Merge "[DO NOT MERGE] Rollup Cert-related changes from R"

res/values/strings.xml

@@ -5887,10 +5887,8 @@
 
     <!-- Title of preference group for credential storage settings [CHAR LIMIT=30] -->
     <string name="credentials_title">Credential storage</string>
-    <!-- Title of preference to install certificates from SD card [CHAR LIMIT=30] -->
+    <!-- Title of preference to install certificates [CHAR LIMIT=30] -->
-    <string name="credentials_install" product="nosdcard">Install from storage</string>
+    <string name="credentials_install">Install a certificate</string>
-    <!-- Title of preference to install certificates from SD card [CHAR LIMIT=30] -->
-    <string name="credentials_install" product="default">Install from SD card</string>
     <!-- Summary of preference to install certificates from SD card [CHAR LIMIT=NONE] -->
     <string name="credentials_install_summary" product="nosdcard">Install certificates from storage</string>
     <!-- Summary of preference to install certificates from SD card [CHAR LIMIT=NONE] -->
@@ -5929,6 +5927,22 @@
     <string name="credentials_not_erased">Credential storage couldn\u2019t be erased.</string>
     <!-- Title of Usage Access preference item [CHAR LIMIT=30] -->
     <string name="usage_access_title">Apps with usage access</string>
+    <!-- Title of CA certificate [CHAR LIMIT=30] -->
+    <string name="ca_certificate">CA certificate</string>
+    <!-- Title of User certificate [CHAR LIMIT=30] -->
+    <string name="user_certificate">VPN &amp; app user certificate</string>
+    <!-- Title of Wi-Fi certificate [CHAR LIMIT=30] -->
+    <string name="wifi_certificate">Wi\u2011Fi certificate</string>
+    <!-- Title of warning shown to the user before they can install a CA certificate [CHAR LIMIT=NONE] -->
+    <string name="ca_certificate_warning_title">Your data won\u2019t be private</string>
+    <!-- Description of warning shown to the user before they can install a CA certificate [CHAR LIMIT=NONE] -->
+    <string name="ca_certificate_warning_description">CA certificates are used by websites, apps, and VPNs for encryption. Only install CA certificates from organizations you trust. \n\n If you install a CA certificate, the certificate owner could access your data, such as passwords or credit card details, from websites you visit or apps you use – even if your data is encrypted.</string>
+    <!-- Label for button to not install a certificate [CHAR_LIMIT=50] -->
+    <string name="certificate_warning_dont_install">Don\u2019t install</string>
+    <!-- Label for button to continue installing a certificate [CHAR_LIMIT=50] -->
+    <string name="certificate_warning_install_anyway">Install anyway</string>
+    <!-- Toast message that a certificate was not installed -->
+    <string name="cert_not_installed">Certificate not installed</string>
 
     <!-- Sound settings screen, setting check box label -->
     <string name="emergency_tone_title">Emergency dialing signal</string>
@@ -6890,6 +6904,8 @@
     <string name="help_url_security" translatable="false"></string>
     <!-- Help URL, Encryption settings [DO NOT TRANSLATE] -->
     <string name="help_url_encryption" translatable="false"></string>
+    <!-- Help URL, Install certificate settings [DO NOT TRANSLATE] -->
+    <string name="help_url_install_certificate" translatable="false"></string>
     <!-- Help URL, Tap & pay [DO NOT TRANSLATE] -->
     <string name="help_url_nfc_payment" translatable="false"></string>
     <!-- Help URL, Remote display [DO NOT TRANSLATE] -->

res/xml/encryption_and_credential.xml

@@ -58,17 +58,11 @@
             settings:userRestriction="no_config_credentials" />
 
         <com.android.settingslib.RestrictedPreference
-            android:key="credentials_install"
+            android:key="install_certificate"
             android:title="@string/credentials_install"
             android:summary="@string/credentials_install_summary"
-            settings:userRestriction="no_config_credentials">
+            android:fragment="com.android.settings.security.InstallCertificateFromStorage"
-
+            settings:userRestriction="no_config_credentials" />
-            <intent
-                android:action="android.credentials.INSTALL"
-                android:targetPackage="com.android.certinstaller"
-                android:targetClass="com.android.certinstaller.CertInstallerMain" />
-
-        </com.android.settingslib.RestrictedPreference>
 
