
Commit 3bc8a077 authored by Eghosa Ewansiha-Vlachavas's avatar Eghosa Ewansiha-Vlachavas

Handle exception thrown by KCS.setGrant()

KeyChainService.setGrant() now throws an IllegalArgumentException if
the alias passed to it does not have an existing key. So
DPMS.setKeyGrantForApp() and DPMS.setKeyGrantToWifiAuth() will also now
throw IllegalArgumentExceptions in the scenario described above. As this
will propagate up to the DPM APIs that call these functions, we will
have to gate this new behavior on the DPC's target SDK level.

So if the DPC targets U+ : throw exception
else : return false

Fixes: 175101461
Test: n/a
Topic: make-GrantKeyPairToApp-And-grantKeyPairToWifiAuth-Throw-Exception
Change-Id: I995227b633e2fd60dad096e35f92cb539a9389d4
parent 39f9fc43
+12 −0
@@ -7394,6 +7394,9 @@ public class DevicePolicyManager {
     * The grantee app will receive the {@link android.security.KeyChain#ACTION_KEY_ACCESS_CHANGED}
     * broadcast when access to a key is granted.
     *
     * Starting from {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE} throws an
     * {@link IllegalArgumentException} if {@code alias} doesn't correspond to an existing key.
     *
     * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
     *        {@code null} if calling from a delegated certificate chooser.
     * @param alias The alias of the key to grant access to.
@@ -7460,6 +7463,9 @@ public class DevicePolicyManager {
     * The grantee app will receive the {@link android.security.KeyChain#ACTION_KEY_ACCESS_CHANGED}
     * broadcast when access to a key is revoked.
     *
     * Starting from {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE} throws an
     * {@link IllegalArgumentException} if {@code alias} doesn't correspond to an existing key.
     *
     * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
     *        {@code null} if calling from a delegated certificate chooser.
     * @param alias The alias of the key to revoke access from.
@@ -7490,6 +7496,9 @@ public class DevicePolicyManager {
     * pair for authentication to Wifi networks. The key can then be used in configurations passed
     * to {@link android.net.wifi.WifiManager#addNetwork}.
     *
     * Starting from {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE} throws an
     * {@link IllegalArgumentException} if {@code alias} doesn't correspond to an existing key.
     *
     * @param alias The alias of the key pair.
     * @return {@code true} if the operation was set successfully, {@code false} otherwise.
     *
@@ -7513,6 +7522,9 @@ public class DevicePolicyManager {
     * pair for authentication to Wifi networks. Configured networks using this key won't be able to
     * authenticate.
     *
     * Starting from {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE} throws an
     * {@link IllegalArgumentException} if {@code alias} doesn't correspond to an existing key.
     *
     * @param alias The alias of the key pair.
     * @return {@code true} if the operation was set successfully, {@code false} otherwise.
     *
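Review bot: The four added Javadoc paragraphs say the exception starts "from UPSIDE_DOWN_CAKE", which reads as a platform-version condition, while the service side of this commit gates it with `@EnabledSince(targetSdkVersion = Build.VERSION_CODES.UPSIDE_DOWN_CAKE)`, i.e. on the calling admin app's target SDK. A DPC that targets an older SDK would presumably still get `false` on a U device, so the text should say so, for example `* For apps targeting {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE} and above, throws an`. The same wording is repeated in the hunks at 7460, 7490 and 7513, and each method would also benefit from a matching `@throws IllegalArgumentException if {@code alias} has no existing key (apps targeting U and above)` tag so the contract shows up in the generated reference. The method signatures are outside the hunks, so this is based on the comment text alone.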
+28 −4
@@ -671,6 +671,15 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
    @EnabledSince(targetSdkVersion = Build.VERSION_CODES.S)
    private static final long PREVENT_SETTING_PASSWORD_QUALITY_ON_PARENT = 165573442L;
    /**
     * For Admin Apps targeting U+
     * If {@link android.security.IKeyChainService#setGrant} is called with an alias with no
     * existing key, throw IllegalArgumentException.
     */
    @ChangeId
    @EnabledSince(targetSdkVersion = Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
    private static final long THROW_EXCEPTION_WHEN_KEY_MISSING = 175101461L;
    private static final String CREDENTIAL_MANAGEMENT_APP_INVALID_ALIAS_MSG =
            "The alias provided must be contained in the aliases specified in the credential "
                    + "management app's authentication policy";
@@ -5654,8 +5663,16 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity(callerPackage);
        Preconditions.checkCallAuthorization(canChooseCertificates(caller));
        return setKeyChainGrantInternal(alias, hasGrant, Process.WIFI_UID, caller.getUserHandle());
        try {
            return setKeyChainGrantInternal(
                    alias, hasGrant, Process.WIFI_UID, caller.getUserHandle());
        } catch (IllegalArgumentException e) {
            if (mInjector.isChangeEnabled(THROW_EXCEPTION_WHEN_KEY_MISSING, caller.getPackageName(),
                    caller.getUserId())) {
                throw e;
            }
            return false;
        }
    }
    @Override
@@ -5705,8 +5722,15 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        } catch (RemoteException e) {
            throw new IllegalStateException("Failure getting grantee uid", e);
        }
        try {
            return setKeyChainGrantInternal(alias, hasGrant, granteeUid, caller.getUserHandle());
        } catch (IllegalArgumentException e) {
            if (mInjector.isChangeEnabled(THROW_EXCEPTION_WHEN_KEY_MISSING, packageName,
                    caller.getUserId())) {
                throw e;
            }
            return false;
        }
    }
    private boolean setKeyChainGrantInternal(String alias, boolean hasGrant, int granteeUid,
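Review bot: The compat check in the last hunk is evaluated against `packageName`, while the Wi-Fi variant at 5654 uses `caller.getPackageName()`; the context line "Failure getting grantee uid" suggests `packageName` is the app receiving the grant, not the admin. If so, whether a missing key throws or returns `false` would depend on the grantee's target SDK rather than the DPC's, which contradicts the commit description and the `THROW_EXCEPTION_WHEN_KEY_MISSING` comment ("For Admin Apps targeting U+"). I would change the condition to `if (mInjector.isChangeEnabled(THROW_EXCEPTION_WHEN_KEY_MISSING, caller.getPackageName(), caller.getUserId())) {`. Both catch blocks also turn every IllegalArgumentException from setKeyChainGrantInternal into a silent `false` for older DPCs, so a warning log naming the alias before `return false;` would keep failed grant changes visible to whoever audits the device. The enclosing methods start outside the hunks, so the meaning of `packageName` should be confirmed against the signature.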