Merge changes I69689a73,Iaaef6d41,I7e3cb47a,I42307f58 into jb-mr1-dev (f60921d9) · Commits · e / os / android_frameworks_base

core/java/android/app/ActivityThread.java

+11 −0

Original line number	Diff line number	Diff line
		@@ -109,6 +109,7 @@ import java.util.Map;
		import java.util.TimeZone;
		import java.util.regex.Pattern;

		import libcore.io.EventLogger;
		import libcore.io.IoUtils;

		import dalvik.system.CloseGuard;
		@@ -4870,6 +4871,13 @@ public final class ActivityThread {
		}
		}

		private static class EventLoggingReporter implements EventLogger.Reporter {
		@Override
		public void report (int code, Object... list) {
		EventLog.writeEvent(code, list);
		}
		}

		public static void main(String[] args) {
		SamplingProfilerIntegration.start();

		@@ -4880,6 +4888,9 @@ public final class ActivityThread {

		Environment.initForCurrentUser();

		// Set the reporter for event logging in libcore
		EventLogger.setReporter(new EventLoggingReporter());

		Security.addProvider(new AndroidKeyStoreProvider());

		Process.setArgV0("<pre-initialized>");

core/res/AndroidManifest.xml

+6 −0

Original line number	Diff line number	Diff line
		@@ -2130,6 +2130,12 @@
		</intent-filter>
		</receiver>

		<receiver android:name="com.android.server.updates.CertPinInstallReceiver" >
		<intent-filter>
		<action android:name="android.intent.action.UPDATE_PINS" />
		</intent-filter>
		</receiver>

		<receiver android:name="com.android.server.MasterClearReceiver"
		android:permission="android.permission.MASTER_CLEAR"
		android:priority="100" >

services/java/com/android/server/EventLogTags.logtags

+5 −0

Original line number	Diff line number	Diff line
		@@ -156,3 +156,8 @@ option java_package com.android.server
		51200 lockdown_vpn_connecting (egress_net\|1)
		51201 lockdown_vpn_connected (egress_net\|1)
		51202 lockdown_vpn_error (egress_net\|1)

		# ---------------------------
		# ConfigUpdateInstallReceiver.java
		# ---------------------------
		51300 config_install_failed (dir\|3)

services/java/com/android/server/updatable/CertPinInstallReceiver.java

0 → 100644

+24 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright (C) 2012 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/

		package com.android.server.updates;

		public class CertPinInstallReceiver extends ConfigUpdateInstallReceiver {

		public CertPinInstallReceiver() {
		super("/data/misc/keychain/", "pins", "metadata/", "version");
		}
		}

services/java/com/android/server/updatable/ConfigUpdateInstallReceiver.java

0 → 100644

+258 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright (C) 2012 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/

		package com.android.server.updates;

		import android.content.BroadcastReceiver;
		import android.content.ContentResolver;
		import android.content.Context;
		import android.content.Intent;
		import android.provider.Settings;
		import android.os.FileUtils;
		import android.util.Base64;
		import android.util.EventLog;
		import android.util.Slog;

		import com.android.server.EventLogTags;

		import java.io.ByteArrayInputStream;
		import java.io.File;
		import java.io.FileNotFoundException;
		import java.io.FileOutputStream;
		import java.io.InputStream;
		import java.io.IOException;
		import java.security.cert.Certificate;
		import java.security.cert.CertificateException;
		import java.security.cert.CertificateFactory;
		import java.security.cert.X509Certificate;
		import java.security.MessageDigest;
		import java.security.NoSuchAlgorithmException;
		import java.security.Signature;
		import java.security.SignatureException;

		import libcore.io.IoUtils;

		public class ConfigUpdateInstallReceiver extends BroadcastReceiver {

		private static final String TAG = "ConfigUpdateInstallReceiver";

		private static final String EXTRA_CONTENT_PATH = "CONTENT_PATH";
		private static final String EXTRA_REQUIRED_HASH = "REQUIRED_HASH";
		private static final String EXTRA_SIGNATURE = "SIGNATURE";
		private static final String EXTRA_VERSION_NUMBER = "VERSION";

		private static final String UPDATE_CERTIFICATE_KEY = "config_update_certificate";

		private final File updateDir;
		private final File updateContent;
		private final File updateVersion;

		public ConfigUpdateInstallReceiver(String updateDir, String updateContentPath,
		String updateMetadataPath, String updateVersionPath) {
		this.updateDir = new File(updateDir);
		this.updateContent = new File(updateDir, updateContentPath);
		File updateMetadataDir = new File(updateDir, updateMetadataPath);
		this.updateVersion = new File(updateMetadataDir, updateVersionPath);
		}

		@Override
		public void onReceive(final Context context, final Intent intent) {
		new Thread() {
		@Override
		public void run() {
		try {
		// get the certificate from Settings.Secure
		X509Certificate cert = getCert(context.getContentResolver());
		// get the content path from the extras
		String altContent = getAltContent(intent);
		// get the version from the extras
		int altVersion = getVersionFromIntent(intent);
		// get the previous value from the extras
		String altRequiredHash = getRequiredHashFromIntent(intent);
		// get the signature from the extras
		String altSig = getSignatureFromIntent(intent);
		// get the version currently being used
		int currentVersion = getCurrentVersion();
		// get the hash of the currently used value
		String currentHash = getCurrentHash(getCurrentContent());
		if (!verifyVersion(currentVersion, altVersion)) {
		Slog.e(TAG, "New version is not greater than current version, aborting!");
		} else if (!verifyPreviousHash(currentHash, altRequiredHash)) {
		Slog.e(TAG, "Current hash did not match required value, aborting!");
		} else if (!verifySignature(altContent, altVersion, altRequiredHash, altSig,
		cert)) {
		Slog.e(TAG, "Signature did not verify, aborting!");
		} else {
		// install the new content
		Slog.i(TAG, "Found new update, installing...");
		install(altContent, altVersion);
		Slog.i(TAG, "Installation successful");
		}
		} catch (Exception e) {
		Slog.e(TAG, "Could not update content!", e);
		EventLog.writeEvent(EventLogTags.CONFIG_INSTALL_FAILED,
		updateDir.toString());
		}
		}
		}.start();
		}

