platform_build/core
Brian Carlstrom 84d1ee8ab3 Avoid loading all CA certs into Zygote memory, lazily load instead (1 of 3)
Previously the CA certs stored in the BKS KeyStore at
/system/etc/security/cacerts.bks were loaded in the Zygote. As the
number of CAs has started to increase, this is causing more and more
memory to be used for rarely used CAs. The new AndroidCAStore KeyStore
implementation reads the CAs as needed out of individual PEM
certificate files. The files can be efficiently found because they are
named based on a hash of the CA's subject name, similar to OpenSSL.

Bug: 1109242

Details:

build

    Removing old cacerts.bks from GRANDFATHERED_ALL_PREBUILT and
    adding new cacerts directory to core PRODUCT_PACKAGES

	core/legacy_prebuilts.mk
	target/product/core.mk

libcore

    cacerts build changes. Move cacerts prebuilt logic to new
    CaCerts.mk from NativeCode.mk where it didn't make sense. Updated
    Android.mk's dalvik-host target to install new cacerts files.

	Android.mk
	CaCerts.mk
	NativeCode.mk

    Remove old cacerts.bks and also remove the certimport.sh script
    used to generate it.

	luni/src/main/files/cacerts.bks
	luni/src/main/files/certimport.sh

    Recanonicalize cacerts files using updated vendor/google/tools/cacerts/certimport.py
    (See below discussion of certimport.py changes for details)

