diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2020-10-13 01:11:08 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-10-13 01:11:08 +0000 |
commit | 6a7b186f540eb5e48b4ada2a2592f5b69b4a3619 (patch) | |
tree | c9422dbafa34da263cf18f2fa4da4cb28891c18a | |
parent | e58ce8ace5b8dca6ebe8744dfa6ac687f0d50042 (diff) | |
parent | ed1888ebc3888399ec5144491e43bf7d871028e5 (diff) | |
download | KeyChain-android11-qpr1-s2-release.tar.gz |
Merge cherrypicks of [12820899, 12820921, 12820267, 12820924, 12820699, 12820781, 12821235, 12821236, 12820925, 12821237, 12820545, 12821039, 12820926, 12820927, 12820928, 12820929, 12820930, 12820590, 12820471, 12820591, 12820592, 12820593, 12820594, 12821255, 12821256, 12821257, 12820998, 12820932, 12821258, 12820546, 12820933, 12820934, 12820547, 12820548, 12821275, 12821238, 12821239, 12821240, 12821241, 12821199, 12821276, 12821277, 12821278, 12821279, 12821280] into rvc-qpr1-releaseandroid-11.0.0_r29android-11.0.0_r27android-11.0.0_r26android-11.0.0_r23android-11.0.0_r22android-11.0.0_r21android-11.0.0_r20android-11.0.0_r19android-11.0.0_r18android11-qpr1-s2-releaseandroid11-qpr1-s1-releaseandroid11-qpr1-release
Change-Id: I7cb7547b355836475d48a40c7b61cafd72e3e893
-rw-r--r-- | src/com/android/keychain/KeyChainService.java | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java index 68a7cfa..6c03fa1 100644 --- a/src/com/android/keychain/KeyChainService.java +++ b/src/com/android/keychain/KeyChainService.java @@ -357,39 +357,51 @@ public class KeyChainService extends IntentService { @Override public String installCaCertificate(byte[] caCertificate) { checkCertInstallerOrSystemCaller(); final String alias; - String subjectForAudit = null; + String subject = null; + final boolean isSecurityLoggingEnabled = mInjector.isSecurityLoggingEnabled(); try { final X509Certificate cert = parseCertificate(caCertificate); - final boolean isSecurityLoggingEnabled = mInjector.isSecurityLoggingEnabled(); + final boolean isDebugLoggable = Log.isLoggable(TAG, Log.DEBUG); - if (isSecurityLoggingEnabled || isDebugLoggable) { - final String subject = - cert.getSubjectX500Principal().getName(X500Principal.CANONICAL); - if (isDebugLoggable) { - Log.d(TAG, String.format("Installing CA certificate: %s", subject)); - } - if (isSecurityLoggingEnabled) { - subjectForAudit = subject; - } + subject = cert.getSubjectX500Principal().getName(X500Principal.CANONICAL); + if (isDebugLoggable) { + Log.d(TAG, String.format("Installing CA certificate: %s", subject)); } + synchronized (mTrustedCertificateStore) { mTrustedCertificateStore.installCertificate(cert); alias = mTrustedCertificateStore.getCertificateAlias(cert); } } catch (IOException | CertificateException e) { Log.w(TAG, "Failed installing CA certificate", e); - if (subjectForAudit != null) { + if (isSecurityLoggingEnabled && subject != null) { mInjector.writeSecurityEvent( - TAG_CERT_AUTHORITY_INSTALLED, 0 /*result*/, subjectForAudit, + TAG_CERT_AUTHORITY_INSTALLED, 0 /*result*/, subject, UserHandle.myUserId()); } throw new IllegalStateException(e); } - if (subjectForAudit != null) { + if (isSecurityLoggingEnabled && subject != null) { mInjector.writeSecurityEvent( - TAG_CERT_AUTHORITY_INSTALLED, 1 /*result*/, subjectForAudit, + TAG_CERT_AUTHORITY_INSTALLED, 1 /*result*/, subject, UserHandle.myUserId()); } + + // If the caller is the cert installer, install the CA certificate into KeyStore. + // This is a temporary solution to enable CA certificates to be used as VPN trust + // anchors. Ultimately, the user should explicitly choose to install the VPN trust + // anchor separately and independently of CA certificates, at which point this code + // should be removed. + if (CERT_INSTALLER_PACKAGE.equals(callingPackage())) { + final boolean result = mKeyStore.put( + String.format("%s%s %s", Credentials.CA_CERTIFICATE, subject, alias), + caCertificate, Process.SYSTEM_UID, + KeyStore.FLAG_NONE); + Log.d(TAG, String.format( + "Attempted installing %s (subject: %s) to KeyStore. Result: %b", alias, + subject, result)); + } + broadcastLegacyStorageChange(); broadcastTrustStoreChange(); return alias; |