Make CertInstaller installed CA certs trusted by applications via default TrustManage...

    frameworks/base

        Adding IKeyChainService APIs for CertInstaller and Settings use
    	keystore/java/android/security/IKeyChainService.aidl

    libcore

        Improve exceptions to include more information
    	luni/src/main/java/javax/security/auth/x500/X500Principal.java

        Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods.
        Added support for adding user CAs in a separate directory for system.
        Added support for removing system CAs by placing a copy in a sytem directory
    	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
    	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java

        Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore
    	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

        Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash
        to make sure the implementing algorithms doe not change since
        TrustedCertificateStore depend on X509_NAME_hash_old (OpenSSL
        changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to
        1.0.0)

    	luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java

        Extensive test of new TrustedCertificateStore behavior
    	luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java

        TestKeyStore improvements
        - Refactored TestKeyStore to provide simpler createCA method (and
          internal createCertificate)
        - Cleaned up to remove use of BouncyCastle specific X509Principal
          in the TestKeyStore API when the public X500Principal would do.
        - Cleaned up TestKeyStore support methods to not throw Exception
          to remove need for static blocks for catch clauses in tests.

    	support/src/test/java/libcore/java/security/TestKeyStore.java
    	luni/src/test/java/libcore/java/security/KeyStoreTest.java
    	luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java

        Added private PKIXParameters contructor for use by
        IndexedPKIXParameters to avoid wart of having to lookup and pass
        a TrustAnchor to satisfy the super-class sanity check.

    	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
    	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
    	luni/src/main/java/java/security/cert/PKIXParameters.java

    packages/apps/CertInstaller

        Change CertInstaller to call IKeyChainService.installCertificate
        for CA certs to pass them to the KeyChainServiceTest which will
        make them available to all apps through the
        TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask.

    	src/com/android/certinstaller/CertInstaller.java

        Added installCaCertsToKeyChain and hasCaCerts accessor for use by
        CertInstaller. Use hasUserCertificate() internally. Cleanup coding
        style.

    	src/com/android/certinstaller/CredentialHelper.java

    packages/apps/KeyChain

        Added MANAGE_ACCOUNTS so that IKeyChainService.reset
        implementation can remove KeyChain accounts.

    	AndroidManifest.xml

        Implement new IKeyChainService methods:
        - Added IKeyChainService.installCaCertificate to install certs
          provided by CertInstaller using the TrustedCertificateStore.
        - Added IKeyChainService.reset to allow Settings to remove the
          KeyChain accounts so that any app granted access to keystore
          credentials are revoked when the keystore is reset.

    	src/com/android/keychain/KeyChainService.java

    packages/apps/Settings

        Changed com.android.credentials.RESET credential reset action to
        also call IKeyChainService.reset to remove any installed user CAs
        and remove KeyChain accounts to have AccountManager revoke
        credential granted to private keys removed during the RESET.

    	src/com/android/settings/CredentialStorage.java

        Added toast text value for failure case

    	res/values/strings.xml

    system/core

        Have init create world readable /data/misc/keychain to allow apps
        to access user added CA certificates installed by the CertInstaller.

    	rootdir/init.rc

Change-Id: Ie329aafe88f6ebe108d25382f587c933f3244e55

diff --git a/res/values/strings.xml b/res/values/strings.xml
index 4da3ca4..e3250be 100644 (file)
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -3053,6 +3053,8 @@ found in the list of installed applications.</string>
     <!-- Toast message [CHAR LIMIT=30] -->
     <string name="credentials_erased">Credential storage is erased.</string>
     <!-- Toast message [CHAR LIMIT=30] -->
+    <string name="credentials_not_erased">Credential could not be erased.</string>
+    <!-- Toast message [CHAR LIMIT=30] -->
     <string name="credentials_enabled">Credential storage is enabled.</string>
 
