From ae7438eda7c9cf6f30323f6fb59c3aea4007bac3 Mon Sep 17 00:00:00 2001
From: Robin Lee <rgl@google.com>
Date: Mon, 22 Feb 2016 13:52:17 +0000
Subject: Trust CA certificates added for the whole OS only

Excludes any CA certificates installed for wifi-only from being used for
anything else. Does not take effect retroactively against certs which
were already installed.

The CAs will continue to be saved to a part of the keystore accessible
by services running under WIFI_UID.

Bug: 26324357
Bug: 25780055
Change-Id: Ifeb9daf24c9f9a22b2b2daf247d5622c707c9885

Merge conflict resolution to ag/871740 with changes in ag/871667 to mnc-dr1.5-release
---
 src/com/android/certinstaller/CertInstaller.java    | 3 ++-
 src/com/android/certinstaller/CredentialHelper.java | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/com/android/certinstaller/CertInstaller.java b/src/com/android/certinstaller/CertInstaller.java
index 0a6049e..dd334cb 100644
--- a/src/com/android/certinstaller/CertInstaller.java
+++ b/src/com/android/certinstaller/CertInstaller.java
@@ -181,7 +181,8 @@ public class CertInstaller extends Activity {
                 Toast.makeText(this, getString(R.string.cert_is_added,
                         mCredentials.getName()), Toast.LENGTH_LONG).show();
 
-                if (mCredentials.hasCaCerts()) {
+                if (mCredentials.hasCaCerts()
+                        && mCredentials.getInstallAsUid() == KeyStore.UID_SELF) {
                     // more work to do, don't finish just yet
                     new InstallCaCertsToKeyChainTask().execute();
                     return;
diff --git a/src/com/android/certinstaller/CredentialHelper.java b/src/com/android/certinstaller/CredentialHelper.java
index a3e2e27..0ef50bf 100644
--- a/src/com/android/certinstaller/CredentialHelper.java
+++ b/src/com/android/certinstaller/CredentialHelper.java
@@ -101,6 +101,7 @@ class CredentialHelper {
         try {
             outStates.putSerializable(DATA_KEY, mBundle);
             outStates.putString(KeyChain.EXTRA_NAME, mName);
+            outStates.putInt(Credentials.EXTRA_INSTALL_AS_UID, mUid);
             if (mUserKey != null) {
                 outStates.putByteArray(Credentials.USER_PRIVATE_KEY,
                         mUserKey.getEncoded());
@@ -121,6 +122,7 @@ class CredentialHelper {
     void onRestoreStates(Bundle savedStates) {
         mBundle = (HashMap) savedStates.getSerializable(DATA_KEY);
         mName = savedStates.getString(KeyChain.EXTRA_NAME);
+        mUid = savedStates.getInt(Credentials.EXTRA_INSTALL_AS_UID, -1);
         byte[] bytes = savedStates.getByteArray(Credentials.USER_PRIVATE_KEY);
         if (bytes != null) {
             setPrivateKey(bytes);
@@ -257,6 +259,11 @@ class CredentialHelper {
         return mUid != -1;
     }
 
+
+    int getInstallAsUid() {
+        return mUid;
+    }
+
     Intent createSystemInstallIntent(final Context context) {
         Intent intent = new Intent("com.android.credentials.INSTALL");
         // To prevent the private key from being sniffed, we explicitly spell
-- 
cgit v1.2.3