Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f8839eaa authored by Pavel Grafov's avatar Pavel Grafov
Browse files

NIAP: Log cert validation and key integrity failures. 

Bug: 70886042
Test: manual, connect to EAP-TLS with self-signed cert.
Test: manual, create a key and damage it in /data/misc/keystore/user_0/
Change-Id: I61a8307da72bac38993f6588e9f184b360f6bf79
parent f62b1d36

api/current.txt

+2 −0
Original line number Original line Diff line number Diff line
@@ -6740,6 +6740,7 @@ package android.app.admin { 
    field public static final int TAG_APP_PROCESS_START = 210005; // 0x33455

    field public static final int TAG_APP_PROCESS_START = 210005; // 0x33455

    field public static final int TAG_CERT_AUTHORITY_INSTALLED = 210029; // 0x3346d

    field public static final int TAG_CERT_AUTHORITY_INSTALLED = 210029; // 0x3346d

    field public static final int TAG_CERT_AUTHORITY_REMOVED = 210030; // 0x3346e

    field public static final int TAG_CERT_AUTHORITY_REMOVED = 210030; // 0x3346e

    field public static final int TAG_CERT_VALIDATION_FAILURE = 210033; // 0x33471

    field public static final int TAG_CRYPTO_SELF_TEST_COMPLETED = 210031; // 0x3346f

    field public static final int TAG_CRYPTO_SELF_TEST_COMPLETED = 210031; // 0x3346f

    field public static final int TAG_KEYGUARD_DISABLED_FEATURES_SET = 210021; // 0x33465

    field public static final int TAG_KEYGUARD_DISABLED_FEATURES_SET = 210021; // 0x33465

    field public static final int TAG_KEYGUARD_DISMISSED = 210006; // 0x33456

    field public static final int TAG_KEYGUARD_DISMISSED = 210006; // 0x33456
@@ -6748,6 +6749,7 @@ package android.app.admin { 
    field public static final int TAG_KEY_DESTRUCTION = 210026; // 0x3346a

    field public static final int TAG_KEY_DESTRUCTION = 210026; // 0x3346a

    field public static final int TAG_KEY_GENERATED = 210024; // 0x33468

    field public static final int TAG_KEY_GENERATED = 210024; // 0x33468

    field public static final int TAG_KEY_IMPORT = 210025; // 0x33469

    field public static final int TAG_KEY_IMPORT = 210025; // 0x33469

    field public static final int TAG_KEY_INTEGRITY_VIOLATION = 210032; // 0x33470

    field public static final int TAG_LOGGING_STARTED = 210011; // 0x3345b

    field public static final int TAG_LOGGING_STARTED = 210011; // 0x3345b

    field public static final int TAG_LOGGING_STOPPED = 210012; // 0x3345c

    field public static final int TAG_LOGGING_STOPPED = 210012; // 0x3345c

    field public static final int TAG_LOG_BUFFER_SIZE_CRITICAL = 210015; // 0x3345f

    field public static final int TAG_LOG_BUFFER_SIZE_CRITICAL = 210015; // 0x3345f

core/java/android/app/admin/SecurityLog.java

+22 −0
Original line number Original line Diff line number Diff line
@@ -78,6 +78,8 @@ public class SecurityLog { 
            TAG_CERT_AUTHORITY_INSTALLED,

            TAG_CERT_AUTHORITY_INSTALLED,

            TAG_CERT_AUTHORITY_REMOVED,

            TAG_CERT_AUTHORITY_REMOVED,

            TAG_CRYPTO_SELF_TEST_COMPLETED,

            TAG_CRYPTO_SELF_TEST_COMPLETED,

            TAG_KEY_INTEGRITY_VIOLATION,

            TAG_CERT_VALIDATION_FAILURE,

    })

    })

    public @interface SecurityLogTag {}

    public @interface SecurityLogTag {}
@@ -408,6 +410,23 @@ public class SecurityLog { 
    public static final int TAG_CRYPTO_SELF_TEST_COMPLETED =

    public static final int TAG_CRYPTO_SELF_TEST_COMPLETED =

            SecurityLogTags.SECURITY_CRYPTO_SELF_TEST_COMPLETED;

            SecurityLogTags.SECURITY_CRYPTO_SELF_TEST_COMPLETED;





    /**

     * Indicates a failed cryptographic key integrity check. The log entry contains the following

     * information about the event, encapsulated in an {@link Object} array and accessible via

     * {@link SecurityEvent#getData()}:

     * <li> [0] alias of the key ({@code String})

     * <li> [1] owner application uid ({@code Integer}).

     */

    public static final int TAG_KEY_INTEGRITY_VIOLATION =

            SecurityLogTags.SECURITY_KEY_INTEGRITY_VIOLATION;



    /**

     * Indicates a failure to validate X.509v3 certificate. The log entry contains a {@code String}

     * payload indicating the failure reason, accessible via {@link SecurityEvent#getData()}.

     */

    public static final int TAG_CERT_VALIDATION_FAILURE =

            SecurityLogTags.SECURITY_CERT_VALIDATION_FAILURE;



    /**

    /**

     * Event severity level indicating that the event corresponds to normal workflow.

     * Event severity level indicating that the event corresponds to normal workflow.

     */

     */
@@ -548,7 +567,10 @@ public class SecurityLog { 
                    return getSuccess() ? LEVEL_INFO : LEVEL_WARNING;

                    return getSuccess() ? LEVEL_INFO : LEVEL_WARNING;

                case TAG_LOG_BUFFER_SIZE_CRITICAL:

                case TAG_LOG_BUFFER_SIZE_CRITICAL:

                case TAG_WIPE_FAILURE:

                case TAG_WIPE_FAILURE:

                case TAG_KEY_INTEGRITY_VIOLATION:

                    return LEVEL_ERROR;

                    return LEVEL_ERROR;

                case TAG_CERT_VALIDATION_FAILURE:

                    return LEVEL_WARNING;

                default:

                default:

                    return LEVEL_INFO;

                    return LEVEL_INFO;

            }

            }

core/java/android/app/admin/SecurityLogTags.logtags

+3 −1
Original line number Original line Diff line number Diff line
@@ -36,3 +36,5 @@ option java_package android.app.admin 
210029 security_cert_authority_installed        (success|1),(subject|3)

210029 security_cert_authority_installed        (success|1),(subject|3)

210030 security_cert_authority_removed          (success|1),(subject|3)

210030 security_cert_authority_removed          (success|1),(subject|3)

210031 security_crypto_self_test_completed      (success|1)

210031 security_crypto_self_test_completed      (success|1)

210032 security_key_integrity_violation         (key_id|3),(uid|1)

210033 security_cert_validation_failure         (reason|3)