Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 808f6ef2 authored by Esteban Talavera's avatar Esteban Talavera
Browse files

Pass ComponentName to probing certificate methods 

Pass ComponentName and check whether that admin is a profile owner on DPM
get/has certificate methods (requested on the API review).

As per Change I55eec17e01489ab323f8a0e68b11592605a7b740, not keeping track of
which admins installed which certificates for now:

"Having per-admin CA certificates would be a fair bit of work. The only MDMs
we're opening this up to for now are Device and Profile Owners which 100%
manage the profile so will be the only admin.
It seems like if we keep track of "who installed which certs" it'll be a little
pointless because the answer will always be "the ProfileOwner" for every single
one."

Bug: 17005622
Change-Id: I45e9dac5236ab4ed235a341c208ac3cb6aba17da
parent ef56dad5

api/current.txt

+2 −2
Original line number Diff line number Diff line
@@ -5435,7 +5435,7 @@ package android.app.admin { 
    method public boolean getCrossProfileCallerIdDisabled(android.content.ComponentName);

    method public java.util.List<java.lang.String> getCrossProfileWidgetProviders(android.content.ComponentName);

    method public int getCurrentFailedPasswordAttempts();

    method public java.util.List<byte[]> getInstalledCaCerts();

    method public java.util.List<byte[]> getInstalledCaCerts(android.content.ComponentName);

    method public int getKeyguardDisabledFeatures(android.content.ComponentName);

    method public int getMaximumFailedPasswordsForWipe(android.content.ComponentName);

    method public long getMaximumTimeToLock(android.content.ComponentName);
@@ -5456,7 +5456,7 @@ package android.app.admin { 
    method public boolean getScreenCaptureDisabled(android.content.ComponentName);

    method public boolean getStorageEncryption(android.content.ComponentName);

    method public int getStorageEncryptionStatus();

    method public boolean hasCaCertInstalled(byte[]);

    method public boolean hasCaCertInstalled(android.content.ComponentName, byte[]);

    method public boolean hasGrantedPolicy(android.content.ComponentName, int);

    method public boolean installCaCert(android.content.ComponentName, byte[]);

    method public boolean isActivePasswordSufficient();

core/java/android/app/admin/DevicePolicyManager.java

+25 −11
Original line number Diff line number Diff line
@@ -1773,11 +1773,15 @@ public class DevicePolicyManager { 
     * If a user has installed any certificates by other means than device policy these will be

     * included too.

     *

     * @param admin Which {@link DeviceAdminReceiver} this request is associated with.

     * @return a List of byte[] arrays, each encoding one user CA certificate.

     */

    public List<byte[]> getInstalledCaCerts() {

        final TrustedCertificateStore certStore = new TrustedCertificateStore();

    public List<byte[]> getInstalledCaCerts(ComponentName admin) {

        List<byte[]> certs = new ArrayList<byte[]>();

        if (mService != null) {

            try {

                mService.enforceCanManageCaCerts(admin);

                final TrustedCertificateStore certStore = new TrustedCertificateStore();

                for (String alias : certStore.userAliases()) {

                    try {

                        certs.add(certStore.getCertificate(alias).getEncoded());
@@ -1785,6 +1789,10 @@ public class DevicePolicyManager { 
                        Log.w(TAG, "Could not encode certificate: " + alias, ce);

                    }

                }

            } catch (RemoteException re) {

                Log.w(TAG, "Failed talking with device policy service", re);

            }

        }

        return certs;

    }
@@ -1809,14 +1817,20 @@ public class DevicePolicyManager { 
    /**

     * Returns whether this certificate is installed as a trusted CA.

     *

     * @param admin Which {@link DeviceAdminReceiver} this request is associated with.

     * @param certBuffer encoded form of the certificate to look up.

     */

    public boolean hasCaCertInstalled(byte[] certBuffer) {

    public boolean hasCaCertInstalled(ComponentName admin, byte[] certBuffer) {

        if (mService != null) {

            try {

                mService.enforceCanManageCaCerts(admin);

                return getCaCertAlias(certBuffer) != null;

            } catch (RemoteException re) {

                Log.w(TAG, "Failed talking with device policy service", re);

            } catch (CertificateException ce) {

                Log.w(TAG, "Could not parse certificate", ce);

            }

        }

        return false;

    }

core/java/android/app/admin/IDevicePolicyManager.aidl

+1 −0
Original line number Diff line number Diff line
@@ -124,6 +124,7 @@ interface IDevicePolicyManager { 


    boolean installCaCert(in ComponentName admin, in byte[] certBuffer);

    void uninstallCaCert(in ComponentName admin, in String alias);

    void enforceCanManageCaCerts(in ComponentName admin);



    void addPersistentPreferredActivity(in ComponentName admin, in IntentFilter filter, in ComponentName activity);

    void clearPackagePersistentPreferredActivities(in ComponentName admin, String packageName);

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+11 −13
Original line number Diff line number Diff line
@@ -40,7 +40,6 @@ import android.content.Intent; 
import android.content.IntentFilter;

import android.content.pm.ApplicationInfo;

import android.content.pm.IPackageManager;

import android.content.pm.PackageInfo;

import android.content.pm.PackageManager;

import android.content.pm.PackageManager.NameNotFoundException;

import android.content.pm.ResolveInfo;
@@ -70,7 +69,6 @@ import android.os.UserHandle; 
import android.os.UserManager;

import android.provider.Settings;

import android.security.Credentials;

import android.security.IKeyChainService;

import android.security.KeyChain;

import android.security.KeyChain.KeyChainConnection;

import android.util.Log;
@@ -2749,7 +2747,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
        return !"".equals(state);

    }



    public boolean installCaCert(ComponentName who, byte[] certBuffer) throws RemoteException {

    @Override

    public void enforceCanManageCaCerts(ComponentName who) {

        if (who == null) {

            mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null);

        } else {
@@ -2757,6 +2756,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
                getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);

            }

        }

    }



    @Override

    public boolean installCaCert(ComponentName admin, byte[] certBuffer) throws RemoteException {

        enforceCanManageCaCerts(admin);



        byte[] pemCert;

        try {
@@ -2791,21 +2795,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
        return false;

    }



    private static X509Certificate parseCert(byte[] certBuffer)

            throws CertificateException, IOException {

    private static X509Certificate parseCert(byte[] certBuffer) throws CertificateException {

        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");

        return (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(

                certBuffer));

    }



    public void uninstallCaCert(ComponentName who, String alias) {

        if (who == null) {

            mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null);

        } else {

            synchronized (this) {

                getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);

            }

        }

    @Override

    public void uninstallCaCert(ComponentName admin, String alias) {

        enforceCanManageCaCerts(admin);



        final UserHandle userHandle = new UserHandle(UserHandle.getCallingUserId());

        final long id = Binder.clearCallingIdentity();