         <com.android.settingslib.RestrictedPreference
             android:key="credentials_reset"

res/xml/install_certificate_from_storage.xml

@@ -0,0 +1,70 @@
+<!--
+  ~ Copyright (C) 2019 The Android Open Source Project
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<PreferenceScreen
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:settings="http://schemas.android.com/apk/res-auto"
+    android:title="@string/credentials_install"
+    android:key="install_certificate_from_storage">
+
+    <PreferenceCategory
+        android:key="certificate_types">
+
+        <Preference
+            android:key="install_ca_certificate"
+            android:title="@string/ca_certificate">
+
+            <intent
+                android:action="android.credentials.INSTALL"
+                android:targetPackage="com.android.certinstaller"
+                android:targetClass="com.android.certinstaller.CertInstallerMain">
+                <!-- Same value as CERTIFICATE_USAGE_CA in keystore/java/android/security/Credentials.java -->
+                <extra android:name="certificate_install_usage" android:value="ca"/>
+            </intent>
+
+        </Preference>
+
+        <Preference
+            android:key="install_user_certificate"
+            android:title="@string/user_certificate">
+
+            <intent
+                android:action="android.credentials.INSTALL"
+                android:targetPackage="com.android.certinstaller"
+                android:targetClass="com.android.certinstaller.CertInstallerMain">
+                <!-- Same value as CERTIFICATE_USAGE_USER in keystore/java/android/security/Credentials.java -->
+                <extra android:name="certificate_install_usage" android:value="user"/>
+            </intent>
+
+        </Preference>
+
+        <Preference
+            android:key="install_wifi_certificate"
+            android:title="@string/wifi_certificate">
+
+            <intent
+                android:action="android.credentials.INSTALL"
+                android:targetPackage="com.android.certinstaller"
+                android:targetClass="com.android.certinstaller.CertInstallerMain">
+                <!-- Same value as CERTIFICATE_USAGE_WIFI in keystore/java/android/security/Credentials.java -->
+                <extra android:name="certificate_install_usage" android:value="wifi"/>
+            </intent>
+
+        </Preference>
+
+    </PreferenceCategory>
+
+</PreferenceScreen>

res/xml/wifi_configure_settings.xml

@@ -48,10 +48,12 @@
     <Preference
         android:key="install_credentials"
         android:title="@string/wifi_install_credentials">
-        <intent android:action="android.credentials.INSTALL_AS_USER"
+        <intent
-                android:targetPackage="com.android.certinstaller"
+            android:action="android.credentials.INSTALL"
-                android:targetClass="com.android.certinstaller.CertInstallerMain">
+            android:targetPackage="com.android.certinstaller"
-            <extra android:name="install_as_uid" android:value="1010" />
+            android:targetClass="com.android.certinstaller.CertInstallerMain">
+            <!-- Same value as CERTIFICATE_USAGE_WIFI in keystore/java/android/security/Credentials.java -->
+            <extra android:name="certificate_install_usage" android:value="wifi"/>
         </intent>
     </Preference>
 

src/com/android/settings/security/CredentialStorage.java

@@ -31,6 +31,7 @@ import android.os.RemoteException;
 import android.os.UserHandle;
 import android.os.UserManager;
 import android.security.Credentials;
+import android.security.IKeyChainService;
 import android.security.KeyChain;
 import android.security.KeyChain.KeyChainConnection;
 import android.security.KeyStore;
@@ -42,18 +43,10 @@ import androidx.appcompat.app.AlertDialog;
 import androidx.fragment.app.FragmentActivity;
 
 import com.android.internal.widget.LockPatternUtils;
-import com.android.org.bouncycastle.asn1.ASN1InputStream;
-import com.android.org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import com.android.settings.R;
 import com.android.settings.password.ChooseLockSettingsHelper;
 import com.android.settings.vpn2.VpnUtils;
 
