Merge cherrypicks of [15601928, 15601978, 15601929, 15602376, 15602372, 15601960, 15601961, 15601962, 15601963, 15601964, 15602416, 15602437, 15602438, 15602440, 15602441, 15602443, 15602444, 15602445, 15602446, 15602447, 15601006, 15601007, 15601008, 15601009, 15601010, 15601011, 15601932, 15601933, 15601934, 15601935, 15602456, 15602457, 15602458, 15602459, 15601981, 15601982, 15601983, 15601984, 15602417, 15602418, 15602419, 15602420, 15602421, 15602422, 15602423, 15602379, 15602380, 15602381, 15602382, 15602383, 15602384, 15602385, 15602386, 15601012, 15601013, 15601014, 15601015, 15602476, 15602477] into sc-releaseandroid-vts-12.0_r1android-security-12.0.0_r59android-security-12.0.0_r58android-security-12.0.0_r57android-security-12.0.0_r56android-security-12.0.0_r55android-security-12.0.0_r54android-security-12.0.0_r53android-security-12.0.0_r52android-security-12.0.0_r51android-security-12.0.0_r50android-security-12.0.0_r49android-security-12.0.0_r48android-security-12.0.0_r47android-security-12.0.0_r46android-security-12.0.0_r45android-security-12.0.0_r44android-security-12.0.0_r43android-security-12.0.0_r42android-security-12.0.0_r41android-security-12.0.0_r40android-security-12.0.0_r39android-security-12.0.0_r38android-security-12.0.0_r37android-security-12.0.0_r36android-security-12.0.0_r35android-security-12.0.0_r34android-platform-12.0.0_r1android-cts-12.0_r1android-12.0.0_r9android-12.0.0_r8android-12.0.0_r34android-12.0.0_r33android-12.0.0_r31android-12.0.0_r30android-12.0.0_r3android-12.0.0_r25android-12.0.0_r2android-12.0.0_r11android-12.0.0_r10android-12.0.0_r1android12-security-releaseandroid12-s5-releaseandroid12-s4-releaseandroid12-s3-releaseandroid12-s2-releaseandroid12-s1-releaseandroid12-release

Change-Id: Ib5779eaebe4343915079821bbdf260ae9d3672c7

4 files changed, 129 insertions, 110 deletions

diff --git a/wifi/keystore/1.0/default/keystore.cpp b/wifi/keystore/1.0/default/keystore.cpp
index 68b682e..69bac18 100644
--- a/wifi/keystore/1.0/default/keystore.cpp
+++ b/wifi/keystore/1.0/default/keystore.cpp
@@ -7,19 +7,17 @@
 #include <android-base/strings.h>
 #include <android/binder_manager.h>
 #include <binder/IServiceManager.h>
-#include <ctype.h>
 #include <openssl/base.h>
 #include <openssl/bio.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include <private/android_filesystem_config.h>
 #include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
 
-#include <future>
 #include <vector>
 
+#include "wifikeystorehal_utils.h"
+
 #define AT __func__ << ":" << __LINE__ << " "
 
 namespace ks2 = ::aidl::android::system::keystore2;
@@ -35,43 +33,6 @@ constexpr const char kLegacyKeystoreServiceName[] = "android.security.legacykeys
 
 const std::string keystore2_grant_id_prefix("ks2_keystore-engine_grant_id:");
 
