History log of /packages/apps/CertInstaller/src/com/android/certinstaller/
Revision Date Author Comments
a2a4bb3b309789fb50a15443a60b4039bc75250b 20-Mar-2018 Eran Messeri <eranm@google.com> Inform the user about the implications of installing a CA certificate

Tell users that installing a CA certificate potentially allows the
issuer of said CA certificate to intercept all traffic to the device.

Broadly, users that install a CA certificate via the settings menu
should understand what the certificate is capable of doing.
However, apps can trigger the intent for installing a CA certificate
and may trick an unsuspecting user into installing a CA certificate
without telling the user what that implies.

Notify the user that the CA certificate can be used for intercepting
traffic if it's installed for 'VPN and apps' (a system CA).

It should be noted that since N, Android apps no longer trust
locally-installed CA certificates by default. However, many apps (such
as Chrome) intentionally opt-in to trusting such certificates.
See https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
for more context.

Bug: 73757661
Test: Manually
Change-Id: Ibbd28faad763ba29651d4ed3b00caead3d7ad18f
ertInstaller.java
e3da75d1d60441b8f778bbd8f3da963c14c26111 27-Feb-2018 Adam Vartanian <flooey@google.com> Merge "Limit cert file reading to 10MiB." am: ae1a16bd41 am: 3500e1ce00
am: 451eb26688

Change-Id: Ibf5ca6147628f6bcdba0e1c1305b5113679997e8
c8a7fa4a04aecb884f9dc5e88b714df9b715eb9e 23-Feb-2018 Adam Vartanian <flooey@google.com> Limit cert file reading to 10MiB.

We read the entire cert file into memory when installing it, so
reading without a limit will cause OutOfMemoryErrors if the file is
sufficiently large. This is not a security problem (if someone can
trick the user into installing new certificates, crashing the cert
installer dialog is by far the least impactful thing they could do),
but it's nice to not crash.

Bug: 32320490
Test: manual testing
Change-Id: Ib8dbfe06304481fd682297c680841705b8c4ad7c
ertInstallerMain.java
2d206b21a7f8bf60ac5d3d20d058192330889440 15-Oct-2017 mukesh agrawal <quiche@google.com> WiFiInstaller: catch exceptions on both delete paths am: 881958d4b9
am: f3ba2e7812

Change-Id: Id0043d9ffb740b8dbe27779712fec7ceace94c11
881958d4b9d28e8723c70a51bec3b9f1544d8e77 12-Oct-2017 mukesh agrawal <quiche@google.com> WiFiInstaller: catch exceptions on both delete paths

WiFiInstaller provides the ability to automatically
install a Passpoint configuration, if that configuration
is served using the 'application/x-wifi-config' MIME type.

Before installing the configuration, WiFiInstaller
reads the configuration data into memory, and then
attempts to delete the file.

If the file was provided using the DocumentsContract
API, then a failure to delete will be caught and logged.
The installation of the configuration can still succeed.

If, however, the file was provided using a ContentResolver,
then a deletion failure causes the install process to
fail.

When Chrome is used to download a Passpoint configuration
from a Passpoint provider, we see that the install reliably
fails. The failure occurs because the config file is
a) not provided using a DocumentsContract, and
b) can not be deleted.

To resolve the failure, we handle a failure to delete
a ContentResolver-provided config the same way that we
handle a failure to delete a DocumentsContract-provided
config. Namely: catch the exception, log the failure, and
continue to install the config.

We will work separately to determine why this problem is
only now surfacing. (We suspect some change in the way
that Chrome provides the file to WiFiInstaller.)

BUG: 66971720
Test: manual

Manual test
-----------
1. flash build with changes onto device
2. open passpoint.boingo.com in chrome
3. scroll to bottom of page
4. tap 'Create Profile'
5. enter username and password from bug
6. tap 'Download Profile'
7. see 'Chrome needs storage access...' prompt
8. tap 'CONTINUE'
9. see 'Allow Chrome...' prompt
10. tap 'ALLOW'
11. see 'Install Wi-Fi credentials' prompt
12. tap 'INSTALL'
13. see 'Credentials installed' dialog
14. adb logcat -d | grep 'could not delete'
10-12 17:23:23.759 17030 17030 E WifiInstaller: could not delete document content://com.android.chrome.FileProvider/downloads/BoingoPasspointProfile

(last step confirms that this patch was necessary)

Change-Id: I5cc4ac9cec8d6942f64ede696ccac3a6d9204922
iFiInstaller.java
15b2079f70c047f64a33188ce35ecdeccb59ae65 22-Jun-2017 Daichi Hirono <hirono@google.com> Add config to switch auto-approval for user cert

If a device does not have the lock screen, the auto-approval feature
needs to be disabled to pass CTS verifier tests, because there is no way
to show the cert notification after auto-approved.

Bug: 34111731, 62387735
Test: Ca Cert Notification Test
Change-Id: I55a0afc9573e1762547bb2a264fa01c5ffc2e077
redentialHelper.java
ce2f732baab55688df7f1700898336b714c8ef23 24-Apr-2017 Rubin Xu <rubinxu@google.com> Fix crash in CertInstaller

Create dialog view before accessing its subview.

Bug: 37295281
Test: Manually install malformed pkcs12 files from the bug above.
Change-Id: I3a8eb039707b4ea8a1ce6c7cafe4eb0541499515
ertInstaller.java
redentialHelper.java
12e6eea983e5b077b28a67b421327335324aee39 13-Mar-2017 TreeHugger Robot <treehugger-gerrit@google.com> Merge "WiFiInstaller: update usage of WifiManager#addOrUpdatePasspointConfiguration"
839309913316a9a768f51700d662bb232e9acf90 09-Mar-2017 Ben Lin <linben@google.com> Update DocumentsContract call to ensure thrown Exceptions are handled.