     <!-- Sound settings screen, setting check box label -->

diff --git a/src/com/android/settings/CredentialStorage.java b/src/com/android/settings/CredentialStorage.java
index 9d5a603..b2d0a3a 100644 (file)
--- a/src/com/android/settings/CredentialStorage.java
+++ b/src/com/android/settings/CredentialStorage.java
@@ -18,9 +18,16 @@ package com.android.settings;
 
 import android.app.Activity;
 import android.app.AlertDialog;
+import android.content.ComponentName;
+import android.content.Context;
 import android.content.DialogInterface;
 import android.content.Intent;
+import android.content.ServiceConnection;
+import android.os.AsyncTask;
 import android.os.Bundle;
+import android.os.IBinder;
+import android.os.RemoteException;
+import android.security.IKeyChainService;
 import android.security.KeyStore;
 import android.text.Editable;
 import android.text.TextWatcher;
@@ -30,6 +37,8 @@ import android.widget.Button;
 import android.widget.TextView;
 import android.widget.Toast;
 
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.LinkedBlockingQueue;
 import java.io.UnsupportedEncodingException;
 
 public class CredentialStorage extends Activity implements TextWatcher,
@@ -43,7 +52,8 @@ public class CredentialStorage extends Activity implements TextWatcher,
     private static final String TAG = "CredentialStorage";
 
     private KeyStore mKeyStore = KeyStore.getInstance();
-    private boolean mSubmit = false;
+    private boolean mPositive = false;
+    private boolean mNeutral = false;
     private Bundle mBundle;
 
     private TextView mOldPassword;
@@ -177,16 +187,13 @@ public class CredentialStorage extends Activity implements TextWatcher,
     }
 
     public void onClick(DialogInterface dialog, int button) {
-        mSubmit = (button == DialogInterface.BUTTON_POSITIVE);
-        if (button == DialogInterface.BUTTON_NEUTRAL) {
-            mKeyStore.reset();
-            Toast.makeText(this, R.string.credentials_erased, Toast.LENGTH_SHORT).show();
-        }
+        mPositive = (button == DialogInterface.BUTTON_POSITIVE);
+        mNeutral = (button == DialogInterface.BUTTON_NEUTRAL);
     }
 
     public void onDismiss(DialogInterface dialog) {
-        if (mSubmit) {
-            mSubmit = false;
+        if (mPositive) {
+            mPositive = false;
             mError.setVisibility(View.VISIBLE);
 
             if (mNewPassword == null) {
@@ -225,6 +232,61 @@ public class CredentialStorage extends Activity implements TextWatcher,
                 return;
             }
         }
+        if (mNeutral) {
+            mNeutral = false;
+            new ResetKeyStoreAndKeyChain().execute();
+            return;
+        }
         finish();
     }
+
+    private class ResetKeyStoreAndKeyChain extends AsyncTask<Void, Void, Boolean> {
+
+        @Override protected Boolean doInBackground(Void... unused) {
+
+            mKeyStore.reset();
+
+            final BlockingQueue<IKeyChainService> q = new LinkedBlockingQueue<IKeyChainService>(1);
+            ServiceConnection keyChainServiceConnection = new ServiceConnection() {
+                @Override public void onServiceConnected(ComponentName name, IBinder service) {
+                    try {
+                        q.put(IKeyChainService.Stub.asInterface(service));
+                    } catch (InterruptedException e) {
+                        throw new AssertionError(e);
+                    }
+                }
+                @Override public void onServiceDisconnected(ComponentName name) {}
+            };
+            boolean isBound = bindService(new Intent(IKeyChainService.class.getName()),
+                                          keyChainServiceConnection,
+                                          Context.BIND_AUTO_CREATE);
+            if (!isBound) {
+                Log.w(TAG, "could not bind to KeyChainService");
+                return false;
+            }
+            IKeyChainService keyChainService;
+            try {
+                keyChainService = q.take();
+                return keyChainService.reset();
+            } catch (InterruptedException e) {
+                Thread.currentThread().interrupt();
+                return false;
+            } catch (RemoteException e) {
+                return false;
+            } finally {
+                unbindService(keyChainServiceConnection);
+            }
+        }
+
+        @Override protected void onPostExecute(Boolean success) {
+            if (success) {
+                Toast.makeText(CredentialStorage.this,
+                               R.string.credentials_erased, Toast.LENGTH_SHORT).show();
+            } else {
+                Toast.makeText(CredentialStorage.this,
+                               R.string.credentials_not_erased, Toast.LENGTH_SHORT).show();
+            }
+            finish();
+        }
+    }
 }