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import sun.security.util.ObjectIdentifier;
-import sun.security.x509.AlgorithmId;
-
 /**
  * CredentialStorage handles resetting and installing keys into KeyStore.
  */
@@ -118,20 +111,6 @@ public final class CredentialStorage extends FragmentActivity {
         }
     }
 
-    private boolean isHardwareBackedKey(byte[] keyData) {
-        try {
-            final ASN1InputStream bIn = new ASN1InputStream(new ByteArrayInputStream(keyData));
-            final PrivateKeyInfo pki = PrivateKeyInfo.getInstance(bIn.readObject());
-            final String algOid = pki.getPrivateKeyAlgorithm().getAlgorithm().getId();
-            final String algName = new AlgorithmId(new ObjectIdentifier(algOid)).getName();
-
-            return KeyChain.isBoundKeyAlgorithm(algName);
-        } catch (IOException e) {
-            Log.e(TAG, "Failed to parse key data");
-            return false;
-        }
-    }
-
     /**
      * Install credentials if available, otherwise do nothing.
      *
@@ -165,56 +144,18 @@ public final class CredentialStorage extends FragmentActivity {
             return true;
         }
 
-        boolean shouldFinish = true;
+        String alias = bundle.getString(Credentials.EXTRA_USER_KEY_ALIAS, null);
-        if (bundle.containsKey(Credentials.EXTRA_USER_PRIVATE_KEY_NAME)) {
+        if (TextUtils.isEmpty(alias)) {
-            final String key = bundle.getString(Credentials.EXTRA_USER_PRIVATE_KEY_NAME);
+            Log.e(TAG, "Cannot install key without an alias");
-            final byte[] value = bundle.getByteArray(Credentials.EXTRA_USER_PRIVATE_KEY_DATA);
+            return true;
-
-            if (!mKeyStore.importKey(key, value, uid, KeyStore.FLAG_NONE)) {
-                Log.e(TAG, "Failed to install " + key + " as uid " + uid);
-                return true;
-            }
-            // The key was prepended USER_PRIVATE_KEY by the CredentialHelper. However,
-            // KeyChain internally uses the raw alias name and only prepends USER_PRIVATE_KEY
-            // to the key name when interfacing with KeyStore.
-            // This is generally a symptom of CredentialStorage and CredentialHelper relying
-            // on internal implementation details of KeyChain and imitating its functionality
-            // rather than delegating to KeyChain for the certificate installation.
-            if (uid == Process.SYSTEM_UID || uid == KeyStore.UID_SELF) {
-                new MarkKeyAsUserSelectable(
-                        key.replaceFirst("^" + Credentials.USER_PRIVATE_KEY, "")).execute();
-                shouldFinish = false;
-            }
         }
 
-        final int flags = KeyStore.FLAG_NONE;
+        final byte[] privateKeyData = bundle.getByteArray(Credentials.EXTRA_USER_PRIVATE_KEY_DATA);
+        final byte[] certData = bundle.getByteArray(Credentials.EXTRA_USER_CERTIFICATE_DATA);
+        final byte[] caListData = bundle.getByteArray(Credentials.EXTRA_CA_CERTIFICATES_DATA);
+        new InstallKeyInKeyChain(alias, privateKeyData, certData, caListData, uid).execute();
 
-        if (bundle.containsKey(Credentials.EXTRA_USER_CERTIFICATE_NAME)) {
+        return false;
-            final String certName = bundle.getString(Credentials.EXTRA_USER_CERTIFICATE_NAME);
-            final byte[] certData = bundle.getByteArray(Credentials.EXTRA_USER_CERTIFICATE_DATA);
-
-            if (!mKeyStore.put(certName, certData, uid, flags)) {
-                Log.e(TAG, "Failed to install " + certName + " as uid " + uid);
-                return shouldFinish;
-            }
-        }
-
-        if (bundle.containsKey(Credentials.EXTRA_CA_CERTIFICATES_NAME)) {
-            final String caListName = bundle.getString(Credentials.EXTRA_CA_CERTIFICATES_NAME);
-            final byte[] caListData = bundle.getByteArray(Credentials.EXTRA_CA_CERTIFICATES_DATA);
-
-            if (!mKeyStore.put(caListName, caListData, uid, flags)) {
-                Log.e(TAG, "Failed to install " + caListName + " as uid " + uid);
-                return shouldFinish;
-            }
-        }
-
-        // Send the broadcast.
-        final Intent broadcast = new Intent(KeyChain.ACTION_KEYCHAIN_CHANGED);
-        sendBroadcast(broadcast);
-
-        setResult(RESULT_OK);
-        return shouldFinish;
     }
 
