Make CertInstaller installed CA certs trusted by applications via default TrustManager (4 of 6)
frameworks/base
Adding IKeyChainService APIs for CertInstaller and Settings use
keystore/java/android/security/IKeyChainService.aidl
libcore
Improve exceptions to include more information
luni/src/main/java/javax/security/auth/x500/X500Principal.java
Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods.
Added support for adding user CAs in a separate directory for system.
Added support for removing system CAs by placing a copy in a sytem directory
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java
Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash
to make sure the implementing algorithms doe not change since
TrustedCertificateStore depend on X509_NAME_hash_old (OpenSSL
changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to
1.0.0)
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Extensive test of new TrustedCertificateStore behavior
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java
TestKeyStore improvements
- Refactored TestKeyStore to provide simpler createCA method (and
internal createCertificate)
- Cleaned up to remove use of BouncyCastle specific X509Principal
in the TestKeyStore API when the public X500Principal would do.
- Cleaned up TestKeyStore support methods to not throw Exception
to remove need for static blocks for catch clauses in tests.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Added private PKIXParameters contructor for use by
IndexedPKIXParameters to avoid wart of having to lookup and pass
a TrustAnchor to satisfy the super-class sanity check.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
luni/src/main/java/java/security/cert/PKIXParameters.java
packages/apps/CertInstaller
Change CertInstaller to call IKeyChainService.installCertificate
for CA certs to pass them to the KeyChainServiceTest which will
make them available to all apps through the
TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask.
src/com/android/certinstaller/CertInstaller.java
Added installCaCertsToKeyChain and hasCaCerts accessor for use by
CertInstaller. Use hasUserCertificate() internally. Cleanup coding
style.
src/com/android/certinstaller/CredentialHelper.java
packages/apps/KeyChain
Added MANAGE_ACCOUNTS so that IKeyChainService.reset
implementation can remove KeyChain accounts.
AndroidManifest.xml
Implement new IKeyChainService methods:
- Added IKeyChainService.installCaCertificate to install certs
provided by CertInstaller using the TrustedCertificateStore.
- Added IKeyChainService.reset to allow Settings to remove the
KeyChain accounts so that any app granted access to keystore
credentials are revoked when the keystore is reset.
src/com/android/keychain/KeyChainService.java
packages/apps/Settings
Changed com.android.credentials.RESET credential reset action to
also call IKeyChainService.reset to remove any installed user CAs
and remove KeyChain accounts to have AccountManager revoke
credential granted to private keys removed during the RESET.
src/com/android/settings/CredentialStorage.java
Added toast text value for failure case
res/values/strings.xml
system/core
Have init create world readable /data/misc/keychain to allow apps
to access user added CA certificates installed by the CertInstaller.
rootdir/init.rc
Change-Id: I8f1c12751085ebf9b993ebd1c1419d792fd047c8
diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java
index 8b0b0a1..1190368 100644
--- a/src/com/android/keychain/KeyChainService.java
+++ b/src/com/android/keychain/KeyChainService.java
@@ -20,27 +20,29 @@
import android.accounts.Account;
import android.accounts.AccountAuthenticatorResponse;
import android.accounts.AccountManager;
+import android.accounts.AccountsException;
import android.accounts.NetworkErrorException;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;
-import android.os.RemoteException;
import android.security.Credentials;
import android.security.IKeyChainService;
import android.security.KeyChain;
import android.security.KeyStore;
import android.util.Log;
import java.io.ByteArrayInputStream;
+import java.io.IOException;
import java.nio.charset.Charsets;
import java.security.SecureRandom;
-import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import java.util.Collections;
import javax.security.auth.x500.X500Principal;
import org.apache.harmony.luni.util.Base64;
+import org.apache.harmony.xnet.provider.jsse.TrustedCertificateStore;
