import android.os.UserHandle;
import android.util.Log;
+import com.android.org.conscrypt.TrustedCertificateStore;
+
+import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
import java.util.List;
+import java.util.Set;
/**
* Public interface for managing policies enforced on a device. Most clients
}
/**
+ * Installs the given certificate as a User CA.
+ *
+ * @return false if the certBuffer cannot be parsed or installation is
+ * interrupted, otherwise true
+ * @hide
+ */
+ public boolean installCaCert(byte[] certBuffer) {
+ if (mService != null) {
+ try {
+ return mService.installCaCert(certBuffer);
+ } catch (RemoteException e) {
+ Log.w(TAG, "Failed talking with device policy service", e);
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Uninstalls the given certificate from the list of User CAs, if present.
+ *
+ * @hide
+ */
+ public void uninstallCaCert(byte[] certBuffer) {
+ if (mService != null) {
+ try {
+ mService.uninstallCaCert(certBuffer);
+ } catch (RemoteException e) {
+ Log.w(TAG, "Failed talking with device policy service", e);
+ }
+ }
+ }
+
+ /**
+ * Returns whether there are any user-installed CA certificates.
+ *
+ * @hide
+ */
+ public boolean hasAnyCaCertsInstalled() {
+ TrustedCertificateStore certStore = new TrustedCertificateStore();
+ Set<String> aliases = certStore.userAliases();
+ return aliases != null && !aliases.isEmpty();
+ }
+
+ /**
+ * Returns whether this certificate has been installed as a User CA.
+ *
+ * @hide
+ */
+ public boolean hasCaCertInstalled(byte[] certBuffer) {
+ TrustedCertificateStore certStore = new TrustedCertificateStore();
+ String alias;
+ byte[] pemCert;
+ try {
+ CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+ X509Certificate cert = (X509Certificate) certFactory.generateCertificate(
+ new ByteArrayInputStream(certBuffer));
+ return certStore.getCertificateAlias(cert) != null;
+ } catch (CertificateException ce) {
+ Log.w(TAG, "Could not parse certificate", ce);
+ }
+ return false;
+ }
+
+ /**
* Called by an application that is administering the device to disable all cameras
* on the device. After setting this, no applications will be able to access any cameras
* on the device.
package com.android.server;
+import static android.Manifest.permission.MANAGE_CA_CERTIFICATES;
+
import com.android.internal.os.storage.ExternalStorageFormatter;
import com.android.internal.util.FastXmlSerializer;
import com.android.internal.util.JournaledFile;
import com.android.internal.util.XmlUtils;
import com.android.internal.widget.LockPatternUtils;
+import com.android.org.conscrypt.TrustedCertificateStore;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.pm.ResolveInfo;
import android.net.Uri;
+import android.os.AsyncTask;
import android.os.Binder;
import android.os.Bundle;
import android.os.Environment;
import android.os.UserHandle;
import android.os.UserManager;
import android.provider.Settings;
+import android.security.Credentials;
+import android.security.IKeyChainService;
+import android.security.KeyChain;
+import android.security.KeyChain.KeyChainConnection;
import android.util.AtomicFile;
+import android.util.Log;
import android.util.PrintWriterPrinter;
import android.util.Printer;
import android.util.Slog;
import android.view.IWindowManager;
import android.view.WindowManagerPolicy;
+import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileDescriptor;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintWriter;
+import java.security.KeyStore.TrustedCertificateEntry;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
return !"".equals(state);
}
+ public boolean installCaCert(byte[] certBuffer) throws RemoteException {
+ mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null);
+ KeyChainConnection keyChainConnection = null;
+ byte[] pemCert;
+ try {
+ X509Certificate cert = parseCert(certBuffer);
+ pemCert = Credentials.convertToPem(cert);
+ } catch (CertificateException ce) {
+ Log.e(TAG, "Problem converting cert", ce);
+ return false;
+ } catch (IOException ioe) {
+ Log.e(TAG, "Problem reading cert", ioe);
+ return false;
+ }
+ try {
+ keyChainConnection = KeyChain.bind(mContext);
+ try {
+ keyChainConnection.getService().installCaCertificate(pemCert);
+ return true;
+ } finally {
+ if (keyChainConnection != null) {
+ keyChainConnection.close();
+ keyChainConnection = null;
+ }
+ }
+ } catch (InterruptedException e1) {
+ Log.w(TAG, "installCaCertsToKeyChain(): ", e1);
+ Thread.currentThread().interrupt();
+ }
+ return false;
+ }
+
+ private static X509Certificate parseCert(byte[] certBuffer)
+ throws CertificateException, IOException {
+ CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+ return (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(
+ certBuffer));
+ }
+
+ public void uninstallCaCert(final byte[] certBuffer) {
+ mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null);
+ TrustedCertificateStore certStore = new TrustedCertificateStore();
+ String alias = null;
+ try {
+ X509Certificate cert = parseCert(certBuffer);
+ alias = certStore.getCertificateAlias(cert);
+ } catch (CertificateException ce) {
+ Log.e(TAG, "Problem creating X509Certificate", ce);
+ return;
+ } catch (IOException ioe) {
+ Log.e(TAG, "Problem reading certificate", ioe);
+ return;
+ }
+ try {
+ KeyChainConnection keyChainConnection = KeyChain.bind(mContext);
+ IKeyChainService service = keyChainConnection.getService();
+ try {
+ service.deleteCaCertificate(alias);
+ } catch (RemoteException e) {
+ Log.e(TAG, "from CaCertUninstaller: ", e);
+ } finally {
+ keyChainConnection.close();
+ keyChainConnection = null;
+ }
+ } catch (InterruptedException ie) {
+ Log.w(TAG, "CaCertUninstaller: ", ie);
+ Thread.currentThread().interrupt();
+ }
+ }
+
void wipeDataLocked(int flags) {
// If the SD card is encrypted and non-removable, we have to force a wipe.
boolean forceExtWipe = !Environment.isExternalStorageRemovable() && isExtStorageEncrypted();