Loading services/java/com/android/server/CertBlacklister.java 0 → 100644 +142 −0 Original line number Diff line number Diff line /* * Copyright (C) 2012 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.server; import android.content.Context; import android.content.ContentResolver; import android.database.ContentObserver; import android.os.Binder; import android.os.FileUtils; import android.provider.Settings; import android.util.Slog; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; import libcore.io.IoUtils; /** * <p>CertBlacklister provides a simple mechanism for updating the platform blacklists for SSL * certificate public keys and serial numbers. */ public class CertBlacklister extends Binder { private static final String TAG = "CertBlacklister"; private static final String BLACKLIST_ROOT = System.getenv("ANDROID_DATA") + "/misc/keychain/"; public static final String PUBKEY_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt"; public static final String SERIAL_PATH = BLACKLIST_ROOT + "serial_blacklist.txt"; public static final String PUBKEY_BLACKLIST_KEY = "pubkey_blacklist"; public static final String SERIAL_BLACKLIST_KEY = "serial_blacklist"; private static class BlacklistObserver extends ContentObserver { private final String mKey; private final String mName; private final String mPath; private final File mTmpDir; private final ContentResolver mContentResolver; public BlacklistObserver(String key, String name, String path, ContentResolver cr) { super(null); mKey = key; mName = name; mPath = path; mTmpDir = new File(mPath).getParentFile(); mContentResolver = cr; } @Override public void onChange(boolean selfChange) { super.onChange(selfChange); writeBlacklist(); } public String getValue() { return Settings.Secure.getString(mContentResolver, mKey); } private void writeBlacklist() { new Thread("BlacklistUpdater") { public void run() { synchronized(mTmpDir) { String blacklist = getValue(); if (blacklist != null) { Slog.i(TAG, "Certificate blacklist changed, updating..."); FileOutputStream out = null; try { // create a temporary file File tmp = File.createTempFile("journal", "", mTmpDir); // mark it -rw-r--r-- tmp.setReadable(true, false); // write to it out = new FileOutputStream(tmp); out.write(blacklist.getBytes()); // sync to disk FileUtils.sync(out); // atomic rename tmp.renameTo(new File(mPath)); Slog.i(TAG, "Certificate blacklist updated"); } catch (IOException e) { Slog.e(TAG, "Failed to write blacklist", e); } finally { IoUtils.closeQuietly(out); } } } } }.start(); } } public CertBlacklister(Context context) { registerObservers(context.getContentResolver()); } private BlacklistObserver buildPubkeyObserver(ContentResolver cr) { return new BlacklistObserver(PUBKEY_BLACKLIST_KEY, "pubkey", PUBKEY_PATH, cr); } private BlacklistObserver buildSerialObserver(ContentResolver cr) { return new BlacklistObserver(SERIAL_BLACKLIST_KEY, "serial", SERIAL_PATH, cr); } private void registerObservers(ContentResolver cr) { // set up the public key blacklist observer cr.registerContentObserver( Settings.Secure.getUriFor(PUBKEY_BLACKLIST_KEY), true, buildPubkeyObserver(cr) ); // set up the serial number blacklist observer cr.registerContentObserver( Settings.Secure.getUriFor(SERIAL_BLACKLIST_KEY), true, buildSerialObserver(cr) ); } } services/java/com/android/server/SystemServer.java +7 −0 Original line number Diff line number Diff line Loading @@ -624,6 +624,13 @@ class ServerThread extends Thread { reportWtf("starting CommonTimeManagementService service", e); } try { Slog.i(TAG, "CertBlacklister"); CertBlacklister blacklister = new CertBlacklister(context); } catch (Throwable e) { reportWtf("starting CertBlacklister", e); } if (context.getResources().getBoolean( com.android.internal.R.bool.config_enableDreams)) { try { Loading services/tests/servicestests/src/com/android/server/CertBlacklisterTest.java 0 → 100644 +169 −0 Original line number Diff line number Diff line /* * Copyright (C) 2012 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.server; import android.content.Context; import android.content.Intent; import android.test.AndroidTestCase; import android.provider.Settings; import android.util.Log; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.util.HashSet; import libcore.io.IoUtils; /** * Tests for {@link com.android.server.CertBlacklister} */ public class CertBlacklisterTest extends AndroidTestCase { private static final String BLACKLIST_ROOT = System.getenv("ANDROID_DATA") + "/misc/keychain/"; public static final String PUBKEY_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt"; public static final String SERIAL_PATH = BLACKLIST_ROOT + "serial_blacklist.txt"; public static