Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1c471f00 authored by Aseem Kumar's avatar Aseem Kumar Committed by android-build-merger
Browse files

Merge "Throw ServiceSpecificException if calling app tries to initialize... 

Merge "Throw ServiceSpecificException if calling app tries to initialize certificates with lower version. Earlier, the code just returned silently, giving no indication that updating certs failed." into pi-dev am: b2e6e45d
am: 0fb6af21

Change-Id: Ib0842188fd215bb9b428cf522e667fc16d7bf789
parents 2af9a8fd 0fb6af21

core/java/android/security/keystore/recovery/RecoveryController.java

+14 −0
Original line number Diff line number Diff line
@@ -250,6 +250,16 @@ public class RecoveryController { 
     */

    public static final int ERROR_INVALID_CERTIFICATE = 28;





    /**

     * Failed because the provided certificate contained serial version which is lower that the

     * version device is already initialized with. It is not possible to downgrade serial version of

     * the provided certificate.

     *

     * @hide

     */

    public static final int ERROR_DOWNGRADE_CERTIFICATE = 29;



    private final ILockSettings mBinder;

    private final KeyStore mKeyStore;
@@ -340,6 +350,10 @@ public class RecoveryController { 
                    || e.errorCode == ERROR_INVALID_CERTIFICATE) {

                throw new CertificateException("Invalid certificate for recovery service", e);

            }

            if (e.errorCode == ERROR_DOWNGRADE_CERTIFICATE) {

                throw new CertificateException(

                        "Downgrading certificate serial version isn't supported.", e);

            }

            throw wrapUnexpectedServiceSpecificException(e);

        }

    }

services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java

+3 −0
Original line number Diff line number Diff line
@@ -18,6 +18,7 @@ package com.android.server.locksettings.recoverablekeystore; 


import static android.security.keystore.recovery.RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT;

import static android.security.keystore.recovery.RecoveryController.ERROR_DECRYPTION_FAILED;

import static android.security.keystore.recovery.RecoveryController.ERROR_DOWNGRADE_CERTIFICATE;

import static android.security.keystore.recovery.RecoveryController.ERROR_INSECURE_USER;

import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_KEY_FORMAT;

import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE;
@@ -212,6 +213,8 @@ public class RecoverableKeyStoreManager { 
                Log.i(TAG, "The cert file serial number is the same, so skip updating.");

            } else {

                Log.e(TAG, "The cert file serial number is older than the one in database.");

                throw new ServiceSpecificException(ERROR_DOWNGRADE_CERTIFICATE,

                        "The cert file serial number is older than the one in database.");

            }

            return;

        }

services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java

+9 −7
Original line number Diff line number Diff line
@@ -19,6 +19,7 @@ package com.android.server.locksettings.recoverablekeystore; 
import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN;

import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PASSWORD;

import static android.security.keystore.recovery.RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT;

import static android.security.keystore.recovery.RecoveryController.ERROR_DOWNGRADE_CERTIFICATE;

import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE;



import static com.google.common.truth.Truth.assertThat;
@@ -409,19 +410,20 @@ public class RecoverableKeyStoreManagerTest { 
    }



    @Test

    public void initRecoveryService_ignoresSmallerSerial() throws Exception {

    public void initRecoveryService_throwsExceptionOnSmallerSerial() throws Exception {

        int uid = Binder.getCallingUid();

        int userId = UserHandle.getCallingUserId();

        long certSerial = 1000L;



        mRecoverableKeyStoreManager.initRecoveryService(ROOT_CERTIFICATE_ALIAS,

                TestData.getCertXmlWithSerial(certSerial));

        try {

            mRecoverableKeyStoreManager.initRecoveryService(ROOT_CERTIFICATE_ALIAS,

                    TestData.getCertXmlWithSerial(certSerial - 1));



        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertSerial(userId, uid,

                DEFAULT_ROOT_CERT_ALIAS)).isEqualTo(certSerial);

        assertThat(mRecoverableKeyStoreDb.getShouldCreateSnapshot(userId, uid)).isFalse();

            fail();

        } catch (ServiceSpecificException e) {

            assertThat(e.errorCode).isEqualTo(ERROR_DOWNGRADE_CERTIFICATE);

        }

    }



    @Test