	luni/src/main/files/cacerts/00673b5b.0
	luni/src/main/files/cacerts/03e16f6c.0
	luni/src/main/files/cacerts/08aef7bb.0
	luni/src/main/files/cacerts/0d188d89.0
	luni/src/main/files/cacerts/10531352.0
	luni/src/main/files/cacerts/111e6273.0
	luni/src/main/files/cacerts/1155c94b.0
	luni/src/main/files/cacerts/119afc2e.0
	luni/src/main/files/cacerts/11a09b38.0
	luni/src/main/files/cacerts/12d55845.0
	luni/src/main/files/cacerts/17b51fe6.0
	luni/src/main/files/cacerts/1920cacb.0
	luni/src/main/files/cacerts/1dac3003.0
	luni/src/main/files/cacerts/1dbdda5b.0
	luni/src/main/files/cacerts/1dcd6f4c.0
	luni/src/main/files/cacerts/1df5ec47.0
	luni/src/main/files/cacerts/1e8e7201.0
	luni/src/main/files/cacerts/1eb37bdf.0
	luni/src/main/files/cacerts/219d9499.0
	luni/src/main/files/cacerts/23f4c490.0
	luni/src/main/files/cacerts/27af790d.0
	luni/src/main/files/cacerts/2afc57aa.0
	luni/src/main/files/cacerts/2e8714cb.0
	luni/src/main/files/cacerts/2fa87019.0
	luni/src/main/files/cacerts/2fb1850a.0
	luni/src/main/files/cacerts/33815e15.0
	luni/src/main/files/cacerts/343eb6cb.0
	luni/src/main/files/cacerts/399e7759.0
	luni/src/main/files/cacerts/3a3b02ce.0
	luni/src/main/files/cacerts/3ad48a91.0
	luni/src/main/files/cacerts/3c58f906.0
	luni/src/main/files/cacerts/3c860d51.0
	luni/src/main/files/cacerts/3d441de8.0
	luni/src/main/files/cacerts/3e7271e8.0
	luni/src/main/files/cacerts/418595b9.0
	luni/src/main/files/cacerts/455f1b52.0
	luni/src/main/files/cacerts/46b2fd3b.0
	luni/src/main/files/cacerts/48478734.0
	luni/src/main/files/cacerts/4d654d1d.0
	luni/src/main/files/cacerts/4e18c148.0
	luni/src/main/files/cacerts/4fbd6bfa.0
	luni/src/main/files/cacerts/5021a0a2.0
	luni/src/main/files/cacerts/5046c355.0
	luni/src/main/files/cacerts/524d9b43.0
	luni/src/main/files/cacerts/56b8a0b6.0
	luni/src/main/files/cacerts/57692373.0
	luni/src/main/files/cacerts/58a44af1.0
	luni/src/main/files/cacerts/594f1775.0
	luni/src/main/files/cacerts/5a3f0ff8.0
	luni/src/main/files/cacerts/5a5372fc.0
	luni/src/main/files/cacerts/5cf9d536.0
	luni/src/main/files/cacerts/5e4e69e7.0
	luni/src/main/files/cacerts/60afe812.0
	luni/src/main/files/cacerts/635ccfd5.0
	luni/src/main/files/cacerts/67495436.0
	luni/src/main/files/cacerts/69105f4f.0
	luni/src/main/files/cacerts/6adf0799.0
	luni/src/main/files/cacerts/6e8bf996.0
	luni/src/main/files/cacerts/6fcc125d.0
	luni/src/main/files/cacerts/72f369af.0
	luni/src/main/files/cacerts/72fa7371.0
	luni/src/main/files/cacerts/74c26bd0.0
	luni/src/main/files/cacerts/75680d2e.0
	luni/src/main/files/cacerts/7651b327.0
	luni/src/main/files/cacerts/76579174.0
	luni/src/main/files/cacerts/7999be0d.0
	luni/src/main/files/cacerts/7a481e66.0
	luni/src/main/files/cacerts/7a819ef2.0
	luni/src/main/files/cacerts/7d3cd826.0
	luni/src/main/files/cacerts/7d453d8f.0
	luni/src/main/files/cacerts/81b9768f.0
	luni/src/main/files/cacerts/8470719d.0
	luni/src/main/files/cacerts/84cba82f.0
	luni/src/main/files/cacerts/85cde254.0
	luni/src/main/files/cacerts/86212b19.0
	luni/src/main/files/cacerts/87753b0d.0
	luni/src/main/files/cacerts/882de061.0
	luni/src/main/files/cacerts/895cad1a.0
	luni/src/main/files/cacerts/89c02a45.0
	luni/src/main/files/cacerts/8f7b96c4.0
	luni/src/main/files/cacerts/9339512a.0
	luni/src/main/files/cacerts/9685a493.0
	luni/src/main/files/cacerts/9772ca32.0
	luni/src/main/files/cacerts/9d6523ce.0
	luni/src/main/files/cacerts/9dbefe7b.0
	luni/src/main/files/cacerts/9f533518.0
	luni/src/main/files/cacerts/a0bc6fbb.0
	luni/src/main/files/cacerts/a15b3b6b.0
	luni/src/main/files/cacerts/a3896b44.0
	luni/src/main/files/cacerts/a7605362.0
	luni/src/main/files/cacerts/a7d2cf64.0
	luni/src/main/files/cacerts/ab5346f4.0
	luni/src/main/files/cacerts/add67345.0
	luni/src/main/files/cacerts/b0f3e76e.0
	luni/src/main/files/cacerts/bc3f2570.0
	luni/src/main/files/cacerts/bcdd5959.0
	luni/src/main/files/cacerts/bda4cc84.0
	luni/src/main/files/cacerts/bdacca6f.0
	luni/src/main/files/cacerts/bf64f35b.0
	luni/src/main/files/cacerts/c0cafbd2.0
	luni/src/main/files/cacerts/c215bc69.0
	luni/src/main/files/cacerts/c33a80d4.0
	luni/src/main/files/cacerts/c527e4ab.0
	luni/src/main/files/cacerts/c7e2a638.0
	luni/src/main/files/cacerts/c8763593.0
	luni/src/main/files/cacerts/ccc52f49.0
	luni/src/main/files/cacerts/cdaebb72.0
	luni/src/main/files/cacerts/cf701eeb.0
	luni/src/main/files/cacerts/d16a5865.0
	luni/src/main/files/cacerts/d537fba6.0
	luni/src/main/files/cacerts/d64f06f3.0
	luni/src/main/files/cacerts/d777342d.0
	luni/src/main/files/cacerts/d8274e24.0
	luni/src/main/files/cacerts/dbc54cab.0
	luni/src/main/files/cacerts/ddc328ff.0
	luni/src/main/files/cacerts/e48193cf.0
	luni/src/main/files/cacerts/e60bf0c0.0
	luni/src/main/files/cacerts/e775ed2d.0
	luni/src/main/files/cacerts/e7b8d656.0
	luni/src/main/files/cacerts/e8651083.0
	luni/src/main/files/cacerts/ea169617.0
	luni/src/main/files/cacerts/eb375c3e.0
	luni/src/main/files/cacerts/ed049835.0
	luni/src/main/files/cacerts/ed524cf5.0
	luni/src/main/files/cacerts/ee7cd6fb.0
	luni/src/main/files/cacerts/f4996e82.0
	luni/src/main/files/cacerts/f58a60fe.0
	luni/src/main/files/cacerts/f61bff45.0
	luni/src/main/files/cacerts/f80cc7f6.0
	luni/src/main/files/cacerts/fac084d7.0
	luni/src/main/files/cacerts/facacbc6.0
	luni/src/main/files/cacerts/fde84897.0
	luni/src/main/files/cacerts/ff783690.0