-// Helper method to extract public key from the certificate.
-std::vector<uint8_t> extractPubKey(const std::vector<uint8_t>& cert_bytes) {
-    bssl::UniquePtr<BIO> cert_bio(BIO_new_mem_buf(cert_bytes.data(), cert_bytes.size()));
-    if (!cert_bio) {
-        LOG(ERROR) << AT << "Failed to create BIO";
-        return {};
-    }
-    bssl::UniquePtr<X509> decoded_cert(d2i_X509_bio(cert_bio.get(), nullptr));
-    if (!decoded_cert) {
-        LOG(INFO) << AT << "Could not decode the cert, trying decoding as PEM";
-        decoded_cert =
-            bssl::UniquePtr<X509>(PEM_read_bio_X509(cert_bio.get(), nullptr, nullptr, nullptr));
-    }
-    if (!decoded_cert) {
-        LOG(ERROR) << AT << "Could not decode the cert.";
-        return {};
-    }
-    bssl::UniquePtr<EVP_PKEY> pub_key(X509_get_pubkey(decoded_cert.get()));
-    if (!pub_key) {
-        LOG(ERROR) << AT << "Could not extract public key.";
-        return {};
-    }
-    bssl::UniquePtr<BIO> pub_key_bio(BIO_new(BIO_s_mem()));
-    if (!pub_key_bio || i2d_PUBKEY_bio(pub_key_bio.get(), pub_key.get()) <= 0) {
-        LOG(ERROR) << AT << "Could not serialize public key.";
-        return {};
-    }
-    const uint8_t* pub_key_bytes;
-    size_t pub_key_len;
-    if (!BIO_mem_contents(pub_key_bio.get(), &pub_key_bytes, &pub_key_len)) {
-        LOG(ERROR) << AT << "Could not get bytes from BIO.";
-        return {};
-    }
-
-    return {pub_key_bytes, pub_key_bytes + pub_key_len};
-}
-
 ks2::KeyDescriptor mkKeyDescriptor(const std::string& alias) {
     // If the key_id starts with the grant id prefix, we parse the following string as numeric
     // grant id. We can then use the grant domain without alias to load the designated key.
diff --git a/wifi/keystore/1.0/default/test/Android.bp b/wifi/keystore/1.0/default/test/Android.bp
index e16155b..eef58e9 100644
--- a/wifi/keystore/1.0/default/test/Android.bp
+++ b/wifi/keystore/1.0/default/test/Android.bp
@@ -23,6 +23,7 @@ cc_test {
     shared_libs: [
         "libbase",
         "liblog",
+        "libcrypto",
         "libcutils",
         "libhidlbase",
         "libnativehelper",
diff --git a/wifi/keystore/1.0/default/test/WifiLegacyKeystoreIntegrationTest.cpp b/wifi/keystore/1.0/default/test/WifiLegacyKeystoreIntegrationTest.cpp
index 5fa1684..ac801e5 100644
--- a/wifi/keystore/1.0/default/test/WifiLegacyKeystoreIntegrationTest.cpp
+++ b/wifi/keystore/1.0/default/test/WifiLegacyKeystoreIntegrationTest.cpp
@@ -15,19 +15,16 @@
  */
 
 #include <aidl/android/security/legacykeystore/ILegacyKeystore.h>
-#include <aidl/android/system/keystore2/IKeystoreOperation.h>
-#include <aidl/android/system/keystore2/IKeystoreSecurityLevel.h>
-#include <aidl/android/system/keystore2/IKeystoreService.h>
 #include <aidl/android/system/keystore2/ResponseCode.h>
 #include <android/binder_manager.h>
 #include <android/system/wifi/keystore/1.0/IKeystore.h>
-#include <binder/IServiceManager.h>
 #include <cutils/properties.h>
 #include <gtest/gtest.h>
 #include <hidl/GtestPrinter.h>
 #include <hidl/ServiceManagement.h>
 #include <private/android_filesystem_config.h>
-#include <utils/String16.h>
+
+#include "../wifikeystorehal_utils.h"
 
 using namespace std;
 using namespace ::testing;
@@ -50,6 +47,65 @@ enum KeyPurpose {
     SIGNING,
 };
 