     /**
@@ -308,26 +249,45 @@ public final class CredentialStorage extends FragmentActivity {
     }
 
     /**
-     * Background task to mark a given key alias as user-selectable, so that
+     * Background task to install a certificate into KeyChain or the WiFi Keystore.
-     * it can be selected by users from the Certificate Selection prompt.
      */
-    private class MarkKeyAsUserSelectable extends AsyncTask<Void, Void, Boolean> {
+    private class InstallKeyInKeyChain extends AsyncTask<Void, Void, Boolean> {
         final String mAlias;
+        private final byte[] mKeyData;
+        private final byte[] mCertData;
+        private final byte[] mCaListData;
+        private final int mUid;
 
-        MarkKeyAsUserSelectable(String alias) {
+        InstallKeyInKeyChain(String alias, byte[] keyData, byte[] certData, byte[] caListData,
+                int uid) {
             mAlias = alias;
+            mKeyData = keyData;
+            mCertData = certData;
+            mCaListData = caListData;
+            mUid = uid;
         }
 
         @Override
         protected Boolean doInBackground(Void... unused) {
             try (KeyChainConnection keyChainConnection = KeyChain.bind(CredentialStorage.this)) {
-                keyChainConnection.getService().setUserSelectable(mAlias, true);
+                IKeyChainService service = keyChainConnection.getService();
+                if (!service.installKeyPair(mKeyData, mCertData, mCaListData, mAlias, mUid)) {
+                    Log.w(TAG, String.format("Failed installing key %s", mAlias));
+                    return false;
+                }
+
+                // If this is not a WiFi key, mark  it as user-selectable, so that it can be
+                // selected by users from the Certificate Selection prompt.
+                if (mUid == Process.SYSTEM_UID || mUid == KeyStore.UID_SELF) {
+                    service.setUserSelectable(mAlias, true);
+                }
+
                 return true;
             } catch (RemoteException e) {
-                Log.w(TAG, "Failed to mark key " + mAlias + " as user-selectable.");
+                Log.w(TAG, String.format("Failed to install key %s to uid %d", mAlias, mUid), e);
                 return false;
             } catch (InterruptedException e) {
-                Log.w(TAG, "Failed to mark key " + mAlias + " as user-selectable.");
+                Log.w(TAG, String.format("Interrupted while installing key %s", mAlias), e);
                 Thread.currentThread().interrupt();
                 return false;
             }
@@ -335,12 +295,28 @@ public final class CredentialStorage extends FragmentActivity {
 
         @Override
         protected void onPostExecute(Boolean result) {
-            Log.i(TAG, String.format("Marked alias %s as selectable, success? %s",
+            CredentialStorage.this.onKeyInstalled(mAlias, mUid, result);
-                        mAlias, result));
-            CredentialStorage.this.finish();
         }
     }
 
+    private void onKeyInstalled(String alias, int uid, boolean result) {
+        if (!result) {
+            Log.w(TAG, String.format("Error installing alias %s for uid %d", alias, uid));
+            finish();
+            return;
+        }
+
+        Log.i(TAG, String.format("Successfully installed alias %s to uid %d.",
+                alias, uid));
+
+        // Send the broadcast.
+        final Intent broadcast = new Intent(KeyChain.ACTION_KEYCHAIN_CHANGED);
+        sendBroadcast(broadcast);
+        setResult(RESULT_OK);
+
+        finish();
+    }
+
     /**
      * Check that the caller is either certinstaller or Settings running in a profile of this user.
      */

