Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / packages / apps / KeyChain / 8df30b5214a5e99be8004dcc77b71f46034a993c / . / src / com / android / keychain / KeyChainService.java
blob: afdf272a3348bc08fd9b33eae2ad795732783bbc [file] [log] [blame]
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]1/*
2 * Copyright (C) 2011 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.android.keychain;
18
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]19import android.app.BroadcastOptions;
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]20import android.app.IntentService;
21import android.content.ContentValues;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]22import android.content.Context;
23import android.content.Intent;
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]24import android.content.pm.PackageManager;
Robin Lee7e9d0452017-02-20 20:57:41 +0000[diff] [blame]25import android.content.pm.StringParceledListSlice;
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]26import android.database.Cursor;
27import android.database.DatabaseUtils;
28import android.database.sqlite.SQLiteDatabase;
29import android.database.sqlite.SQLiteOpenHelper;
Kenny Root6f1f03b2012-03-08 10:30:39 -0800[diff] [blame]30import android.os.Binder;
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]31import android.os.Build;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]32import android.os.IBinder;
Kenny Root6f1f03b2012-03-08 10:30:39 -0800[diff] [blame]33import android.os.Process;
Robin Lee93772c32014-09-02 14:53:50 +0100[diff] [blame]34import android.os.UserHandle;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]35import android.security.Credentials;
36import android.security.IKeyChainService;
Selim Gurun39e36e52012-02-14 10:50:42 -0800[diff] [blame]37import android.security.KeyChain;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]38import android.security.KeyStore;
39import android.util.Log;
40import java.io.ByteArrayInputStream;
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]41import java.io.IOException;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]42import java.security.cert.CertificateException;
Zoltan Szatmary-Ban3d25b312014-08-18 10:54:19 +0100[diff] [blame]43import java.security.cert.CertificateEncodingException;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]44import java.security.cert.CertificateFactory;
45import java.security.cert.X509Certificate;
Zoltan Szatmary-Ban3d25b312014-08-18 10:54:19 +0100[diff] [blame]46import java.util.Set;
47import java.util.List;
48import java.util.ArrayList;
49import java.util.Collections;
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]50
Kenny Root3048b6c2013-04-23 22:38:11 -0700[diff] [blame]51import com.android.org.conscrypt.TrustedCertificateStore;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]52
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]53public class KeyChainService extends IntentService {
Selim Gurun39e36e52012-02-14 10:50:42 -0800[diff] [blame]54
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]55 private static final String TAG = "KeyChain";
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]56
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]57 private static final String DATABASE_NAME = "grants.db";
58 private static final int DATABASE_VERSION = 1;
59 private static final String TABLE_GRANTS = "grants";
60 private static final String GRANTS_ALIAS = "alias";
61 private static final String GRANTS_GRANTEE_UID = "uid";
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]62
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]63 /** created in onCreate(), closed in onDestroy() */
64 public DatabaseHelper mDatabaseHelper;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]65
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]66 private static final String SELECTION_COUNT_OF_MATCHING_GRANTS =
67 "SELECT COUNT(*) FROM " + TABLE_GRANTS
68 + " WHERE " + GRANTS_GRANTEE_UID + "=? AND " + GRANTS_ALIAS + "=?";
69
70 private static final String SELECT_GRANTS_BY_UID_AND_ALIAS =
71 GRANTS_GRANTEE_UID + "=? AND " + GRANTS_ALIAS + "=?";
72
73 private static final String SELECTION_GRANTS_BY_UID = GRANTS_GRANTEE_UID + "=?";
74
Robin Leeba755b12016-02-24 15:27:43 +0000[diff] [blame]75 private static final String SELECTION_GRANTS_BY_ALIAS = GRANTS_ALIAS + "=?";
76
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]77 public KeyChainService() {
78 super(KeyChainService.class.getSimpleName());
79 }
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]80
81 @Override public void onCreate() {
82 super.onCreate();
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]83 mDatabaseHelper = new DatabaseHelper(this);
84 }
85
86 @Override
87 public void onDestroy() {
88 super.onDestroy();
89 mDatabaseHelper.close();
