commit 70dde9870e9450e10418a32206ac1bb30f036b2c
author Robin Lee <rgl@google.com> Mon Feb 22 13:52:17 2016 +0000
committer The Android Automerger <android-build@google.com> Fri Feb 26 14:34:03 2016 -0800
tree 06d9f877922c4644c8aef2fd52cc3b9ca8ffd2cb
parent 33c0a544f35937a5175e45dea1c71d37595c4d3f

Trust CA certificates added for the whole OS only

Excludes any CA certificates installed for wifi-only from being used for
anything else. Does not take effect retroactively against certs which
were already installed.

The CAs will continue to be saved to a part of the keystore accessible
by services running under WIFI_UID.

Bug: 26324357
Bug: 25780055
Change-Id: Ifeb9daf24c9f9a22b2b2daf247d5622c707c9885

src/com/android/certinstaller/CertInstaller.java

diff --git a/src/com/android/certinstaller/CertInstaller.java b/src/com/android/certinstaller/CertInstaller.java
index 907646e..eb8fa90 100644
--- a/src/com/android/certinstaller/CertInstaller.java
+++ b/src/com/android/certinstaller/CertInstaller.java
@@ -180,7 +180,8 @@
                 Toast.makeText(this, getString(R.string.cert_is_added,
                         mCredentials.getName()), Toast.LENGTH_LONG).show();
 
-                if (mCredentials.hasCaCerts()) {
+                if (mCredentials.hasCaCerts()
+                        && mCredentials.getInstallAsUid() == KeyStore.UID_SELF) {
                     // more work to do, don't finish just yet
                     new InstallCaCertsToKeyChainTask().execute();
                     return;

src/com/android/certinstaller/CredentialHelper.java

diff --git a/src/com/android/certinstaller/CredentialHelper.java b/src/com/android/certinstaller/CredentialHelper.java
index c131268..b502a1d 100644
--- a/src/com/android/certinstaller/CredentialHelper.java
+++ b/src/com/android/certinstaller/CredentialHelper.java
@@ -100,6 +100,7 @@
         try {
             outStates.putSerializable(DATA_KEY, mBundle);
             outStates.putString(KeyChain.EXTRA_NAME, mName);
+            outStates.putInt(Credentials.EXTRA_INSTALL_AS_UID, mUid);
             if (mUserKey != null) {
                 outStates.putByteArray(Credentials.USER_PRIVATE_KEY,
                         mUserKey.getEncoded());
@@ -120,6 +121,7 @@
     void onRestoreStates(Bundle savedStates) {
         mBundle = (HashMap) savedStates.getSerializable(DATA_KEY);
         mName = savedStates.getString(KeyChain.EXTRA_NAME);
+        mUid = savedStates.getInt(Credentials.EXTRA_INSTALL_AS_UID, -1);
         byte[] bytes = savedStates.getByteArray(Credentials.USER_PRIVATE_KEY);
         if (bytes != null) {
             setPrivateKey(bytes);
@@ -256,6 +258,10 @@
         return mUid != -1;
     }
 
+    int getInstallAsUid() {
+        return mUid;
+    }
+
     Intent createSystemInstallIntent() {
         Intent intent = new Intent("com.android.credentials.INSTALL");
         // To prevent the private key from being sniffed, we explicitly spell