diff options
5 files changed, 51 insertions, 74 deletions
diff --git a/api/current.txt b/api/current.txt index cf19d54..af989e8 100644 --- a/api/current.txt +++ b/api/current.txt @@ -5243,10 +5243,7 @@ package android.app.admin { method public int getPasswordQuality(android.content.ComponentName); method public boolean getStorageEncryption(android.content.ComponentName); method public int getStorageEncryptionStatus(); - method public boolean hasAnyCaCertsInstalled(); - method public boolean hasCaCertInstalled(byte[]); method public boolean hasGrantedPolicy(android.content.ComponentName, int); - method public boolean installCaCert(android.content.ComponentName, byte[]); method public boolean isActivePasswordSufficient(); method public boolean isAdminActive(android.content.ComponentName); method public boolean isApplicationBlocked(android.content.ComponentName, java.lang.String); @@ -5284,7 +5281,6 @@ package android.app.admin { method public void setRestrictionsProvider(android.content.ComponentName, android.content.ComponentName); method public void setSecureSetting(android.content.ComponentName, java.lang.String, java.lang.String); method public int setStorageEncryption(android.content.ComponentName, boolean); - method public void uninstallCaCert(android.content.ComponentName, byte[]); method public void wipeData(int); field public static final java.lang.String ACTION_ADD_DEVICE_ADMIN = "android.app.action.ADD_DEVICE_ADMIN"; field public static final java.lang.String ACTION_PROVISION_MANAGED_PROFILE = "android.app.action.ACTION_PROVISION_MANAGED_PROFILE"; diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java index 99f68d0..e80c761 100644 --- a/core/java/android/app/admin/DevicePolicyManager.java +++ b/core/java/android/app/admin/DevicePolicyManager.java @@ -1506,11 +1506,12 @@ public class DevicePolicyManager { * * @return false if the certBuffer cannot be parsed or installation is * interrupted, otherwise true + * @hide */ - public boolean installCaCert(ComponentName who, byte[] certBuffer) { + public boolean installCaCert(byte[] certBuffer) { if (mService != null) { try { - return mService.installCaCert(who, certBuffer); + return mService.installCaCert(certBuffer); } catch (RemoteException e) { Log.w(TAG, "Failed talking with device policy service", e); } @@ -1520,14 +1521,13 @@ public class DevicePolicyManager { /** * Uninstalls the given certificate from the list of User CAs, if present. + * + * @hide */ - public void uninstallCaCert(ComponentName who, byte[] certBuffer) { + public void uninstallCaCert(byte[] certBuffer) { if (mService != null) { try { - final String alias = getCaCertAlias(certBuffer); - mService.uninstallCaCert(who, alias); - } catch (CertificateException e) { - Log.w(TAG, "Unable to parse certificate", e); + mService.uninstallCaCert(certBuffer); } catch (RemoteException e) { Log.w(TAG, "Failed talking with device policy service", e); } @@ -1536,8 +1536,10 @@ public class DevicePolicyManager { /** * Returns whether there are any user-installed CA certificates. + * + * @hide */ - public boolean hasAnyCaCertsInstalled() { + public static boolean hasAnyCaCertsInstalled() { TrustedCertificateStore certStore = new TrustedCertificateStore(); Set<String> aliases = certStore.userAliases(); return aliases != null && !aliases.isEmpty(); @@ -1545,10 +1547,18 @@ public class DevicePolicyManager { /** * Returns whether this certificate has been installed as a User CA. + * + * @hide */ public boolean hasCaCertInstalled(byte[] certBuffer) { + TrustedCertificateStore certStore = new TrustedCertificateStore(); + String alias; + byte[] pemCert; try { - return getCaCertAlias(certBuffer) != null; + CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); + X509Certificate cert = (X509Certificate) certFactory.generateCertificate( + new ByteArrayInputStream(certBuffer)); + return certStore.getCertificateAlias(cert) != null; } catch (CertificateException ce) { Log.w(TAG, "Could not parse certificate", ce); } @@ -1556,17 +1566,6 @@ public class DevicePolicyManager { } /** - * Returns the alias of a given CA certificate in the certificate store, or null if it - * doesn't exist. - */ - private static String getCaCertAlias(byte[] certBuffer) throws CertificateException { - final CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); - final X509Certificate cert = (X509Certificate) certFactory.generateCertificate( - new ByteArrayInputStream(certBuffer)); - return new TrustedCertificateStore().getCertificateAlias(cert); - } - - /** * Called by an application that is administering the device to disable all cameras * on the device. After setting this, no applications will be able to access any cameras * on the device. diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl index e935da7..a1caa21 100644 --- a/core/java/android/app/admin/IDevicePolicyManager.aidl +++ b/core/java/android/app/admin/IDevicePolicyManager.aidl @@ -115,8 +115,8 @@ interface IDevicePolicyManager { String getProfileOwnerName(int userHandle); void setProfileEnabled(in ComponentName who); - boolean installCaCert(in ComponentName admin, in byte[] certBuffer); - void uninstallCaCert(in ComponentName admin, in String alias); + boolean installCaCert(in byte[] certBuffer); + void uninstallCaCert(in byte[] certBuffer); void addPersistentPreferredActivity(in ComponentName admin, in IntentFilter filter, in ComponentName activity); void clearPackagePersistentPreferredActivities(in ComponentName admin, String packageName); diff --git a/keystore/java/android/security/KeyChain.java