90 mDatabaseHelper = null;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]91 }
92
93 private final IKeyChainService.Stub mIKeyChainService = new IKeyChainService.Stub() {
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]94 private final KeyStore mKeyStore = KeyStore.getInstance();
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]95 private final TrustedCertificateStore mTrustedCertificateStore
96 = new TrustedCertificateStore();
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]97
Kenny Root6f1f03b2012-03-08 10:30:39 -0800[diff] [blame]98 @Override
99 public String requestPrivateKey(String alias) {
100 checkArgs(alias);
101
102 final String keystoreAlias = Credentials.USER_PRIVATE_KEY + alias;
103 final int uid = Binder.getCallingUid();
104 if (!mKeyStore.grant(keystoreAlias, uid)) {
105 return null;
106 }
Robin Lee93772c32014-09-02 14:53:50 +0100[diff] [blame]107 final int userHandle = UserHandle.getUserId(uid);
108 final int systemUidForUser = UserHandle.getUid(userHandle, Process.SYSTEM_UID);
Kenny Root6f1f03b2012-03-08 10:30:39 -0800[diff] [blame]109
110 final StringBuilder sb = new StringBuilder();
Robin Lee93772c32014-09-02 14:53:50 +0100[diff] [blame]111 sb.append(systemUidForUser);
Kenny Root6f1f03b2012-03-08 10:30:39 -0800[diff] [blame]112 sb.append('_');
113 sb.append(keystoreAlias);
114
115 return sb.toString();
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]116 }
117
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]118 @Override public byte[] getCertificate(String alias) {
Kenny Root6f1f03b2012-03-08 10:30:39 -0800[diff] [blame]119 checkArgs(alias);
120 return mKeyStore.get(Credentials.USER_CERTIFICATE + alias);
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]121 }
122
Rubin Xu8714f062016-03-23 12:37:10 +0000[diff] [blame]123 @Override public byte[] getCaCertificates(String alias) {
124 checkArgs(alias);
125 return mKeyStore.get(Credentials.CA_CERTIFICATE + alias);
126 }
127
Kenny Root6f1f03b2012-03-08 10:30:39 -0800[diff] [blame]128 private void checkArgs(String alias) {
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]129 if (alias == null) {
130 throw new NullPointerException("alias == null");
131 }
Kenny Root4ff22962013-02-14 10:17:06 -0800[diff] [blame]132 if (!mKeyStore.isUnlocked()) {
Nick Kralevichc8b04632012-05-21 15:13:07 -0700[diff] [blame]133 throw new IllegalStateException("keystore is "
134 + mKeyStore.state().toString());
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]135 }
Nick Kralevichc8b04632012-05-21 15:13:07 -0700[diff] [blame]136
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]137 final int callingUid = getCallingUid();
138 if (!hasGrantInternal(mDatabaseHelper.getReadableDatabase(), callingUid, alias)) {
139 throw new IllegalStateException("uid " + callingUid
140 + " doesn't have permission to access the requested alias");
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]141 }
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]142 }
143
Bartosz Fabianowski9bacf2b2017-02-10 02:26:45 +0100[diff] [blame]144 @Override public String installCaCertificate(byte[] caCertificate) {
Brian Carlstrom43f5b772011-06-27 02:27:16 -0700[diff] [blame]145 checkCertInstallerOrSystemCaller();
Bartosz Fabianowski9bacf2b2017-02-10 02:26:45 +0100[diff] [blame]146 final String alias;
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]147 try {
Bartosz Fabianowski9bacf2b2017-02-10 02:26:45 +0100[diff] [blame]148 final X509Certificate cert = parseCertificate(caCertificate);
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]149 synchronized (mTrustedCertificateStore) {
Bartosz Fabianowski9bacf2b2017-02-10 02:26:45 +0100[diff] [blame]150 mTrustedCertificateStore.installCertificate(cert);
151 alias = mTrustedCertificateStore.getCertificateAlias(cert);
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]152 }
153 } catch (IOException e) {
154 throw new IllegalStateException(e);
155 } catch (CertificateException e) {
156 throw new IllegalStateException(e);
157 }
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]158 broadcastLegacyStorageChange();
159 broadcastTrustStoreChange();
Bartosz Fabianowski9bacf2b2017-02-10 02:26:45 +0100[diff] [blame]160 return alias;
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]161 }
Brian Carlstrom5aeadd92011-05-17 00:40:33 -0700[diff] [blame]162
Rubin Xu8714f062016-03-23 12:37:10 +0000[diff] [blame]163 /**
164 * Install a key pair to the keystore.
165 *
166 * @param privateKey The private key associated with the client certificate
167 * @param userCertificate The client certificate to be installed
168 * @param userCertificateChain The rest of the chain for the client certificate
169 * @param alias The alias under which the key pair is installed
170 * @return Whether the operation succeeded or not.