Test: Build compiles properly.
Bug: 36023174
Change-Id: I3dcb3def5877d4a4c5ba4d12ec60ccb4b77426ea
iFiInstaller.java
b421a4a14c2f7b72b47b2e8c30999c8a8805fa07 06-Mar-2017 Peter Qiu <zqiu@google.com> WiFiInstaller: update usage of WifiManager#addOrUpdatePasspointConfiguration

WifiManager#addOrUpdatePasspointConfiguration is updated to return
void and throw exception on failure instead of a boolean, so update
the callsite accordingly.

Bug: 35856174
Test: make -j32
Change-Id: Id56ee82916397a26432a22addfb59ffddddefe79
iFiInstaller.java
ce31c594ff0e3a82923d719a03940293422ac02b 02-Feb-2017 Peter Qiu <zqiu@google.com> WiFiInstaller: Passpoint API rename update

ConfigBuilder has been renamed to ConfigParser to avoid confusions
with the builder pattern used in the Framework API. So update the
callsite accordingly.

Bug: 34862444
Test: None
Change-Id: I71d61a7e6c0a44b7004ca83f927eda008d02cb25
iFiInstaller.java
15eb8cad9a117e7e3d2bf37d44bc721df3c56019 25-Jan-2017 Peter Qiu <zqiu@google.com> WifiInstaller: use updated PasspointConfiguration APIs

PasspointConfiguration APIs are updated to use private
variables with public accessor methods instead of public variables.
So update the code to use the accessor methods instead of using
variables directly.

Bug: 34627062
Test: make -j32
Change-Id: I96e06a16440eba02ea2d39db1ef5a0e5016e0f7a
iFiInstaller.java
a88d7852fdca57f52cd91b912be445f042ef4901 16-Dec-2016 Peter Qiu <zqiu@google.com> WifiInstaller: Passpoint configuration API update

WifiManager#addPasspointConfiguration is renamed to
WifiManager#addOrUpdatePasspointConfiguration. So update the
callsite accordingly.

Bug: 33587910
Test: make -j32
Change-Id: I29c64ee5ee68db5449d0e46c90436e8555e672e4
iFiInstaller.java
54a13951da47e32f10e6f108f311f4f3d542eb63 25-Oct-2016 Peter Qiu <zqiu@google.com> WifiInstaller: use new Passpoint API

New API is added to WifiManager for provisioning Passpoint
configurations, so use that API instead of using the API
for adding Wifi networks.

Additional changes:
- Remove the restriction on only allowing the installation when
WiFi is enabled, since the new APIs have no such limitation and
the installation of a configuration should not depend on the state
of the WiFi.
- Previously, the configuration file deletion was done by the parser
(in WifiService). This doesn't make sense since the configuration
data file is owned by the app not the parser. So instead, the file
will be deleted by the app (WifiInstaller).

Bug: 32282288
Test: Download and install a Boingo profile

Change-Id: I4af737f25cbe2e5c815a9abe83f98cc13970a2cc
iFiInstaller.java
89703ddeb050ce3f7163948574e1152fbd949ff7 14-Jun-2016 Rubin Xu <rubinxu@google.com> Skip non KeyEntry from PKCS12 file during extraction.

Change-Id: I76880fc3a39c092cfc007450f59c477a2bdaf48e
Fix: 29315994
redentialHelper.java
38856d6bd1acc648b18aceb9af4d68e25f314fb6 13-Apr-2016 Victor Chang <vichang@google.com> Approve CA certs automatically in CertInstaller

- Since the cert is installed by real user, the cert is approved by the user
- It avoids cert pending approval notification posted by DPM
- Also, show screenlock only if it has ca certs

Test:
- if no screenlock, it doesn't ask user to unlock. User will be asked to set a screenlock after naming the cert
- work challenge is shown if the cert is installed from work profile

Bug: 28161447

Change-Id: I3eea305fc6d8023f7a30a1644b7b0c2a873a3b75
ertInstaller.java
redentialHelper.java
til.java
5e8156f9c9ed774b570154b0bb61a9e543ba8c3d 23-Mar-2016 Rubin Xu <rubinxu@google.com> When installing client cert, do not add CA certs to trusted credentials

Bug: 18239590
Change-Id: I10b056c3bb86fdc371e92f0b2313425f9d1e125f
ertInstaller.java
redentialHelper.java
55e502076150f9ccde2af7e2c5e0ad4468b10c26 21-Mar-2016 Aga Wronska <agawronska@google.com> Add back DocumentsContract.EXTRA_SHOW_ADVANCED flag, because it was
brought back to DocumentsUI

Revert "Fix build break from removal of DocumentsContract.EXTRA_SHOW_ADVANCED"

This reverts commit d31bf9e911fd006736ce74b870d0cad4896ff5f9.

Bug: 27683276
Change-Id: I92c631461f0201552d2df39e3347af9b2b6b3d71
ertInstallerMain.java
1cfd4a00b6caffcddf94c1c8e07ec1fe726c636e 02-Mar-2016 George Mount <mount@google.com> Fix build break from removal of DocumentsContract.EXTRA_SHOW_ADVANCED

Change-Id: Ibd4b5e5f01042c3b126499f98020606327faa10d
ertInstallerMain.java
1925ce864d3e465ed6f5259aa035401e8d937a70 22-Feb-2016 Robin Lee <rgl@google.com> Merge "Skip password dialog if PKCS#12 has no password" into nyc-dev
6f511d4f1c698350f3e2bffcd6d7a90d01eb47cd 22-Feb-2016 Robin Lee <rgl@google.com> Trust CA certificates added for the whole OS only

Excludes any CA certificates installed for wifi-only from being used for
anything else. Does not take effect retroactively against certs which
were already installed.

The CAs will continue to be saved to a part of the keystore accessible
by services running under WIFI_UID.

