Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 98bb355a authored by Alex Johnston's avatar Alex Johnston
Browse files

hasKeyPair callable by the cred mng app 

The credential management app can call
hasKeyPair. The provided alias must be
found in the credential management
app's authentication policy.

Bug: 177979648
Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest
      atest android.devicepolicy.cts.CredentialManagementAppTest
Change-Id: Ib28549fb4e2848ba012df2d154d28f2002ec6e59
parent 3203531c

core/java/android/app/admin/DevicePolicyManager.java

+13 −4
Original line number Original line Diff line number Diff line
@@ -6159,13 +6159,22 @@ public class DevicePolicyManager { 
















    // STOPSHIP(b/174298501): clarify the expected return value following generateKeyPair call.







    // STOPSHIP(b/174298501): clarify the expected return value following generateKeyPair call.











    /**







    /**











     * Called by a device or profile owner, or delegated certificate installer, to query whether a







     * This API can be called by the following to query whether a certificate and private key are











     * certificate and private key are installed under a given alias.







     * installed under a given alias:














     * <ul>














     *    <li>Device owner</li>














     *    <li>Profile owner</li>














     *    <li>Delegated certificate installer</li>














     *    <li>Credential management app</li>














     * </ul>














     *














     * If called by the credential management app, the alias must exist in the credential














     * management app's {@link android.security.AppUriAuthenticationPolicy}.











     *







     *











     * @param alias The alias under which the key pair is installed.







     * @param alias The alias under which the key pair is installed.











     * @return {@code true} if a key pair with this alias exists, {@code false} otherwise.







     * @return {@code true} if a key pair with this alias exists, {@code false} otherwise.











     * @throws SecurityException if the caller is not a device or profile owner or a delegated







     * @throws SecurityException if the caller is not a device or profile owner, a delegated











     *         certificate installer.







     *         certificate installer or the credential management app.











     * @see #setDelegatedScopes







     * @see #setDelegatedScopes











     * @see #DELEGATION_CERT_INSTALL







     * @see #DELEGATION_CERT_INSTALL











     */







     */

































services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java



+2
−1




























Original line number
Original line
Diff line number
Diff line








@@ -5488,7 +5488,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {









    @Override







    @Override











    public boolean hasKeyPair(String callerPackage, String alias) {







    public boolean hasKeyPair(String callerPackage, String alias) {











        final CallerIdentity caller = getCallerIdentity(callerPackage);







        final CallerIdentity caller = getCallerIdentity(callerPackage);











        Preconditions.checkCallAuthorization(canManageCertificates(caller));







        Preconditions.checkCallAuthorization(canManageCertificates(caller)














                || isCredentialManagementApp(caller, alias));



























        return mInjector.binderWithCleanCallingIdentity(() -> {







        return mInjector.binderWithCleanCallingIdentity(() -> {











            try (KeyChainConnection keyChainConnection =







            try (KeyChainConnection keyChainConnection =