final String PUBKEY_KEY = "pubkey_blacklist"; public static final String SERIAL_KEY = "serial_blacklist"; private void overrideSettings(String key, String value) throws Exception { Settings.Secure.putString(mContext.getContentResolver(), key, value); Thread.sleep(1000); } public void testClearBlacklistPubkey() throws Exception { // clear the gservices setting for a clean slate overrideSettings(PUBKEY_KEY, ""); // read the contents of the pubkey blacklist String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); // Verify that it's empty assertEquals("", blacklist); } public void testSetBlacklistPubkey() throws Exception { // build a new thing to blacklist String badPubkey = "7ccabd7db47e94a5759901b6a7dfd45d1c091ccc"; // add the gservices override overrideSettings(PUBKEY_KEY, badPubkey); // check the contents again String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); // make sure that we're equal to the string we sent out assertEquals(badPubkey, blacklist); } public void testChangeBlacklistPubkey() throws Exception { String badPubkey = "6ccabd7db47e94a5759901b6a7dfd45d1c091ccc"; overrideSettings(PUBKEY_KEY, badPubkey); badPubkey = "6ccabd7db47e94a5759901b6a7dfd45d1c091cce"; overrideSettings(PUBKEY_KEY, badPubkey); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(badPubkey, blacklist); } public void testMultiBlacklistPubkey() throws Exception { String badPubkey = "6ccabd7db47e94a5759901b6a7dfd45d1c091ccc,6ccabd7db47e94a5759901b6a7dfd45d1c091ccd"; overrideSettings(PUBKEY_KEY, badPubkey); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(badPubkey, blacklist); } public void testInvalidMultiBlacklistPubkey() throws Exception { String badPubkey = "6ccabd7db47e94a5759901b6a7dfd45d1c091ccc,ZZZZZ,6ccabd7db47e94a5759901b6a7dfd45d1c091ccd"; overrideSettings(PUBKEY_KEY, badPubkey); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(badPubkey, blacklist); } public void testInvalidCharsBlacklistPubkey() throws Exception { String badPubkey = "\n6ccabd7db47e94a5759901b6a7dfd45d1c091ccc,-ZZZZZ,+6ccabd7db47e94a5759901b6a7dfd45d1c091ccd"; overrideSettings(PUBKEY_KEY, badPubkey); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(badPubkey, blacklist); } public void testLotsOfBlacklistedPubkeys() throws Exception { StringBuilder bl = new StringBuilder(); for (int i=0; i < 1000; i++) { bl.append("6ccabd7db47e94a5759901b6a7dfd45d1c091ccc,"); } overrideSettings(PUBKEY_KEY, bl.toString()); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(bl.toString(), blacklist); } public void testClearBlacklistSerial() throws Exception { // clear the gservices setting for a clean slate overrideSettings(SERIAL_KEY, ""); // read the contents of the pubkey blacklist String blacklist = IoUtils.readFileAsString(SERIAL_PATH); // Verify that it's empty assertEquals("", blacklist); } public void testSetBlacklistSerial() throws Exception { // build a new thing to blacklist String badSerial = "22e514121e61c643b1e9b06bd4b9f7d0"; // add the gservices override overrideSettings(SERIAL_KEY, badSerial); // check the contents again String blacklist = IoUtils.readFileAsString(SERIAL_PATH); // make sure that we're equal to the string we sent out assertEquals(badSerial, blacklist); } public void testChangeBlacklistSerial() throws Exception { String badSerial = "22e514121e61c643b1e9b06bd4b9f7d0"; overrideSettings(SERIAL_KEY, badSerial); badSerial = "22e514121e61c643b1e9b06bd4b9f7d1"; overrideSettings(SERIAL_KEY, badSerial); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(badSerial, blacklist); } public void testMultiBlacklistSerial() throws Exception { String badSerial = "22e514121e61c643b1e9b06bd4b9f7d0,22e514121e61c643b1e9b06bd4b9f7d1"; overrideSettings(SERIAL_KEY, badSerial); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(badSerial, blacklist); } public void testInvalidMultiBlacklistSerial() throws Exception { String badSerial = "22e514121e61c643b1e9b06bd4b9f7d0,ZZZZ,22e514121e61c643b1e9b06bd4b9f7d1"; overrideSettings(SERIAL_KEY, badSerial); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(badSerial, blacklist); } public void testInvalidCharsBlacklistSerial() throws Exception { String badSerial = "\n22e514121e61c643b1e9b06bd4b9f7d0,-ZZZZ,+22e514121e61c643b1e9b06bd4b9f7d1"; overrideSettings(SERIAL_KEY, badSerial); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(badSerial, blacklist); } public void testLotsOfBlacklistedSerials() throws Exception { StringBuilder bl = new StringBuilder(); for (int i=0; i < 1000; i++) { bl.append("22e514121e61c643b1e9b06bd4b9f7d0,"); } overrideSettings(SERIAL_KEY, bl.toString()); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(bl.toString(), blacklist); } } Loading
