Make CertInstaller installed CA certs trusted by applications via default TrustManager (1 of 6)

frameworks/base Adding IKeyChainService APIs for CertInstaller and Settings use keystore/java/android/security/IKeyChainService.aidl libcore Improve exceptions to include more information luni/src/main/java/javax/security/auth/x500/X500Principal.java Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods. Added support for adding user CAs in a separate directroy for system. Added support for removeing system CAs by placing a copy in a sytem directory luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash to make sure the implementing algortims doe not change since TrustedCertificateStore depend on X509_NAME_hash_old (OpenSSL changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to 1.0.0) luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Extensive test of new TrustedCertificateStore behavior luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java TestKeyStore improvements - Refactored TestKeyStore to provide simpler createCA method (and internal createCertificate) - Cleaned up to remove use of BouncyCastle specific X509Principal in the TestKeyStore API when the public X500Principal would do. - Cleaned up TestKeyStore support methods to not throw Exception to remove need for static blocks for catch clauses in tests. support/src/test/java/libcore/java/security/TestKeyStore.java luni/src/test/java/libcore/java/security/KeyStoreTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java packages/apps/CertInstaller Change CertInstaller to call IKeyChainService.installCertificate for CA certs to pass them to the KeyChainServiceTest which will make them available to all apps through the TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask. src/com/android/certinstaller/CertInstaller.java Added installCaCertsToKeyChain and hasCaCerts accessor for use by CertInstaller. Use hasUserCertificate() internally. Cleanup coding style. src/com/android/certinstaller/CredentialHelper.java packages/apps/KeyChain Added MANAGE_ACCOUNTS so that IKeyChainService.reset implementation can remove KeyChain accounts. AndroidManifest.xml Implement new IKeyChainService methods: - Added IKeyChainService.installCaCertificate to install certs provided by CertInstaller using the TrustedCertificateStore. - Added IKeyChainService.reset to allow Settings to remove the KeyChain accounts so that any app granted access to keystore credentials are revoked when the keystore is reset. src/com/android/keychain/KeyChainService.java packages/apps/Settings Changed com.android.credentials.RESET credential reset action to also call IKeyChainService.reset to remove any installed user CAs and remove KeyChain accounts to have AccountManager revoke credential granted to private keys removed during the RESET. src/com/android/settings/CredentialStorage.java Added toast text value for failure case res/values/strings.xml system/core Have init create world readable /data/misc/keychain to allow apps to access user added CA certificates installed by the CertInstaller. rootdir/init.rc Change-Id: I2e4b169cbb35d32d97f5d6a00d988fa389eadcb2
author: Brian Carlstrom <bdc@google.com> 2011-05-13 12:54:24 -0700
committer: Brian Carlstrom <bdc@google.com> 2011-05-14 23:45:16 -0700
commit: 2627d53f65be672e9a27f735975de1bf3aebfec1 (patch)
tree: 48c1935198510301c39ebd071de0449204fc768c /keystore
parent: 444889838ce46475f04956e8b6b027328917f3fe (diff)
download: frameworks_base-2627d53f65be672e9a27f735975de1bf3aebfec1.zip
frameworks_base-2627d53f65be672e9a27f735975de1bf3aebfec1.tar.gz
frameworks_base-2627d53f65be672e9a27f735975de1bf3aebfec1.tar.bz2
1 files changed, 7 insertions, 0 deletions
diff --git a/keystore/java/android/security/IKeyChainService.aidl b/keystore/java/android/security/IKeyChainService.aidl
index 64f5a48..0bca5b5 100644
--- a/keystore/java/android/security/IKeyChainService.aidl
+++ b/keystore/java/android/security/IKeyChainService.aidl
@@ -24,8 +24,15 @@ import android.os.Bundle;
  * @hide
  */
 interface IKeyChainService {
+    // APIs used by KeyChain
     byte[] getPrivate(String alias, String authToken);
     byte[] getCertificate(String alias, String authToken);
     byte[] getCaCertificate(String alias, String authToken);
     String findIssuer(in Bundle cert);
+
+    // APIs used by CertInstaller
+    void installCaCertificate(in byte[] caCertificate);
+
+    // APIs used by Settings
+    boolean reset();
 }
author	Brian Carlstrom <bdc@google.com>	2011-05-13 12:54:24 -0700
committer	Brian Carlstrom <bdc@google.com>	2011-05-14 23:45:16 -0700
commit	2627d53f65be672e9a27f735975de1bf3aebfec1 (patch)
tree	48c1935198510301c39ebd071de0449204fc768c /keystore
parent	444889838ce46475f04956e8b6b027328917f3fe (diff)
download	frameworks_base-2627d53f65be672e9a27f735975de1bf3aebfec1.zip frameworks_base-2627d53f65be672e9a27f735975de1bf3aebfec1.tar.gz frameworks_base-2627d53f65be672e9a27f735975de1bf3aebfec1.tar.bz2