Support installation of the new app source certificate

The new certificate can be installed from Settings ("Install a certificate > App Source certificate"). The installation flow includes a warning with user authorization to proceed, then a prompt for reboot (now or later). Installed certificate can be managed in "User credentials". The name is currently a hash of hex numbers. Upon deletion, there will also be a promot for reboot (now or later). Test: Only see the new setting entry if feature is enabled Test: Install from Settings, see the expected file name in /data/misc/keysetore/user_0. Reboot also works. Test: Able to see the certificate in Settings after installed Test: Able to delete the certificate, which triggers confirmation dialog to reboot. Reboot works. Test: add certificate, see dialog, "not now" / tapping elsewhere does nothing Test: atest RestrictedEncryptionPreferenceControllerTest Bug: 112038744 Change-Id: I7a4494ea0f243730df2212076588074d8774ae23
2019-10-30 15:35:19 -07:00
parent 9f5fc3c6da
commit c8a1960cf4
14 changed files with 373 additions and 15 deletions
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -1313,6 +1313,11 @@
                  android:exported="false">
        </activity>
        <activity android:name=".security.InstallAppSourceCertificateWarning"
                  android:theme="@style/GlifV3Theme.Light"
                  android:exported="false">
        </activity>
        <activity
            android:name="Settings$DeviceAdminSettingsActivity"
            android:label="@string/device_admin_settings_title">
--- a/res/layout/app_source_certificate_warning_dialog.xml
+++ b/res/layout/app_source_certificate_warning_dialog.xml
@@ -0,0 +1,56 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
  ~ Copyright (C) 2019 The Android Open Source Project
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~      http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->
 <com.google.android.setupdesign.GlifLayout
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:id="@+id/setup_wizard_layout"
    android:layout_width="match_parent"
    android:layout_height="match_parent">
    <LinearLayout
        style="@style/SudContentFrame"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:orientation="vertical"
        android:gravity="center_horizontal">
        <ImageView
            android:id="@+id/sud_layout_icon"
            style="@style/SudGlifIcon"
            android:layout_width="wrap_content"
            android:layout_height="wrap_content"
            android:gravity="center"
            android:src="@drawable/ic_warning_googred_48dp"/>
        <TextView
            android:id="@+id/sud_layout_title"
            style="@style/SudGlifHeaderTitle"
            android:layout_width="match_parent"
            android:layout_height="wrap_content"
            android:gravity="center"
            android:text="@string/app_src_certificate_warning_title"/>
        <TextView
            android:id="@+id/sud_layout_description"
            style="@style/SudDescription.Glif"
            android:layout_marginTop="16dp"
            android:layout_width="match_parent"
            android:layout_height="wrap_content"
            android:text="@string/app_src_certificate_warning_description"/>
    </LinearLayout>
 </com.google.android.setupdesign.GlifLayout>
--- a/res/layout/user_credential.xml
+++ b/res/layout/user_credential.xml
@@ -73,5 +73,14 @@
            android:textAppearance="?android:attr/textAppearanceSmall"
            android:textColor="?android:attr/textColorTertiary"
            android:paddingStart="?android:attr/listPreferredItemPaddingStart"/>
        <TextView
            android:id="@+id/contents_appsrccrt"
            android:text="@string/one_appsrccrt"
            android:layout_width="wrap_content"
            android:layout_height="wrap_content"
            android:textAppearance="?android:attr/textAppearanceSmall"
            android:textColor="?android:attr/textColorTertiary"
            android:paddingStart="?android:attr/listPreferredItemPaddingStart"/>
    </LinearLayout>
 </LinearLayout>
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -5902,6 +5902,8 @@
    <string name="credential_for_vpn_and_apps">Installed for VPN and apps</string>
    <!-- Sub-heading for a user credential installed to be used as part of a Wi-Fi configuration. [CHAR LIMIT=NONE]. -->