Bug: 26324357
Bug: 25780055
Change-Id: Ifeb9daf24c9f9a22b2b2daf247d5622c707c9885
ertInstaller.java
redentialHelper.java
69f2f0bd44b702debf8503236fcf3dc1a9eb26c5 12-Feb-2016 Robin Lee <rgl@google.com> Skip password dialog if PKCS#12 has no password

Just an extra unnecessary step for the user, eg. in the case of a file
generated locally just as an interchange format.

Bug: 27155157
Change-Id: Iafb948172e6a8d33b1742a06e5d0c69dc0658d78
ertInstaller.java
redentialHelper.java
aff933748edf3d4e9ea0a5ed6adc03fdbb748207 12-Jan-2016 Jan Nordqvist <jannq@google.com> Drop checks for locked WiFi key store when installing keys/certs.

The security provided by the PIN lock is not considered to provide
any added value over disk encryption for the protection of the WiFi
key store.
In addition the PIN lock is a major hurdle for onboarding 802.1X users
who do need a trust cert installed.

BUG=25887356

Change-Id: Ifb8004679ab6b1f155751ff18e29be27e4dce65f
iFiInstaller.java
33c079a90b605b550b04915be70217f7a3fe61b6 13-Oct-2015 Vinod Krishnan <vinodkrishnan@google.com> Nemo CTS: Call the right class for SSL

Bug: 24305493

Change-Id: I9486c96aa531f72ae7dee1282903bc96eb7faf1c
ertInstaller.java
redentialHelper.java
909641b23712b9066b514442b236dfc47c1e3279 05-Aug-2015 Sanket Padawe <sanketpadawe@google.com> Offload time consuming task to background while installing HS profile.

+ Avoid Wifi api calls when wifi is disabled.

Bug: 22921398
Change-Id: I21b0db5b2926c4bbd5473d84855ec1ef2e83734b
iFiInstaller.java
fb90c6fc3726b1bcfdbb2bd3db03c731a5316790 01-Aug-2015 Jan Nordqvist <jannq@google.com> Added logging in a few error paths for wifi config installation.

Bug: 22790527
Change-Id: I8f4bb40a572ae4e7f855e4bf4b028f9b889c5af1
iFiInstaller.java
580c5f5ab98c391d113db67c6a304e4dd179f508 09-Jul-2015 Jan Nordqvist <jannq@google.com> Allowing rewrite of Passpoint credential.

Bug: 21779835
Change-Id: I5b551f332f6d487896359147137cb1fc605b109a
iFiInstaller.java
e44e990b25d2d29062c9cb9cd160a6361f71e6fe 23-Jun-2015 Jan Nordqvist <jannq@google.com> Fixed missing white-space.

Change-Id: Ie2a5eb7367b79d6c38a2af7bddd82fbc5bee3a26
iFiInstaller.java
477d2ea4810dea406ffb285f778186e40e871018 23-Jun-2015 Sanket Padawe <sanketpadawe@google.com> Merge "Add dialog when installing HS 2.0 credentials while wifi is off." into mnc-dev
66177c3dfd449df65b3fdafdd2921c38c6385db4 23-Jun-2015 Sanket Padawe <sanketpadawe@google.com> Add dialog when installing HS 2.0 credentials while wifi is off.

Bug: 22010833
Change-Id: Ic59fbf7ec197bc4431508c7d1d495c047c0e20cc
redentialsInstallDialog.java
iFiInstaller.java
0694d5c4498466208bb21df6197787a6c12c7fba 23-Jun-2015 Jan Nordqvist <jannq@google.com> Catching runtime exception in WifiInstaller.

Bug: 21958895
Change-Id: Ia483c9307e653e88d7d6050ef70963093f1b5f2b
iFiInstaller.java
a1e4110e70501f98c05a4a3c3c2832f32c48607b 03-Jun-2015 Vinit Deshpande <vinitd@google.com> am 756c09a..655de81 from mirror-m-wireless-internal-release

655de81 EXTRA_MIME_TYPES is String[], not Object[].

Change-Id: I906d281e7f2a87be127aa281eb79098adbc66996
122def31973a25d878f33ce59288792aea27a32d 14-May-2015 Sanket Padawe <sanketpadawe@google.com> Hotspot 2.0 credential UI code

Bug: 20182930
Change-Id: Iaac91833555f399acf8746ba11dd3007022205bd
redentialsInstallDialog.java
iFiInstaller.java
655de814c465f4e20cfb122cf4c6d9a5670562aa 18-Apr-2015 Jeff Sharkey <jsharkey@android.com> EXTRA_MIME_TYPES is String[], not Object[].

Bug: 20299782
Change-Id: I532225717c913ecc340edfdfe8fc974c778d495b

Cherry pick from master.
b/20126912
ertInstallerMain.java
62d9c4356a79c4d1ddf0621c8707bd0141365b63 24-Apr-2015 Etan Cohen <etancohen@google.com> Merge commit '7c543b7' into merge2
756c09a808d0bc6cb3e4144a7c56b0391ef7ee11 24-Apr-2015 Jan Nordqvist <jannq@google.com> Removed some logging.

Change-Id: I946091ae1a1aecc34fc890564b9d98fe6d1872f1
ertInstallerMain.java
iFiInstaller.java
324ea236c2dfdc0593b0047eddf3a37dff1cb3fb 18-Apr-2015 Jeff Sharkey <jsharkey@android.com> EXTRA_MIME_TYPES is String[], not Object[].

Bug: 20299782
Change-Id: I532225717c913ecc340edfdfe8fc974c778d495b
ertInstallerMain.java
7c543b71d8b60d2e2885c361ef73481c8f1eb27f 17-Apr-2015 Jan Nordqvist <jannq@google.com> Changed logging tag.

Change-Id: Ibdfeed92805bde4cd7ac0a7ffdd239cb467cbbfd
iFiInstaller.java
8eca13babaafda875ad715c716371513002ed31e 16-Apr-2015 Jan Nordqvist <jannq@google.com> Launching PIN entry dialog if keystore access is required and the keystore is locked.