171 */
Bernhard Bauerd300fc52014-07-21 15:32:30 +0100[diff] [blame]172 @Override public boolean installKeyPair(byte[] privateKey, byte[] userCertificate,
Rubin Xu8714f062016-03-23 12:37:10 +0000[diff] [blame]173 byte[] userCertificateChain, String alias) {
Bernhard Bauerd300fc52014-07-21 15:32:30 +0100[diff] [blame]174 checkCertInstallerOrSystemCaller();
Robin Lee8847b122015-07-27 12:50:28 +0100[diff] [blame]175 if (!mKeyStore.isUnlocked()) {
176 Log.e(TAG, "Keystore is " + mKeyStore.state().toString() + ". Credentials cannot"
177 + " be installed until device is unlocked");
178 return false;
179 }
Robin Leeba755b12016-02-24 15:27:43 +0000[diff] [blame]180 if (!removeKeyPair(alias)) {
181 return false;
182 }
Bernhard Bauerd300fc52014-07-21 15:32:30 +0100[diff] [blame]183 if (!mKeyStore.importKey(Credentials.USER_PRIVATE_KEY + alias, privateKey, -1,
184 KeyStore.FLAG_ENCRYPTED)) {
185 Log.e(TAG, "Failed to import private key " + alias);
186 return false;
187 }
188 if (!mKeyStore.put(Credentials.USER_CERTIFICATE + alias, userCertificate, -1,
189 KeyStore.FLAG_ENCRYPTED)) {
190 Log.e(TAG, "Failed to import user certificate " + userCertificate);
Alex Klyubin44c777b2015-06-08 09:46:15 -0700[diff] [blame]191 if (!mKeyStore.delete(Credentials.USER_PRIVATE_KEY + alias)) {
Bernhard Bauerd300fc52014-07-21 15:32:30 +0100[diff] [blame]192 Log.e(TAG, "Failed to delete private key after certificate importing failed");
193 }
194 return false;
195 }
Rubin Xu8714f062016-03-23 12:37:10 +0000[diff] [blame]196 if (userCertificateChain != null && userCertificateChain.length > 0) {
197 if (!mKeyStore.put(Credentials.CA_CERTIFICATE + alias, userCertificateChain, -1,
198 KeyStore.FLAG_ENCRYPTED)) {
199 Log.e(TAG, "Failed to import certificate chain" + userCertificateChain);
200 if (!removeKeyPair(alias)) {
201 Log.e(TAG, "Failed to clean up key chain after certificate chain"
202 + " importing failed");
203 }
204 return false;
205 }
206 }
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]207 broadcastKeychainChange();
208 broadcastLegacyStorageChange();
Bernhard Bauerd300fc52014-07-21 15:32:30 +0100[diff] [blame]209 return true;
210 }
211
Robin Leef44a5192015-08-03 17:18:02 +0100[diff] [blame]212 @Override public boolean removeKeyPair(String alias) {
213 checkCertInstallerOrSystemCaller();
Robin Leeba755b12016-02-24 15:27:43 +0000[diff] [blame]214 if (!Credentials.deleteAllTypesForAlias(mKeyStore, alias)) {
215 return false;
216 }
217 removeGrantsForAlias(alias);
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]218 broadcastKeychainChange();
219 broadcastLegacyStorageChange();
Robin Leeba755b12016-02-24 15:27:43 +0000[diff] [blame]220 return true;
Robin Leef44a5192015-08-03 17:18:02 +0100[diff] [blame]221 }
222
Brian Carlstrom5aeadd92011-05-17 00:40:33 -0700[diff] [blame]223 private X509Certificate parseCertificate(byte[] bytes) throws CertificateException {
224 CertificateFactory cf = CertificateFactory.getInstance("X.509");
225 return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(bytes));
226 }
227
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]228 @Override public boolean reset() {
229 // only Settings should be able to reset
Brian Carlstrom43f5b772011-06-27 02:27:16 -0700[diff] [blame]230 checkSystemCaller();
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]231 removeAllGrants(mDatabaseHelper.getWritableDatabase());
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]232 boolean ok = true;
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]233 synchronized (mTrustedCertificateStore) {
234 // delete user-installed CA certs
235 for (String alias : mTrustedCertificateStore.aliases()) {
236 if (TrustedCertificateStore.isUser(alias)) {
Brian Carlstrom43f5b772011-06-27 02:27:16 -0700[diff] [blame]237 if (!deleteCertificateEntry(alias)) {
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]238 ok = false;
239 }
240 }
241 }
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]242 }