    <string name="credential_for_wifi">Installed for Wi-Fi</string>
    <!-- Sub-heading for a user credential installed to be used by kernel for fs-verity verification [CHAR LIMIT=NONE]. -->
    <string name="credential_for_fsverity">Installed for app install source verification</string>
    <!-- Description of dialog to reset credential storage [CHAR LIMIT=NONE] -->
    <string name="credentials_reset_hint">Remove all the contents?</string>
    <!-- Toast message [CHAR LIMIT=30] -->
@@ -5916,14 +5918,20 @@
    <string name="user_certificate">VPN &amp; app user certificate</string>
    <!-- Title of Wi-Fi certificate [CHAR LIMIT=30] -->
    <string name="wifi_certificate">Wi\u2011Fi certificate</string>
    <!-- Title of App Source certificate [CHAR LIMIT=30] -->
    <string name="app_src_certificate">App Source certificate</string>
    <!-- Title of warning shown to the user before they can install a CA certificate [CHAR LIMIT=NONE] -->
    <string name="ca_certificate_warning_title">Your privacy is at risk</string>
    <!-- Description of warning shown to the user before they can install a CA certificate [CHAR LIMIT=NONE] -->
    <string name="ca_certificate_warning_description">CA certificates are used by websites, apps, and VPNs for encryption. Only install CA certificates from organizations you trust. \n\n If you install a CA certificate, the certificate owner could access your information, such as passwords, messages, or credit card details, from websites you visit or apps you use - even if that information is encrypted.</string>
-    <!-- Label for button to not install a CA certificate [CHAR_LIMIT=50] -->
+    <!-- Label for button to not install a certificate [CHAR_LIMIT=50] -->
-    <string name="ca_certificate_warning_dont_install">Don\u2019t install</string>
+    <string name="certificate_warning_dont_install">Don\u2019t install</string>
-    <!-- Label for button to continue installing a CA certificate [CHAR_LIMIT=50] -->
+    <!-- Label for button to continue installing a certificate [CHAR_LIMIT=50] -->
-    <string name="ca_certificate_warning_install_anyway">Install anyways</string>
+    <string name="certificate_warning_install_anyway">Install anyways</string>
    <!-- Title of warning shown to the user before they can install an App Source certificate [CHAR LIMIT=50] -->
    <string name="app_src_certificate_warning_title">Install this certificate at your own risk</string>
    <!-- Description of warning shown to the user before they can install an App Source certificate [CHAR LIMIT=NONE] -->
    <string name="app_src_certificate_warning_description">App source certificates verify that apps are safe for your device. Only install certificates from organizations you trust.</string>
    <!-- Toast message that a certificate was not installed -->
    <string name="cert_not_installed">Certificate not installed</string>
@@ -6549,14 +6557,28 @@
    <string name="one_usercrt">one user certificate</string>
    <!-- Item found in the PKCS12 keystore being investigated [CHAR LIMIT=NONE] -->
    <string name="one_cacrt">one CA certificate</string>
-    <!-- Item found in thee PKCS12 keystore being investigated [CHAR LIMIT=NONE]-->
+    <!-- Item found in the PKCS12 keystore being investigated [CHAR LIMIT=NONE]-->
    <string name="n_cacrts">%d CA certificates</string>
    <!-- Item found in the PKCS12 keystore being investigated [CHAR LIMIT=NONE] -->
    <string name="one_appsrccrt">one App Source certificate</string>
    <!-- Alert dialog when viewing a set of user credentials. -->
    <string name="user_credential_title">Credential details</string>
    <!-- Announcement to confirm a user credential being removed. [CHAR LIMIT=NONE] -->
    <string name="user_credential_removed">Removed credential: <xliff:g id="credential_name" example="signing key">%s</xliff:g></string>
    <!-- Placeholder for the list of installed user credentials (private keys) when the list is empty. [CHAR LIMIT=120] -->
    <string name="user_credential_none_installed">No user credentials installed</string>
    <!-- Title of alert dialog after an app source certificate is installed. [CHAR LIMIT=45] -->
    <string name="app_src_cert_reboot_dialog_install_title">Restart to use certificate</string>
    <!-- Message of alert dialog after an app source certificate is installed. [CHAR LIMIT=NONE] -->
