
Commit 0b8c82e6 authored by Bo Zhu's avatar Bo Zhu

Throw an exception if the given root alias is unknown

Bug: 76433465
Test: runtest frameworks-services -p
com.android.server.locksettings.recoverablekeystore

Change-Id: I3a213ab0cd3b0e9c002bc44d4ce929977e119e81
parent 03061a79
+1 −1
@@ -40,7 +40,7 @@ public final class TrustedRootCertificates {
    /**
     * Certificate used for client-side end-to-end encryption tests.
     * When recovery controller is initialized with the certificate, recovery snapshots will only
     * contain application keys started with {@link INSECURE_KEY_ALIAS}.
     * contain application keys started with {@link #INSECURE_KEY_ALIAS_PREFIX}.
     * Recovery snapshot will only be created if device is unlocked with password started with
     * {@link #INSECURE_PASSWORD_PREFIX}.
     *
+3 −5
@@ -19,12 +19,10 @@ package com.android.server.locksettings.recoverablekeystore;
import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN;

import android.annotation.Nullable;
import android.annotation.NonNull;
import android.content.Context;
import android.security.keystore.recovery.KeyChainProtectionParams;
import android.security.keystore.recovery.KeyChainSnapshot;
import android.security.keystore.recovery.KeyDerivationParams;
import android.security.keystore.recovery.TrustedRootCertificates;
import android.security.keystore.recovery.WrappedApplicationKey;
import android.util.Log;

@@ -218,10 +216,10 @@ public class KeySyncTask implements Runnable {
            return;
        }

        if (mTestOnlyInsecureCertificateHelper.isTestOnlyCertificate(rootCertAlias)) {
        if (mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(rootCertAlias)) {
            Log.w(TAG, "Insecure root certificate is used by recovery agent "
                    + recoveryAgentUid);
            if (mTestOnlyInsecureCertificateHelper.doesCredentailSupportInsecureMode(
            if (mTestOnlyInsecureCertificateHelper.doesCredentialSupportInsecureMode(
                    mCredentialType, mCredential)) {
                Log.w(TAG, "Whitelisted credential is used to generate snapshot by "
                        + "recovery agent "+ recoveryAgentUid);
@@ -252,7 +250,7 @@ public class KeySyncTask implements Runnable {
        }

        // Only include insecure key material for test
        if (mTestOnlyInsecureCertificateHelper.isTestOnlyCertificate(rootCertAlias)) {
        if (mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(rootCertAlias)) {
            rawKeys = mTestOnlyInsecureCertificateHelper.keepOnlyWhitelistedInsecureKeys(rawKeys);
        }
        SecretKey recoveryKey;
+5 −1
@@ -174,9 +174,13 @@ public class RecoverableKeyStoreManager {
        checkRecoverKeyStorePermission();
        int userId = UserHandle.getCallingUserId();
        int uid = Binder.getCallingUid();

        rootCertificateAlias
                = mTestCertHelper.getDefaultCertificateAliasIfEmpty(rootCertificateAlias);

        if (!mTestCertHelper.isValidRootCertificateAlias(rootCertificateAlias)) {
            throw new ServiceSpecificException(
                    ERROR_INVALID_CERTIFICATE, "Invalid root certificate alias");
        }
        // Always set active alias to the argument of the last call to initRecoveryService method,
        // even if cert file is incorrect.
        String activeRootAlias = mDatabase.getActiveRootOfTrust(userId, uid);
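Review bot: The rejection in the new `if (!mTestCertHelper.isValidRootCertificateAlias(...))` block drops the offending value from the error, which makes a misconfigured recovery agent hard to diagnose; the alias is caller-supplied and the ServiceSpecificException goes back to that same caller, so echoing it is safe: `ERROR_INVALID_CERTIFICATE, "Invalid root certificate alias: " + rootCertificateAlias`. The method's Javadoc starts outside the hunk and should gain `@throws ServiceSpecificException` with code ERROR_INVALID_CERTIFICATE for an alias that is neither a shipped root nor the test-only insecure alias, and it should state that the test-only alias deliberately passes this check, so a caller holding the recover-keystore permission can still move the user into insecure mode. The ordering is right: the check runs before `getActiveRootOfTrust` and the subsequent persist, so an unknown alias never becomes the active root of trust. No test of the rejection path is visible on this page (the only test changes shown are renames); if RecoverableKeyStoreManagerTest is not touched further down, add one that expects ERROR_INVALID_CERTIFICATE for an unknown alias.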
+8 −3
@@ -51,7 +51,7 @@ public class TestOnlyInsecureCertificateHelper {
    public @NonNull X509Certificate
            getRootCertificate(String rootCertificateAlias) throws RemoteException {
        rootCertificateAlias = getDefaultCertificateAliasIfEmpty(rootCertificateAlias);
        if (isTestOnlyCertificate(rootCertificateAlias)) {
        if (isTestOnlyCertificateAlias(rootCertificateAlias)) {
            return TrustedRootCertificates.getTestOnlyInsecureCertificate();
        }

@@ -74,12 +74,17 @@ public class TestOnlyInsecureCertificateHelper {
        return rootCertificateAlias;
    }

    public boolean isTestOnlyCertificate(String rootCertificateAlias) {
    public boolean isTestOnlyCertificateAlias(String rootCertificateAlias) {
        return TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS
                .equals(rootCertificateAlias);
    }

    public boolean doesCredentailSupportInsecureMode(int credentialType, String credential) {
    public boolean isValidRootCertificateAlias(String rootCertificateAlias) {
        return TrustedRootCertificates.getRootCertificates().containsKey(rootCertificateAlias)
                || isTestOnlyCertificateAlias(rootCertificateAlias);
    }

    public boolean doesCredentialSupportInsecureMode(int credentialType, String credential) {
        return (credentialType == LockPatternUtils.CREDENTIAL_TYPE_PASSWORD)
            && (credential != null)
            && credential.startsWith(TrustedRootCertificates.INSECURE_PASSWORD_PREFIX);
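Review bot: The new public `isValidRootCertificateAlias` carries no Javadoc, and its null contract matters because it now gates initRecoveryService: `TEST_ONLY_INSECURE_CERTIFICATE_ALIAS.equals(null)` is false and `containsKey(null)` depends on whatever map type `getRootCertificates()` returns, so a null or empty alias appears to be rejected here rather than mapped to the default, and callers must run `getDefaultCertificateAliasIfEmpty` first as RecoverableKeyStoreManager does. State that precondition on the method: `/** Returns whether the alias names a shipped root certificate or the test-only insecure certificate. Callers must normalize a null or empty alias with {@link #getDefaultCertificateAliasIfEmpty} first. */`. It is also worth a one-line comment that this validator, although it lives in TestOnlyInsecureCertificateHelper, is the single entry point for accepting production aliases, so a future change that drops the test-only branch does not silently break production callers.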
+8 −8
@@ -301,8 +301,8 @@ public class KeySyncTaskTest {
                TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1);

        // Enter test mode with whitelisted credentials
        when(mTestOnlyInsecureCertificateHelper.isTestOnlyCertificate(any())).thenReturn(true);
        when(mTestOnlyInsecureCertificateHelper.doesCredentailSupportInsecureMode(anyInt(), any()))
        when(mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(any())).thenReturn(true);
        when(mTestOnlyInsecureCertificateHelper.doesCredentialSupportInsecureMode(anyInt(), any()))
                .thenReturn(true);
        mKeySyncTask.run();

@@ -311,7 +311,7 @@ public class KeySyncTaskTest {

        // run whitelist checks
        verify(mTestOnlyInsecureCertificateHelper)
                .doesCredentailSupportInsecureMode(anyInt(), any());
                .doesCredentialSupportInsecureMode(anyInt(), any());
        verify(mTestOnlyInsecureCertificateHelper)
                .keepOnlyWhitelistedInsecureKeys(any());

@@ -331,8 +331,8 @@ public class KeySyncTaskTest {
                TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1);

        // Enter test mode with non whitelisted credentials
        when(mTestOnlyInsecureCertificateHelper.isTestOnlyCertificate(any())).thenReturn(true);
        when(mTestOnlyInsecureCertificateHelper.doesCredentailSupportInsecureMode(anyInt(), any()))
        when(mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(any())).thenReturn(true);
        when(mTestOnlyInsecureCertificateHelper.doesCredentialSupportInsecureMode(anyInt(), any()))
                .thenReturn(false);
        mKeySyncTask.run();

@@ -340,7 +340,7 @@ public class KeySyncTaskTest {
        verify(mTestOnlyInsecureCertificateHelper)
                .getDefaultCertificateAliasIfEmpty(eq(TEST_ROOT_CERT_ALIAS));
        verify(mTestOnlyInsecureCertificateHelper)
                .doesCredentailSupportInsecureMode(anyInt(), any());
                .doesCredentialSupportInsecureMode(anyInt(), any());
    }

    @Test
@@ -358,11 +358,11 @@ public class KeySyncTaskTest {
        verify(mTestOnlyInsecureCertificateHelper)
                .getDefaultCertificateAliasIfEmpty(eq(TEST_ROOT_CERT_ALIAS));
        verify(mTestOnlyInsecureCertificateHelper, atLeast(1))
                .isTestOnlyCertificate(eq(TEST_ROOT_CERT_ALIAS));
                .isTestOnlyCertificateAlias(eq(TEST_ROOT_CERT_ALIAS));

        // no whitelists check
        verify(mTestOnlyInsecureCertificateHelper, never())
                .doesCredentailSupportInsecureMode(anyInt(), any());
                .doesCredentialSupportInsecureMode(anyInt(), any());
        verify(mTestOnlyInsecureCertificateHelper, never())
                .keepOnlyWhitelistedInsecureKeys(any());
    }