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]243 broadcastTrustStoreChange();
Chad Brubaker8df30b52017-03-10 13:02:48 -0800[diff] [blame^]244 broadcastKeychainChange();
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]245 broadcastLegacyStorageChange();
Selim Gurun39e36e52012-02-14 10:50:42 -0800[diff] [blame]246 return ok;
Brian Carlstroma58db542011-05-11 23:02:20 -0700[diff] [blame]247 }
Brian Carlstrom43f5b772011-06-27 02:27:16 -0700[diff] [blame]248
249 @Override public boolean deleteCaCertificate(String alias) {
250 // only Settings should be able to delete
251 checkSystemCaller();
Selim Gurun39e36e52012-02-14 10:50:42 -0800[diff] [blame]252 boolean ok = true;
253 synchronized (mTrustedCertificateStore) {
254 ok = deleteCertificateEntry(alias);
255 }
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]256 broadcastTrustStoreChange();
257 broadcastLegacyStorageChange();
Selim Gurun39e36e52012-02-14 10:50:42 -0800[diff] [blame]258 return ok;
Brian Carlstrom43f5b772011-06-27 02:27:16 -0700[diff] [blame]259 }
260
261 private boolean deleteCertificateEntry(String alias) {
262 try {
263 mTrustedCertificateStore.deleteCertificateEntry(alias);
264 return true;
265 } catch (IOException e) {
266 Log.w(TAG, "Problem removing CA certificate " + alias, e);
267 return false;
268 } catch (CertificateException e) {
269 Log.w(TAG, "Problem removing CA certificate " + alias, e);
270 return false;
271 }
272 }
273
274 private void checkCertInstallerOrSystemCaller() {
275 String actual = checkCaller("com.android.certinstaller");
276 if (actual == null) {
277 return;
278 }
279 checkSystemCaller();
280 }
281 private void checkSystemCaller() {
282 String actual = checkCaller("android.uid.system:1000");
283 if (actual != null) {
284 throw new IllegalStateException(actual);
285 }
286 }
287 /**
288 * Returns null if actually caller is expected, otherwise return bad package to report
289 */
290 private String checkCaller(String expectedPackage) {
291 String actualPackage = getPackageManager().getNameForUid(getCallingUid());
292 return (!expectedPackage.equals(actualPackage)) ? actualPackage : null;
293 }
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]294
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]295 @Override public boolean hasGrant(int uid, String alias) {
296 checkSystemCaller();
297 return hasGrantInternal(mDatabaseHelper.getReadableDatabase(), uid, alias);
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]298 }
299
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]300 @Override public void setGrant(int uid, String alias, boolean value) {
301 checkSystemCaller();
302 setGrantInternal(mDatabaseHelper.getWritableDatabase(), uid, alias, value);
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]303 broadcastPermissionChange(uid, alias, value);
304 broadcastLegacyStorageChange();
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]305 }
Zoltan Szatmary-Ban3d25b312014-08-18 10:54:19 +0100[diff] [blame]306
Zoltan Szatmary-Ban3d25b312014-08-18 10:54:19 +0100[diff] [blame]307 @Override
Robin Lee7e9d0452017-02-20 20:57:41 +0000[diff] [blame]308 public StringParceledListSlice getUserCaAliases() {
Zoltan Szatmary-Ban3d25b312014-08-18 10:54:19 +0100[diff] [blame]309 synchronized (mTrustedCertificateStore) {
Robin Lee7e9d0452017-02-20 20:57:41 +0000[diff] [blame]310 return new StringParceledListSlice(new ArrayList<String>(
311 mTrustedCertificateStore.userAliases()));
Zoltan Szatmary-Ban3d25b312014-08-18 10:54:19 +0100[diff] [blame]312 }
313 }
314
315 @Override
Robin Lee7e9d0452017-02-20 20:57:41 +0000[diff] [blame]316 public StringParceledListSlice getSystemCaAliases() {
Zoltan Szatmary-Ban3d25b312014-08-18 10:54:19 +0100[diff] [blame]317 synchronized (mTrustedCertificateStore) {
Robin Lee7e9d0452017-02-20 20:57:41 +0000[diff] [blame]318 return new StringParceledListSlice(new ArrayList<String>(