    <string name="app_src_cert_reboot_dialog_install_message">To use this app source certificate, you need to restart your device</string>
    <!-- Title of alert dialog after an app source certificate is deleted. [CHAR LIMIT=45] -->
    <string name="app_src_cert_reboot_dialog_uninstall_title">Restart to finish uninstalling</string>
    <!-- Message of alert dialog after an app source certificate is deleted. [CHAR LIMIT=NONE] -->
    <string name="app_src_cert_reboot_dialog_uninstall_message">To uninstall this app source certificate, you need to restart your device</string>
    <!-- Button to restart the device. [CHAR LIMIT=25] -->
    <string name="app_src_cert_reboot_dialog_button_restart">Restart</string>
    <!-- Button to skip restarting the device. [CHAR LIMIT=25] -->
    <string name="app_src_cert_reboot_dialog_button_not_now">Not now</string>
    <!--  Title for spell checker settings -->
    <string name="spellcheckers_settings_title">Spell checker</string>
--- a/res/xml/install_certificate_from_storage.xml
+++ b/res/xml/install_certificate_from_storage.xml
@@ -62,6 +62,18 @@
        </Preference>
        <Preference
            android:key="install_app_src_certificate"
            android:title="@string/app_src_certificate"
            settings:controller="com.android.settings.security.InstallAppSourceCertificatePreferenceController">
            <intent
                android:targetPackage="com.android.settings"
                android:targetClass="com.android.settings.security.InstallAppSourceCertificateWarning">
            </intent>
        </Preference>
    </PreferenceCategory>
 </PreferenceScreen>
--- a/src/com/android/settings/RebootDialog.java
+++ b/src/com/android/settings/RebootDialog.java
@@ -0,0 +1,64 @@
 /*
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package com.android.settings;
 import android.annotation.StringRes;
 import android.app.Activity;
 import android.content.Context;
 import android.content.DialogInterface;
 import android.os.PowerManager;
 import androidx.appcompat.app.AlertDialog;
 /** Dialog to confirm a reboot immediately, or later. */
 public class RebootDialog implements DialogInterface.OnClickListener,
        DialogInterface.OnDismissListener {
    private final Activity mActivity;
    private final AlertDialog mDialog;
    private final String mRebootReason;
    public RebootDialog(Activity activity, @StringRes int titleRes, @StringRes int messageRes,
            String rebootReason) {
        mActivity = activity;
        mDialog = new AlertDialog.Builder(activity)
                .setTitle(titleRes)
                .setMessage(messageRes)
                .setPositiveButton(R.string.app_src_cert_reboot_dialog_button_restart, this)
                .setNegativeButton(R.string.app_src_cert_reboot_dialog_button_not_now, null)
                .setOnDismissListener(this)
                .create();
        mRebootReason = rebootReason;
    }
    /** Shows the dialog. */
    public void show() {
        mDialog.show();
    }
    @Override
    public void onClick(DialogInterface dialog, int button) {
        if (button == DialogInterface.BUTTON_POSITIVE) {
            PowerManager pm = (PowerManager) mActivity.getSystemService(Context.POWER_SERVICE);
            pm.reboot(mRebootReason);
        }
    }
    @Override
    public void onDismiss(DialogInterface dialog) {
        mActivity.finish();
    }
 }
--- a/src/com/android/settings/UserCredentialsSettings.java
+++ b/src/com/android/settings/UserCredentialsSettings.java
@@ -193,6 +193,8 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
                for (final Credential credential : credentials) {
                    if (credential.isSystem()) {
                        removeGrantsAndDelete(credential);
                    } else if (credential.isFsverity()) {
                        deleteAppSourceCredential(credential);
                    } else {
                        deleteWifiCredential(credential);
                    }
@@ -219,6 +221,16 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
                }
            }
            private void deleteAppSourceCredential(final Credential credential) {
                final KeyStore keyStore = KeyStore.getInstance();
                final EnumSet<Credential.Type> storedTypes = credential.getStoredTypes();
                if (storedTypes.contains(Credential.Type.APP_SOURCE_CERTIFICATE)) {