    Change IntegralToString.intToHexString to take width argument to
    allow for leading zero padding. Updated existing callers to
    specify 0 padding desired. Add testing of new padding
    functionality.

	luni/src/main/java/java/lang/Character.java
	luni/src/main/java/java/lang/Integer.java
	luni/src/main/java/java/lang/IntegralToString.java
	luni/src/test/java/libcore/java/lang/IntegralToStringTest.java

    Improved to throw Exceptions with proper causes

	luni/src/main/java/java/security/KeyStore.java
	luni/src/main/java/java/security/Policy.java
	luni/src/main/java/java/security/cert/CertificateFactory.java
	luni/src/main/java/javax/crypto/Cipher.java
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSignature.java

    Indentation fixes

	luni/src/main/java/java/security/SecureRandom.java

    Fix X509CRLSelector.getIssuerNames to clone result and added test to cover this.

	luni/src/main/java/java/security/cert/X509CRLSelector.java
	luni/src/test/java/libcore/java/security/cert/X509CRLSelectorTest.java

    Fixed bug where we created an X500Principal via a String
    representation instead of from its original encoded bytes. This
    led to a difficult-to-track-down bug with CA 418595b9.0, where the
    NativeCode.X509_NAME_hash of a Harmony (but not BouncyCastle)
    X509Certificate would not hash to the expected value because the
    encoded form used an ASN.1 PrintableString instead of the
    UTF8String form found in the original certificate.

	luni/src/main/java/org/apache/harmony/security/x501/Name.java

    Add a new RootKeyStoreSpi and register it as the
    AndroidCAStore. This new read-only KeyStore implementation
    looks for certificates in the $ANDROID_ROOT/etc/security/cacerts/
    directory, which is /system/etc/security/cacerts/ on devices. The
    files are stored in the directory based on the older md5 based
    OpenSSL X509_NAME_hash function (now referred to as
    X509_NAME_hash_old in OpenSSL 1.0).

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java

    Added OpenSSL compatible X509_NAME_hash and X509_NAME_hash_old
    functions for producing an int hash value from an X500Principal.