services/java/com/android/server/CertBlacklister.java 0 → 100644 +142 −0 Original line number Diff line number Diff line /* * Copyright (C) 2012 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.server; import android.content.Context; import android.content.ContentResolver; import android.database.ContentObserver; import android.os.Binder; import android.os.FileUtils; import android.provider.Settings; import android.util.Slog; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; import libcore.io.IoUtils; /** * <p>CertBlacklister provides a simple mechanism for updating the platform blacklists for SSL * certificate public keys and serial numbers. */ public class CertBlacklister extends Binder { private static final String TAG = "CertBlacklister"; private static final String BLACKLIST_ROOT = System.getenv("ANDROID_DATA") + "/misc/keychain/"; public static final String PUBKEY_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt"; public static final String SERIAL_PATH = BLACKLIST_ROOT + "serial_blacklist.txt"; public static final String PUBKEY_BLACKLIST_KEY = "pubkey_blacklist"; public static final String SERIAL_BLACKLIST_KEY = "serial_blacklist"; private static class BlacklistObserver extends ContentObserver { private final String mKey; private final String mName; private final String mPath; private final File mTmpDir; private final ContentResolver mContentResolver; public BlacklistObserver(String key, String name, String path, ContentResolver cr) { super(null); mKey = key; mName = name; mPath = path; mTmpDir = new File(mPath).getParentFile(); mContentResolver = cr; } @Override public void onChange(boolean selfChange) { super.onChange(selfChange); writeBlacklist(); } public String getValue() { return Settings.Secure.getString(mContentResolver, mKey); } private void writeBlacklist() { new Thread("BlacklistUpdater") { public void run() { synchronized(mTmpDir) { String blacklist = getValue(); if (blacklist != null) { Slog.i(TAG, "Certificate blacklist changed, updating..."); FileOutputStream out = null; try { // create a temporary file File tmp = File.createTempFile("journal", "", mTmpDir); // mark it -rw-r--r-- tmp.setReadable(true, false); // write to it out = new FileOutputStream(tmp); out.write(blacklist.getBytes()); // sync to disk FileUtils.sync(out); // atomic rename tmp.renameTo(new File(mPath)); Slog.i(TAG, "Certificate blacklist updated"); } catch (IOException e) { Slog.e(TAG, "Failed to write blacklist", e); } finally { IoUtils.closeQuietly(out); } } } } }.start(); } } public CertBlacklister(Context context) { registerObservers(context.getContentResolver()); } private BlacklistObserver buildPubkeyObserver(ContentResolver cr) { return new BlacklistObserver(PUBKEY_BLACKLIST_KEY, "pubkey", PUBKEY_PATH, cr); } private BlacklistObserver buildSerialObserver(ContentResolver cr) { return new BlacklistObserver(SERIAL_BLACKLIST_KEY, "serial", SERIAL_PATH, cr); } private void registerObservers(ContentResolver cr) { // set up the public key blacklist observer cr.registerContentObserver( Settings.Secure.getUriFor(PUBKEY_BLACKLIST_KEY), true, buildPubkeyObserver(cr) ); // set up the serial number blacklist observer cr.registerContentObserver( Settings.Secure.getUriFor(SERIAL_BLACKLIST_KEY), true, buildSerialObserver(cr) ); } }
services/java/com/android/server/SystemServer.java +7 −0 Original line number Diff line number Diff line Loading @@ -624,6 +624,13 @@ class ServerThread extends Thread { reportWtf("starting CommonTimeManagementService service", e); } try { Slog.i(TAG, "CertBlacklister"); CertBlacklister blacklister = new CertBlacklister(context); } catch (Throwable e) { reportWtf("starting CertBlacklister", e); } if (context.getResources().getBoolean( com.android.internal.R.bool.config_enableDreams)) { try { Loading
services/tests/servicestests/src/com/android/server/CertBlacklisterTest.java 0 → 100644 +169 −0 Original line number Diff line number Diff line /* * Copyright (C) 2012 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.server; import android.content.Context; import android.content.Intent; import android.test.AndroidTestCase; import android.provider.Settings; import android.util.Log; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.util.HashSet; import libcore.io.IoUtils; /** * Tests for {@link com.android.server.CertBlacklister} */ public class CertBlacklisterTest extends AndroidTestCase { private static final String BLACKLIST_ROOT = System.getenv("ANDROID_DATA") + "/misc/keychain/"; public static final String PUBKEY_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt"; public static final String SERIAL_PATH = BLACKLIST_ROOT + "serial_blacklist.txt"; public static final String