Support installation of the new app source certificate

The new certificate can be installed from Settings ("Install a certificate > App Source certificate"). The installation flow includes a warning with user authorization to proceed, then a prompt for reboot (now or later). Installed certificate can be managed in "User credentials". The name is currently a hash of hex numbers. Upon deletion, there will also be a promot for reboot (now or later). Test: Only see the new setting entry if feature is enabled Test: Install from Settings, see the expected file name in /data/misc/keysetore/user_0. Reboot also works. Test: Able to see the certificate in Settings after installed Test: Able to delete the certificate, which triggers confirmation dialog to reboot. Reboot works. Test: add certificate, see dialog, "not now" / tapping elsewhere does nothing Test: atest RestrictedEncryptionPreferenceControllerTest Bug: 112038744 Change-Id: I7a4494ea0f243730df2212076588074d8774ae23
2019-10-30 15:35:19 -07:00
parent 9f5fc3c6da
commit c8a1960cf4
14 changed files with 373 additions and 15 deletions
--- a/src/com/android/settings/security/CredentialStorage.java
+++ b/src/com/android/settings/security/CredentialStorage.java
@@ -44,6 +44,7 @@ import androidx.fragment.app.FragmentActivity;

 import com.android.internal.widget.LockPatternUtils;
 import com.android.settings.R;
+import com.android.settings.RebootDialog;
 import com.android.settings.password.ChooseLockSettingsHelper;
 import com.android.settings.vpn2.VpnUtils;

@@ -130,10 +131,10 @@ public final class CredentialStorage extends FragmentActivity {
        if (uid != KeyStore.UID_SELF && !UserHandle.isSameUser(uid, Process.myUid())) {
            final int dstUserId = UserHandle.getUserId(uid);

-            // Restrict install target to the wifi uid.
-            if (uid != Process.WIFI_UID) {
+            // Restrict install target to the known uid.
+            if (uid != Process.WIFI_UID && uid != Process.FSVERITY_CERT_UID) {
                Log.e(TAG, "Failed to install credentials as uid " + uid + ": cross-user installs"
-                        + " may only target wifi uids");
+                        + " may only target known uids");
                return true;
            }

@@ -309,6 +310,16 @@ public final class CredentialStorage extends FragmentActivity {
        Log.i(TAG, String.format("Successfully installed alias %s to uid %d.",
                alias, uid));

+        if (uid == Process.FSVERITY_CERT_UID) {
+            new RebootDialog(
+                    this,
+                    R.string.app_src_cert_reboot_dialog_install_title,
+                    R.string.app_src_cert_reboot_dialog_install_message,
+                    "Reboot to make new fsverity cert effective").show();
+            setResult(RESULT_OK);
+            return;
+        }
+
        // Send the broadcast.
        final Intent broadcast = new Intent(KeyChain.ACTION_KEYCHAIN_CHANGED);
        sendBroadcast(broadcast);