public class KeyChainService extends Service {
@@ -59,12 +61,14 @@
private final IKeyChainService.Stub mIKeyChainService = new IKeyChainService.Stub() {
private final KeyStore mKeyStore = KeyStore.getInstance();
+ private final TrustedCertificateStore mTrustedCertificateStore
+ = new TrustedCertificateStore();
private boolean isKeyStoreUnlocked() {
return (mKeyStore.test() == KeyStore.NO_ERROR);
}
- @Override public byte[] getPrivate(String alias, String authToken) throws RemoteException {
+ @Override public byte[] getPrivate(String alias, String authToken) {
if (alias == null) {
throw new NullPointerException("alias == null");
}
@@ -85,17 +89,14 @@
return bytes;
}
- @Override public byte[] getCertificate(String alias, String authToken)
- throws RemoteException {
+ @Override public byte[] getCertificate(String alias, String authToken) {
return getCert(Credentials.USER_CERTIFICATE, alias, authToken);
}
- @Override public byte[] getCaCertificate(String alias, String authToken)
- throws RemoteException {
+ @Override public byte[] getCaCertificate(String alias, String authToken) {
return getCert(Credentials.CA_CERTIFICATE, alias, authToken);
}
- private byte[] getCert(String type, String alias, String authToken)
- throws RemoteException {
+ private byte[] getCert(String type, String alias, String authToken) {
if (alias == null) {
throw new NullPointerException("alias == null");
}
@@ -144,9 +145,7 @@
byte[] bytes = mKeyStore.get(alias);
try {
// TODO we could at least cache the byte to cert parsing
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- Certificate ca = cf.generateCertificate(new ByteArrayInputStream(bytes));
- X509Certificate caCert = (X509Certificate) ca;
+ X509Certificate caCert = parseCertificate(bytes);
if (issuer.equals(caCert.getSubjectX500Principal())) {
// will throw exception on failure to verify.
// this can happen if there are two CAs with
@@ -162,12 +161,81 @@
return null;
}
+ private X509Certificate parseCertificate(byte[] bytes) throws CertificateException {
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(bytes));
+ }
+
private byte[] concatenate(byte[] a, byte[] b) {
byte[] result = new byte[a.length + b.length];
System.arraycopy(a, 0, result, 0, a.length);
System.arraycopy(b, 0, result, a.length, b.length);
return result;
}
+
+ @Override public void installCaCertificate(byte[] caCertificate) {
+ // only the CertInstaller should be able to add new trusted CAs
+ final String expectedPackage = "com.android.certinstaller";
+ final String actualPackage = getPackageManager().getNameForUid(getCallingUid());
+ if (!expectedPackage.equals(actualPackage)) {
+ throw new IllegalStateException(actualPackage);
+ }
+ try {
+ synchronized (mTrustedCertificateStore) {
+ mTrustedCertificateStore.installCertificate(parseCertificate(caCertificate));
+ }
+ } catch (IOException e) {
+ throw new IllegalStateException(e);
+ } catch (CertificateException e) {
+ throw new IllegalStateException(e);
+ }
+ }
+ @Override public boolean reset() {
+ // only Settings should be able to reset
+ final String expectedPackage = "android.uid.system:1000";
+ final String actualPackage = getPackageManager().getNameForUid(getCallingUid());
+ if (!expectedPackage.equals(actualPackage)) {
+ throw new IllegalStateException(actualPackage);
+ }
+ boolean ok = true;
+
+ synchronized (mAccountLock) {
+ // remote Accounts from AccountManager to revoke any
+ // granted credential grants to applications
+ Account[] accounts = mAccountManager.getAccountsByType(KeyChain.ACCOUNT_TYPE);
+ for (Account a : accounts) {
+ try {
+ if (!mAccountManager.removeAccount(a, null, null).getResult()) {
+ ok = false;
+ }
+ } catch (AccountsException e) {
+ Log.w(TAG, "Problem removing account " + a, e);
+ ok = false;
+ } catch (IOException e) {
+ Log.w(TAG, "Problem removing account " + a, e);
+ ok = false;
+ }
+ }
+ }
+
+ synchronized (mTrustedCertificateStore) {
+ // delete user-installed CA certs
+ for (String alias : mTrustedCertificateStore.aliases()) {
+ if (TrustedCertificateStore.isUser(alias)) {
+ try {
+ mTrustedCertificateStore.deleteCertificateEntry(alias);
+ } catch (IOException e) {
+ Log.w(TAG, "Problem removing CA certificate " + alias, e);
+ ok = false;
+ } catch (CertificateException e) {
+ Log.w(TAG, "Problem removing CA certificate " + alias, e);
+ ok = false;
+ }
+ }
+ }
+ return ok;
+ }
+ }
};
private class KeyChainAccountAuthenticator extends AbstractAccountAuthenticator {