Merge cherrypicks of [12820899, 12820921, 12820267, 12820924, 12820699, 12820781, 12821235, 12821236, 12820925, 12821237, 12820545, 12821039, 12820926, 12820927, 12820928, 12820929, 12820930, 12820590, 12820471, 12820591, 12820592, 12820593, 12820594, 12821255, 12821256, 12821257, 12820998, 12820932, 12821258, 12820546, 12820933, 12820934, 12820547, 12820548, 12821275, 12821238, 12821239, 12821240, 12821241, 12821199, 12821276, 12821277, 12821278, 12821279, 12821280] into rvc-qpr1-releaseandroid-11.0.0_r29android-11.0.0_r27android-11.0.0_r26android-11.0.0_r23android-11.0.0_r22android-11.0.0_r21android-11.0.0_r20android-11.0.0_r19android-11.0.0_r18android11-qpr1-s2-releaseandroid11-qpr1-s1-releaseandroid11-qpr1-release

Change-Id: I7cb7547b355836475d48a40c7b61cafd72e3e893

1 files changed, 27 insertions, 15 deletions

diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java
index 68a7cfa..6c03fa1 100644
--- a/src/com/android/keychain/KeyChainService.java
+++ b/src/com/android/keychain/KeyChainService.java
@@ -357,39 +357,51 @@ public class KeyChainService extends IntentService {
         @Override public String installCaCertificate(byte[] caCertificate) {
             checkCertInstallerOrSystemCaller();
             final String alias;
-            String subjectForAudit = null;
+            String subject = null;
+            final boolean isSecurityLoggingEnabled = mInjector.isSecurityLoggingEnabled();
             try {
                 final X509Certificate cert = parseCertificate(caCertificate);
-                final boolean isSecurityLoggingEnabled = mInjector.isSecurityLoggingEnabled();
+
                 final boolean isDebugLoggable = Log.isLoggable(TAG, Log.DEBUG);
-                if (isSecurityLoggingEnabled || isDebugLoggable) {
-                    final String subject =
-                            cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
-                    if (isDebugLoggable) {
-                        Log.d(TAG, String.format("Installing CA certificate: %s", subject));
-                    }
-                    if (isSecurityLoggingEnabled) {
-                        subjectForAudit = subject;
-                    }
+                subject = cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
+                if (isDebugLoggable) {
+                    Log.d(TAG, String.format("Installing CA certificate: %s", subject));
                 }
+
                 synchronized (mTrustedCertificateStore) {
                     mTrustedCertificateStore.installCertificate(cert);
                     alias = mTrustedCertificateStore.getCertificateAlias(cert);
                 }
             } catch (IOException | CertificateException e) {
                 Log.w(TAG, "Failed installing CA certificate", e);
-                if (subjectForAudit != null) {
+                if (isSecurityLoggingEnabled && subject != null) {
                     mInjector.writeSecurityEvent(
-                            TAG_CERT_AUTHORITY_INSTALLED, 0 /*result*/, subjectForAudit,
+                            TAG_CERT_AUTHORITY_INSTALLED, 0 /*result*/, subject,
                             UserHandle.myUserId());
                 }
                 throw new IllegalStateException(e);
             }
-            if (subjectForAudit != null) {
+            if (isSecurityLoggingEnabled && subject != null) {
                 mInjector.writeSecurityEvent(
-                        TAG_CERT_AUTHORITY_INSTALLED, 1 /*result*/, subjectForAudit,
+                        TAG_CERT_AUTHORITY_INSTALLED, 1 /*result*/, subject,
                         UserHandle.myUserId());
             }
+
+            // If the caller is the cert installer, install the CA certificate into KeyStore.
+            // This is a temporary solution to enable CA certificates to be used as VPN trust
+            // anchors. Ultimately, the user should explicitly choose to install the VPN trust
+            // anchor separately and independently of CA certificates, at which point this code
+            // should be removed.
+            if (CERT_INSTALLER_PACKAGE.equals(callingPackage())) {
+                final boolean result = mKeyStore.put(
+                        String.format("%s%s %s", Credentials.CA_CERTIFICATE, subject, alias),
+                        caCertificate, Process.SYSTEM_UID,
+                        KeyStore.FLAG_NONE);
+                Log.d(TAG, String.format(
+                        "Attempted installing %s (subject: %s) to KeyStore. Result: %b", alias,
+                        subject, result));
+            }
+
             broadcastLegacyStorageChange();
             broadcastTrustStoreChange();
             return alias;