
Commit 8b60ebc6 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review

Merge "Expose e.getMessage() from the exceptions in RecoverableKeyStore" into pi-dev

parents a6d6a5aa 41d2dd2f
+3 −3
@@ -43,7 +43,7 @@ import java.util.Map;
/**
 * Backs up cryptographic keys to remote secure hardware, encrypted with the user's lock screen.
 *
 * <p>A system app with the {@link android.Manifest#RECOVER_KEYSTORE} permission may generate or
 * <p>A system app with the {@code android.permission.RECOVER_KEYSTORE} permission may generate or
 * import recoverable keys using this class. To generate a key, the app must call
 * {@link #generateKey(String)} with the desired alias for the key. This returns an AndroidKeyStore
 * reference to a 256-bit {@link javax.crypto.SecretKey}, which can be used for AES/GCM/NoPadding.
@@ -292,7 +292,7 @@ public class RecoveryController {
        } catch (ServiceSpecificException e) {
            if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT
                    || e.errorCode == ERROR_INVALID_CERTIFICATE) {
                throw new CertificateException(e.getMessage());
                throw new CertificateException("Invalid certificate for recovery service", e);
            }
            throw wrapUnexpectedServiceSpecificException(e);
        }
@@ -338,7 +338,7 @@ public class RecoveryController {
        } catch (ServiceSpecificException e) {
            if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT
                    || e.errorCode == ERROR_INVALID_CERTIFICATE) {
                throw new CertificateException(e.getMessage());
                throw new CertificateException("Invalid certificate for recovery service", e);
            }
            throw wrapUnexpectedServiceSpecificException(e);
        }
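Review bot: The replacement `throw new CertificateException("Invalid certificate for recovery service", e);` uses one fixed message for both ERROR_BAD_CERTIFICATE_FORMAT and ERROR_INVALID_CERTIFICATE, so a caller that reads only the message cannot tell a parse failure from a validation failure. This reads the second line of each printed pair as the new side, since the page has lost its +/- markers. Keeping the cause is the right call, but the distinction now lives only in `errorCode` on that cause. Consider carrying it in the message, e.g. `throw new CertificateException("Invalid certificate for recovery service (error " + e.errorCode + ")", e);`, or stating in the method's `@throws CertificateException` Javadoc that the cause carries the error code. The three hunks in the RecoverySession section follow the same pattern, and the enclosing methods start outside the hunks.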
+3 −3
@@ -102,7 +102,7 @@ public class RecoverySession implements AutoCloseable {
        } catch (ServiceSpecificException e) {
            if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT
                    || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) {
                throw new CertificateException(e.getMessage());
                throw new CertificateException("Invalid certificate for recovery session", e);
            }
            throw mRecoveryController.wrapUnexpectedServiceSpecificException(e);
        }
@@ -137,7 +137,7 @@ public class RecoverySession implements AutoCloseable {
        } catch (ServiceSpecificException e) {
            if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT
                    || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) {
                throw new CertificateException(e.getMessage());
                throw new CertificateException("Invalid certificate for recovery session", e);
            }
            throw mRecoveryController.wrapUnexpectedServiceSpecificException(e);
        }
@@ -191,7 +191,7 @@ public class RecoverySession implements AutoCloseable {
        } catch (ServiceSpecificException e) {
            if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT
                    || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) {
                throw new CertificateException(e.getMessage());
                throw new CertificateException("Invalid certificate for recovery session", e);
            }
            throw mRecoveryController.wrapUnexpectedServiceSpecificException(e);
        }
+6 −12
@@ -227,8 +227,7 @@ public class RecoverableKeyStoreManager {
            certPath = certXml.getRandomEndpointCert(rootCert);
        } catch (CertValidationException e) {
            Log.e(TAG, "Invalid endpoint cert", e);
            throw new ServiceSpecificException(
                    ERROR_INVALID_CERTIFICATE, "Failed to validate certificate.");
            throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage());
        }

        boolean wasInitialized = mDatabase.getRecoveryServiceCertPath(userId, uid,
@@ -249,8 +248,7 @@ public class RecoverableKeyStoreManager {
            }
        } catch (CertificateEncodingException e) {
            Log.e(TAG, "Failed to encode CertPath", e);
            throw new ServiceSpecificException(
                    ERROR_BAD_CERTIFICATE_FORMAT, "Failed to encode CertPath.");
            throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());
        }
    }

@@ -281,8 +279,7 @@ public class RecoverableKeyStoreManager {
        } catch (CertParsingException e) {
            Log.d(TAG, "Failed to parse the sig file: " + HexDump.toHexString(
                    recoveryServiceSigFile));
            throw new ServiceSpecificException(
                    ERROR_BAD_CERTIFICATE_FORMAT, "Failed to parse the sig file.");
            throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());
        }

        X509Certificate rootCert =
@@ -293,8 +290,7 @@ public class RecoverableKeyStoreManager {
            Log.d(TAG, "The signature over the cert file is invalid."
                    + " Cert: " + HexDump.toHexString(recoveryServiceCertFile)
                    + " Sig: " + HexDump.toHexString(recoveryServiceSigFile));
            throw new ServiceSpecificException(
                    ERROR_INVALID_CERTIFICATE, "The signature over the cert file is invalid.");
            throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage());
        }

        initRecoveryService(rootCertificateAlias, recoveryServiceCertFile);
@@ -471,8 +467,7 @@ public class RecoverableKeyStoreManager {
        try {
            publicKey = KeySyncUtils.deserializePublicKey(verifierPublicKey);
        } catch (InvalidKeySpecException e) {
            throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT,
                    "Not a valid X509 key");
            throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());
        }
        // The raw public key bytes contained in vaultParams must match the ones given in
        // verifierPublicKey; otherwise, the user secret may be decrypted by a key that is not owned
@@ -537,8 +532,7 @@ public class RecoverableKeyStoreManager {
        try {
            certPath = verifierCertPath.getCertPath();
        } catch (CertificateException e) {
            throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT,
                    "Failed decode the certificate path");
            throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());
        }

        try {
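Review bot: In the last two hunks (the `InvalidKeySpecException` and `CertificateException` catch blocks) nothing is logged before `throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());`, so with the fixed text gone the service keeps no record of the failure and the stack trace is lost, whereas the other four catch blocks do log. Adding `Log.e(TAG, "Invalid verifier public key", e);` and `Log.e(TAG, "Failed to decode the certificate path", e);` before those throws would make them consistent. Two more things to confirm: `e.getMessage()` can be null, which leaves the caller with no message at all, and the text now returned to the calling app is whatever the underlying parser or provider wrote, so it should be treated as diagnostic only and checked for detail that was previously confined to the log. The enclosing methods start and end outside the hunks.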
+5 −3
@@ -18,6 +18,8 @@ package com.android.server.locksettings.recoverablekeystore;

import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN;
import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PASSWORD;
import static android.security.keystore.recovery.RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT;
import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE;

import static com.google.common.truth.Truth.assertThat;
import static org.junit.Assert.assertArrayEquals;
@@ -386,7 +388,7 @@ public class RecoverableKeyStoreManagerTest {
                    modifiedCertXml);
            fail("should have thrown");
        } catch (ServiceSpecificException e) {
            assertThat(e.getMessage()).contains("validate cert");
            assertThat(e.errorCode).isEqualTo(ERROR_INVALID_CERTIFICATE);
        }
    }

@@ -518,7 +520,7 @@ public class RecoverableKeyStoreManagerTest {
                    getUtf8Bytes("wrong-sig-file-format"));
            fail("should have thrown");
        } catch (ServiceSpecificException e) {
            assertThat(e.getMessage()).contains("parse the sig file");
            assertThat(e.errorCode).isEqualTo(ERROR_BAD_CERTIFICATE_FORMAT);
        }
    }

@@ -530,7 +532,7 @@ public class RecoverableKeyStoreManagerTest {
                INSECURE_CERTIFICATE_ALIAS, TestData.getCertXml(), TestData.getSigXml());
            fail("should have thrown");
        } catch (ServiceSpecificException e) {
            assertThat(e.getMessage()).contains("signature over the cert file is invalid");
            assertThat(e.errorCode).isEqualTo(ERROR_INVALID_CERTIFICATE);
        }
    }