diff options
author | Robin Lee <rgl@google.com> | 2016-02-22 13:52:17 +0000 |
---|---|---|
committer | Robin Lee <rgl@google.com> | 2016-02-22 13:58:11 +0000 |
commit | 6f511d4f1c698350f3e2bffcd6d7a90d01eb47cd (patch) | |
tree | 81e6a9a777efd91110eb076026666f14f3511af3 | |
parent | 97910a20c5114215e04151d228aefbfde1e52be0 (diff) | |
download | android_packages_apps_CertInstaller-6f511d4f1c698350f3e2bffcd6d7a90d01eb47cd.tar.gz android_packages_apps_CertInstaller-6f511d4f1c698350f3e2bffcd6d7a90d01eb47cd.tar.bz2 android_packages_apps_CertInstaller-6f511d4f1c698350f3e2bffcd6d7a90d01eb47cd.zip |
Trust CA certificates added for the whole OS only
Excludes any CA certificates installed for wifi-only from being used for
anything else. Does not take effect retroactively against certs which
were already installed.
The CAs will continue to be saved to a part of the keystore accessible
by services running under WIFI_UID.
Bug: 26324357
Bug: 25780055
Change-Id: Ifeb9daf24c9f9a22b2b2daf247d5622c707c9885
-rw-r--r-- | src/com/android/certinstaller/CertInstaller.java | 3 | ||||
-rw-r--r-- | src/com/android/certinstaller/CredentialHelper.java | 6 |
2 files changed, 8 insertions, 1 deletions
diff --git a/src/com/android/certinstaller/CertInstaller.java b/src/com/android/certinstaller/CertInstaller.java index 0a6049e..dd334cb 100644 --- a/src/com/android/certinstaller/CertInstaller.java +++ b/src/com/android/certinstaller/CertInstaller.java @@ -181,7 +181,8 @@ public class CertInstaller extends Activity { Toast.makeText(this, getString(R.string.cert_is_added, mCredentials.getName()), Toast.LENGTH_LONG).show(); - if (mCredentials.hasCaCerts()) { + if (mCredentials.hasCaCerts() + && mCredentials.getInstallAsUid() == KeyStore.UID_SELF) { // more work to do, don't finish just yet new InstallCaCertsToKeyChainTask().execute(); return; diff --git a/src/com/android/certinstaller/CredentialHelper.java b/src/com/android/certinstaller/CredentialHelper.java index a3e2e27..19fb9a9 100644 --- a/src/com/android/certinstaller/CredentialHelper.java +++ b/src/com/android/certinstaller/CredentialHelper.java @@ -101,6 +101,7 @@ class CredentialHelper { try { outStates.putSerializable(DATA_KEY, mBundle); outStates.putString(KeyChain.EXTRA_NAME, mName); + outStates.putInt(Credentials.EXTRA_INSTALL_AS_UID, mUid); if (mUserKey != null) { outStates.putByteArray(Credentials.USER_PRIVATE_KEY, mUserKey.getEncoded()); @@ -121,6 +122,7 @@ class CredentialHelper { void onRestoreStates(Bundle savedStates) { mBundle = (HashMap) savedStates.getSerializable(DATA_KEY); mName = savedStates.getString(KeyChain.EXTRA_NAME); + mUid = savedStates.getInt(Credentials.EXTRA_INSTALL_AS_UID, -1); byte[] bytes = savedStates.getByteArray(Credentials.USER_PRIVATE_KEY); if (bytes != null) { setPrivateKey(bytes); @@ -257,6 +259,10 @@ class CredentialHelper { return mUid != -1; } + int getInstallAsUid() { + return mUid; + } + Intent createSystemInstallIntent(final Context context) { Intent intent = new Intent("com.android.credentials.INSTALL"); // To prevent the private key from being sniffed, we explicitly spell |