319 mTrustedCertificateStore.allSystemAliases()));
Zoltan Szatmary-Ban3d25b312014-08-18 10:54:19 +0100[diff] [blame]320 }
321 }
322
323 @Override
324 public boolean containsCaAlias(String alias) {
325 return mTrustedCertificateStore.containsAlias(alias);
326 }
327
328 @Override
329 public byte[] getEncodedCaCertificate(String alias, boolean includeDeletedSystem) {
330 synchronized (mTrustedCertificateStore) {
331 X509Certificate certificate = (X509Certificate) mTrustedCertificateStore
332 .getCertificate(alias, includeDeletedSystem);
333 if (certificate == null) {
334 Log.w(TAG, "Could not find CA certificate " + alias);
335 return null;
336 }
337 try {
338 return certificate.getEncoded();
339 } catch (CertificateEncodingException e) {
340 Log.w(TAG, "Error while encoding CA certificate " + alias);
341 return null;
342 }
343 }
344 }
345
346 @Override
347 public List<String> getCaCertificateChainAliases(String rootAlias,
348 boolean includeDeletedSystem) {
349 synchronized (mTrustedCertificateStore) {
350 X509Certificate root = (X509Certificate) mTrustedCertificateStore.getCertificate(
351 rootAlias, includeDeletedSystem);
352 try {
353 List<X509Certificate> chain = mTrustedCertificateStore.getCertificateChain(
354 root);
355 List<String> aliases = new ArrayList<String>(chain.size());
356 final int n = chain.size();
357 for (int i = 0; i < n; ++i) {
358 String alias = mTrustedCertificateStore.getCertificateAlias(chain.get(i),
359 true);
360 if (alias != null) {
361 aliases.add(alias);
362 }
363 }
364 return aliases;
365 } catch (CertificateException e) {
366 Log.w(TAG, "Error retrieving cert chain for root " + rootAlias);
367 return Collections.emptyList();
368 }
369 }
370 }
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]371 };
372
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]373 private boolean hasGrantInternal(final SQLiteDatabase db, final int uid, final String alias) {
374 final long numMatches = DatabaseUtils.longForQuery(db, SELECTION_COUNT_OF_MATCHING_GRANTS,
375 new String[]{String.valueOf(uid), alias});
376 return numMatches > 0;
377 }
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]378
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]379 private void setGrantInternal(final SQLiteDatabase db,
380 final int uid, final String alias, final boolean value) {
381 if (value) {
382 if (!hasGrantInternal(db, uid, alias)) {
383 final ContentValues values = new ContentValues();
384 values.put(GRANTS_ALIAS, alias);
385 values.put(GRANTS_GRANTEE_UID, uid);
386 db.insert(TABLE_GRANTS, GRANTS_ALIAS, values);
387 }
388 } else {
389 db.delete(TABLE_GRANTS, SELECT_GRANTS_BY_UID_AND_ALIAS,
390 new String[]{String.valueOf(uid), alias});
391 }
392 }
393
Robin Leeba755b12016-02-24 15:27:43 +0000[diff] [blame]394 private void removeGrantsForAlias(String alias) {
395 final SQLiteDatabase db = mDatabaseHelper.getWritableDatabase();
396 db.delete(TABLE_GRANTS, SELECTION_GRANTS_BY_ALIAS, new String[] {alias});
397 }
398
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]399 private void removeAllGrants(final SQLiteDatabase db) {
400 db.delete(TABLE_GRANTS, null /* whereClause */, null /* whereArgs */);
401 }
402
403 private class DatabaseHelper extends SQLiteOpenHelper {
404 public DatabaseHelper(Context context) {
405 super(context, DATABASE_NAME, null /* CursorFactory */, DATABASE_VERSION);
406 }
407
408 @Override
409 public void onCreate(final SQLiteDatabase db) {
410 db.execSQL("CREATE TABLE " + TABLE_GRANTS + " ( "
411 + GRANTS_ALIAS + " STRING NOT NULL, "
412 + GRANTS_GRANTEE_UID + " INTEGER NOT NULL, "
413 + "UNIQUE (" + GRANTS_ALIAS + "," + GRANTS_GRANTEE_UID + "))");
414 }
415
416 @Override
417 public void onUpgrade(final SQLiteDatabase db, int oldVersion, final int newVersion) {
418 Log.e(TAG, "upgrade from version " + oldVersion + " to version " + newVersion);
419
420 if (oldVersion == 1) {
421 // the first upgrade step goes here
422 oldVersion++;