                    keyStore.delete(Credentials.APP_SOURCE_CERTIFICATE + credential.getAlias(),
                            Process.FSVERITY_CERT_UID);
                }
            }
            private void removeGrantsAndDelete(final Credential credential) {
                final KeyChainConnection conn;
                try {
@@ -242,10 +254,21 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
            protected void onPostExecute(Credential... credentials) {
                if (targetFragment instanceof UserCredentialsSettings && targetFragment.isAdded()) {
                    final UserCredentialsSettings target = (UserCredentialsSettings) targetFragment;
                    boolean includeFsverity = false;
                    for (final Credential credential : credentials) {
                        target.announceRemoval(credential.alias);
                        if (credential.isFsverity()) {
                            includeFsverity = true;
                        }
                    }
                    target.refreshItems();
                    if (includeFsverity) {
                        new RebootDialog(
                                getActivity(),
                                R.string.app_src_cert_reboot_dialog_uninstall_title,
                                R.string.app_src_cert_reboot_dialog_uninstall_message,
                                "Reboot to make new fsverity cert effective").show();
                    }
                }
            }
        }
@@ -272,10 +295,12 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
            final int myUserId = UserHandle.myUserId();
            final int systemUid = UserHandle.getUid(myUserId, Process.SYSTEM_UID);
            final int wifiUid = UserHandle.getUid(myUserId, Process.WIFI_UID);
            final int fsverityUid = UserHandle.getUid(myUserId, Process.FSVERITY_CERT_UID);
            List<Credential> credentials = new ArrayList<>();
            credentials.addAll(getCredentialsForUid(keyStore, systemUid).values());
            credentials.addAll(getCredentialsForUid(keyStore, wifiUid).values());
            credentials.addAll(getCredentialsForUid(keyStore, fsverityUid).values());
            return credentials;
        }
@@ -402,6 +427,7 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
        credentialViewTypes.put(R.id.contents_userkey, Credential.Type.USER_KEY);
        credentialViewTypes.put(R.id.contents_usercrt, Credential.Type.USER_CERTIFICATE);
        credentialViewTypes.put(R.id.contents_cacrt, Credential.Type.CA_CERTIFICATE);
        credentialViewTypes.put(R.id.contents_appsrccrt, Credential.Type.APP_SOURCE_CERTIFICATE);
    }
    protected static View getCredentialView(Credential item, @LayoutRes int layoutResource,
@@ -411,9 +437,15 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
        }
        ((TextView) view.findViewById(R.id.alias)).setText(item.alias);
-        ((TextView) view.findViewById(R.id.purpose)).setText(item.isSystem()
+        int purpose;
-                ? R.string.credential_for_vpn_and_apps
+        if (item.isSystem()) {
-                : R.string.credential_for_wifi);
+            purpose = R.string.credential_for_vpn_and_apps;
        } else if (item.isFsverity()) {
            purpose = R.string.credential_for_fsverity;
        } else {
            purpose = R.string.credential_for_wifi;
        }
        ((TextView) view.findViewById(R.id.purpose)).setText(purpose);
        view.findViewById(R.id.contents).setVisibility(expanded ? View.VISIBLE : View.GONE);
        if (expanded) {
@@ -435,7 +467,8 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
        static enum Type {
            CA_CERTIFICATE (Credentials.CA_CERTIFICATE),
            USER_CERTIFICATE (Credentials.USER_CERTIFICATE),
-            USER_KEY(Credentials.USER_PRIVATE_KEY, Credentials.USER_SECRET_KEY);
+            USER_KEY(Credentials.USER_PRIVATE_KEY, Credentials.USER_SECRET_KEY),
            APP_SOURCE_CERTIFICATE(Credentials.APP_SOURCE_CERTIFICATE);
            final String[] prefix;
@@ -452,7 +485,8 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
        /**
         * UID under which this credential is stored. Typically {@link Process#SYSTEM_UID} but can
-         * also be {@link Process#WIFI_UID} for credentials installed as wifi certificates.