PUBKEY_KEY = "pubkey_blacklist"; public static final String SERIAL_KEY = "serial_blacklist"; private void overrideSettings(String key, String value) throws Exception { Settings.Secure.putString(mContext.getContentResolver(), key, value); Thread.sleep(1000); } public void testClearBlacklistPubkey() throws Exception { // clear the gservices setting for a clean slate overrideSettings(PUBKEY_KEY, ""); // read the contents of the pubkey blacklist String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); // Verify that it's empty assertEquals("", blacklist); } public void testSetBlacklistPubkey() throws Exception { // build a new thing to blacklist String badPubkey = "7ccabd7db47e94a5759901b6a7dfd45d1c091ccc"; // add the gservices override overrideSettings(PUBKEY_KEY, badPubkey); // check the contents again String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); // make sure that we're equal to the string we sent out assertEquals(badPubkey, blacklist); } public void testChangeBlacklistPubkey() throws Exception { String badPubkey = "6ccabd7db47e94a5759901b6a7dfd45d1c091ccc"; overrideSettings(PUBKEY_KEY, badPubkey); badPubkey = "6ccabd7db47e94a5759901b6a7dfd45d1c091cce"; overrideSettings(PUBKEY_KEY, badPubkey); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(badPubkey, blacklist); } public void testMultiBlacklistPubkey() throws Exception { String badPubkey = "6ccabd7db47e94a5759901b6a7dfd45d1c091ccc,6ccabd7db47e94a5759901b6a7dfd45d1c091ccd"; overrideSettings(PUBKEY_KEY, badPubkey); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(badPubkey, blacklist); } public void testInvalidMultiBlacklistPubkey() throws Exception { String badPubkey = "6ccabd7db47e94a5759901b6a7dfd45d1c091ccc,ZZZZZ,6ccabd7db47e94a5759901b6a7dfd45d1c091ccd"; overrideSettings(PUBKEY_KEY, badPubkey); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(badPubkey, blacklist); } public void testInvalidCharsBlacklistPubkey() throws Exception { String badPubkey = "\n6ccabd7db47e94a5759901b6a7dfd45d1c091ccc,-ZZZZZ,+6ccabd7db47e94a5759901b6a7dfd45d1c091ccd"; overrideSettings(PUBKEY_KEY, badPubkey); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(badPubkey, blacklist); } public void testLotsOfBlacklistedPubkeys() throws Exception { StringBuilder bl = new StringBuilder(); for (int i=0; i < 1000; i++) { bl.append("6ccabd7db47e94a5759901b6a7dfd45d1c091ccc,"); } overrideSettings(PUBKEY_KEY, bl.toString()); String blacklist = IoUtils.readFileAsString(PUBKEY_PATH); assertEquals(bl.toString(), blacklist); } public void testClearBlacklistSerial() throws Exception { // clear the gservices setting for a clean slate overrideSettings(SERIAL_KEY, ""); // read the contents of the pubkey blacklist String blacklist = IoUtils.readFileAsString(SERIAL_PATH); // Verify that it's empty assertEquals("", blacklist); } public void testSetBlacklistSerial() throws Exception { // build a new thing to blacklist String badSerial = "22e514121e61c643b1e9b06bd4b9f7d0"; // add the gservices override overrideSettings(SERIAL_KEY, badSerial); // check the contents again String blacklist = IoUtils.readFileAsString(SERIAL_PATH); // make sure that we're equal to the string we sent out assertEquals(badSerial, blacklist); } public void testChangeBlacklistSerial() throws Exception { String badSerial = "22e514121e61c643b1e9b06bd4b9f7d0"; overrideSettings(SERIAL_KEY, badSerial); badSerial = "22e514121e61c643b1e9b06bd4b9f7d1"; overrideSettings(SERIAL_KEY, badSerial); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(badSerial, blacklist); } public void testMultiBlacklistSerial() throws Exception { String badSerial = "22e514121e61c643b1e9b06bd4b9f7d0,22e514121e61c643b1e9b06bd4b9f7d1"; overrideSettings(SERIAL_KEY, badSerial); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(badSerial, blacklist); } public void testInvalidMultiBlacklistSerial() throws Exception { String badSerial = "22e514121e61c643b1e9b06bd4b9f7d0,ZZZZ,22e514121e61c643b1e9b06bd4b9f7d1"; overrideSettings(SERIAL_KEY, badSerial); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(badSerial, blacklist); } public void testInvalidCharsBlacklistSerial() throws Exception { String badSerial = "\n22e514121e61c643b1e9b06bd4b9f7d0,-ZZZZ,+22e514121e61c643b1e9b06bd4b9f7d1"; overrideSettings(SERIAL_KEY, badSerial); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(badSerial, blacklist); } public void testLotsOfBlacklistedSerials() throws Exception { StringBuilder bl = new StringBuilder(); for (int i=0; i < 1000; i++) { bl.append("22e514121e61c643b1e9b06bd4b9f7d0,"); } overrideSettings(SERIAL_KEY, bl.toString()); String blacklist = IoUtils.readFileAsString(SERIAL_PATH); assertEquals(bl.toString(), blacklist); } }