Change-Id: I723f741176fb776e8791bd4f838140d109139493
iFiInstaller.java
994932f1949316fe5520d6c690e6bd9b49b88ba6 26-Mar-2015 Jan Nordqvist <jannq@google.com> Basic WiFi config installer app.

Change-Id: I12e26955f4057db7a1772eacfec6ce9fa58f4437
ertInstallerMain.java
iFiInstaller.java
b34887b7eea710fe6897e6e4f4f1994c710c9ad3 11-Sep-2014 Sungsoo Lim <sungsoo@google.com> Fix build

Change-Id: Idf9385e3f4f844fabd795fc634740f929497a19b
ertInstallerMain.java
2482baf745fb3cd9aca6aff8b29fe13adde622e5 11-Sep-2014 Kenny Root <kroot@google.com> am b3f3f024: am 9fa804c6: am 26e6becc: am 69506291: resolved conflicts for merge of 48d20b70 to klp-dev

* commit 'b3f3f024fc092114421e70b5b0f40c49d586fd48':
Check component class instead of action
695062916d4fdc01efbf7e4e925ff1fea636f8c3 11-Sep-2014 Kenny Root <kroot@google.com> resolved conflicts for merge of 48d20b70 to klp-dev

Change-Id: Ie07b8ef90a2447f26cdef5b30169793416bfbc0c
19d80c1b3e5410202e94884db0a76fc8f9574c57 19-Jun-2014 Julia Reynolds <juliacr@google.com> Merge "Block certificate installation if user restriction enabled."
5aac53173509f394e67acd75b98c4d0731c86f76 08-May-2014 Kenny Root <kroot@google.com> Check component class instead of action

Ensure the called intent was filtered for permission by
ActivityManagerService by checking the ComponentName instead of the
action.

(cherry picked from commit 38a956408f45c9a7cbb48b79c67257b9207fda30)

Bug: 14441285
Change-Id: I3a848ef2375ddfa7c9b35389524419993a6b3693
ertInstallerMain.java
b7fe475f26f62a2d6d846922a0ff3ea8f823d735 12-Jun-2014 Julia Reynolds <juliacr@google.com> Block certificate installation if user restriction enabled.

Bug: 14081992
Change-Id: Ic7f04cc3555144512ca100b31d77ddec15e28546
ertInstallerMain.java
38a956408f45c9a7cbb48b79c67257b9207fda30 08-May-2014 Kenny Root <kroot@google.com> Check component class instead of action

Ensure the called intent was filtered for permission by
ActivityManagerService by checking the ComponentName instead of the
action.

Bug: 14441285
Change-Id: I3a848ef2375ddfa7c9b35389524419993a6b3693
ertInstallerMain.java
88ded90b784beb372c49b1187ee69bdd4595cd10 25-Oct-2013 Jeff Sharkey <jsharkey@android.com> Pick certificates using OPEN_DOC intent.

Instead of blindly scanning just primary internal storage, use the
new DocumentsUI intents to let the user select certificates from
any storage backend. This includes both primary and secondary
external storage devices.

Bug: 11354402
Change-Id: Ia0b4bf1b30c83eb1a64b070cd2f99ad5e6498786
ertFile.java
ertFileList.java
ertInstallerMain.java
7de56669876ed330f0ab4e603619273de1f51048 17-Apr-2013 Kenny Root <kroot@google.com> Add spinner to select Wi-Fi

For the regular installation path, we now need to show a spinner so we
don't regress from previous behavior where we can install certs for wifi
from the main installation screen.

You can also get to this from the Wi-Fi AP list, so only show it when
the intended use is ambiguous.

Bug: 8600545
Change-Id: I8e9c905ff84142ed7c1f50bf77eb3fb5574f8df1
ertInstaller.java
redentialHelper.java
c3d5df9307977f27ca4048055f003282a7095ee8 13-Apr-2013 Kenny Root <kroot@google.com> keystore: remove old APIs

Remove the call sites that don't have the flags specified. This is to
ensure that callers know what flags they're setting.

Bug: 8122243
Change-Id: I4b7a8b9327cde5cbfe30c28870f8c31376a5b690
ertInstaller.java
8823287fa10d30e3ebacf4a60befbef2a8cdef31 08-Apr-2013 Kenny Root <kroot@google.com> Allow multiuser use of keystore

Since keystore has been refactored to let multiple users use it
simultaneously, we can remove all the restrictions put into place to
prevent it.

(cherry picked from commit 89f8f9ab58947ba67f95c5784dc4288bf78a2fdf)

Bug: 7249554
Change-Id: I05e8804e35d762ad473d1649fdba34e4182a2c68
ertInstaller.java
53622fc40b88047a1bc1f2dd6c97a5ad8e8c8f66 28-Mar-2013 Kenny Root <kroot@google.com> Add ability to install credentials as other UID

We need the ability to install from the system UID to wifi UID
to explicitly bind WiFi credentials to the WiFi profile. This adds the
ability for Wifi Settings to invoke installation of a PKCS12 file for
the wifi UID.