+// Some test certificate in PEM encoding.
+static const char kPemTestCert[] = R"(-----BEGIN CERTIFICATE-----
+MIICWDCCAcGgAwIBAgIUMpH52TRcL1gTknsm5eR+wvCGxNMwDQYJKoZIhvcNAQEL
+BQAwPjELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxGjAYBgNVBAoM
+EUFuZHJvaWQgVGVzdCBDZXJ0MB4XDTIxMDczMDAwMzY1OVoXDTIyMDczMDAwMzY1
+OVowPjELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxGjAYBgNVBAoM
+EUFuZHJvaWQgVGVzdCBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDL
+q7JTXvL3ErVX2ZU9hQ0PLnkyw984qweNhQw8xIvwzTs3hXtV0K4hmWJiPKxOv3H7
+Q//TOcxI6+Qp4qOa79UUYDvmObjOCW1jQvZ9UQQfvdMO1WSa3BQoPJYQXiuyiuPs
++XM58Yl8TPV+IQ+Znx5axn5PxEmoqCUmeBv/wbJlDwIDAQABo1MwUTAdBgNVHQ4E
+FgQUEbhF5fYkUPchj+GdWX1aoOHkH3owHwYDVR0jBBgwFoAUEbhF5fYkUPchj+Gd
+WX1aoOHkH3owDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQChejph
+iYWFBeQEQtPYGGwSNO1HgzRhvsdGKDJUtRDAvDPxlRO8jkGmrSaD3QJUY4bCkx5c
+S9W7oRxyiUaxJFtw9Lbxkc4G3v0hpxYqfX4R4lzM8oU/50cPEpZGVaIZNrqBiXbd
+wFzPSv/UTXFBKlR5grYTmsiHCBbEv0apNJNI0g==
+-----END CERTIFICATE-----
+)";
+
+// Some test certificate in DER encoding.
+static const std::vector<uint8_t> kDerTestCert{
+    0x30, 0x82, 0x02, 0x58, 0x30, 0x82, 0x01, 0xc1, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x32,
+    0x91, 0xf9, 0xd9, 0x34, 0x5c, 0x2f, 0x58, 0x13, 0x92, 0x7b, 0x26, 0xe5, 0xe4, 0x7e, 0xc2, 0xf0,
+    0x86, 0xc4, 0xd3, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+    0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
+    0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65,
+    0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c,
+    0x11, 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65,
+    0x72, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x37, 0x33, 0x30, 0x30, 0x30, 0x33, 0x36,
+    0x35, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x32, 0x30, 0x37, 0x33, 0x30, 0x30, 0x30, 0x33, 0x36, 0x35,
+    0x39, 0x5a, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
+    0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65,
+    0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c,
+    0x11, 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65,
+    0x72, 0x74, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+    0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xcb,
+    0xab, 0xb2, 0x53, 0x5e, 0xf2, 0xf7, 0x12, 0xb5, 0x57, 0xd9, 0x95, 0x3d, 0x85, 0x0d, 0x0f, 0x2e,
