Install CA certificates into KeyStore
When the user installs a CA certificate (via Settings), store that
certificate into the system KeyStore.
This is necessary for it to be available as a VPN trust anchor.
Note that this is a temporary fix and long-term the user should install
VPN trust anchor separately of CA certificates. Particularly in the
context of VPN, it's undesirable for the VPN provider's endpoint
authentication certificate to also be a root CA on the device, as all
traffic goes through the VPN.
Test: Manual, installed CA certificate via cert installer and ensured it's available in VPN settings.
Bug: 163413737
Change-Id: Ib6a308177b7ce6c55fb45af9809e0efc5c48a079
(cherry picked from commit a21a521ae9c1fbd099f0fd84df8776a0c1c020f8)
(cherry picked from commit 6d6ea3f68307b3bf41bf22bfcbc0f1290a56c14b)
diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java
index 68a7cfa..6c03fa1 100644
--- a/src/com/android/keychain/KeyChainService.java
+++ b/src/com/android/keychain/KeyChainService.java
@@ -357,39 +357,51 @@
@Override public String installCaCertificate(byte[] caCertificate) {
checkCertInstallerOrSystemCaller();
final String alias;
- String subjectForAudit = null;
+ String subject = null;
+ final boolean isSecurityLoggingEnabled = mInjector.isSecurityLoggingEnabled();
try {
final X509Certificate cert = parseCertificate(caCertificate);
- final boolean isSecurityLoggingEnabled = mInjector.isSecurityLoggingEnabled();
+
final boolean isDebugLoggable = Log.isLoggable(TAG, Log.DEBUG);
- if (isSecurityLoggingEnabled || isDebugLoggable) {
- final String subject =
- cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
- if (isDebugLoggable) {
- Log.d(TAG, String.format("Installing CA certificate: %s", subject));
- }
- if (isSecurityLoggingEnabled) {
- subjectForAudit = subject;
- }
+ subject = cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
+ if (isDebugLoggable) {
+ Log.d(TAG, String.format("Installing CA certificate: %s", subject));
}
+
synchronized (mTrustedCertificateStore) {
mTrustedCertificateStore.installCertificate(cert);
alias = mTrustedCertificateStore.getCertificateAlias(cert);
}
} catch (IOException | CertificateException e) {
Log.w(TAG, "Failed installing CA certificate", e);
- if (subjectForAudit != null) {
+ if (isSecurityLoggingEnabled && subject != null) {
mInjector.writeSecurityEvent(
- TAG_CERT_AUTHORITY_INSTALLED, 0 /*result*/, subjectForAudit,
+ TAG_CERT_AUTHORITY_INSTALLED, 0 /*result*/, subject,
UserHandle.myUserId());
}
throw new IllegalStateException(e);
}
- if (subjectForAudit != null) {
+ if (isSecurityLoggingEnabled && subject != null) {
mInjector.writeSecurityEvent(
- TAG_CERT_AUTHORITY_INSTALLED, 1 /*result*/, subjectForAudit,
+ TAG_CERT_AUTHORITY_INSTALLED, 1 /*result*/, subject,
UserHandle.myUserId());
}
+
+ // If the caller is the cert installer, install the CA certificate into KeyStore.
+ // This is a temporary solution to enable CA certificates to be used as VPN trust
+ // anchors. Ultimately, the user should explicitly choose to install the VPN trust
+ // anchor separately and independently of CA certificates, at which point this code
+ // should be removed.
+ if (CERT_INSTALLER_PACKAGE.equals(callingPackage())) {
+ final boolean result = mKeyStore.put(
+ String.format("%s%s %s", Credentials.CA_CERTIFICATE, subject, alias),
+ caCertificate, Process.SYSTEM_UID,
+ KeyStore.FLAG_NONE);
+ Log.d(TAG, String.format(
+ "Attempted installing %s (subject: %s) to KeyStore. Result: %b", alias,
+ subject, result));
+ }
+
broadcastLegacyStorageChange();
broadcastTrustStoreChange();
return alias;