
Commit 628d1808 authored by Thiébaud Weksteen's avatar Thiébaud Weksteen Committed by Automerger Merge Worker

Merge changes I1d74c8c6,I98438575 into main am: 573e81d7

parents 1731b621 573e81d7
+55 −51
@@ -16,37 +16,39 @@

package com.android.server;

import android.content.Context;
import android.content.ContentResolver;
import android.content.Context;
import android.database.ContentObserver;
import android.os.Binder;
import android.os.FileUtils;
import android.provider.Settings;
import android.util.Slog;

import libcore.io.IoUtils;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

import libcore.io.IoUtils;

/**
 * <p>CertBlacklister provides a simple mechanism for updating the platform denylists for SSL
 * <p>CertBlocklister provides a simple mechanism for updating the platform denylists for SSL
 * certificate public keys and serial numbers.
 */
public class CertBlacklister extends Binder {
public class CertBlocklister extends Binder {

    private static final String TAG = "CertBlacklister";
    private static final String TAG = "CertBlocklister";

    private static final String DENYLIST_ROOT = System.getenv("ANDROID_DATA") + "/misc/keychain/";

    /* For compatibility reasons, the name of these paths cannot be changed */
    public static final String PUBKEY_PATH = DENYLIST_ROOT + "pubkey_blacklist.txt";
    public static final String SERIAL_PATH = DENYLIST_ROOT + "serial_blacklist.txt";

    public static final String PUBKEY_BLACKLIST_KEY = "pubkey_blacklist";
    public static final String SERIAL_BLACKLIST_KEY = "serial_blacklist";
    /* For compatibility reasons, the name of these keys cannot be changed */
    public static final String PUBKEY_BLOCKLIST_KEY = "pubkey_blacklist";
    public static final String SERIAL_BLOCKLIST_KEY = "serial_blacklist";

    private static class BlacklistObserver extends ContentObserver {
    private static class BlocklistObserver extends ContentObserver {

        private final String mKey;
        private final String mName;
@@ -54,7 +56,7 @@ public class CertBlacklister extends Binder {
        private final File mTmpDir;
        private final ContentResolver mContentResolver;

        public BlacklistObserver(String key, String name, String path, ContentResolver cr) {
        BlocklistObserver(String key, String name, String path, ContentResolver cr) {
            super(null);
            mKey = key;
            mName = name;
@@ -66,59 +68,61 @@ public class CertBlacklister extends Binder {
        @Override
        public void onChange(boolean selfChange) {
            super.onChange(selfChange);
            new Thread("BlocklistUpdater") {
                public void run() {
                    writeDenylist();
                }
            }.start();
        }

        public String getValue() {
            return Settings.Secure.getString(mContentResolver, mKey);
            return Settings.Secure.getStringForUser(
                mContentResolver, mKey, mContentResolver.getUserId());
        }

        private void writeDenylist() {
            new Thread("BlacklistUpdater") {
                public void run() {
            synchronized (mTmpDir) {
                        String blacklist = getValue();
                        if (blacklist != null) {
                            Slog.i(TAG, "Certificate blacklist changed, updating...");
                String blocklist = getValue();
                if (blocklist == null) {
                    return;
                }
                if (mPath.equals(SERIAL_PATH)) {
                    Slog.w(TAG, "The certificate blocklist based on serials is deprecated. "
                            + "Please use the pubkey blocklist instead.");
                }
                Slog.i(TAG, "Certificate blocklist changed, updating...");
                FileOutputStream out = null;
                try {
                                // create a temporary file
                    // Create a temporary file and rename it atomically.
                    File tmp = File.createTempFile("journal", "", mTmpDir);
                                // mark it -rw-r--r--
                                tmp.setReadable(true, false);
                                // write to it
                    tmp.setReadable(true /* readable */, false /* ownerOnly */);
                    out = new FileOutputStream(tmp);
                                out.write(blacklist.getBytes());
                                // sync to disk
                    out.write(blocklist.getBytes());
                    FileUtils.sync(out);
                                // atomic rename
                    tmp.renameTo(new File(mPath));
                                Slog.i(TAG, "Certificate blacklist updated");
                    Slog.i(TAG, "Certificate blocklist updated");
                } catch (IOException e) {
                                Slog.e(TAG, "Failed to write blacklist", e);
                    Slog.e(TAG, "Failed to write blocklist", e);
                } finally {
                    IoUtils.closeQuietly(out);
                }
            }
        }
    }
            }.start();
        }
    }

    public CertBlacklister(Context context) {
    public CertBlocklister(Context context) {
        registerObservers(context.getContentResolver());
    }

    private BlacklistObserver buildPubkeyObserver(ContentResolver cr) {
        return new BlacklistObserver(PUBKEY_BLACKLIST_KEY,
    private BlocklistObserver buildPubkeyObserver(ContentResolver cr) {
        return new BlocklistObserver(PUBKEY_BLOCKLIST_KEY,
                    "pubkey",
                    PUBKEY_PATH,
                    cr);
    }

    private BlacklistObserver buildSerialObserver(ContentResolver cr) {
        return new BlacklistObserver(SERIAL_BLACKLIST_KEY,
    private BlocklistObserver buildSerialObserver(ContentResolver cr) {
        return new BlocklistObserver(SERIAL_BLOCKLIST_KEY,
                    "serial",
                    SERIAL_PATH,
                    cr);
@@ -127,14 +131,14 @@ public class CertBlacklister extends Binder {
    private void registerObservers(ContentResolver cr) {
        // set up the public key denylist observer
        cr.registerContentObserver(
            Settings.Secure.getUriFor(PUBKEY_BLACKLIST_KEY),
                Settings.Secure.getUriFor(PUBKEY_BLOCKLIST_KEY),
                true,
                buildPubkeyObserver(cr)
        );

        // set up the serial number denylist observer
        cr.registerContentObserver(
            Settings.Secure.getUriFor(SERIAL_BLACKLIST_KEY),
                Settings.Secure.getUriFor(SERIAL_BLOCKLIST_KEY),
                true,
                buildSerialObserver(cr)
        );
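Review bot: In writeDenylist (third hunk, `@@ -66,59 +68,61 @@`) the boolean from `tmp.renameTo(new File(mPath))` is discarded, so a failed rename leaves the previous blocklist file in place and the temp file in mTmpDir while the log still prints "Certificate blocklist updated", which hides exactly the case an operator would need to see. Checking it before the success log, `if (!tmp.renameTo(new File(mPath))) { Slog.e(TAG, "Failed to move blocklist into place"); return; }`, closes that gap and the finally block still closes the stream. The same method writes `blocklist.getBytes()` with the platform default charset; `blocklist.getBytes(StandardCharsets.UTF_8)` (plus the java.nio.charset import) pins the encoding that readers of PUBKEY_PATH and SERIAL_PATH have to assume. The result of `tmp.setReadable(true, false)` is dropped the same way; that is presumably acceptable since the file is intended to be world-readable, but a `Slog.w` on false would make a permission failure visible rather than silent.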
+3 −3
@@ -2435,11 +2435,11 @@ public final class SystemServer implements Dumpable {
                t.traceEnd();
            }

            t.traceBegin("CertBlacklister");
            t.traceBegin("CertBlocklister");
            try {
                CertBlacklister blacklister = new CertBlacklister(context);
                CertBlocklister blocklister = new CertBlocklister(context);
            } catch (Throwable e) {
                reportWtf("starting CertBlacklister", e);
                reportWtf("starting CertBlocklister", e);
            }
            t.traceEnd();