Bug: 8183258
Change-Id: I26970e563d68311b60dcdc78cd529322c5807368
ertFile.java
ertFileList.java
ertInstallerMain.java
redentialHelper.java
5d45af7ce08042bae0ff7523fe894eac1c0ebc52 14-Feb-2013 Kenny Root <kroot@google.com> KeyStore: stop using state()

Change-Id: I22daeb0f9873854af789a74ac3c7da2a32e34475
ertInstaller.java
fba4bf924c4655024d6175523f3112fc09e7affc 16-Sep-2012 Kenny Root <kroot@google.com> Do not allow non-primary user to install certs

Change-Id: If0896215a4fe1fc0d982a74bd6fee8551e4671fd
ertInstaller.java
99b10f59dd827314bd7fc124d6d0a84c56351ce2 05-Sep-2012 Brian Carlstrom <bdc@google.com> Tracking upgrade to bouncycastle 1.47

Change-Id: Ic6744ae517ab1d3b49de45edd05979dd164bfade
redentialHelper.java
83df03c8f5d61d37e2fda501c67937f970b7af0c 16-Apr-2012 Brian Carlstrom <bdc@google.com> Allow empty passwords when installing from a PKCS#12 file

Bug: http://code.google.com/p/android/issues/detail?id=28189
Change-Id: I6ce96eba0e7e583e49a17179d3f3c66df5f13a29
ertInstaller.java
f4616bf8c0b3bff8863d627c3c003fa9234cb225 31-Mar-2012 Brian Carlstrom <bdc@google.com> Broader support for KeyChain.EXTRA_NAME

Previously EXTRA_NAME only supplied the default name when used with
KeyChain.EXTRA_CERTIFICATE. It now also provides the default name with
KeyChain.EXTRA_PKCS12, overriding the value found within the PKCS#12
file. In addition, will be used as the default alias name when
credentials are installed from external storage as opposed to via
an extra.

Bug: 6129421
Change-Id: I63c06a866fc62bfa56636011b766d3dcae7764bd
ertFile.java
ertInstallerMain.java
redentialHelper.java
7d99ba835013491e9d3d540a937e5e0a742b1ab4 08-Mar-2012 Kenny Root <kroot@google.com> Convert to new KeyStore format

The keystore no longer stores private keys in the clear, so it shouldn't
have its private key material in PEM. It will just be an opaque handle
for a private key.

Change-Id: I939169338d0f7dc39743c9904166454f2cad49cc
redentialHelper.java
885c0a68bb4a91d461914c43c2e42a565394aa59 03-Feb-2012 Shuhrat Dehkanov <uzbmaster@gmail.com> Remove PKCS12_PASSWORD_DIALOG and NAME_CREDENTIAL_DIALOG in order to correctly recreate it on onCreateDialog

If an empty password or name is supplied for certificate password or certificate name dialogs, respectively,
showDialog is called without removing them. As a result onCreateDialog is not called leaving the dialog without visible UI to the user.

Steps to reproduce:
1. Put password protected certificate to the SD card.
2. Navigate to Settings > Security and initiate certificate installation.
3. Provide an empty password and press OK.
3.1. Provide an empty name for NAME_CREDENTIAL_DIALOG related issue.

Change-Id: I83ffd680313eb9c69214113d3091a70910a80ae2
Signed-off-by: Shuhrat Dehkanov <uzbmaster@gmail.com>
ertInstaller.java
iewHelper.java
c256369ee7fe39051f35bc9b04dfad78f9644d80 13-Sep-2011 Ben Komalo <benkomalo@google.com> Make cert name selected by default.

This makes it easy to replace if it's a big gibberish string.

Bug: 5280250
Change-Id: Iaedee686a3c56133f4e417a40f9175a194181c6c
ertInstaller.java
c1615f66f7dbe5a76aefca862d96e0b5a6e123ff 22-Jul-2011 Ben Komalo <benkomalo@google.com> Handle VIEW intents for cert installer

Bug: 4556536
Change-Id: I1d3b8e4b80415e2df9dfe334f0d9e195ab0e19ff
ertInstallerMain.java
6952ee2bb146db2979aff3cfd6d18cbdebd8a7e9 22-Jul-2011 Brian Carlstrom <bdc@google.com> Rotation fixes for CertInstaller

When rotating, the dialog would be dismissed, which the handler took
as a user negative action and called toastErrorAndFinish. Fixed by
having click handlers on the buttons themselves.

Bug: 5051850
Change-Id: I5f1aeb6c918b2b7b6bebf096ee25ff8247b5877d
ertInstaller.java
77e1f401b283429aab853c2324da574dc293ab42 22-Jul-2011 Brian Carlstrom <bdc@google.com> Restore installation of CAs from PKCS#12 files
Bug: 5037971

Change-Id: I35770bc5f536ee4ceb51c5fac655e7e5b9b8d89d
redentialHelper.java
a0bdabb40db36f2adf458c32055e5c7ee817105a 10-Jul-2011 Brian Carlstrom <bdc@google.com> Remove PKEY_MAP entry when empty

Change-Id: I7a532209d906f0e2194fccaf5eafd8602f3cb57a
ertInstaller.java
a921a7f6b86e2564f70e841c0b10b368f6b8d495 07-Jul-2011 Brian Carlstrom <bdc@google.com> Canceling cert installation should not delete the file

Also fix to exit CertFileList when list becomes empty

Bug: 4600283
Change-Id: Ib0a27f8d2f9ee4be8da02625e9f919bcfa6e791b
ertFile.java
ertFileList.java
ertInstaller.java
00736f76392c742e9c72c51f158ad7020f22524c 29-Jun-2011 Brian Carlstrom <bdc@google.com> Tracking move to KeyChain credential installation API

Bug: 3497064
Change-Id: I4d49354f4687f95d8239ea98d79bd61d06c4ce82
ertFile.java
ertFileList.java
ertInstaller.java
redentialHelper.java
fcd5fb26acec88e98c3bedb41d4510888f7890cd 24-Jun-2011 Brian Carlstrom <bdc@google.com> Replace KeyChainActivity placeholder UI with more polished dialog (3 of 5)

frameworks/base

Extended KeyChain.choosePrivateKeyAlias to allow caller to supply
preferred choice to be selected in chooser. This allows Email
settings to highlight the current choice when allowing user to
change settings.
keystore/java/android/security/KeyChain.java
api/current.txt

Implemented KeyChain functionality to pass host and port
information to KeyChainActivity for display.
keystore/java/android/security/KeyChain.java

KeyChain now sends a PendingIntent as part of the Intent it sends
to the KeyChainActivity which can be used to identify the caller
in a reliable way.
keystore/java/android/security/KeyChain.java