		private X509Certificate getCert(ContentResolver cr) {
		// get the cert from settings
		String cert = Settings.Secure.getString(cr, UPDATE_CERTIFICATE_KEY);
		// convert it into a real certificate
		try {
		byte[] derCert = Base64.decode(cert.getBytes(), Base64.DEFAULT);
		InputStream istream = new ByteArrayInputStream(derCert);
		CertificateFactory cf = CertificateFactory.getInstance("X.509");
		return (X509Certificate) cf.generateCertificate(istream);
		} catch (CertificateException e) {
		throw new IllegalStateException("Got malformed certificate from settings, ignoring", e);
		}
		}

		private String getContentFromIntent(Intent i) {
		String extraValue = i.getStringExtra(EXTRA_CONTENT_PATH);
		if (extraValue == null) {
		throw new IllegalStateException("Missing required content path, ignoring.");
		}
		return extraValue;
		}

		private int getVersionFromIntent(Intent i) throws NumberFormatException {
		String extraValue = i.getStringExtra(EXTRA_VERSION_NUMBER);
		if (extraValue == null) {
		throw new IllegalStateException("Missing required version number, ignoring.");
		}
		return Integer.parseInt(extraValue.trim());
		}

		private String getRequiredHashFromIntent(Intent i) {
		String extraValue = i.getStringExtra(EXTRA_REQUIRED_HASH);
		if (extraValue == null) {
		throw new IllegalStateException("Missing required previous hash, ignoring.");
		}
		return extraValue.trim();
		}

		private String getSignatureFromIntent(Intent i) {
		String extraValue = i.getStringExtra(EXTRA_SIGNATURE);
		if (extraValue == null) {
		throw new IllegalStateException("Missing required signature, ignoring.");
		}
		return extraValue.trim();
		}

		private int getCurrentVersion() throws NumberFormatException {
		try {
		String strVersion = IoUtils.readFileAsString(updateVersion.getCanonicalPath()).trim();
		return Integer.parseInt(strVersion);
		} catch (IOException e) {
		Slog.i(TAG, "Couldn't find current metadata, assuming first update", e);
		return 0;
		}
		}

		private String getAltContent(Intent i) throws IOException {
		String contents = IoUtils.readFileAsString(getContentFromIntent(i));
		return contents.trim();
		}

		private String getCurrentContent() {
		try {
		return IoUtils.readFileAsString(updateContent.getCanonicalPath()).trim();
		} catch (IOException e) {
		Slog.i(TAG, "Failed to read current content, assuming first update!", e);
		return null;
		}
		}

		private static String getCurrentHash(String content) {
		if (content == null) {
		return "0";
		}
		try {
		MessageDigest dgst = MessageDigest.getInstance("SHA512");
		byte[] encoded = content.getBytes();
		byte[] fingerprint = dgst.digest(encoded);
		return IntegralToString.bytesToHexString(fingerprint, false);
		} catch (NoSuchAlgorithmException e) {
		throw new AssertionError(e);
		}
		}

		private boolean verifyVersion(int current, int alternative) {
		return (current < alternative);
		}

		private boolean verifyPreviousHash(String current, String required) {
		// this is an optional value- if the required field is NONE then we ignore it
		if (required.equals("NONE")) {
		return true;
		}
		// otherwise, verify that we match correctly
		return current.equals(required);
		}

		private boolean verifySignature(String content, int version, String requiredPrevious,
		String signature, X509Certificate cert) throws Exception {
		Signature signer = Signature.getInstance("SHA512withRSA");
		signer.initVerify(cert);
		signer.update(content.getBytes());
		signer.update(Long.toString(version).getBytes());
		signer.update(requiredPrevious.getBytes());
		return signer.verify(Base64.decode(signature.getBytes(), Base64.DEFAULT));
		}

		private void writeUpdate(File dir, File file, String content) {
		FileOutputStream out = null;
		File tmp = null;
		try {
		// create the temporary file
		tmp = File.createTempFile("journal", "", dir);
		// create the parents for the destination file
		File parent = file.getParentFile();
		parent.mkdirs();
		// check that they were created correctly
		if (!parent.exists()) {
		throw new IOException("Failed to create directory " + parent.getCanonicalPath());
		}
		// mark tmp -rw-r--r--
		tmp.setReadable(true, false);
		// write to it
		out = new FileOutputStream(tmp);
		out.write(content.getBytes());
		// sync to disk
		out.getFD().sync();
		// atomic rename
		if (!tmp.renameTo(file)) {
		throw new IOException("Failed to atomically rename " + file.getCanonicalPath());
		}
		} catch (IOException e) {
		Slog.e(TAG, "Failed to write update", e);
		} finally {
		if (tmp != null) {
		tmp.delete();
		}
		IoUtils.closeQuietly(out);
		}
		}

		private void install(String content, int version) {
		writeUpdate(updateDir, updateContent, content);
		writeUpdate(updateDir, updateVersion, Long.toString(version));
		}
		}