author | Rubin Xu <rubinxu@google.com> | 2016-03-23 11:41:28 +0000 |
---|---|---|
committer | Rubin Xu <rubinxu@google.com> | 2016-03-29 15:08:04 +0100 |
commit | 5e8156f9c9ed774b570154b0bb61a9e543ba8c3d (patch) | |
tree | 990cef0767d9293fe38c8d4bdc57b3f53fea9c0c | |
parent | 55e502076150f9ccde2af7e2c5e0ad4468b10c26 (diff) | |
When installing client cert, do not add CA certs to trusted credentials
Bug: 18239590
Change-Id: I10b056c3bb86fdc371e92f0b2313425f9d1e125f
-rw-r--r-- | src/com/android/certinstaller/CertInstaller.java | 10 | ||||
-rw-r--r-- | src/com/android/certinstaller/CredentialHelper.java | 24 |
2 files changed, 28 insertions, 6 deletions
diff --git a/src/com/android/certinstaller/CertInstaller.java b/src/com/android/certinstaller/CertInstaller.java
index 0f1f814..fedbadf 100644
--- a/src/com/android/certinstaller/CertInstaller.java
+++ b/src/com/android/certinstaller/CertInstaller.java
@@ -185,10 +185,9 @@ public class CertInstaller extends Activity {
  Toast.makeText(this, getString(R.string.cert_is_added, mCredentials.getName()), Toast.LENGTH_LONG).show();
- if (mCredentials.hasCaCerts()
- && mCredentials.getInstallAsUid() == KeyStore.UID_SELF) {
+ if (mCredentials.includesVpnAndAppsTrustAnchors()) {
  // more work to do, don't finish just yet
- new InstallCaCertsToKeyChainTask().execute();
+ new InstallVpnAndAppsTrustAnchorsTask().execute();
  return;
  }
  setResult(RESULT_OK);
@@ -202,13 +201,14 @@ public class CertInstaller extends Activity {
  finish();
  }
 
- private class InstallCaCertsToKeyChainTask extends AsyncTask<Void, Void, Boolean> {
+ private class InstallVpnAndAppsTrustAnchorsTask extends AsyncTask<Void, Void, Boolean> {
  @Override
  protected Boolean doInBackground(Void... unused) {
  try {
  KeyChainConnection keyChainConnection = KeyChain.bind(CertInstaller.this);
  try {
- return mCredentials.installCaCertsToKeyChain(keyChainConnection.getService());
+ return mCredentials.installVpnAndAppsTrustAnchors(
+ keyChainConnection.getService());
  } finally {
  keyChainConnection.close();
  }
diff --git a/src/com/android/certinstaller/CredentialHelper.java b/src/com/android/certinstaller/CredentialHelper.java
index 3ae1ddd..55447f3 100644
--- a/src/com/android/certinstaller/CredentialHelper.java
+++ b/src/com/android/certinstaller/CredentialHelper.java
@@ -303,7 +303,7 @@ class CredentialHelper {
  }
  }
 
- boolean installCaCertsToKeyChain(IKeyChainService keyChainService) {
+ boolean installVpnAndAppsTrustAnchors(IKeyChainService keyChainService) {
  for (X509Certificate caCert : mCaCerts) {
  byte[] bytes = null;
  try {
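Review bot: `installVpnAndAppsTrustAnchors` in the `@@ -303` hunk still iterates `mCaCerts` without consulting the new `includesVpnAndAppsTrustAnchors()`; the exclusion of a client credential's CA chain from the VPN-and-apps trust store is enforced only at the single call site in CertInstaller (the `@@ -185` hunk), so the invariant this commit establishes holds only as long as every caller repeats that check. I would make the method self-guarding with an early `if (!includesVpnAndAppsTrustAnchors()) {` return at the top, returning whatever value its callers already treat as "nothing installed"; the method body continues outside the hunk, so that convention cannot be read from here. At minimum, a comment on the method such as `// Callers must check includesVpnAndAppsTrustAnchors() first; this installs every entry of mCaCerts unconditionally.` would record the contract for the next caller.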
@@ -397,4 +397,26 @@ class CredentialHelper {
  private static boolean isWear(final Context context) {
  return context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH);
  }
+
+ /**
+ * Returns whether this credential contains CA certificates to be used as trust anchors
+ * for VPN and apps.
+ */
+ public boolean includesVpnAndAppsTrustAnchors() {
+ if (!hasCaCerts()) {
+ return false;
+ }
+ if (getInstallAsUid() != android.security.KeyStore.UID_SELF) {
+ // VPN and Apps trust anchors can only be installed under UID_SELF
+ return false;
+ }
+
+ if (mUserKey != null) {
+ // We are installing a key pair for client authentication, its CA
+ // should have nothing to do with VPN and apps trust anchors.
+ return false;
+ } else {
+ return true;
+ }
+ }
  } |
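Review bot: The Javadoc on `includesVpnAndAppsTrustAnchors()` states only what the method returns, not the rule the commit introduces, which is the part a later maintainer is most likely to weaken: a bundle that carries a private key (`mUserKey != null`) never contributes trust anchors even when it includes CA certificates, and neither does an install under any UID other than `UID_SELF`. I would add a sentence such as `A bundle that installs a private key is treated as a client credential; its CA chain is not added to the VPN-and-apps trust store even though hasCaCerts() is true.` The trailing `if (mUserKey != null) { ... } else { return true; }` can be written as a direct `return mUserKey == null;` with the existing comment kept above it, avoiding the else-after-return. The fully qualified `android.security.KeyStore.UID_SELF` suggests CredentialHelper does not import `KeyStore` the way CertInstaller does; an import would keep the two files consistent, provided nothing else in the file clashes with that simple name.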