Moved .pfx/.p12/.cer/.crt constants to Credentials for reuse.
Added Credentials.install variant with no value for use from KeyChainActivity
keystore/java/android/security/Credentials.java

packages/apps/CertInstaller
Source of extension constants now in Credentials
src/com/android/certinstaller/CertFile.java

packages/apps/Browser
Have browser supply host and port information to KeyChain.choosePrivateKeyAlias
Tracking KeyChain.choosePrivateKeyAlias API change
src/com/android/browser/Tab.java

packages/apps/Email
Tracking KeyChain.choosePrivateKeyAlias API change
src/com/android/email/view/CertificateSelector.java

packages/apps/KeyChain

KeyChain now depends on bouncycastle X509Name for formatting
X500Principals, since the 4 X500Principal formatting options could
not format emailAddress attributes in a human readable way and it's
the most important attribute to display for client certificates in
most cases.
Android.mk

Changing the UI to a dialog, make the activity style transparent.
AndroidManifest.xml
res/values/styles.xml

Layout for chooser dialog
res/layout/cert_chooser.xml

Layout for list items in chooser
res/layout/cert_item.xml

New resources for dialog including comments for translators.
res/values/strings.xml

New dialog based KeyChainActivity. Now also shows requesting app
and requesting server. Now can preselect a specified alias. New
link directly to CertInstaller.

src/com/android/keychain/KeyChainActivity.java

Fix KeyChainTestActivity to work with TestKeyStore changes that
were causing network activity on the UI to look up the name of
localhost. Also track KeyChain.choosePrivateKeyAlias API change.

tests/src/com/android/keychain/tests/KeyChainTestActivity.java

Change-Id: I789faaf65cb36ddc16ce8cd1e8a803b0bde745e3
ertFile.java
2942ff86b52c8a12c5d137d94ce4a21300575887 07-Jun-2011 Brian Carlstrom <bdc@google.com> Move CredentialHelper.convertToPem to frameworks/base for reuse by KeyChain

Change-Id: I96d5a23201c070a7d0ce8856d189e54e3b05e3bd
redentialHelper.java
c8150af204ffd38ac46635ff8793261045490ea2 03-Jun-2011 Brian Carlstrom <bdc@google.com> Remove local reuse in CredentialHelper.isCa

While reviewing to isCa to understand how the NullPointerException
handling changed since Honeycomb, rewrite isCa to be clearer about
reusing local variables to be clearer about what is what and when.

Change-Id: Icf0c3d08666e2be18da4f12f93e92ab998d18fd7
redentialHelper.java
2aa55a29f1384da5fc574646c936760b67c205c9 31-May-2011 Brian Carlstrom <bdc@google.com> Integrating keystore with keyguard (Part 2 of 4)

Summary:

frameworks/base
keystore rewrite
keyguard integration with keystore on keyguard entry or keyguard change
KeyStore API simplification

packages/apps/Settings
Removed com.android.credentials.SET_PASSWORD intent support
Added keyguard requirement for keystore use

packages/apps/CertInstaller
Tracking KeyStore API changes
Fix for NPE in CertInstaller when certificate lacks basic constraints

packages/apps/KeyChain
Tracking KeyStore API changes

Details:

frameworks/base

Move keystore from C to C++ while rewriting password
implementation. Removed global variables. Added many comments.

cmds/keystore/Android.mk
cmds/keystore/keystore.h
cmds/keystore/keystore.c => cmds/keystore/keystore.cpp
cmds/keystore/keystore_cli.c => cmds/keystore/keystore_cli.cpp

Changed saveLockPattern and saveLockPassword to notify the keystore
on changes so that the keystore master key can be reencrypted when
the keyguard changes.

core/java/com/android/internal/widget/LockPatternUtils.java

Changed unlock screens to pass values for keystore unlock or initialization

policy/src/com/android/internal/policy/impl/PasswordUnlockScreen.java
policy/src/com/android/internal/policy/impl/PatternUnlockScreen.java

KeyStore API changes
- renamed test() to state(), which now returns a State enum
- made APIs with byte[] key arguments private
- added new KeyStore.isEmpty used to determine if a keyguard is required

keystore/java/android/security/KeyStore.java

In addition to tracking KeyStore API changes, added new testIsEmpty
and improved some existing tests to validate expected values.

keystore/tests/src/android/security/KeyStoreTest.java

packages/apps/Settings

Removing com.android.credentials.SET_PASSWORD intent with the
removal of the ability to set an explicit keystore password now
that the keyguard value is used. Changed to ensure keyguard is
enabled for keystore install or unlock. Cleaned up interwoven
dialog handling into discrete dialog helper classes.

AndroidManifest.xml
src/com/android/settings/CredentialStorage.java

Remove layout for entering new password

res/layout/credentials_dialog.xml

Remove enable credentials checkbox

res/xml/security_settings_misc.xml
src/com/android/settings/SecuritySettings.java

Added ability to specify minimum quality key to ChooseLockGeneric
Activity. Used by CredentialStorage, but could also be used by
CryptKeeperSettings. Changed ChooseLockGeneric to understand
minimum quality for keystore in addition to DPM and device
encryption.

src/com/android/settings/ChooseLockGeneric.java

Changed to use getActivePasswordQuality from
getKeyguardStoredPasswordQuality based on experience in
CredentialStorage. Removed bogus class javadoc.

src/com/android/settings/CryptKeeperSettings.java

Tracking KeyStore API changes

src/com/android/settings/vpn/VpnSettings.java
src/com/android/settings/wifi/WifiSettings.java