+    0x79, 0x32, 0xc3, 0xdf, 0x38, 0xab, 0x07, 0x8d, 0x85, 0x0c, 0x3c, 0xc4, 0x8b, 0xf0, 0xcd, 0x3b,
+    0x37, 0x85, 0x7b, 0x55, 0xd0, 0xae, 0x21, 0x99, 0x62, 0x62, 0x3c, 0xac, 0x4e, 0xbf, 0x71, 0xfb,
+    0x43, 0xff, 0xd3, 0x39, 0xcc, 0x48, 0xeb, 0xe4, 0x29, 0xe2, 0xa3, 0x9a, 0xef, 0xd5, 0x14, 0x60,
+    0x3b, 0xe6, 0x39, 0xb8, 0xce, 0x09, 0x6d, 0x63, 0x42, 0xf6, 0x7d, 0x51, 0x04, 0x1f, 0xbd, 0xd3,
+    0x0e, 0xd5, 0x64, 0x9a, 0xdc, 0x14, 0x28, 0x3c, 0x96, 0x10, 0x5e, 0x2b, 0xb2, 0x8a, 0xe3, 0xec,
+    0xf9, 0x73, 0x39, 0xf1, 0x89, 0x7c, 0x4c, 0xf5, 0x7e, 0x21, 0x0f, 0x99, 0x9f, 0x1e, 0x5a, 0xc6,
+    0x7e, 0x4f, 0xc4, 0x49, 0xa8, 0xa8, 0x25, 0x26, 0x78, 0x1b, 0xff, 0xc1, 0xb2, 0x65, 0x0f, 0x02,
+    0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04,
+    0x16, 0x04, 0x14, 0x11, 0xb8, 0x45, 0xe5, 0xf6, 0x24, 0x50, 0xf7, 0x21, 0x8f, 0xe1, 0x9d, 0x59,
+    0x7d, 0x5a, 0xa0, 0xe1, 0xe4, 0x1f, 0x7a, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18,
+    0x30, 0x16, 0x80, 0x14, 0x11, 0xb8, 0x45, 0xe5, 0xf6, 0x24, 0x50, 0xf7, 0x21, 0x8f, 0xe1, 0x9d,
+    0x59, 0x7d, 0x5a, 0xa0, 0xe1, 0xe4, 0x1f, 0x7a, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
+    0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+    0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0xa1, 0x7a, 0x3a, 0x61,
+    0x89, 0x85, 0x85, 0x05, 0xe4, 0x04, 0x42, 0xd3, 0xd8, 0x18, 0x6c, 0x12, 0x34, 0xed, 0x47, 0x83,
+    0x34, 0x61, 0xbe, 0xc7, 0x46, 0x28, 0x32, 0x54, 0xb5, 0x10, 0xc0, 0xbc, 0x33, 0xf1, 0x95, 0x13,
+    0xbc, 0x8e, 0x41, 0xa6, 0xad, 0x26, 0x83, 0xdd, 0x02, 0x54, 0x63, 0x86, 0xc2, 0x93, 0x1e, 0x5c,
+    0x4b, 0xd5, 0xbb, 0xa1, 0x1c, 0x72, 0x89, 0x46, 0xb1, 0x24, 0x5b, 0x70, 0xf4, 0xb6, 0xf1, 0x91,
+    0xce, 0x06, 0xde, 0xfd, 0x21, 0xa7, 0x16, 0x2a, 0x7d, 0x7e, 0x11, 0xe2, 0x5c, 0xcc, 0xf2, 0x85,
+    0x3f, 0xe7, 0x47, 0x0f, 0x12, 0x96, 0x46, 0x55, 0xa2, 0x19, 0x36, 0xba, 0x81, 0x89, 0x76, 0xdd,
+    0xc0, 0x5c, 0xcf, 0x4a, 0xff, 0xd4, 0x4d, 0x71, 0x41, 0x2a, 0x54, 0x79, 0x82, 0xb6, 0x13, 0x9a,
+    0xc8, 0x87, 0x08, 0x16, 0xc4, 0xbf, 0x46, 0xa9, 0x34, 0x93, 0x48, 0xd2};
+
 // The fixture for testing the Wifi Keystore HAL legacy keystore integration.
 class WifiLegacyKeystoreTest : public TestWithParam<std::string> {
    protected:
@@ -163,27 +219,10 @@ TEST_P(WifiLegacyKeystoreTest, GetLegacyKeystoreTest) {
                      << "Cannot transition to AID_SYSTEM.";
     }
 
