Self-signed: issuer and subject are the same principal.
        builder.setSubjectDN(subjectDN);
        builder.setIssuerDN(subjectDN);
        builder.setNotBefore(notBefore);
        builder.setNotAfter(notAfter);
        builder.setSignatureAlgorithm("sha1WithRSA");

        return builder.generate(signingKey);
    }
   1629 
    /**
     * Verifies that the certificate chain of an existing encrypted key entry can be replaced
     * through {@code setKeyEntry} when the private key supplied is the one already stored.
     */
    public void testKeyStore_SetKeyEntry_ReplacedChain_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        // Step 1: generate key #1 and attach a first self-signed certificate.
        final String keyId = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.generate(keyId, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));

        final Key firstLookup = mKeyStore.getKey(TEST_ALIAS_1, null);
        assertTrue(firstLookup instanceof PrivateKey);
        final PrivateKey firstKey = (PrivateKey) firstLookup;

        final X509Certificate firstCert = generateCertificate(mAndroidKeyStore, TEST_ALIAS_1,
                TEST_SERIAL_1, TEST_DN_1, NOW, NOW_PLUS_10_YEARS);
        assertTrue(mAndroidKeyStore.put(Credentials.USER_CERTIFICATE + TEST_ALIAS_1,
                firstCert.getEncoded(), KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));

        final Entry firstEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertTrue(firstEntry instanceof PrivateKeyEntry);
        assertPrivateKeyEntryEquals((PrivateKeyEntry) firstEntry, firstKey, firstCert, null);

        // Step 2: keep the same private key, but swap in a certificate with a different
        // serial number and DN.
        final Key secondLookup = mKeyStore.getKey(TEST_ALIAS_1, null);
        assertTrue(secondLookup instanceof PrivateKey);
        final PrivateKey sameKey = (PrivateKey) secondLookup;

        final X509Certificate replacementCert = generateCertificate(mAndroidKeyStore,
                TEST_ALIAS_1, TEST_SERIAL_2, TEST_DN_2, NOW, NOW_PLUS_10_YEARS);
        final Certificate[] replacementChain = { replacementCert };
        mKeyStore.setKeyEntry(TEST_ALIAS_1, sameKey, null, replacementChain);

        final Entry replacedEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertTrue(replacedEntry instanceof PrivateKeyEntry);
        assertPrivateKeyEntryEquals((PrivateKeyEntry) replacedEntry, sameKey, replacementCert,
                null);
    }
   1684 
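    /**
     * Verifies that an existing key entry cannot be overwritten with a different private key.
     *
     * <p>Two key pairs are generated under {@code TEST_ALIAS_1} and {@code TEST_ALIAS_2}. The
     * test then tries to store key #2, with a certificate generated for key #2, under
     * {@code TEST_ALIAS_1} and expects {@code setKeyEntry} to throw a
     * {@link KeyStoreException}.
     */
    public void testKeyStore_SetKeyEntry_ReplacedChain_DifferentPrivateKey_Encrypted_Failure()
            throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        // Create key #1
        {
            final String privateKeyAlias = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
            assertTrue(mAndroidKeyStore.generate(privateKeyAlias, KeyStore.UID_SELF,
                    KeyStore.FLAG_ENCRYPTED));

            X509Certificate cert = generateCertificate(mAndroidKeyStore, TEST_ALIAS_1,
                    TEST_SERIAL_1, TEST_DN_1, NOW, NOW_PLUS_10_YEARS);

            assertTrue(mAndroidKeyStore.put(Credentials.USER_CERTIFICATE + TEST_ALIAS_1,
                    cert.getEncoded(), KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));
        }

        // Create key #2
        {
            final String privateKeyAlias = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_2;
            assertTrue(mAndroidKeyStore.generate(privateKeyAlias, KeyStore.UID_SELF,
                    KeyStore.FLAG_ENCRYPTED));

            X509Certificate cert = generateCertificate(mAndroidKeyStore, TEST_ALIAS_2,
                    TEST_SERIAL_2, TEST_DN_2, NOW, NOW_PLUS_10_YEARS);

            assertTrue(mAndroidKeyStore.put(Credentials.USER_CERTIFICATE + TEST_ALIAS_2,
                    cert.getEncoded(), KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));
        }

        // Replace key #1 with key #2
        {
            // This is the key stored under TEST_ALIAS_2, so it is named key2. The previous
            // name "key1" suggested the opposite.
            Key key2 = mKeyStore.getKey(TEST_ALIAS_2, null);

            X509Certificate cert = generateCertificate(mAndroidKeyStore, TEST_ALIAS_2,
                    TEST_SERIAL_2, TEST_DN_2, NOW, NOW_PLUS_10_YEARS);

            try {
                mKeyStore.setKeyEntry(TEST_ALIAS_1, key2, null, new Certificate[] { cert });
                fail("Should not allow setting of KeyEntry with wrong PrivateKey");
            } catch (KeyStoreException success) {
                // Expected: the keystore must refuse a key that does not match the alias.
            }
        }
    }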
   1730 
    /**
     * Verifies that an entry created without encryption cannot be re-stored with encryption
     * required until the keystore has a password and is unlocked.
     *
     * <p>The test deliberately does not call {@code setupPassword()} first. The first
     * {@code setEntry} with {@code setEncryptionRequired(true)} must throw a
     * {@link KeyStoreException}. After a password is set and the keystore reports itself
     * unlocked, the same call is repeated and must not throw.
     */
    public void testKeyStore_SetKeyEntry_ReplacedChain_UnencryptedToEncrypted_Failure()
            throws Exception {
        mKeyStore.load(null, null);

        // Create key #1 and its certificate with FLAG_NONE, i.e. without requesting encryption.
        final String keyId = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1;
        assertTrue(mAndroidKeyStore.generate(keyId, android.security.KeyStore.UID_SELF,
                android.security.KeyStore.FLAG_NONE));

        final X509Certificate plainCert = generateCertificate(mAndroidKeyStore, TEST_ALIAS_1,
                TEST_SERIAL_1, TEST_DN_1, NOW, NOW_PLUS_10_YEARS);

        assertTrue(mAndroidKeyStore.put(Credentials.USER_CERTIFICATE + TEST_ALIAS_1,
                plainCert.getEncoded(), android.security.KeyStore.UID_SELF,
                android.security.KeyStore.FLAG_NONE));

        // Try to re-store the same entry with encryption required.
        final Entry existing = mKeyStore.getEntry(TEST_ALIAS_1, null);

        try {
            final KeyStoreParameter encryptedParams = new KeyStoreParameter.Builder(getContext())
                    .setEncryptionRequired(true)
                    .build();
            mKeyStore.setEntry(TEST_ALIAS_1, existing, encryptedParams);
            fail("Should not allow setting of Entry without unlocked keystore");
        } catch (KeyStoreException success) {
            // Expected while no password has been set.
        }

        // Once a password is set and the keystore is unlocked, the same request is accepted.
        assertTrue(mAndroidKeyStore.password("1111"));
        assertTrue(mAndroidKeyStore.isUnlocked());

        final KeyStoreParameter encryptedParamsAfterUnlock =
                new KeyStoreParameter.Builder(getContext())
                        .setEncryptionRequired(true)
                        .build();
        mKeyStore.setEntry(TEST_ALIAS_1, existing, encryptedParamsAfterUnlock);
    }
   1772 
    /**
     * Verifies that {@code size()} and the alias listing follow each insertion and deletion:
     * two CA certificates and one generated key are added, then one certificate and the key
     * are removed again.
     */
    public void testKeyStore_Size_Encrypted_Success() throws Exception {
        final String sizeMessage = "The keystore size should match expected";
        final String caEntry1 = Credentials.CA_CERTIFICATE + TEST_ALIAS_1;
        final String caEntry2 = Credentials.CA_CERTIFICATE + TEST_ALIAS_2;
        final String keyEntry3 = Credentials.USER_PRIVATE_KEY + TEST_ALIAS_3;

        setupPassword();
        mKeyStore.load(null, null);

        // Add: CA cert under alias 1.
        assertTrue(mAndroidKeyStore.put(caEntry1, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        assertEquals(sizeMessage, 1, mKeyStore.size());
        assertAliases(new String[] { TEST_ALIAS_1 });

        // Add: the same CA cert bytes under alias 2.
        assertTrue(mAndroidKeyStore.put(caEntry2, FAKE_CA_1, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        assertEquals(sizeMessage, 2, mKeyStore.size());
        assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2 });

        // Add: a generated private key under alias 3.
        assertTrue(mAndroidKeyStore.generate(keyEntry3, KeyStore.UID_SELF,
                KeyStore.FLAG_ENCRYPTED));
        assertEquals(sizeMessage, 3, mKeyStore.size());
        assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2, TEST_ALIAS_3 });

        // Remove: CA cert under alias 1.
        assertTrue(mAndroidKeyStore.delete(caEntry1));
        assertEquals(sizeMessage, 2, mKeyStore.size());
        assertAliases(new String[] { TEST_ALIAS_2, TEST_ALIAS_3 });

        // Remove: the private key under alias 3.
        assertTrue(mAndroidKeyStore.delKey(keyEntry3));
        assertEquals(sizeMessage, 1, mKeyStore.size());
        assertAliases(new String[] { TEST_ALIAS_2 });
    }
   1805 
    /**
     * Verifies that {@code store(LoadStoreParameter)} is rejected with
     * {@link UnsupportedOperationException}.
     */
    public void testKeyStore_Store_LoadStoreParam_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        boolean rejected = false;
        try {
            mKeyStore.store(null);
        } catch (UnsupportedOperationException expected) {
            // Expected: this keystore does not support being stored.
            rejected = true;
        }
        if (!rejected) {
            fail("Should throw UnsupportedOperationException when trying to store");
        }
    }
   1816 
    /**
     * Verifies that {@code load} refuses a caller-supplied input stream with
     * {@link IllegalArgumentException}.
     */
    public void testKeyStore_Load_InputStreamSupplied_Encrypted_Failure() throws Exception {
        // Arbitrary bytes; the stream is expected to be rejected.
        final ByteArrayInputStream bogusStream =
                new ByteArrayInputStream("FAKE KEYSTORE".getBytes());

        boolean rejected = false;
        try {
            mKeyStore.load(bogusStream, null);
        } catch (IllegalArgumentException expected) {
            rejected = true;
        }
        if (!rejected) {
            fail("Should throw IllegalArgumentException when InputStream is supplied");
        }
    }
   1827 
    /**
     * Verifies that {@code load} refuses a caller-supplied password with
     * {@link IllegalArgumentException}.
     */
    public void testKeyStore_Load_PasswordSupplied_Encrypted_Failure() throws Exception {
        final char[] suppliedPassword = "password".toCharArray();

        boolean rejected = false;
        try {
            mKeyStore.load(null, suppliedPassword);
        } catch (IllegalArgumentException expected) {
            rejected = true;
        }
        if (!rejected) {
            fail("Should throw IllegalArgumentException when password is supplied");
        }
    }
   1835 
    /**
     * Verifies that {@code store(OutputStream, char[])} is rejected with
     * {@link UnsupportedOperationException}, both with a {@code null} password and with a
     * non-null one.
     */
    public void testKeyStore_Store_OutputStream_Encrypted_Failure() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        final OutputStream target = new ByteArrayOutputStream();

        // Case 1: no password.
        boolean rejectedWithoutPassword = false;
        try {
            mKeyStore.store(target, null);
        } catch (UnsupportedOperationException expected) {
            rejectedWithoutPassword = true;
        }
        if (!rejectedWithoutPassword) {
            fail("Should throw UnsupportedOperationException when trying to store");
        }

        // Case 2: with a password.
        boolean rejectedWithPassword = false;
        try {
            mKeyStore.store(target, "blah".toCharArray());
        } catch (UnsupportedOperationException expected) {
            rejectedWithPassword = true;
        }
        if (!rejectedWithPassword) {
            fail("Should throw UnsupportedOperationException when trying to store");
        }
    }
   1853 
    /**
     * Generates an encrypted key pair under {@code TEST_ALIAS_1} and stores a self-signed
     * certificate for it, asserting that both keystore operations succeed.
     */
    private void setupKey() throws Exception {
        assertTrue(mAndroidKeyStore.generate(Credentials.USER_PRIVATE_KEY + TEST_ALIAS_1,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));

        final X509Certificate selfSigned = generateCertificate(mAndroidKeyStore, TEST_ALIAS_1,
                TEST_SERIAL_1, TEST_DN_1, NOW, NOW_PLUS_10_YEARS);
        final byte[] encodedCert = selfSigned.getEncoded();

        assertTrue(mAndroidKeyStore.put(Credentials.USER_CERTIFICATE + TEST_ALIAS_1, encodedCert,
                KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED));
    }
   1865 
    /**
     * Verifies that a key pair held by the keystore can wrap and unwrap a secret key: the
     * public key from the stored certificate wraps it, the stored private key unwraps it, and
     * the recovered bytes must equal the original ones.
     *
     * <p>NOTE(review): the transformation is {@code RSA/ECB/PKCS1Padding} (PKCS#1 v1.5). That
     * padding is fine for this round-trip check, but new designs generally prefer OAEP.
     */
    public void testKeyStore_KeyOperations_Wrap_Encrypted_Success() throws Exception {
        setupPassword();
        mKeyStore.load(null, null);

        setupKey();

        // Fetch the key pair that setupKey() stored.
        final Entry storedEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull(storedEntry);
        assertTrue(storedEntry instanceof PrivateKeyEntry);

        final PrivateKeyEntry keyPair = (PrivateKeyEntry) storedEntry;
        final PrivateKey unwrappingKey = keyPair.getPrivateKey();
        assertNotNull(unwrappingKey);

        final PublicKey wrappingKey = keyPair.getCertificate().getPublicKey();

        final Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.WRAP_MODE, wrappingKey);

        // Seven arbitrary bytes labelled "AES". This is not a valid AES key length, and the
        // test only uses the value as an opaque payload for the wrap/unwrap round trip.
        final byte[] payload = {
                0x00, 0x05, (byte) 0xAA, (byte) 0xA5, (byte) 0xFF, 0x55, 0x0A
        };
        final SecretKey original = new SecretKeySpec(payload, "AES");
        final byte[] wrapped = rsa.wrap(original);

        // Re-initialise the same Cipher instance for the reverse direction.
        rsa.init(Cipher.UNWRAP_MODE, unwrappingKey);
        final SecretKey recovered = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

        final String originalBytes = Arrays.toString(original.getEncoded());
        final String recoveredBytes = Arrays.toString(recovered.getEncoded());
        assertEquals(originalBytes, recoveredBytes);
    }
   1900 }