+         * also be {@link Process#WIFI_UID} for credentials installed as wifi certificates, or
         * {@link Process#FSVERITY_CERT_UID} for app source certificates.
         */
        final int uid;
@@ -462,6 +496,7 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
         *   <li>{@link Credentials.CA_CERTIFICATE}</li>
         *   <li>{@link Credentials.USER_CERTIFICATE}</li>
         *   <li>{@link Credentials.USER_KEY}</li>
         *   <li>{@link Credentials.APP_SOURCE_CERTIFICATE}</li>
         * </ul>
         */
        final EnumSet<Type> storedTypes = EnumSet.noneOf(Type.class);
@@ -512,6 +547,10 @@ public class UserCredentialsSettings extends SettingsPreferenceFragment
            return UserHandle.getAppId(uid) == Process.SYSTEM_UID;
        }
        public boolean isFsverity() {
            return UserHandle.getAppId(uid) == Process.FSVERITY_CERT_UID;
        }
        public String getAlias() { return alias; }
        public EnumSet<Type> getStoredTypes() {
--- a/src/com/android/settings/security/CredentialStorage.java
+++ b/src/com/android/settings/security/CredentialStorage.java
@@ -44,6 +44,7 @@ import androidx.fragment.app.FragmentActivity;
 import com.android.internal.widget.LockPatternUtils;
 import com.android.settings.R;
 import com.android.settings.RebootDialog;
 import com.android.settings.password.ChooseLockSettingsHelper;
 import com.android.settings.vpn2.VpnUtils;
@@ -130,10 +131,10 @@ public final class CredentialStorage extends FragmentActivity {
        if (uid != KeyStore.UID_SELF && !UserHandle.isSameUser(uid, Process.myUid())) {
            final int dstUserId = UserHandle.getUserId(uid);
-            // Restrict install target to the wifi uid.
+            // Restrict install target to the known uid.
-            if (uid != Process.WIFI_UID) {
+            if (uid != Process.WIFI_UID && uid != Process.FSVERITY_CERT_UID) {
                Log.e(TAG, "Failed to install credentials as uid " + uid + ": cross-user installs"
-                        + " may only target wifi uids");
+                        + " may only target known uids");
                return true;
            }
@@ -309,6 +310,16 @@ public final class CredentialStorage extends FragmentActivity {
        Log.i(TAG, String.format("Successfully installed alias %s to uid %d.",
                alias, uid));
        if (uid == Process.FSVERITY_CERT_UID) {
            new RebootDialog(
                    this,
                    R.string.app_src_cert_reboot_dialog_install_title,
                    R.string.app_src_cert_reboot_dialog_install_message,
                    "Reboot to make new fsverity cert effective").show();
            setResult(RESULT_OK);
            return;
        }
        // Send the broadcast.