Removing now unused string resources

res/values-af/strings.xml
res/values-am/strings.xml
res/values-ar/strings.xml
res/values-bg/strings.xml
res/values-ca/strings.xml
res/values-cs/strings.xml
res/values-da/strings.xml
res/values-de/strings.xml
res/values-el/strings.xml
res/values-en-rGB/strings.xml
res/values-es-rUS/strings.xml
res/values-es/strings.xml
res/values-fa/strings.xml
res/values-fi/strings.xml
res/values-fr/strings.xml
res/values-hr/strings.xml
res/values-hu/strings.xml
res/values-in/strings.xml
res/values-it/strings.xml
res/values-iw/strings.xml
res/values-ja/strings.xml
res/values-ko/strings.xml
res/values-lt/strings.xml
res/values-lv/strings.xml
res/values-ms/strings.xml
res/values-nb/strings.xml
res/values-nl/strings.xml
res/values-pl/strings.xml
res/values-pt-rPT/strings.xml
res/values-pt/strings.xml
res/values-rm/strings.xml
res/values-ro/strings.xml
res/values-ru/strings.xml
res/values-sk/strings.xml
res/values-sl/strings.xml
res/values-sr/strings.xml
res/values-sv/strings.xml
res/values-sw/strings.xml
res/values-th/strings.xml
res/values-tl/strings.xml
res/values-tr/strings.xml
res/values-uk/strings.xml
res/values-vi/strings.xml
res/values-zh-rCN/strings.xml
res/values-zh-rTW/strings.xml
res/values-zu/strings.xml
res/values/strings.xml

packages/apps/CertInstaller

Tracking KeyStore API changes
src/com/android/certinstaller/CertInstaller.java

Fix for NPE in CertInstaller when certificate lacks basic constraints
src/com/android/certinstaller/CredentialHelper.java

packages/apps/KeyChain

Tracking KeyStore API changes
src/com/android/keychain/KeyChainActivity.java
src/com/android/keychain/KeyChainService.java
support/src/com/android/keychain/tests/support/IKeyChainServiceTestSupport.aidl
support/src/com/android/keychain/tests/support/KeyChainServiceTestSupport.java
tests/src/com/android/keychain/tests/KeyChainServiceTest.java

Change-Id: I280f54b9305c3b5549ae2dfc8eb890493806cc78
ertInstaller.java
redentialHelper.java
6b80d82a43499fcf8939c23e87a57297dfad9205 18-May-2011 Brian Carlstrom <bdc@google.com> Merge "Add support for .cer and .pfx for certificates and PKCS#12 files"
f3ece3c05b05b6780d9bee0dd90de0df891207e0 18-May-2011 Brian Carlstrom <bdc@google.com> Add support for .cer and .pfx for certificates and PKCS#12 files

Change-Id: Ie37afbb61aa4cdc52275d661232d188db125446d
ertFile.java
ead4057af45c80af262613d93abd85c49ef98db2 18-May-2011 Brian Carlstrom <bdc@google.com> Move to KeyChain.bind

Change-Id: I7040a855705b72fcf5d7477db279affa6009bc72
ertInstaller.java
30389d0148993679892385e007596a56ed46b6ac 18-May-2011 Brian Carlstrom <bdc@google.com> CertInstaller should use RESULT_OK to communicate success to callers

Change-Id: I6f25ffab113573169badd7cb116381f3412fbf31
ertFile.java
ertFileList.java
ertInstaller.java
ertInstallerMain.java
59f9a2721b1917c74e53f28f9d24e26e29fe0221 12-May-2011 Brian Carlstrom <bdc@google.com> Make CertInstaller installed CA certs trusted by applications via default TrustManager (3 of 6)

frameworks/base

Adding IKeyChainService APIs for CertInstaller and Settings use
keystore/java/android/security/IKeyChainService.aidl

libcore

Improve exceptions to include more information
luni/src/main/java/javax/security/auth/x500/X500Principal.java

Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods.
Added support for adding user CAs in a separate directory for system.
Added support for removing system CAs by placing a copy in a system directory
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java

Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash
to make sure the implementing algorithms do not change since
TrustedCertificateStore depends on X509_NAME_hash_old (OpenSSL
changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to
1.0.0)

luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java

Extensive test of new TrustedCertificateStore behavior
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java

TestKeyStore improvements
- Refactored TestKeyStore to provide simpler createCA method (and
internal createCertificate)
- Cleaned up to remove use of BouncyCastle specific X509Principal
in the TestKeyStore API when the public X500Principal would do.
- Cleaned up TestKeyStore support methods to not throw Exception
to remove need for static blocks for catch clauses in tests.

support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java

Added private PKIXParameters constructor for use by
IndexedPKIXParameters to avoid wart of having to look up and pass
a TrustAnchor to satisfy the super-class sanity check.

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
luni/src/main/java/java/security/cert/PKIXParameters.java

packages/apps/CertInstaller

Change CertInstaller to call IKeyChainService.installCertificate
for CA certs to pass them to the KeyChainServiceTest which will
make them available to all apps through the
TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask.

src/com/android/certinstaller/CertInstaller.java

Added installCaCertsToKeyChain and hasCaCerts accessor for use by
CertInstaller. Use hasUserCertificate() internally. Cleanup coding
style.

src/com/android/certinstaller/CredentialHelper.java

packages/apps/KeyChain

Added MANAGE_ACCOUNTS so that IKeyChainService.reset
implementation can remove KeyChain accounts.