-    // Only AID_SYSTEM (and AID_WIFI) is allowed to manipulate
+    // Only AID_SYSTEM (and AID_WIFI) is allowed to manipulate the wifi namespace.
     ASSERT_EQ(0, seteuid(AID_SYSTEM)) << "Failed to set uid to AID_SYSTEM: " << strerror(errno);
 
-    // Some test certificate in PEM encoding.
-    static const char kTestBlob[] = R"(-----BEGIN CERTIFICATE-----
-MIICWDCCAcGgAwIBAgIUMpH52TRcL1gTknsm5eR+wvCGxNMwDQYJKoZIhvcNAQEL
-BQAwPjELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxGjAYBgNVBAoM
-EUFuZHJvaWQgVGVzdCBDZXJ0MB4XDTIxMDczMDAwMzY1OVoXDTIyMDczMDAwMzY1
-OVowPjELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxGjAYBgNVBAoM
-EUFuZHJvaWQgVGVzdCBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDL
-q7JTXvL3ErVX2ZU9hQ0PLnkyw984qweNhQw8xIvwzTs3hXtV0K4hmWJiPKxOv3H7
-Q//TOcxI6+Qp4qOa79UUYDvmObjOCW1jQvZ9UQQfvdMO1WSa3BQoPJYQXiuyiuPs
-+XM58Yl8TPV+IQ+Znx5axn5PxEmoqCUmeBv/wbJlDwIDAQABo1MwUTAdBgNVHQ4E
-FgQUEbhF5fYkUPchj+GdWX1aoOHkH3owHwYDVR0jBBgwFoAUEbhF5fYkUPchj+Gd
-WX1aoOHkH3owDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQChejph
-iYWFBeQEQtPYGGwSNO1HgzRhvsdGKDJUtRDAvDPxlRO8jkGmrSaD3QJUY4bCkx5c
-S9W7oRxyiUaxJFtw9Lbxkc4G3v0hpxYqfX4R4lzM8oU/50cPEpZGVaIZNrqBiXbd
-wFzPSv/UTXFBKlR5grYTmsiHCBbEv0apNJNI0g==
------END CERTIFICATE-----
-)";
-    const std::vector<uint8_t> TESTBLOB(std::begin(kTestBlob), std::end(kTestBlob));
+    const std::vector<uint8_t> TESTBLOB(std::begin(kPemTestCert), std::end(kPemTestCert));
     const std::string TESTALIAS = "LegacyKeystoreWifiTestAlias";
 
     ASSERT_TRUE(LegacyKeystoreRemove(TESTALIAS, AID_WIFI));
@@ -217,54 +256,10 @@ TEST_P(WifiLegacyKeystoreTest, IKeystoreGetAlwaysReturnsPem) {
     // Only AID_SYSTEM (and AID_WIFI) is allowed to manipulate
     ASSERT_EQ(0, seteuid(AID_SYSTEM)) << "Failed to set uid to AID_SYSTEM: " << strerror(errno);
 