src/com/android/settings/security/EncryptionAndCredential.java

@@ -76,7 +76,7 @@ public class EncryptionAndCredential extends DashboardFragment {
         controllers.add(new CredentialStoragePreferenceController(context));
         controllers.add(new UserCredentialsPreferenceController(context));
         controllers.add(new ResetCredentialsPreferenceController(context, lifecycle));
-        controllers.add(new InstallCredentialsPreferenceController(context));
+        controllers.add(new InstallCertificatePreferenceController(context));
         return controllers;
     }
 

src/com/android/settings/security/InstallCaCertificatePreferenceController.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.content.Context;
+import android.os.UserManager;
+
+import com.android.settings.core.BasePreferenceController;
+
+public class InstallCaCertificatePreferenceController extends
+        BasePreferenceController {
+
+    private static final String KEY_INSTALL_CA_CERTIFICATE = "install_ca_certificate";
+
+    public InstallCaCertificatePreferenceController(Context context) {
+        super(context, UserManager.DISALLOW_CONFIG_CREDENTIALS);
+    }
+
+    @Override
+    public int getAvailabilityStatus() {
+        return AVAILABLE;
+    }
+
+    @Override
+    public String getPreferenceKey() {
+        return KEY_INSTALL_CA_CERTIFICATE;
+    }
+}

src/com/android/settings/security/InstallCertificateFromStorage.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.app.settings.SettingsEnums;
+import android.content.Context;
+import android.os.UserManager;
+
+import com.android.settings.R;
+import com.android.settings.dashboard.DashboardFragment;
+import com.android.settings.search.BaseSearchIndexProvider;
+import com.android.settingslib.core.AbstractPreferenceController;
+import com.android.settingslib.core.lifecycle.Lifecycle;
+import com.android.settingslib.search.SearchIndexable;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Install certificate from storage settings.
+ */
+@SearchIndexable
+public class InstallCertificateFromStorage extends DashboardFragment {
+
+    private static final String TAG = "InstallCertificateFromStorage";
+
+    @Override
+    public int getMetricsCategory() {
+        return SettingsEnums.INSTALL_CERTIFICATE_FROM_STORAGE;
+    }
+
+    @Override
+    protected int getPreferenceScreenResId() {
+        return R.xml.install_certificate_from_storage;
+    }
+
+    @Override
+    protected String getLogTag() {
+        return TAG;
+    }
+
+    @Override
+    protected List<AbstractPreferenceController> createPreferenceControllers(Context context) {
+        return new ArrayList<AbstractPreferenceController>();
+    }
+
+    private static List<AbstractPreferenceController> buildPreferenceControllers(Context context,
+            Lifecycle lifecycle) {
+        final List<AbstractPreferenceController> controllers = new ArrayList<>();
+        controllers.add(new InstallCaCertificatePreferenceController(context));
+        controllers.add(new InstallUserCertificatePreferenceController(context));
+        controllers.add(new InstallWifiCertificatePreferenceController(context));
+        return controllers;
+    }
+
+    @Override
+    public int getHelpResource() {
+        return R.string.help_url_install_certificate;
+    }
+
+    /**
+     * For Search. Please keep it in sync when updating "createPreferenceHierarchy()"
+     */
+    public static final BaseSearchIndexProvider SEARCH_INDEX_DATA_PROVIDER =
+            new BaseSearchIndexProvider() {
+                @Override
+                public List<AbstractPreferenceController> createPreferenceControllers(
+                        Context context) {
+                    return buildPreferenceControllers(context, null /* lifecycle */);
+                }
+
+                @Override
+                protected boolean isPageSearchEnabled(Context context) {
+                    final UserManager um = (UserManager) context.getSystemService(
+                            Context.USER_SERVICE);
+                    return um.isAdminUser();
+                }
+            };
+}

src/com/android/settings/security/InstallCertificatePreferenceController.java

@@ -19,17 +19,17 @@ package com.android.settings.security;
 import android.content.Context;
 import android.os.UserManager;
 
-public class InstallCredentialsPreferenceController extends
+public class InstallCertificatePreferenceController extends
         RestrictedEncryptionPreferenceController {
 