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java

    Changed TrustManagerFactoryImpl to use AndroidCAStore for its default KeyStore

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerFactoryImpl.java

    Changed TrustManagerImpl to be AndroidCAStore aware. If it detects
    an AndroidCAStore, it avoids generating the acceptedIssuers array
    at construction, since doing so would force us to parse all
    certificates in the store and the value is typically only used by
    SSLServerSockets when requesting a client certificate. Because we
    don't load all the trusted CAs into the IndexedPKIXParameters at
    startup in the case of AndroidCAStore, we now check for new CAs
    when examining the cert chain for unnecessary TrustAnchors and for
    a newly discovered issuer at the end of the chain before
    validation.

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

    Updated KeyStoreTest to cope with read only KeyStore. Update
    test_cacerts_bks (now renamed test_cacerts) to use the
    AndroidCAStore for validating system CA certificate
    validity. Register AndroidCAStore as an expected KeyStore type
    with StandardNames.

	luni/src/test/java/libcore/java/security/KeyStoreTest.java
	support/src/test/java/libcore/java/security/StandardNames.java

    Added test of X500Principal serialization while investigating Name
    encoding issue. However, the actual Name bug was found and
    verified by the new test_cacerts test.

	luni/src/test/java/libcore/javax/security/auth/x500/X500PrincipalTest.java

vendor/google

    Change canonical format for checked in cacerts to have PEM
    certificate at the top, as required by Harmony's X.509
    CertificateFactory.

