Trust CA certificates added for the whole OS only

Excludes any CA certificates installed for wifi-only from being used for
anything else. Does not take effect retroactively against certs which
were already installed.

The CAs will continue to be saved to a part of the keystore accessible
by services running under WIFI_UID.

Bug: 26324357
Bug: 25780055
Change-Id: Ifeb9daf24c9f9a22b2b2daf247d5622c707c9885

Merge conflict resolution to ag/871740 with changes in ag/871667 to mnc-dr1.5-release
diff --git a/src/com/android/certinstaller/CertInstaller.java b/src/com/android/certinstaller/CertInstaller.java
index 0a6049e..dd334cb 100644
--- a/src/com/android/certinstaller/CertInstaller.java
+++ b/src/com/android/certinstaller/CertInstaller.java
@@ -181,7 +181,8 @@
                 Toast.makeText(this, getString(R.string.cert_is_added,
                         mCredentials.getName()), Toast.LENGTH_LONG).show();
 
-                if (mCredentials.hasCaCerts()) {
+                if (mCredentials.hasCaCerts()
+                        && mCredentials.getInstallAsUid() == KeyStore.UID_SELF) {
                     // more work to do, don't finish just yet
                     new InstallCaCertsToKeyChainTask().execute();
                     return;
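Review bot: The new UID test in this condition is the only thing that keeps a uid-scoped (wifi) CA out of the OS-wide trust store, but the comment under it still reads only "more work to do, don't finish just yet". I would add a line above the `if` such as `// Only CAs installed for the whole OS (UID_SELF) go to the KeyChain trust store; uid-scoped CAs (e.g. wifi) must stay out of it.` so a later edit does not loosen the check by accident. The enclosing method starts and ends outside this hunk, so what happens on the fall-through path for a wifi CA is not visible here and is worth confirming.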
diff --git a/src/com/android/certinstaller/CredentialHelper.java b/src/com/android/certinstaller/CredentialHelper.java
index a3e2e27..0ef50bf 100644
--- a/src/com/android/certinstaller/CredentialHelper.java
+++ b/src/com/android/certinstaller/CredentialHelper.java
@@ -101,6 +101,7 @@
         try {
             outStates.putSerializable(DATA_KEY, mBundle);
             outStates.putString(KeyChain.EXTRA_NAME, mName);
+            outStates.putInt(Credentials.EXTRA_INSTALL_AS_UID, mUid);
             if (mUserKey != null) {
                 outStates.putByteArray(Credentials.USER_PRIVATE_KEY,
                         mUserKey.getEncoded());
@@ -121,6 +122,7 @@
     void onRestoreStates(Bundle savedStates) {
         mBundle = (HashMap) savedStates.getSerializable(DATA_KEY);
         mName = savedStates.getString(KeyChain.EXTRA_NAME);
+        mUid = savedStates.getInt(Credentials.EXTRA_INSTALL_AS_UID, -1);
         byte[] bytes = savedStates.getByteArray(Credentials.USER_PRIVATE_KEY);
         if (bytes != null) {
             setPrivateKey(bytes);
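Review bot: The restore default `-1` in onRestoreStates is a bare literal that has to stay equal to `KeyStore.UID_SELF`, which CertInstaller now compares against to decide whether a CA becomes trusted OS-wide. If the extra is ever missing from the saved bundle, the credential is restored as a whole-OS install, which is the more privileged outcome for a CA that was meant to be wifi-only. If KeyStore is already imported in this file (not visible in the hunk), prefer `mUid = savedStates.getInt(Credentials.EXTRA_INSTALL_AS_UID, KeyStore.UID_SELF);`. Otherwise add `// -1 == KeyStore.UID_SELF: no target uid, install for the whole OS` next to the literal. The matching `putInt` in the onSaveStates hunk above is what makes this default unreachable in practice, and onRestoreStates continues past the end of this hunk.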
@@ -257,6 +259,11 @@
         return mUid != -1;
     }
 
+
+    int getInstallAsUid() {
+        return mUid;
+    }
+
     Intent createSystemInstallIntent(final Context context) {
         Intent intent = new Intent("com.android.credentials.INSTALL");
         // To prevent the private key from being sniffed, we explicitly spell
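Review bot: getInstallAsUid() is added without a doc comment, although its return value now gates whether CA certificates are added to the system trust store. Its "unset" value is only implied by the `mUid != -1` test just above it. I would document it with `/** Returns the uid this credential is installed for, or -1 (KeyStore.UID_SELF) when none was requested and the install applies to the whole OS. */`. The hunk also adds a second blank line before the method, which can be dropped.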