        final Intent broadcast = new Intent(KeyChain.ACTION_KEYCHAIN_CHANGED);
        sendBroadcast(broadcast);
--- a/src/com/android/settings/security/InstallAppSourceCertificatePreferenceController.java
+++ b/src/com/android/settings/security/InstallAppSourceCertificatePreferenceController.java
@@ -0,0 +1,45 @@
 /*
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package com.android.settings.security;
 import android.content.Context;
 import android.os.SystemProperties;
 import com.android.internal.annotations.VisibleForTesting;
 import com.android.settings.core.BasePreferenceController;
 class InstallAppSourceCertificatePreferenceController extends
        BasePreferenceController {
    private static final String APK_VERITY_PROPERTY = "ro.apk_verity.mode";
    private static final int APK_VERITY_MODE_ENABLED = 2;
    InstallAppSourceCertificatePreferenceController(Context context, String key) {
        super(context, key);
    }
    @Override
    public int getAvailabilityStatus() {
        return isApkVerityEnabled() ? AVAILABLE : UNSUPPORTED_ON_DEVICE;
    }
    @VisibleForTesting
    static boolean isApkVerityEnabled() {
        // TODO(victorhsieh): replace this with a new API in PackageManager once it is landed.
        return SystemProperties.getInt(APK_VERITY_PROPERTY, 0) == APK_VERITY_MODE_ENABLED;
    }
 }
--- a/src/com/android/settings/security/InstallAppSourceCertificateWarning.java
+++ b/src/com/android/settings/security/InstallAppSourceCertificateWarning.java
@@ -0,0 +1,83 @@
 /*
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package com.android.settings.security;
 import android.annotation.Nullable;
 import android.app.Activity;
 import android.content.Intent;
 import android.os.Bundle;
 import android.security.Credentials;
 import android.view.View;
 import android.widget.Toast;
 import com.android.settings.R;
 import com.google.android.setupcompat.template.FooterBarMixin;
 import com.google.android.setupcompat.template.FooterButton;
 import com.google.android.setupdesign.GlifLayout;
 /**
 * Creates a warning dialog explaining the consequences of installing a certificate
 * This is displayed before an app source certificate can be installed from Settings.
 */
 public class InstallAppSourceCertificateWarning extends Activity {
    @Override
    public void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.app_source_certificate_warning_dialog);
        final GlifLayout layout = findViewById(R.id.setup_wizard_layout);
        final FooterBarMixin mixin = layout.getMixin(FooterBarMixin.class);
        mixin.setSecondaryButton(
                new FooterButton.Builder(this)
                        .setText(R.string.certificate_warning_install_anyway)
                        .setListener(installCertificate())
                        .setButtonType(FooterButton.ButtonType.OTHER)
                        .setTheme(R.style.SudGlifButton_Secondary)
                        .build()
        );
        mixin.setPrimaryButton(
                new FooterButton.Builder(this)
                        .setText(R.string.certificate_warning_dont_install)
                        .setListener(returnToInstallCertificateFromStorage())
                        .setButtonType(FooterButton.ButtonType.NEXT)
                        .setTheme(R.style.SudGlifButton_Primary)
                        .build()
        );
    }
    private View.OnClickListener installCertificate() {
        return v -> {
            final Intent intent = new Intent();
            intent.setAction(Credentials.INSTALL_ACTION);
            intent.putExtra(Credentials.EXTRA_CERTIFICATE_USAGE,
                    Credentials.CERTIFICATE_USAGE_APP_SOURCE);
            startActivity(intent);
            finish();
        };
    }
    private View.OnClickListener returnToInstallCertificateFromStorage() {
        return v -> {
            Toast.makeText(this, R.string.cert_not_installed, Toast.LENGTH_SHORT).show();
            finish();
        };
    }
 }
--- a/src/com/android/settings/security/InstallCaCertificateWarning.java
+++ b/src/com/android/settings/security/InstallCaCertificateWarning.java
@@ -46,7 +46,7 @@ public class InstallCaCertificateWarning extends Activity {
        final FooterBarMixin mixin = layout.getMixin(FooterBarMixin.class);
        mixin.setSecondaryButton(
                new FooterButton.Builder(this)
-                        .setText(R.string.ca_certificate_warning_install_anyway)
+                        .setText(R.string.certificate_warning_install_anyway)
                        .setListener(installCaCertificate())
                        .setButtonType(FooterButton.ButtonType.OTHER)
                        .setTheme(R.style.SudGlifButton_Secondary)
@@ -55,7 +55,7 @@ public class InstallCaCertificateWarning extends Activity {
        mixin.setPrimaryButton(
                new FooterButton.Builder(this)
-                        .setText(R.string.ca_certificate_warning_dont_install)
+                        .setText(R.string.certificate_warning_dont_install)
                        .setListener(returnToInstallCertificateFromStorage())
                        .setButtonType(FooterButton.ButtonType.NEXT)
                        .setTheme(R.style.SudGlifButton_Primary)
--- a/src/com/android/settings/security/InstallCertificateFromStorage.java
+++ b/src/com/android/settings/security/InstallCertificateFromStorage.java
@@ -60,6 +60,7 @@ public class InstallCertificateFromStorage extends DashboardFragment {
    private static List<AbstractPreferenceController> buildPreferenceControllers(Context context,
            Lifecycle lifecycle) {
        // TODO(eranm,victorhsieh): use "settings:controller" in xml and remove the following.