-    private static final String KEY_CREDENTIALS_INSTALL = "credentials_install";
+    private static final String KEY_INSTALL_CERTIFICATE = "install_certificate";
 
-    public InstallCredentialsPreferenceController(Context context) {
+    public InstallCertificatePreferenceController(Context context) {
         super(context, UserManager.DISALLOW_CONFIG_CREDENTIALS);
     }
 
     @Override
     public String getPreferenceKey() {
-        return KEY_CREDENTIALS_INSTALL;
+        return KEY_INSTALL_CERTIFICATE;
     }
 }

src/com/android/settings/security/InstallUserCertificatePreferenceController.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.content.Context;
+import android.os.UserManager;
+
+import com.android.settings.core.BasePreferenceController;
+
+public class InstallUserCertificatePreferenceController extends
+        BasePreferenceController {
+
+    private static final String KEY_INSTALL_USER_CERTIFICATE = "install_user_certificate";
+
+    public InstallUserCertificatePreferenceController(Context context) {
+        super(context, UserManager.DISALLOW_CONFIG_CREDENTIALS);
+    }
+
+    @Override
+    public int getAvailabilityStatus() {
+        return AVAILABLE;
+    }
+
+    @Override
+    public String getPreferenceKey() {
+        return KEY_INSTALL_USER_CERTIFICATE;
+    }
+}

src/com/android/settings/security/InstallWifiCertificatePreferenceController.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.content.Context;
+import android.os.UserManager;
+
+import com.android.settings.core.BasePreferenceController;
+
+public class InstallWifiCertificatePreferenceController extends
+        BasePreferenceController {
+
+    private static final String KEY_INSTALL_WIFI_CERTIFICATE = "install_wifi_certificate";
+
+    public InstallWifiCertificatePreferenceController(Context context) {
+        super(context, UserManager.DISALLOW_CONFIG_CREDENTIALS);
+    }
+
+    @Override
+    public int getAvailabilityStatus() {
+        return AVAILABLE;
+    }
+
+    @Override
+    public String getPreferenceKey() {
+        return KEY_INSTALL_WIFI_CERTIFICATE;
+    }
+}

tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import static com.android.settings.security.InstallCertificateFromStorage.SEARCH_INDEX_DATA_PROVIDER;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import android.app.admin.DevicePolicyManager;
+import android.app.settings.SettingsEnums;
+import android.content.Context;
+import android.os.UserManager;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.robolectric.RobolectricTestRunner;
+import org.robolectric.RuntimeEnvironment;
+import org.robolectric.shadows.ShadowApplication;
+
+import java.util.ArrayList;
+import java.util.List;
+
+@RunWith(RobolectricTestRunner.class)
+public class InstallCertificateFromStorageTest {
+
+    @Mock
+    private UserManager mUserManager;
+
+    @Mock
+    private DevicePolicyManager mDevicePolicyManager;
+
+    private Context mContext;
+
+    private List<String> mTestKeys;
+
+    @Before
+    public void setUp() {
+        MockitoAnnotations.initMocks(this);
+        ShadowApplication application = ShadowApplication.getInstance();
+        application.setSystemService(Context.DEVICE_POLICY_SERVICE, mDevicePolicyManager);
+        application.setSystemService(Context.USER_SERVICE, mUserManager);
+        mContext = RuntimeEnvironment.application;
+        setUpTestKeys();
+    }
+
+    private void setUpTestKeys() {
+        mTestKeys = new ArrayList<>();
+        mTestKeys.add("install_certificate_from_storage");
+        mTestKeys.add("certificate_types");
+        mTestKeys.add("install_ca_certificate");
+        mTestKeys.add("install_user_certificate");
+        mTestKeys.add("install_wifi_certificate");
+    }
+
+    @Test
+    public void getMetricsCategory_shouldReturnInstallCertificateFromStorage() {
+        InstallCertificateFromStorage fragment = new InstallCertificateFromStorage();
+        assertThat(fragment.getMetricsCategory()).isEqualTo(
+                SettingsEnums.INSTALL_CERTIFICATE_FROM_STORAGE);
+    }
+
+    @Test
+    public void getNonIndexableKeys_existInXmlLayout() {
+        final List<String> nonIndexableKeys =
+                SEARCH_INDEX_DATA_PROVIDER.getNonIndexableKeys(mContext);
+
+        assertThat(nonIndexableKeys).containsAllIn(mTestKeys);
+    }
+
+}

tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java

@@ -40,9 +40,12 @@ public class RestrictedEncryptionPreferenceControllerTest {
     private Context mContext;
     private ShadowUserManager mUserManager;
     private CredentialStoragePreferenceController mCredentialStoragePreferenceController;
-    private InstallCredentialsPreferenceController mInstallCredentialsPreferenceController;
+    private InstallCertificatePreferenceController mInstallCertificatePreferenceController;
     private ResetCredentialsPreferenceController mResetCredentialsPreferenceController;
     private UserCredentialsPreferenceController mUserCredentialsPreferenceController;
+    private InstallCaCertificatePreferenceController mInstallCaCertificatePreferenceController;
+    private InstallUserCertificatePreferenceController mInstallUserCertificatePreferenceController;
+    private InstallWifiCertificatePreferenceController mInstallWifiCertificatePreferenceController;
     private Lifecycle mLifecycle;
     private LifecycleOwner mLifecycleOwner;
 
@@ -53,21 +56,30 @@ public class RestrictedEncryptionPreferenceControllerTest {
         mLifecycle = new Lifecycle(mLifecycleOwner);
         mCredentialStoragePreferenceController =
                 new CredentialStoragePreferenceController(mContext);
-        mInstallCredentialsPreferenceController =
+        mInstallCertificatePreferenceController =
-                new InstallCredentialsPreferenceController(mContext);
+                new InstallCertificatePreferenceController(mContext);
         mResetCredentialsPreferenceController =
                 new ResetCredentialsPreferenceController(mContext, mLifecycle);
         mUserCredentialsPreferenceController =
                 new UserCredentialsPreferenceController(mContext);
+        mInstallCaCertificatePreferenceController =
+                new InstallCaCertificatePreferenceController(mContext);
+        mInstallUserCertificatePreferenceController =
+                new InstallUserCertificatePreferenceController(mContext);
+        mInstallWifiCertificatePreferenceController =
+                new InstallWifiCertificatePreferenceController(mContext);
         mUserManager = ShadowUserManager.getShadow();
     }
 
     @Test
     public void isAvailable_noRestriction_shouldReturnTrue() {
         assertThat(mCredentialStoragePreferenceController.isAvailable()).isTrue();
-        assertThat(mInstallCredentialsPreferenceController.isAvailable()).isTrue();
+        assertThat(mInstallCertificatePreferenceController.isAvailable()).isTrue();
         assertThat(mResetCredentialsPreferenceController.isAvailable()).isTrue();
         assertThat(mUserCredentialsPreferenceController.isAvailable()).isTrue();
+        assertThat(mInstallCaCertificatePreferenceController.isAvailable()).isTrue();
+        assertThat(mInstallUserCertificatePreferenceController.isAvailable()).isTrue();
+        assertThat(mInstallWifiCertificatePreferenceController.isAvailable()).isTrue();
     }
 
     @Test
@@ -75,8 +87,11 @@ public class RestrictedEncryptionPreferenceControllerTest {
         mUserManager.addBaseUserRestriction(UserManager.DISALLOW_CONFIG_CREDENTIALS);
 
         assertThat(mCredentialStoragePreferenceController.isAvailable()).isFalse();
-        assertThat(mInstallCredentialsPreferenceController.isAvailable()).isFalse();
+        assertThat(mInstallCertificatePreferenceController.isAvailable()).isFalse();
         assertThat(mResetCredentialsPreferenceController.isAvailable()).isFalse();
         assertThat(mUserCredentialsPreferenceController.isAvailable()).isFalse();
+        assertThat(mInstallCaCertificatePreferenceController.isAvailable()).isFalse();
+        assertThat(mInstallUserCertificatePreferenceController.isAvailable()).isFalse();
+        assertThat(mInstallWifiCertificatePreferenceController.isAvailable()).isFalse();
     }
 }