AndroidManifest.xml

Implement new IKeyChainService methods:
- Added IKeyChainService.installCaCertificate to install certs
provided by CertInstaller using the TrustedCertificateStore.
- Added IKeyChainService.reset to allow Settings to remove the
KeyChain accounts so that any app granted access to keystore
credentials are revoked when the keystore is reset.

src/com/android/keychain/KeyChainService.java

packages/apps/Settings

Changed com.android.credentials.RESET credential reset action to
also call IKeyChainService.reset to remove any installed user CAs
and remove KeyChain accounts to have AccountManager revoke
credential granted to private keys removed during the RESET.

src/com/android/settings/CredentialStorage.java

Added toast text value for failure case

res/values/strings.xml

system/core

Have init create world readable /data/misc/keychain to allow apps
to access user added CA certificates installed by the CertInstaller.

rootdir/init.rc

Change-Id: Idc4e6dd927cf829268a684061e14412623f89d80
ertInstaller.java
redentialHelper.java
1415616fbef76346e586b927fada32f6ccdc6091 25-Jan-2011 Brian Carlstrom <bdc@google.com> Tracking jarjar of org.bouncycastle to com.android.org.bouncycastle

Bug: 3086427
Change-Id: Ic1a08a990af04263dab98853174fe5cfaeb5c219
redentialHelper.java
192624b5076b440b3cb78d4332402a21c93a6b07 20-Jan-2011 Chia-chi Yeh <chiachi@android.com> Update the intent path.

Change-Id: I1a1d8c2acce19d6db98d3a0950743aab3d4af46e
redentialHelper.java
9e7d5195f12519206a4febb72c9a7c053a69bc20 25-Nov-2010 Jean-Baptiste Queru <jbq@google.com> am 93f11ccc: am 9193d8bc: Merge "code cleanup : unused import statement, local vars and static finals."

* commit '93f11ccc2a6b85ff30ebb38fbc11d2d0ea464ab6':
code cleanup : unused import statement, local vars and static finals.
93f11ccc2a6b85ff30ebb38fbc11d2d0ea464ab6 25-Nov-2010 Jean-Baptiste Queru <jbq@google.com> am 9193d8bc: Merge "code cleanup : unused import statement, local vars and static finals."

* commit '9193d8bcca6a02f92250ed4796908c6561c32945':
code cleanup : unused import statement, local vars and static finals.
3e17f9f04b9f7d153757bfd2f34a5fe60698adcb 06-Nov-2010 Mohammad Shamsi <m.h.shams@gmail.com> code cleanup : unused import statement, local vars and static finals.

Change-Id: I49b96ce37385989fb2208cecbf4cddcdd0e0d240
ertFile.java
ertFileList.java
redentialHelper.java
til.java
20b4c01ac3dbdc67e424c98a29e7abbfbd1ced3a 26-Oct-2010 John Huang <jsh@google.com> am 95ae8966: Merge "Use explicit intent for installing system credentials" into gingerbread
6ed6d465ff2b460e5517db3c7136a417dc77b410 26-Oct-2010 Hung-ying Tyan <tyanh@google.com> Use explicit intent for installing system credentials

Bug: 3020049
Change-Id: Iae999db70ee1a4e12d660c9335232b2429b8a5db
redentialHelper.java
8eeadc240ebdeb5274035b3d1158d8e907897970 09-Jun-2010 Hung-ying Tyan <tyanh@google.com> CertInstaller: fix crash on invalid certificate

Change-Id: I527c328b76b66357fec6127b79f314c8ebf90b7c
ertInstaller.java
redentialHelper.java
832878cac1a136b1952de51cc2417d4e18188403 11-Feb-2010 Hung-ying Tyan <tyanh@google.com> Fix two certinstaller bugs.

+ Certinstaller does not handle key pair correctly when keystore is locked.
http://b/issue?id=2351926
+ Certinstaller crashes when installing from SD card where the "download"
folder does not exist.
+ Remove redundant res IDs.
ertFile.java
ertInstaller.java
d674440a49f278793aa2a2bb01c231f8cea7f8c0 24-Oct-2009 Hung-ying Tyan <tyanh@google.com> Handling missing sd card in certinstaller.

http://b/issue?id=2211438
ertFile.java
ertFileList.java
ertInstallerMain.java
til.java
7b4cee910e1e755d2f0468a5f79aaa97e926a3a9 23-Oct-2009 Hung-ying Tyan <tyanh@google.com> Add support for installing certs in PEM from SD card
ertFile.java
ertFileList.java
3e722cadf66802194267460fe5de77e6c18530eb 15-Oct-2009 Hung-ying Tyan <tyanh@google.com> An overhaul on certinstaller.

* Fix state handling, identifying first-time-only execution etc.
* Fix the case where more than one alias exists in a pkcs12 keystore.
(http://b/issue?id=2202474)
* Improve UX: go ahead to install when there's only one cert file on SD card.
* Improve UX: make background transparent when not browsing files.
* Break the code into multiple activities and helper classes.
ertFile.java
ertFileList.java
ertInstaller.java
ertInstallerMain.java
redentialHelper.java
til.java
iewHelper.java
1c0ebf4585c9cf9c0a451b46bb237b92c14dfe07 01-Oct-2009 Hung-ying Tyan <tyanh@google.com> Fix a bug where dialog is reopened when app dies.
ertInstaller.java
d9cbc585f14dfde2f226fa172d335666424fd3fb 30-Sep-2009 Hung-ying Tyan <tyanh@google.com> Some minor fixes.

* Sdcard --> SdCard.
* change some variable names to more descriptive ones.
* check isFinishing() in createFileList().
* throw a toast when no pkcs12 file is found on sdcard.
ertInstaller.java
c87a48ac1c22403b690330f0cf7a1890f9a0c4eb 28-Sep-2009 Hung-ying Tyan <tyanh@google.com> Fix the issue where cert comes later than keypair.
ertInstaller.java
bedff945a7dffd019035154f78018b350e47ee66 24-Sep-2009 Chia-chi Yeh <chiachi@android.com> CertInstaller: remove wrong import entries.
ertInstaller.java
338b375c3a5e89edbfb235629834c9d684a3ddeb 24-Sep-2009 Chung-yih Wang <cywang@google.com> Just change to an empty class for fixing the filename issue.
ertInstaller.java
6765abbeac1c2902cc4efaa55ffefb9c3221fe0e 15-Sep-2009 Hung-ying Tyan <tyanh@google.com> Initial implementation of CertInstaller
ertInstaller.java