        final List<AbstractPreferenceController> controllers = new ArrayList<>();
        controllers.add(new InstallCaCertificatePreferenceController(context));
        controllers.add(new InstallUserCertificatePreferenceController(context));
--- a/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java
+++ b/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java
@@ -67,6 +67,7 @@ public class InstallCertificateFromStorageTest {
        mTestKeys.add("install_ca_certificate");
        mTestKeys.add("install_user_certificate");
        mTestKeys.add("install_wifi_certificate");
        mTestKeys.add("install_app_src_certificate");
    }
    @Test
--- a/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java
+++ b/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java
@@ -37,6 +37,9 @@ import org.robolectric.annotation.Config;
@Config(shadows = ShadowUserManager.class)
 public class RestrictedEncryptionPreferenceControllerTest {
    private static final String APK_VERITY_PROPERTY = "ro.apk_verity.mode";
    private static final int APK_VERITY_MODE_ENABLED = 2;
    private Context mContext;
    private ShadowUserManager mUserManager;
    private CredentialStoragePreferenceController mCredentialStoragePreferenceController;
@@ -46,6 +49,8 @@ public class RestrictedEncryptionPreferenceControllerTest {
    private InstallCaCertificatePreferenceController mInstallCaCertificatePreferenceController;
    private InstallUserCertificatePreferenceController mInstallUserCertificatePreferenceController;
    private InstallWifiCertificatePreferenceController mInstallWifiCertificatePreferenceController;
    private InstallAppSourceCertificatePreferenceController
            mInstallAppSourceCertificatePreferenceController;
    private Lifecycle mLifecycle;
    private LifecycleOwner mLifecycleOwner;
@@ -64,6 +69,9 @@ public class RestrictedEncryptionPreferenceControllerTest {
                new UserCredentialsPreferenceController(mContext);
        mInstallCaCertificatePreferenceController =
                new InstallCaCertificatePreferenceController(mContext);
        mInstallAppSourceCertificatePreferenceController =
                new InstallAppSourceCertificatePreferenceController(
                        mContext, "install_app_src_certificate");
        mInstallUserCertificatePreferenceController =
                new InstallUserCertificatePreferenceController(mContext);
        mInstallWifiCertificatePreferenceController =
@@ -80,6 +88,8 @@ public class RestrictedEncryptionPreferenceControllerTest {
        assertThat(mInstallCaCertificatePreferenceController.isAvailable()).isTrue();
        assertThat(mInstallUserCertificatePreferenceController.isAvailable()).isTrue();
        assertThat(mInstallWifiCertificatePreferenceController.isAvailable()).isTrue();
        assertThat(mInstallAppSourceCertificatePreferenceController.isAvailable())
                .isEqualTo(InstallAppSourceCertificatePreferenceController.isApkVerityEnabled());
    }
    @Test