
Commit 20fe1f6f authored by Victor Hsieh's avatar Victor Hsieh

New API for query trust of a fs-verity certificate

The corresponding service is also added.

The API can be used by a store to know whether its certificate is
trusted on the device. As an optimization, it then only needs to download
the .fsv_sig signature file if it will be used.

The API can also be used to gradually switch to a stronger key. The store
can query with its certificates in priority order and download the best
signature.

Test: Passed new GTS working in progress
Bug: 142573505
Change-Id: Ic788cd04aeaed35ad62113fe9e7535b8fa63b5ee
parent 18e52123
+6 −0
@@ -9971,6 +9971,7 @@ package android.content {
    field public static final String DOWNLOAD_SERVICE = "download";
    field public static final String DROPBOX_SERVICE = "dropbox";
    field public static final String EUICC_SERVICE = "euicc";
    field public static final String FILE_INTEGRITY_SERVICE = "file_integrity";
    field public static final String FINGERPRINT_SERVICE = "fingerprint";
    field public static final String HARDWARE_PROPERTIES_SERVICE = "hardware_properties";
    field public static final String INPUT_METHOD_SERVICE = "input_method";
@@ -41157,6 +41158,11 @@ package android.security {
    method public android.security.ConfirmationPrompt.Builder setPromptText(CharSequence);
  }
  public final class FileIntegrityManager {
    method public boolean isApkVeritySupported();
    method @RequiresPermission(anyOf={android.Manifest.permission.INSTALL_PACKAGES, android.Manifest.permission.REQUEST_INSTALL_PACKAGES}) public boolean isAppSourceCertificateTrusted(@NonNull java.security.cert.X509Certificate) throws java.security.cert.CertificateEncodingException;
  }
  public final class KeyChain {
    ctor public KeyChain();
    method public static void choosePrivateKeyAlias(@NonNull android.app.Activity, @NonNull android.security.KeyChainAliasCallback, @Nullable String[], @Nullable java.security.Principal[], @Nullable String, int, @Nullable String);
+14 −0
@@ -159,6 +159,8 @@ import android.permission.PermissionControllerManager;
import android.permission.PermissionManager;
import android.print.IPrintManager;
import android.print.PrintManager;
import android.security.FileIntegrityManager;
import android.security.IFileIntegrityService;
import android.service.oemlock.IOemLockService;
import android.service.oemlock.OemLockManager;
import android.service.persistentdata.IPersistentDataBlockService;
@@ -1208,6 +1210,7 @@ public final class SystemServiceRegistry {
                        return new DynamicSystemManager(
                                IDynamicSystemService.Stub.asInterface(b));
                    }});

        registerService(Context.BATTERY_STATS_SERVICE, BatteryStatsManager.class,
                new CachedServiceFetcher<BatteryStatsManager>() {
                    @Override
@@ -1241,6 +1244,17 @@ public final class SystemServiceRegistry {
                        return new IncrementalManager(
                                IIncrementalManagerNative.Stub.asInterface(b));
                    }});

        registerService(Context.FILE_INTEGRITY_SERVICE, FileIntegrityManager.class,
                new CachedServiceFetcher<FileIntegrityManager>() {
                    @Override
                    public FileIntegrityManager createService(ContextImpl ctx)
                            throws ServiceNotFoundException {
                        IBinder b = ServiceManager.getServiceOrThrow(
                                Context.FILE_INTEGRITY_SERVICE);
                        return new FileIntegrityManager(
                                IFileIntegrityService.Stub.asInterface(b));
                    }});
        //CHECKSTYLE:ON IndentationCheck

        sInitializing = true;
+8 −0
@@ -5035,6 +5035,14 @@ public abstract class Context {
     */
    public static final String INCREMENTAL_SERVICE = "incremental_service";

    /**
     * Use with {@link #getSystemService(String)} to retrieve an
     * {@link android.security.FileIntegrityManager}.
     * @see #getSystemService(String)
     * @see android.security.FileIntegrityManager
     */
    public static final String FILE_INTEGRITY_SERVICE = "file_integrity";

    /**
     * Determine whether the given permission is allowed for a particular
     * process and user ID running in the system.
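--- /dev/null
+++ b/[path-not-on-page]/FileIntegrityManager.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security;
+
+import android.annotation.NonNull;
+import android.annotation.RequiresPermission;
+import android.annotation.SystemService;
+import android.content.Context;
+import android.os.RemoteException;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+/**
+ * This class provides access to file integrity related operations.
+ */
+@SystemService(Context.FILE_INTEGRITY_SERVICE)
+public final class FileIntegrityManager {
+    @NonNull private final IFileIntegrityService mService;
+
+    /** @hide */
+    public FileIntegrityManager(@NonNull IFileIntegrityService service) {
+        mService = service;
+    }
+
+    /**
+     * Returns true if APK Verity is supported on the device. When supported, an APK can be
+     * installed with a fs-verity signature (if verified with trusted App Source Certificate) for
+     * continuous on-access verification.
+     */
+    public boolean isApkVeritySupported() {
+        try {
+            // Go through the service just to avoid exposing the vendor controlled system property
+            // to all apps.
+            return mService.isApkVeritySupported();
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
+        }
+    }
+
+    /**
+     * Returns whether the given certificate can be used to prove app's install source. Always
+     * return false if the feature is not supported.
+     *
+     * <p>A store can use this API to decide if a signature file needs to be downloaded. Also, if a
+     * store has shipped different certificates before (e.g. with stronger and weaker key), it can
+     * also use this API to download the best signature on the running device.
+     *
+     * @return whether the certificate is trusted in the system
+     */
+    @RequiresPermission(anyOf = {
+            android.Manifest.permission.INSTALL_PACKAGES,
+            android.Manifest.permission.REQUEST_INSTALL_PACKAGES
+    })
+    public boolean isAppSourceCertificateTrusted(@NonNull X509Certificate certificate)
+            throws CertificateEncodingException {
+        try {
+            return mService.isAppSourceCertificateTrusted(certificate.getEncoded());
+        } catch (RemoteException e) {
+            throw e.rethrowFromSystemServer();
+        }
+    }
+}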
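Review bot: The Javadoc on isAppSourceCertificateTrusted documents only @return; the `@NonNull X509Certificate certificate` parameter, the declared `CertificateEncodingException`, and what a caller holding neither INSTALL_PACKAGES nor REQUEST_INSTALL_PACKAGES should expect are all undocumented. I would add `@param certificate the certificate to check; it is sent to the service in its encoded form` and `@throws CertificateEncodingException if the certificate cannot be encoded`, plus a sentence stating the permission requirement and its failure mode (presumably a SecurityException from the service, but the service implementation this commit adds is not on this page, so confirm before writing it). `@RequiresPermission` is a lint-time annotation on the client and enforces nothing at runtime, so the actual check has to live in the service side of the binder call. Separately, the constructor stores `service` without `Objects.requireNonNull(service, "service")`, so a null from the registry would surface as an NPE inside the first call rather than at construction.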
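--- /dev/null
+++ b/[path-not-on-page]/IFileIntegrityService.aidl
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security;
+
+/**
+ * Binder interface to communicate with FileIntegrityService.
+ * @hide
+ */
+interface IFileIntegrityService {
+    boolean isApkVeritySupported();
+    boolean isAppSourceCertificateTrusted(in byte[] certificateBytes);
+}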
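Review bot: The AIDL method isAppSourceCertificateTrusted takes `in byte[] certificateBytes` with no statement of the expected encoding; the only caller on this page passes `certificate.getEncoded()` from FileIntegrityManager, i.e. the DER form of an X509Certificate, so the interface should say so with a comment such as `/** @param certificateBytes DER-encoded X.509 certificate, as returned by X509Certificate#getEncoded() */`. These bytes cross the binder boundary from an application process, so the service implementation (not on this page) is where parsing has to be defensive and where the permission check belongs; a sentence on the interface doc noting that an unparseable input is expected to yield false, consistent with the manager's Javadoc returning false when the feature is unsupported, would give the implementer that contract.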