authorRubin Xu <rubinxu@google.com>2016-03-23 11:41:28 +0000
committerRubin Xu <rubinxu@google.com>2016-03-29 15:08:04 +0100
commit5e8156f9c9ed774b570154b0bb61a9e543ba8c3d (patch)
tree990cef0767d9293fe38c8d4bdc57b3f53fea9c0c
parent55e502076150f9ccde2af7e2c5e0ad4468b10c26 (diff)
When installing client cert, do not add CA certs to trusted credentials
Bug: 18239590 Change-Id: I10b056c3bb86fdc371e92f0b2313425f9d1e125f
-rw-r--r--src/com/android/certinstaller/CertInstaller.java10
-rw-r--r--src/com/android/certinstaller/CredentialHelper.java24
2 files changed, 28 insertions, 6 deletions
diff --git a/src/com/android/certinstaller/CertInstaller.java b/src/com/android/certinstaller/CertInstaller.java
index 0f1f814..fedbadf 100644
--- a/src/com/android/certinstaller/CertInstaller.java
+++ b/src/com/android/certinstaller/CertInstaller.java
@@ -185,10 +185,9 @@ public class CertInstaller extends Activity {
Toast.makeText(this, getString(R.string.cert_is_added,
mCredentials.getName()), Toast.LENGTH_LONG).show();
- if (mCredentials.hasCaCerts()
- && mCredentials.getInstallAsUid() == KeyStore.UID_SELF) {
+ if (mCredentials.includesVpnAndAppsTrustAnchors()) {
// more work to do, don't finish just yet
- new InstallCaCertsToKeyChainTask().execute();
+ new InstallVpnAndAppsTrustAnchorsTask().execute();
return;
}
setResult(RESULT_OK);
@@ -202,13 +201,14 @@ public class CertInstaller extends Activity {
finish();
}
- private class InstallCaCertsToKeyChainTask extends AsyncTask<Void, Void, Boolean> {
+ private class InstallVpnAndAppsTrustAnchorsTask extends AsyncTask<Void, Void, Boolean> {
@Override protected Boolean doInBackground(Void... unused) {
try {
KeyChainConnection keyChainConnection = KeyChain.bind(CertInstaller.this);
try {
- return mCredentials.installCaCertsToKeyChain(keyChainConnection.getService());
+ return mCredentials.installVpnAndAppsTrustAnchors(
+ keyChainConnection.getService());
} finally {
keyChainConnection.close();
}
diff --git a/src/com/android/certinstaller/CredentialHelper.java b/src/com/android/certinstaller/CredentialHelper.java
index 3ae1ddd..55447f3 100644
--- a/src/com/android/certinstaller/CredentialHelper.java
+++ b/src/com/android/certinstaller/CredentialHelper.java
@@ -303,7 +303,7 @@ class CredentialHelper {
}
}
- boolean installCaCertsToKeyChain(IKeyChainService keyChainService) {
+ boolean installVpnAndAppsTrustAnchors(IKeyChainService keyChainService) {
for (X509Certificate caCert : mCaCerts) {
byte[] bytes = null;
try {
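Review bot: installVpnAndAppsTrustAnchors() still walks every entry of mCaCerts without consulting the new includesVpnAndAppsTrustAnchors() predicate, so the rule that a client-cert bundle's CA chain must not become a VPN/apps trust anchor is enforced only by the caller in CertInstaller, not by the method that performs the install. Any other path into this method would install the CA certs regardless of whether a user key is present or of the target UID. A guard at the top of the method, `if (!includesVpnAndAppsTrustAnchors()) { return false; }`, would make the policy self-contained; whether `false` or `true` is the right result for "nothing to install" depends on how the AsyncTask's onPostExecute treats the Boolean, which is outside the hunk. The method body continues past the end of the hunk.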
@@ -397,4 +397,26 @@ class CredentialHelper {
private static boolean isWear(final Context context) {
return context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH);
}
+
+ /**
+ * Returns whether this credential contains CA certificates to be used as trust anchors
+ * for VPN and apps.
+ */
+ public boolean includesVpnAndAppsTrustAnchors() {
+ if (!hasCaCerts()) {
+ return false;
+ }
+ if (getInstallAsUid() != android.security.KeyStore.UID_SELF) {
+ // VPN and Apps trust anchors can only be installed under UID_SELF
+ return false;
+ }
+
+ if (mUserKey != null) {
+ // We are installing a key pair for client authentication, its CA
+ // should have nothing to do with VPN and apps trust anchors.
+ return false;
+ } else {
+ return true;
+ }
+ }
}
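Review bot: The Javadoc on includesVpnAndAppsTrustAnchors() says only that the credential "contains CA certificates to be used as trust anchors", but the method actually encodes three conditions, and the third (a credential carrying a user key is excluded even when it has CA certs and targets UID_SELF) is the whole point of this change; the doc should spell out all three so a later reader does not "simplify" the method back to hasCaCerts(). The trailing `if (mUserKey != null) { ... return false; } else { return true; }` can be collapsed to `return mUserKey == null;` with the existing comment kept above it. The method is declared `public` while its sibling installVpnAndAppsTrustAnchors() on the same package-private class is package-private, and `android.security.KeyStore.UID_SELF` is written fully qualified where CertInstaller used plain `KeyStore.UID_SELF`; presumably the qualification avoids a clash with java.security.KeyStore in this file, which is worth a short comment if so.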