-    // Some test certificate in DER encoding.
-    const std::vector<uint8_t> TESTBLOB_DER{
-        0x30, 0x82, 0x02, 0x58, 0x30, 0x82, 0x01, 0xc1, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14,
-        0x32, 0x91, 0xf9, 0xd9, 0x34, 0x5c, 0x2f, 0x58, 0x13, 0x92, 0x7b, 0x26, 0xe5, 0xe4, 0x7e,
-        0xc2, 0xf0, 0x86, 0xc4, 0xd3, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
-        0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
-        0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c,
-        0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x1a, 0x30, 0x18,
-        0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x20,
-        0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31,
-        0x30, 0x37, 0x33, 0x30, 0x30, 0x30, 0x33, 0x36, 0x35, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x32,
-        0x30, 0x37, 0x33, 0x30, 0x30, 0x30, 0x33, 0x36, 0x35, 0x39, 0x5a, 0x30, 0x3e, 0x31, 0x0b,
-        0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
-        0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61,
-        0x74, 0x65, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x41, 0x6e,
-        0x64, 0x72, 0x6f, 0x69, 0x64, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74,
-        0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
-        0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xcb,
-        0xab, 0xb2, 0x53, 0x5e, 0xf2, 0xf7, 0x12, 0xb5, 0x57, 0xd9, 0x95, 0x3d, 0x85, 0x0d, 0x0f,
-        0x2e, 0x79, 0x32, 0xc3, 0xdf, 0x38, 0xab, 0x07, 0x8d, 0x85, 0x0c, 0x3c, 0xc4, 0x8b, 0xf0,
-        0xcd, 0x3b, 0x37, 0x85, 0x7b, 0x55, 0xd0, 0xae, 0x21, 0x99, 0x62, 0x62, 0x3c, 0xac, 0x4e,
-        0xbf, 0x71, 0xfb, 0x43, 0xff, 0xd3, 0x39, 0xcc, 0x48, 0xeb, 0xe4, 0x29, 0xe2, 0xa3, 0x9a,
-        0xef, 0xd5, 0x14, 0x60, 0x3b, 0xe6, 0x39, 0xb8, 0xce, 0x09, 0x6d, 0x63, 0x42, 0xf6, 0x7d,
-        0x51, 0x04, 0x1f, 0xbd, 0xd3, 0x0e, 0xd5, 0x64, 0x9a, 0xdc, 0x14, 0x28, 0x3c, 0x96, 0x10,
-        0x5e, 0x2b, 0xb2, 0x8a, 0xe3, 0xec, 0xf9, 0x73, 0x39, 0xf1, 0x89, 0x7c, 0x4c, 0xf5, 0x7e,
-        0x21, 0x0f, 0x99, 0x9f, 0x1e, 0x5a, 0xc6, 0x7e, 0x4f, 0xc4, 0x49, 0xa8, 0xa8, 0x25, 0x26,
-        0x78, 0x1b, 0xff, 0xc1, 0xb2, 0x65, 0x0f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30,
-        0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x11, 0xb8, 0x45,
-        0xe5, 0xf6, 0x24, 0x50, 0xf7, 0x21, 0x8f, 0xe1, 0x9d, 0x59, 0x7d, 0x5a, 0xa0, 0xe1, 0xe4,
-        0x1f, 0x7a, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
-        0x11, 0xb8, 0x45, 0xe5, 0xf6, 0x24, 0x50, 0xf7, 0x21, 0x8f, 0xe1, 0x9d, 0x59, 0x7d, 0x5a,
-        0xa0, 0xe1, 0xe4, 0x1f, 0x7a, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff,
-        0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
-        0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0xa1, 0x7a, 0x3a, 0x61,
-        0x89, 0x85, 0x85, 0x05, 0xe4, 0x04, 0x42, 0xd3, 0xd8, 0x18, 0x6c, 0x12, 0x34, 0xed, 0x47,
-        0x83, 0x34, 0x61, 0xbe, 0xc7, 0x46, 0x28, 0x32, 0x54, 0xb5, 0x10, 0xc0, 0xbc, 0x33, 0xf1,
-        0x95, 0x13, 0xbc, 0x8e, 0x41, 0xa6, 0xad, 0x26, 0x83, 0xdd, 0x02, 0x54, 0x63, 0x86, 0xc2,
-        0x93, 0x1e, 0x5c, 0x4b, 0xd5, 0xbb, 0xa1, 0x1c, 0x72, 0x89, 0x46, 0xb1, 0x24, 0x5b, 0x70,
-        0xf4, 0xb6, 0xf1, 0x91, 0xce, 0x06, 0xde, 0xfd, 0x21, 0xa7, 0x16, 0x2a, 0x7d, 0x7e, 0x11,
-        0xe2, 0x5c, 0xcc, 0xf2, 0x85, 0x3f, 0xe7, 0x47, 0x0f, 0x12, 0x96, 0x46, 0x55, 0xa2, 0x19,
-        0x36, 0xba, 0x81, 0x89, 0x76, 0xdd, 0xc0, 0x5c, 0xcf, 0x4a, 0xff, 0xd4, 0x4d, 0x71, 0x41,
-        0x2a, 0x54, 0x79, 0x82, 0xb6, 0x13, 0x9a, 0xc8, 0x87, 0x08, 0x16, 0xc4, 0xbf, 0x46, 0xa9,
-        0x34, 0x93, 0x48, 0xd2};
-
     const std::string TESTALIAS = "LegacyKeystoreWifiTestAlias";
 
