Throw ServiceSpecificException if calling app tries to initialize

     */

    public static final int ERROR_INVALID_CERTIFICATE = 28;

    /**

     * Failed because the provided certificate contained serial version which is lower that the

     * version device is already initialized with. It is not possible to downgrade serial version of

     * the provided certificate.

     *

     * @hide

     */

    public static final int ERROR_DOWNGRADE_CERTIFICATE = 29;

    private final ILockSettings mBinder;

    private final KeyStore mKeyStore;

                    || e.errorCode == ERROR_INVALID_CERTIFICATE) {

                throw new CertificateException("Invalid certificate for recovery service", e);

            }

            if (e.errorCode == ERROR_DOWNGRADE_CERTIFICATE) {

                throw new CertificateException(

                        "Downgrading certificate serial version isn't supported.", e);

            }

            throw wrapUnexpectedServiceSpecificException(e);

        }

    }

import static android.security.keystore.recovery.RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT;

import static android.security.keystore.recovery.RecoveryController.ERROR_DECRYPTION_FAILED;

import static android.security.keystore.recovery.RecoveryController.ERROR_DOWNGRADE_CERTIFICATE;

import static android.security.keystore.recovery.RecoveryController.ERROR_INSECURE_USER;

import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_KEY_FORMAT;

import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE;

                Log.i(TAG, "The cert file serial number is the same, so skip updating.");

            } else {

                Log.e(TAG, "The cert file serial number is older than the one in database.");

                throw new ServiceSpecificException(ERROR_DOWNGRADE_CERTIFICATE,

                        "The cert file serial number is older than the one in database.");

            }

            return;

        }

import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN;

import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PASSWORD;

import static android.security.keystore.recovery.RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT;

import static android.security.keystore.recovery.RecoveryController.ERROR_DOWNGRADE_CERTIFICATE;

import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE;

import static com.google.common.truth.Truth.assertThat;

    }

    @Test

    public void initRecoveryService_ignoresSmallerSerial() throws Exception {

    public void initRecoveryService_throwsExceptionOnSmallerSerial() throws Exception {

        int uid = Binder.getCallingUid();

        int userId = UserHandle.getCallingUserId();

        long certSerial = 1000L;

        mRecoverableKeyStoreManager.initRecoveryService(ROOT_CERTIFICATE_ALIAS,

                TestData.getCertXmlWithSerial(certSerial));

        try {

            mRecoverableKeyStoreManager.initRecoveryService(ROOT_CERTIFICATE_ALIAS,

                    TestData.getCertXmlWithSerial(certSerial - 1));

        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertSerial(userId, uid,

                DEFAULT_ROOT_CERT_ALIAS)).isEqualTo(certSerial);

        assertThat(mRecoverableKeyStoreDb.getShouldCreateSnapshot(userId, uid)).isFalse();

            fail();

        } catch (ServiceSpecificException e) {

            assertThat(e.errorCode).isEqualTo(ERROR_DOWNGRADE_CERTIFICATE);

        }

    }

    @Test