Install CA certificates into KeyStore

When the user installs a CA certificate (via Settings), store that
certificate into the system KeyStore.

This is necessary for it to be available as a VPN trust anchor.
Note that this is a temporary fix and long-term the user should install
VPN trust anchor separately of CA certificates. Particularly in the
context of VPN, it's undesirable for the VPN provider's endpoint
authentication certificate to also be a root CA on the device, as all
traffic goes through the VPN.

Test: Manual, installed CA certificate via cert installer and ensured it's available in VPN settings.
Bug: 163413737
Change-Id: Ib6a308177b7ce6c55fb45af9809e0efc5c48a079
(cherry picked from commit a21a521ae9c1fbd099f0fd84df8776a0c1c020f8)
(cherry picked from commit 6d6ea3f68307b3bf41bf22bfcbc0f1290a56c14b)
diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java
index 68a7cfa..6c03fa1 100644
--- a/src/com/android/keychain/KeyChainService.java
+++ b/src/com/android/keychain/KeyChainService.java
@@ -357,39 +357,51 @@
         @Override public String installCaCertificate(byte[] caCertificate) {
             checkCertInstallerOrSystemCaller();
             final String alias;
-            String subjectForAudit = null;
+            String subject = null;
+            final boolean isSecurityLoggingEnabled = mInjector.isSecurityLoggingEnabled();
             try {
                 final X509Certificate cert = parseCertificate(caCertificate);
-                final boolean isSecurityLoggingEnabled = mInjector.isSecurityLoggingEnabled();
+
                 final boolean isDebugLoggable = Log.isLoggable(TAG, Log.DEBUG);
-                if (isSecurityLoggingEnabled || isDebugLoggable) {
-                    final String subject =
-                            cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
-                    if (isDebugLoggable) {
-                        Log.d(TAG, String.format("Installing CA certificate: %s", subject));
-                    }
-                    if (isSecurityLoggingEnabled) {
-                        subjectForAudit = subject;
-                    }
+                subject = cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
+                if (isDebugLoggable) {
+                    Log.d(TAG, String.format("Installing CA certificate: %s", subject));
                 }
+
                 synchronized (mTrustedCertificateStore) {
                     mTrustedCertificateStore.installCertificate(cert);
                     alias = mTrustedCertificateStore.getCertificateAlias(cert);
                 }
             } catch (IOException | CertificateException e) {
                 Log.w(TAG, "Failed installing CA certificate", e);
-                if (subjectForAudit != null) {
+                if (isSecurityLoggingEnabled && subject != null) {
                     mInjector.writeSecurityEvent(
-                            TAG_CERT_AUTHORITY_INSTALLED, 0 /*result*/, subjectForAudit,
+                            TAG_CERT_AUTHORITY_INSTALLED, 0 /*result*/, subject,
                             UserHandle.myUserId());
                 }
                 throw new IllegalStateException(e);
             }
-            if (subjectForAudit != null) {
+            if (isSecurityLoggingEnabled && subject != null) {
                 mInjector.writeSecurityEvent(
-                        TAG_CERT_AUTHORITY_INSTALLED, 1 /*result*/, subjectForAudit,
+                        TAG_CERT_AUTHORITY_INSTALLED, 1 /*result*/, subject,
                         UserHandle.myUserId());
             }
+
+            // If the caller is the cert installer, install the CA certificate into KeyStore.
+            // This is a temporary solution to enable CA certificates to be used as VPN trust
+            // anchors. Ultimately, the user should explicitly choose to install the VPN trust
+            // anchor separately and independently of CA certificates, at which point this code
+            // should be removed.
+            if (CERT_INSTALLER_PACKAGE.equals(callingPackage())) {
+                final boolean result = mKeyStore.put(
+                        String.format("%s%s %s", Credentials.CA_CERTIFICATE, subject, alias),
+                        caCertificate, Process.SYSTEM_UID,
+                        KeyStore.FLAG_NONE);
+                Log.d(TAG, String.format(
+                        "Attempted installing %s (subject: %s) to KeyStore. Result: %b", alias,
+                        subject, result));
+            }
+
             broadcastLegacyStorageChange();
             broadcastTrustStoreChange();
             return alias;