	tools/cacerts/certimport.py

Change-Id: I35164580e04c6f79404de9e3139694c30c57eb8b
2011-04-29 00:48:44 -07:00
combo Merge "Add LOCAL_GROUP_STATIC_LIBRARIES" 2011-04-27 09:34:13 -07:00
tasks update to use the new apicheck 2011-04-08 17:32:52 -07:00
apicheck_msg_current.txt Current.xml and friends are now .txt instead. 2011-04-08 15:03:48 -07:00
apicheck_msg_last.txt auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
armelf.x auto import from //branches/cupcake/...@137873 2009-03-11 12:11:54 -07:00
armelf.xsc auto import from //branches/cupcake/...@137873 2009-03-11 12:11:54 -07:00
armelflib.x auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
base_rules.mk Handle MODULE_LICENSE_MPL the same as MODULE_LICENSE_GPL. 2011-03-03 14:57:10 -08:00
binary.mk Add LOCAL_GROUP_STATIC_LIBRARIES 2011-04-25 14:22:41 -07:00
build-system.html Add new variable TARGET_SHELL := ash (default; or mksh) 2010-08-24 18:08:47 -07:00
build_id.mk set ID back to honeycomb (please do not merge) 2011-02-02 10:04:50 -08:00
checktree auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
cleanbuild.mk Move screen density config from PRODUCT_LOCALES to PRODUCT_AAPT_CONFIG 2011-03-15 13:19:30 -07:00
cleanspec.mk Brian's vendor/ change requires a clean build. 2010-09-19 12:04:23 -04:00
clear_vars.mk Add LOCAL_GROUP_STATIC_LIBRARIES 2011-04-25 14:22:41 -07:00
config.mk update to use the new apicheck 2011-04-08 17:32:52 -07:00
copy_headers.mk auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
definitions.mk Add LOCAL_GROUP_STATIC_LIBRARIES 2011-04-25 14:22:41 -07:00
device.mk auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
dex_preopt.mk am 4d3ac24d: am 84ed6fa2: Disable "-t" for acp. 2011-01-19 14:41:25 -08:00
distdir.mk auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
droiddoc.mk am d68519af: am 9e59ec29: Merge "Allow LOCAL_ADDITIONAL_DEPENDENCIES for droiddoc modules." into gingerbread 2010-09-16 09:43:20 -07:00
dumpvar.mk am f41934fc: am 26d8c589: Merge "Display the TARGET_ARCH_VARIANT" 2010-11-19 10:38:49 -08:00
dynamic_binary.mk Make a copy of symbol files after prelinking is removed. 2011-03-14 11:44:57 -07:00
envsetup.mk am 554eeb6c: am 493306f7: Merge "Fix TARGET_PREBUILT_TAG so that get_build_var can retrieve the correct value across architectures" 2010-11-19 16:56:26 -08:00
executable.mk build: remove prelinker build build system 2011-03-12 14:59:46 -08:00
filter_symbols.sh auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
find-jdk-tools-jar.sh am 8755e2b2: am e84739e9: Merge "Fix find-jdk-tools-jar to be cygwin-friendly." 2011-03-11 16:05:53 -08:00
help.mk make help: prints a handy list of useful targets 2010-10-28 15:40:06 -04:00
host_executable.mk auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
host_java_library.mk Add LOCAL_JARJAR_RULES support for BUILD_HOST_JAVA_LIBRARY 2011-01-26 15:13:42 -08:00
host_native_test.mk Flags common for native tests 2010-07-21 11:22:52 -07:00
host_prebuilt.mk auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
host_shared_library.mk auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
host_static_library.mk Make the host static library build rule know about 2009-10-15 16:28:56 -07:00
java.mk Use manifest minSdkVersion as "--target-api" in LOCAL_DX_FLAGS 2011-04-07 11:45:01 -07:00
java_library.mk Tracking merge of dalvik-dev to master 2011-04-01 15:45:58 -07:00
legacy_prebuilts.mk Avoid loading all CA certs into Zygote memory, lazily load instead (1 of 3) 2011-04-29 00:48:44 -07:00
main.mk am 009e6022: am cb6a22f5: am 2e4e3c94: Merge "Allow swtmenubar module to be buildable on Windows." 2011-04-15 17:33:20 -07:00
Makefile resolved conflicts for merge of bd0c91c8 to gingerbread-plus-aosp 2011-03-31 17:00:13 -07:00
multi_prebuilt.mk CHERRY-PICK: propogate module tags for prebuilts 2010-10-07 09:44:50 -07:00
native_test.mk Add $(LOCAL_MODULE) as part of the installed path. 2010-07-26 16:25:55 -07:00
node_fns.mk fix makefile inheritance system 2010-02-18 12:23:35 -08:00
notice_files.mk build speedup: Do not use shell 'find' function to look for NOTICE files. 2011-03-29 14:27:27 +02:00
package.mk Set the default app sdk verstion to LOCAL_SDK_VERSION 2011-04-08 17:27:35 -07:00
pathmap.mk am 4a6e7d7c: am 43d406e5: Merge "add drm/ directory to include it as part of frameworks" 2010-08-16 15:18:51 -07:00
phony_package.mk core: Make fake packages have real installed files for proper dependencies 2010-09-27 17:37:59 -07:00
prebuilt.mk Fix dependency of prebuilt target non-static Java libraries. 2011-03-23 12:01:49 -07:00
process_wrapper.sh auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
process_wrapper_gdb.cmds auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
process_wrapper_gdb.sh auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
product.mk am 095dbffd: am 5d4808db: put extra recovery keys in the product definition 2011-03-16 12:35:26 -07:00
product_config.mk am 095dbffd: am 5d4808db: put extra recovery keys in the product definition 2011-03-16 12:35:26 -07:00
proguard.flags Make ProGuard keep necessary members for serializable classes 2010-08-11 08:24:46 +08:00
proguard_tests.flags Fix and enable proguard on packages. 2010-02-11 13:41:10 -08:00
raw_executable.mk Support to build native libraries with prebuilt NDK 2010-07-13 16:29:18 -07:00
raw_static_library.mk auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
root.mk auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
shared_library.mk Add NDK crtbegin_so.o and crtend_so.o if they exist. 2011-04-08 14:57:36 -07:00
static_java_library.mk auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
static_library.mk Support to build native libraries with prebuilt NDK 2010-07-13 16:29:18 -07:00
user_tags.mk build: remove prelinker build build system 2011-03-12 14:59:46 -08:00
version_defaults.mk Onward and upward! And ice cream for all! 2011-03-24 16:59:32 -07:00