author | Chad Brubaker <cbrubaker@google.com> | 2016-06-21 23:35:01 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-06-21 23:35:01 +0000 |
commit | 6a8a12844b98749aa98fc8fa233215a9f77a105b (patch) | |
tree | 245ff02de5f186791f4d01024994820163454ce5 | |
parent | 9a507d045f36cf3a88e02ea7340a419f7ffcec11 (diff) | |
parent | 473ee1358deac95b094a40fd47397ab97b975751 (diff) | |
Use calling app's Network Security Config for HTTPS downloads
am: 473ee1358d
Change-Id: I4555060fa60460bc41613596dbec6fd9d8678fc5
4 files changed, 66 insertions, 0 deletions
diff --git a/src/com/android/providers/downloads/DownloadThread.java b/src/com/android/providers/downloads/DownloadThread.java
index da51e9d4..34d6ad1a 100644
--- a/src/com/android/providers/downloads/DownloadThread.java
+++ b/src/com/android/providers/downloads/DownloadThread.java
@@ -85,6 +85,10 @@ import java.net.MalformedURLException;
 import java.net.ProtocolException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.security.GeneralSecurityException;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
 /**
 * Task which executes a given {@link DownloadInfo}: making network requests,
@@ -403,6 +407,13 @@ public class DownloadThread extends Thread {
 }
 boolean cleartextTrafficPermitted = mSystemFacade.isCleartextTrafficPermitted(mInfo.mUid);
+ SSLContext appContext;
+ try {
+ appContext = mSystemFacade.getSSLContextForPackage(mContext, mInfo.mPackage);
+ } catch (GeneralSecurityException e) {
+ // This should never happen.
+ throw new StopRequestException(STATUS_UNKNOWN_ERROR, "Unable to create SSLContext.");
+ }
 int redirectionCount = 0;
 while (redirectionCount++ < Constants.MAX_REDIRECTS) {
 // Enforce the cleartext traffic opt-out for the UID. This cannot be enforced earlier
@@ -424,6 +435,11 @@ public class DownloadThread extends Thread {
 conn.setInstanceFollowRedirects(false);
 conn.setConnectTimeout(DEFAULT_TIMEOUT);
 conn.setReadTimeout(DEFAULT_TIMEOUT);
+ // If this is going over HTTPS configure the trust to be the same as the calling
+ // package.
+ if (conn instanceof HttpsURLConnection) {
+ ((HttpsURLConnection)conn).setSSLSocketFactory(appContext.getSocketFactory());
+ }
 addRequestHeaders(conn, resuming);
diff --git a/src/com/android/providers/downloads/RealSystemFacade.java b/src/com/android/providers/downloads/RealSystemFacade.java
index 2203eefc..df1d245f 100644
--- a/src/com/android/providers/downloads/RealSystemFacade.java
+++ b/src/com/android/providers/downloads/RealSystemFacade.java
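Review bot: In the DownloadThread.java hunk at `-403,6 +407,13`, the trust configuration is selected by `mInfo.mPackage` while the cleartext check on the line above is keyed by `mInfo.mUid`, and nothing visible here shows that the stored package name is bound to that UID. If the two can disagree, an HTTPS download would be validated against a different app's Network Security Config, so it is worth confirming where `mPackage` is populated and stating the invariant in a comment, for example `// mInfo.mPackage must belong to mInfo.mUid: trust is resolved per package, cleartext per UID`. The catch block also drops the `GeneralSecurityException`; passing `e` along as the cause (assuming StopRequestException offers a constructor that accepts one) would keep a failure here diagnosable. The enclosing method starts and ends outside the hunk.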
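Review bot: In the DownloadThread.java hunk at `-424,6 +435,11`, the new comment says the trust is made "the same as the calling package", but the code replaces only the socket factory; the connection's hostname verifier is left as it was. That is probably intended, and the comment should say so, e.g. `// Only the trust manager comes from the app's config; hostname verification stays the platform default.` The cast would also read better with the usual space, `((HttpsURLConnection) conn)`. The loop body continues outside the hunk.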
@@ -26,6 +26,13 @@ import android.content.pm.PackageManager.NameNotFoundException;
 import android.net.ConnectivityManager;
 import android.net.Network;
 import android.net.NetworkInfo;
+import android.security.NetworkSecurityPolicy;
+import android.security.net.config.ApplicationConfig;
+
+import java.security.GeneralSecurityException;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
 import com.android.internal.util.ArrayUtils;
@@ -94,6 +101,21 @@ class RealSystemFacade implements SystemFacade {
 return false;
 }
+ @Override
+ public SSLContext getSSLContextForPackage(Context context, String packageName)
+ throws GeneralSecurityException {
+ ApplicationConfig appConfig;
+ try {
+ appConfig = NetworkSecurityPolicy.getApplicationConfigForPackage(context, packageName);
+ } catch (NameNotFoundException e) {
+ // Unknown package -- fallback to the default SSLContext
+ return SSLContext.getDefault();
+ }
+ SSLContext ctx = SSLContext.getInstance("TLS");
+ ctx.init(null, new TrustManager[] {appConfig.getTrustManager()}, null);
+ return ctx;
+ }
+
 /**
 * Returns whether cleartext network traffic (HTTP) is permitted for the provided package.
 */
diff --git a/src/com/android/providers/downloads/SystemFacade.java b/src/com/android/providers/downloads/SystemFacade.java
index 5f020b1a..c34317cb 100644
--- a/src/com/android/providers/downloads/SystemFacade.java
+++ b/src/com/android/providers/downloads/SystemFacade.java
@@ -16,11 +16,15 @@ package com.android.providers.downloads;
+import android.content.Context;
 import android.content.Intent;
 import android.content.pm.PackageManager.NameNotFoundException;
 import android.net.Network;
 import android.net.NetworkInfo;
+import java.security.GeneralSecurityException;
+import javax.net.ssl.SSLContext;
+
 interface SystemFacade {
 /**
 * @see System#currentTimeMillis()
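Review bot: In RealSystemFacade.getSSLContextForPackage (`-94,6 +101,21`), a `NameNotFoundException` silently falls back to `SSLContext.getDefault()`, so a download whose package cannot be resolved is validated with the provider's default trust rather than the requesting app's configuration. If that app restricts its trust anchors, the fallback is weaker than what the app asked for, and nothing is logged when it happens. Consider failing the request in that case, or at least logging the package name at warning level before returning the default. The existing comment should then explain why falling back is acceptable, not only that it happens.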
@@ -58,4 +62,10 @@ interface SystemFacade {
 * Returns true if cleartext network traffic is permitted for the specified UID.
 */
 public boolean isCleartextTrafficPermitted(int uid);
+
+ /**
+ * Return a {@link SSLContext} configured using the specified package's configuration.
+ */
+ public SSLContext getSSLContextForPackage(Context context, String pckg)
+ throws GeneralSecurityException;
 }
diff --git a/tests/src/com/android/providers/downloads/FakeSystemFacade.java b/tests/src/com/android/providers/downloads/FakeSystemFacade.java
index 3b9a83bf..b6b800a2 100644
--- a/tests/src/com/android/providers/downloads/FakeSystemFacade.java
+++ b/tests/src/com/android/providers/downloads/FakeSystemFacade.java
@@ -4,6 +4,7 @@ import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
+import android.content.Context;
 import android.content.Intent;
 import android.content.pm.PackageManager.NameNotFoundException;
 import android.net.ConnectivityManager;
@@ -17,8 +18,10 @@ import org.mockito.stubbing.Answer;
 import java.io.IOException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.security.GeneralSecurityException;
 import java.util.ArrayList;
 import java.util.List;
+import javax.net.ssl.SSLContext;
 public class FakeSystemFacade implements SystemFacade {
 long mTimeMillis = 0;
@@ -30,6 +33,7 @@ public class FakeSystemFacade implements SystemFacade {
 List<Intent> mBroadcastsSent = new ArrayList<Intent>();
 boolean mCleartextTrafficPermitted = true;
 private boolean mReturnActualTime = false;
+ private SSLContext mSSLContext = null;
 public void setUp() {
 mTimeMillis = 0;
@@ -40,6 +44,11 @@ public class FakeSystemFacade implements SystemFacade {
 mRecommendedMaxBytesOverMobile = Long.MAX_VALUE;
 mBroadcastsSent.clear();
 mReturnActualTime = false;
+ try {
+ mSSLContext = SSLContext.getDefault();
+ } catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
+ }
 }
 void incrementTimeMillis(long delta) {
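Review bot: The Javadoc added to SystemFacade.getSSLContextForPackage (`-58,4 +62,10`) does not say which configuration is meant or what happens for an unknown package, although the RealSystemFacade implementation in this commit falls back to the default context in that case. Wording such as `Returns an SSLContext whose trust decisions follow the given package's Network Security Config; implementations may fall back to the default context if the package is unknown.` would document the contract callers rely on. The parameter is named `pckg` here and `packageName` in RealSystemFacade; using `packageName` in both would be consistent.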
@@ -112,6 +121,15 @@ public class FakeSystemFacade implements SystemFacade {
 return mCleartextTrafficPermitted;
 }
+ @Override
+ public SSLContext getSSLContextForPackage(Context context, String pckg) {
+ return mSSLContext;
+ }
+
+ public void setSSLContext(SSLContext context) {
+ mSSLContext = context;
+ }
+
 public void setReturnActualTime(boolean flag) {
 mReturnActualTime = flag;
 } |
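Review bot: `setSSLContext` is added to FakeSystemFacade (`-112,6 +121,15`), but none of the four files in this commit contains a test that calls it, so the new per-package trust behaviour in DownloadThread is not exercised here. A test that installs a context trusting only a test CA and asserts that an HTTPS download from a server presenting a different certificate fails would pin the security property. The fake's `getSSLContextForPackage` also ignores both arguments; recording the requested package name would let a test check that DownloadThread passes `mInfo.mPackage`.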