
Commit beae8c67 authored by Max Bires

Fixing engineGetCertificateChain exception

If a certificate is self-signed, then currently KeyStore will still
attempt to find the CA certificate. When it obviously fails to find it,
a key not found exception is propagated up and thrown. This CL
suppresses that exception, as it seems to exclusively be thrown in this
condition, which is WAI. Having the stack trace show up can be very
misleading to developers.

Test: atest cts/tests/tests/keystore/src/android/keystore/cts
Change-Id: I192f54d3d8355c183e830ab09314932e8800f7ed
parent 18cccec6
+10 −2
@@ -16,7 +16,6 @@

package android.security.keystore;

import libcore.util.EmptyArray;
import android.security.Credentials;
import android.security.GateKeeper;
import android.security.KeyStore;
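Review bot: the removal of `import libcore.util.EmptyArray;` from the android.* import block is a pure reorder (the same import is re-added in its own group in the next hunk), unrelated to the fix the commit message describes. Placing libcore between the android.* and java.* groups matches the file's grouping, so the result is fine, but an unrelated import move in a behavior-changing CL should either be split out or at least mentioned in the commit message so reviewers do not hunt for a missing usage.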
@@ -30,6 +29,8 @@ import android.security.keystore.SecureKeyImportUnavailableException;
import android.security.keystore.WrappedKeyEntry;
import android.util.Log;

import libcore.util.EmptyArray;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
@@ -115,7 +116,14 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {

        final Certificate[] caList;

        final byte[] caBytes = mKeyStore.get(Credentials.CA_CERTIFICATE + alias, mUid);
        // Suppress the key not found warning for this call. It seems that this error is exclusively
        // being thrown when there is a self signed certificate chain, so when the keystore service
        // attempts to query for the CA details, it obviously fails to find them and returns a
        // key not found exception. This is WAI, and throwing a stack trace here can be very
        // misleading since the trace is not clear.
        final byte[] caBytes = mKeyStore.get(Credentials.CA_CERTIFICATE + alias,
                                             mUid,
                                             true /* suppressKeyNotFoundWarning */);
        if (caBytes != null) {
            final Collection<X509Certificate> caChain = toCertificates(caBytes);
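Review bot: the three-argument `mKeyStore.get(key, uid, suppressKeyNotFoundWarning)` overload used in the replacement call is not part of this diff (only AndroidKeyStoreSpi is touched), so confirm the KeyStore-side overload and its plumbing to the keystore service landed in a prerequisite change, otherwise this will not build. The new comment is also inconsistent with the parameter name: it says the service "returns a key not found exception" and that "throwing a stack trace here" is misleading, while `suppressKeyNotFoundWarning` implies what is suppressed is a logged warning, and the unchanged `if (caBytes != null)` check below shows the call still returns null for a missing CA entry. Reword the comment to say that only the log noise is suppressed and the null return is unchanged. Finally, the suppression is unconditional and the comment itself hedges with "It seems": the warning is now also hidden when a CA certificate is missing for a reason other than a self-signed chain, so either narrow the case or note in the comment that a genuinely missing CA entry will no longer be visible in the log.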