b/keystore/java/android/security/KeyChain.java index 0da2b99..9d6d76e 100644 --- a/keystore/java/android/security/KeyChain.java +++ b/keystore/java/android/security/KeyChain.java @@ -23,9 +23,7 @@ import android.content.Intent; import android.content.ServiceConnection; import android.os.IBinder; import android.os.Looper; -import android.os.Process; import android.os.RemoteException; -import android.os.UserHandle; import java.io.ByteArrayInputStream; import java.io.Closeable; import java.security.InvalidKeyException; @@ -439,14 +437,6 @@ public final class KeyChain { * Caller should call unbindService on the result when finished. */ public static KeyChainConnection bind(Context context) throws InterruptedException { - return bindAsUser(context, Process.myUserHandle()); - } - - /** - * @hide - */ - public static KeyChainConnection bindAsUser(Context context, UserHandle user) - throws InterruptedException { if (context == null) { throw new NullPointerException("context == null"); } @@ -469,10 +459,9 @@ public final class KeyChain { Intent intent = new Intent(IKeyChainService.class.getName()); ComponentName comp = intent.resolveSystemService(context.getPackageManager(), 0); intent.setComponent(comp); - boolean isBound = context.bindServiceAsUser(intent, - keyChainServiceConnection, - Context.BIND_AUTO_CREATE, - user); + boolean isBound = context.bindService(intent, + keyChainServiceConnection, + Context.BIND_AUTO_CREATE); if (!isBound) { throw new AssertionError("could not bind to KeyChainService"); } diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 24a998d..4574caf 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -1324,7 +1324,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { private void manageMonitoringCertificateNotification(Intent intent) { final NotificationManager notificationManager = getNotificationManager(); - final boolean hasCert = !(new TrustedCertificateStore().userAliases().isEmpty()); + final boolean hasCert = DevicePolicyManager.hasAnyCaCertsInstalled(); if (! hasCert) { if (intent.getAction().equals(KeyChain.ACTION_STORAGE_CHANGED)) { for (UserInfo user : mUserManager.getUsers()) { @@ -2384,19 +2384,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return !"".equals(state); } - public boolean installCaCert(ComponentName who, byte[] certBuffer) throws RemoteException { - if (who == null) { - mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null); - } else { - synchronized (this) { - getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); - } - } - + public boolean installCaCert(byte[] certBuffer) throws RemoteException { + mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null); + KeyChainConnection keyChainConnection = null; byte[] pemCert; try { X509Certificate cert = parseCert(certBuffer); - pemCert = Credentials.convertToPem(cert); + pemCert = Credentials.convertToPem(cert); } catch (CertificateException ce) { Log.e(LOG_TAG, "Problem converting cert", ce); return false; @@ -2404,24 +2398,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Log.e(LOG_TAG, "Problem reading cert", ioe); return false; } - - final UserHandle userHandle = new UserHandle(UserHandle.getCallingUserId()); - final long id = Binder.clearCallingIdentity(); try { - final KeyChainConnection keyChainConnection = KeyChain.bindAsUser(mContext, userHandle); + keyChainConnection = KeyChain.bind(mContext); try { keyChainConnection.getService().installCaCertificate(pemCert); return true; - } catch (RemoteException e) { - Log.e(LOG_TAG, "installCaCertsToKeyChain(): ", e); } finally { - keyChainConnection.close(); + if (keyChainConnection != null) { + keyChainConnection.close(); + keyChainConnection = null; + } } } catch (InterruptedException e1) { Log.w(LOG_TAG, "installCaCertsToKeyChain(): ", e1); Thread.currentThread().interrupt(); - } finally { - Binder.restoreCallingIdentity(id); } return false; } @@ -2433,31 +2423,34 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { certBuffer)); } - public void uninstallCaCert(ComponentName who, String alias) { - if (who == null) { - mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null); - } else { - synchronized (this) { - getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); - } + public void uninstallCaCert(final byte[] certBuffer) { + mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null); + TrustedCertificateStore certStore = new TrustedCertificateStore(); + String alias = null; + try { + X509Certificate cert = parseCert(certBuffer); + alias = certStore.getCertificateAlias(cert); + } catch (CertificateException ce) { + Log.e(LOG_TAG, "Problem creating X509Certificate", ce); + return; + } catch (IOException ioe) { + Log.e(LOG_TAG, "Problem reading certificate", ioe); + return; } - - final UserHandle userHandle = new UserHandle(UserHandle.getCallingUserId()); - final long id = Binder.clearCallingIdentity(); try { - final KeyChainConnection keyChainConnection = KeyChain.bindAsUser(mContext, userHandle); + KeyChainConnection keyChainConnection = KeyChain.bind(mContext); + IKeyChainService service = keyChainConnection.getService(); try { - keyChainConnection.getService().deleteCaCertificate(alias); + service.deleteCaCertificate(alias); } catch (RemoteException e) { Log.e(LOG_TAG, "from CaCertUninstaller: ", e); } finally { keyChainConnection.close(); + keyChainConnection = null; } } catch (InterruptedException ie) { Log.w(LOG_TAG, "CaCertUninstaller: ", ie); Thread.currentThread().interrupt(); - } finally { - Binder.restoreCallingIdentity(id); } } |