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]423 }
Brian Carlstrom7037b732011-06-30 15:04:49 -0700[diff] [blame]424 }
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]425 }
426
427 @Override public IBinder onBind(Intent intent) {
Brian Carlstrom7037b732011-06-30 15:04:49 -0700[diff] [blame]428 if (IKeyChainService.class.getName().equals(intent.getAction())) {
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]429 return mIKeyChainService;
430 }
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]431 return null;
432 }
Fred Quintanafb2e18e2011-07-13 14:54:05 -0700[diff] [blame]433
434 @Override
435 protected void onHandleIntent(final Intent intent) {
436 if (Intent.ACTION_PACKAGE_REMOVED.equals(intent.getAction())) {
437 purgeOldGrants();
438 }
439 }
440
441 private void purgeOldGrants() {
442 final PackageManager packageManager = getPackageManager();
443 final SQLiteDatabase db = mDatabaseHelper.getWritableDatabase();
444 Cursor cursor = null;
445 db.beginTransaction();
446 try {
447 cursor = db.query(TABLE_GRANTS,
448 new String[]{GRANTS_GRANTEE_UID}, null, null, GRANTS_GRANTEE_UID, null, null);
449 while (cursor.moveToNext()) {
450 final int uid = cursor.getInt(0);
451 final boolean packageExists = packageManager.getPackagesForUid(uid) != null;
452 if (packageExists) {
453 continue;
454 }
455 Log.d(TAG, "deleting grants for UID " + uid
456 + " because its package is no longer installed");
457 db.delete(TABLE_GRANTS, SELECTION_GRANTS_BY_UID,
458 new String[]{Integer.toString(uid)});
459 }
460 db.setTransactionSuccessful();
461 } finally {
462 if (cursor != null) {
463 cursor.close();
464 }
465 db.endTransaction();
466 }
467 }
Selim Gurun39e36e52012-02-14 10:50:42 -0800[diff] [blame]468
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]469 private void broadcastLegacyStorageChange() {
Selim Gurun39e36e52012-02-14 10:50:42 -0800[diff] [blame]470 Intent intent = new Intent(KeyChain.ACTION_STORAGE_CHANGED);
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]471 BroadcastOptions opts = BroadcastOptions.makeBasic();
Chad Brubaker04028072016-07-08 10:48:54 -0700[diff] [blame]472 opts.setMaxManifestReceiverApiLevel(Build.VERSION_CODES.N_MR1);
Chad Brubakere5a5dd12016-07-25 14:34:54 -0700[diff] [blame]473 sendBroadcastAsUser(intent, UserHandle.of(UserHandle.myUserId()), null, opts.toBundle());
Selim Gurun39e36e52012-02-14 10:50:42 -0800[diff] [blame]474 }
475
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]476 private void broadcastKeychainChange() {
477 Intent intent = new Intent(KeyChain.ACTION_KEYCHAIN_CHANGED);
Chad Brubakere5a5dd12016-07-25 14:34:54 -0700[diff] [blame]478 sendBroadcastAsUser(intent, UserHandle.of(UserHandle.myUserId()));
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]479 }
480
481 private void broadcastTrustStoreChange() {
482 Intent intent = new Intent(KeyChain.ACTION_TRUST_STORE_CHANGED);
Chad Brubakere5a5dd12016-07-25 14:34:54 -0700[diff] [blame]483 sendBroadcastAsUser(intent, UserHandle.of(UserHandle.myUserId()));
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]484 }
485
486 private void broadcastPermissionChange(int uid, String alias, boolean access) {
487 // Since the permission change only impacts one uid only send to that uid's packages.
488 final PackageManager packageManager = getPackageManager();
489 String[] packages = packageManager.getPackagesForUid(uid);
490 if (packages == null) {
491 return;
492 }
493 for (String pckg : packages) {
494 Intent intent = new Intent(KeyChain.ACTION_KEY_ACCESS_CHANGED);
495 intent.putExtra(KeyChain.EXTRA_KEY_ALIAS, alias);
496 intent.putExtra(KeyChain.EXTRA_KEY_ACCESSIBLE, access);
497 intent.setPackage(pckg);
Chad Brubakere5a5dd12016-07-25 14:34:54 -0700[diff] [blame]498 sendBroadcastAsUser(intent, UserHandle.of(UserHandle.myUserId()));
Chad Brubaker2099a7d2016-05-02 13:13:23 -0700[diff] [blame]499 }
500 }
Brian Carlstrom3e6251d2011-04-11 09:05:06 -0700[diff] [blame]501}