     ASSERT_TRUE(LegacyKeystoreRemove(TESTALIAS, AID_WIFI));
-    ASSERT_TRUE(LegacyKeystorePut(TESTALIAS, TESTBLOB_DER, AID_WIFI));
+    ASSERT_TRUE(LegacyKeystorePut(TESTALIAS, kDerTestCert, AID_WIFI));
 
     IKeystore::KeystoreStatusCode statusCode;
     std::vector<uint8_t> blob;
@@ -456,4 +451,15 @@ TEST_P(WifiLegacyKeystoreTest, IKeystoreGetAlwaysReturnsPemWithChain) {
     ASSERT_TRUE(LegacyKeystoreRemove(TESTALIAS, AID_WIFI));
 }
 
+TEST(WifiKeystoreUtilsTest, ExtractPublicKeyHandlesDer) {
+    auto cert = extractPubKey(kDerTestCert);
+    ASSERT_FALSE(cert.empty());
+}
+
+TEST(WifiKeystoreUtilsTest, ExtractPublicKeyHandlesPemFallback) {
+    const std::vector<uint8_t> TESTBLOB(std::begin(kPemTestCert), std::end(kPemTestCert));
+    auto cert = extractPubKey(TESTBLOB);
+    ASSERT_FALSE(cert.empty());
+}
+
 }  // namespace
diff --git a/wifi/keystore/1.0/default/wifikeystorehal_utils.h b/wifi/keystore/1.0/default/wifikeystorehal_utils.h
new file mode 100644
index 0000000..d7a790e
--- /dev/null
+++ b/wifi/keystore/1.0/default/wifikeystorehal_utils.h
@@ -0,0 +1,51 @@
+#pragma once
+
+#include <android-base/logging.h>
+#include <openssl/base.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <vector>
+
+#define AT __func__ << ":" << __LINE__ << " "
+
+namespace {
+// Helper method to extract public key from the certificate.
+std::vector<uint8_t> extractPubKey(const std::vector<uint8_t>& cert_bytes) {
+    const uint8_t* p = cert_bytes.data();
+    bssl::UniquePtr<X509> decoded_cert(d2i_X509(nullptr, &p, cert_bytes.size()));
+    if (!decoded_cert) {
+        LOG(INFO) << AT << "Could not decode the cert, trying decoding as PEM";
+        bssl::UniquePtr<BIO> cert_bio(BIO_new_mem_buf(cert_bytes.data(), cert_bytes.size()));
+        if (!cert_bio) {
+            LOG(ERROR) << AT << "Failed to create BIO";
+            return {};
+        }
+        decoded_cert =
+            bssl::UniquePtr<X509>(PEM_read_bio_X509(cert_bio.get(), nullptr, nullptr, nullptr));
+    }
+    if (!decoded_cert) {
+        LOG(ERROR) << AT << "Could not decode the cert.";
+        return {};
+    }
+    bssl::UniquePtr<EVP_PKEY> pub_key(X509_get_pubkey(decoded_cert.get()));
+    if (!pub_key) {
+        LOG(ERROR) << AT << "Could not extract public key.";
+        return {};
+    }
+    bssl::UniquePtr<BIO> pub_key_bio(BIO_new(BIO_s_mem()));
+    if (!pub_key_bio || i2d_PUBKEY_bio(pub_key_bio.get(), pub_key.get()) <= 0) {
+        LOG(ERROR) << AT << "Could not serialize public key.";
+        return {};
+    }
+    const uint8_t* pub_key_bytes;
+    size_t pub_key_len;
+    if (!BIO_mem_contents(pub_key_bio.get(), &pub_key_bytes, &pub_key_len)) {
+        LOG(ERROR) << AT << "Could not get bytes from BIO.";
+        return {};
+    }
+
+    return {pub_key_bytes, pub_key_bytes + pub_key_len};
+}
+
+}  // namespace
\ No newline at end of file