Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b10ba442 authored by Bo Zhu's avatar Bo Zhu
Browse files

Skip the cert xml serial number check if the test root cert is in use 

Bug: 77165400
Test: runtest frameworks-services -p
com.android.server.locksettings.recoverablekeystore

Change-Id: I2242b4a97b9efa60a5a5ad7ab79e786951580299
parent 21306849

services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java

+2 −1
Original line number Diff line number Diff line
@@ -206,7 +206,8 @@ public class RecoverableKeyStoreManager { 
        // Check serial number

        long newSerial = certXml.getSerial();

        Long oldSerial = mDatabase.getRecoveryServiceCertSerial(userId, uid, rootCertificateAlias);

        if (oldSerial != null && oldSerial >= newSerial) {

        if (oldSerial != null && oldSerial >= newSerial

                && !mTestCertHelper.isTestOnlyCertificateAlias(rootCertificateAlias)) {

            if (oldSerial == newSerial) {

                Log.i(TAG, "The cert file serial number is the same, so skip updating.");

            } else {

services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java

+8 −0
Original line number Diff line number Diff line
@@ -26,6 +26,7 @@ import android.security.keystore.recovery.RecoveryController; 
import android.text.TextUtils;

import android.util.Log;



import com.android.server.locksettings.recoverablekeystore.TestOnlyInsecureCertificateHelper;

import com.android.server.locksettings.recoverablekeystore.WrappedKey;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDbContract.KeysEntry;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDbContract.RecoveryServiceMetadataEntry;
@@ -62,6 +63,7 @@ public class RecoverableKeyStoreDb { 
    private static final String CERT_PATH_ENCODING = "PkiPath";



    private final RecoverableKeyStoreDbHelper mKeyStoreDbHelper;

    private final TestOnlyInsecureCertificateHelper mTestOnlyInsecureCertificateHelper;



    /**

     * A new instance, storing the database in the user directory of {@code context}.
@@ -77,6 +79,7 @@ public class RecoverableKeyStoreDb { 


    private RecoverableKeyStoreDb(RecoverableKeyStoreDbHelper keyStoreDbHelper) {

        this.mKeyStoreDbHelper = keyStoreDbHelper;

        this.mTestOnlyInsecureCertificateHelper = new TestOnlyInsecureCertificateHelper();

    }



    /**
@@ -627,6 +630,7 @@ public class RecoverableKeyStoreDb { 
     * @hide

     */

    public long setActiveRootOfTrust(int userId, int uid, @Nullable String rootAlias) {

        // TODO: Call getDefaultCertificateAliasIfEmpty() here too?

        SQLiteDatabase db = mKeyStoreDbHelper.getWritableDatabase();

        ContentValues values = new ContentValues();

        values.put(RecoveryServiceMetadataEntry.COLUMN_NAME_ACTIVE_ROOT_OF_TRUST, rootAlias);
@@ -988,6 +992,7 @@ public class RecoverableKeyStoreDb { 
     * @hide

     */

    private byte[] getBytes(int userId, int uid, String rootAlias, String key) {

        rootAlias = mTestOnlyInsecureCertificateHelper.getDefaultCertificateAliasIfEmpty(rootAlias);

        SQLiteDatabase db = mKeyStoreDbHelper.getReadableDatabase();



        String[] projection = {
@@ -1046,6 +1051,7 @@ public class RecoverableKeyStoreDb { 
     * @hide

     */

    private long setBytes(int userId, int uid, String rootAlias, String key, byte[] value) {

        rootAlias = mTestOnlyInsecureCertificateHelper.getDefaultCertificateAliasIfEmpty(rootAlias);

        SQLiteDatabase db = mKeyStoreDbHelper.getWritableDatabase();

        ContentValues values = new ContentValues();

        values.put(key, value);
@@ -1072,6 +1078,7 @@ public class RecoverableKeyStoreDb { 
     * @hide

     */

    private Long getLong(int userId, int uid, String rootAlias, String key) {

        rootAlias = mTestOnlyInsecureCertificateHelper.getDefaultCertificateAliasIfEmpty(rootAlias);

        SQLiteDatabase db = mKeyStoreDbHelper.getReadableDatabase();



        String[] projection = {
@@ -1131,6 +1138,7 @@ public class RecoverableKeyStoreDb { 
     */



    private long setLong(int userId, int uid, String rootAlias, String key, long value) {

        rootAlias = mTestOnlyInsecureCertificateHelper.getDefaultCertificateAliasIfEmpty(rootAlias);

        SQLiteDatabase db = mKeyStoreDbHelper.getWritableDatabase();

        ContentValues values = new ContentValues();

        values.put(key, value);

services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java

+46 −0
Original line number Diff line number Diff line
@@ -424,6 +424,52 @@ public class RecoverableKeyStoreManagerTest { 
        assertThat(mRecoverableKeyStoreDb.getShouldCreateSnapshot(userId, uid)).isFalse();

    }



    @Test

    public void initRecoveryService_alwaysUpdatesCertsWhenTestRootCertIsUsed() throws Exception {

        int uid = Binder.getCallingUid();

        int userId = UserHandle.getCallingUserId();

        int certSerial = 3333;



        String testRootCertAlias = TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS;



        mRecoverableKeyStoreManager.initRecoveryService(testRootCertAlias,

                TestData.getInsecureCertXmlBytesWithEndpoint1(certSerial));

        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertSerial(userId, uid,

                testRootCertAlias)).isEqualTo(certSerial);

        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertPath(userId, uid,

                testRootCertAlias)).isEqualTo(TestData.getInsecureCertPathForEndpoint1());



        mRecoverableKeyStoreManager.initRecoveryService(testRootCertAlias,

                TestData.getInsecureCertXmlBytesWithEndpoint2(certSerial - 1));

        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertSerial(userId, uid,

                testRootCertAlias)).isEqualTo(certSerial - 1);

        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertPath(userId, uid,

                testRootCertAlias)).isEqualTo(TestData.getInsecureCertPathForEndpoint2());

    }



    @Test

    public void initRecoveryService_updatesCertsIndependentlyForDifferentRoots() throws Exception {

        int uid = Binder.getCallingUid();

        int userId = UserHandle.getCallingUserId();



        mRecoverableKeyStoreManager.initRecoveryService(ROOT_CERTIFICATE_ALIAS,

                TestData.getCertXmlWithSerial(1111L));

        mRecoverableKeyStoreManager.initRecoveryService(

                TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS,

                TestData.getInsecureCertXmlBytesWithEndpoint1(2222));



        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertSerial(userId, uid,

                ROOT_CERTIFICATE_ALIAS)).isEqualTo(1111L);

        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertSerial(userId, uid,

                TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS)).isEqualTo(2222L);



        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertPath(userId, uid,

                ROOT_CERTIFICATE_ALIAS)).isEqualTo(TestData.CERT_PATH_1);

        assertThat(mRecoverableKeyStoreDb.getRecoveryServiceCertPath(userId, uid,

                TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS)).isEqualTo(

                        TestData.getInsecureCertPathForEndpoint1());

    }



    @Test

    public void initRecoveryService_ignoresTheSameSerial() throws Exception {

        int uid = Binder.getCallingUid();

services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/TestData.java

+290 −0

File changed.

Preview size limit exceeded, changes collapsed.