frameworks/base
Adding IKeyChainService APIs for CertInstaller and Settings use
keystore/java/android/security/IKeyChainService.aidl
libcore
Improve exceptions to include more information
luni/src/main/java/javax/security/auth/x500/X500Principal.java
Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods.
Added support for adding user CAs in a separate directory for system.
Added support for removing system CAs by placing a copy in a sytem directory
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java
Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash
to make sure the implementing algorithms doe not change since
TrustedCertificateStore depend on X509_NAME_hash_old (OpenSSL
changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to
1.0.0)
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Extensive test of new TrustedCertificateStore behavior
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java
TestKeyStore improvements
- Refactored TestKeyStore to provide simpler createCA method (and
internal createCertificate)
- Cleaned up to remove use of BouncyCastle specific X509Principal
in the TestKeyStore API when the public X500Principal would do.
- Cleaned up TestKeyStore support methods to not throw Exception
to remove need for static blocks for catch clauses in tests.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Added private PKIXParameters contructor for use by
IndexedPKIXParameters to avoid wart of having to lookup and pass
a TrustAnchor to satisfy the super-class sanity check.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
luni/src/main/java/java/security/cert/PKIXParameters.java
packages/apps/CertInstaller
Change CertInstaller to call IKeyChainService.installCertificate
for CA certs to pass them to the KeyChainServiceTest which will
make them available to all apps through the
TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask.
src/com/android/certinstaller/CertInstaller.java
Added installCaCertsToKeyChain and hasCaCerts accessor for use by
CertInstaller. Use hasUserCertificate() internally. Cleanup coding
style.
src/com/android/certinstaller/CredentialHelper.java
packages/apps/KeyChain
Added MANAGE_ACCOUNTS so that IKeyChainService.reset
implementation can remove KeyChain accounts.
AndroidManifest.xml
Implement new IKeyChainService methods:
- Added IKeyChainService.installCaCertificate to install certs
provided by CertInstaller using the TrustedCertificateStore.
- Added IKeyChainService.reset to allow Settings to remove the
KeyChain accounts so that any app granted access to keystore
credentials are revoked when the keystore is reset.
src/com/android/keychain/KeyChainService.java
packages/apps/Settings
Changed com.android.credentials.RESET credential reset action to
also call IKeyChainService.reset to remove any installed user CAs
and remove KeyChain accounts to have AccountManager revoke
credential granted to private keys removed during the RESET.
src/com/android/settings/CredentialStorage.java
Added toast text value for failure case
res/values/strings.xml
system/core
Have init create world readable /data/misc/keychain to allow apps
to access user added CA certificates installed by the CertInstaller.
rootdir/init.rc
Change-Id: I768ca8e8e990ff333ce0f7069a0935173498c5ed
Fix for bug 3415286. The persistent properties are normally read early
in the boot process after /data is mounted. However, for an encrypted
system, at that point /data is a tmpfs ramdisk. This change adds a new
command to init (load_persist_props) to read the persistent properties,
and adds an action to init.rc to load the persistent properties. This
action is triggered by setting a property in vold, but that's in a
different CL.
Change-Id: I74b3057974ee6029c29d956b76fef5566700d471
This is to allow OpenGL ES rendering from the system process,
and help with debugging.
Bug: 4086003
Change-Id: I732e95f4fcaa358f430cc195d8e63a69263bffdc
This change forces the start of the RIL daemon used to provide
3G connectivity to the system. It should normally be started
automatically by init.rc but there is a bug within
system/core/init/builtins.c that prevents this to happen.
Fixes the "No network connectivity" bug while the network
interface and route were properly setup.
Change-Id: Ieec0f513aabf92b8a59f0a86f64a16e97057c3c3
Now that rild can be killed in a reasonable amount of time, move it
from the core class to late_start. I was going to move it to main,
but it would get killed and restarted right after the disk crypto
password was entered, which is when the late_start class is started,
and I was seeing issues with rild not re-connecting to the network
when it was killed and restarted.
Change-Id: I60479ddb853953029890fc816538d615ef5a96ab
The net.eth0.gw system property is used by the ConnectivityService
to set the default route when it detects that 3G connectivity is
established. Because the property was undefined, the route was
unset which broke networking.
+ Format / document init.goldfish.sh
Change-Id: I1133cf6c093609300315cd0ea363c9e139b42521
This fixes the goldfish-specific config scripts used by init and ueventd
to properly setup the system under emulation. This fixes a lot of broken-ess
introduced by recent permission changes in the system.
Note that there are still several problems after this patch is applied, but
at least it becomes possible to get an adb connection to the emulated system,
Change-Id: Iff47bbf0fe5cb759fa93089284bb0f71e32405a2
Changes in init.stingray.rc now prevent rild from making sockets
or named pipes on /data. Now that rild no longer prevents /data
from being unmounted, we can put it in the core class, which doesn't
restart when we enable encryption. This speeds up the boot by 20+
seconds.
Change-Id: I737baf804e089f4ddbd664eaa1e675a7bd62e699
Changes in init.stingray.rc now prevent rild from making sockets
or named pipes on /data. Now that rild no longer prevents /data
from being unmounted, we can put it in the core class, which doesn't
restart when we enable encryption. This speeds up the boot by 20+
seconds.
Change-Id: I71c426dab1b725e401116234167d41c7ccd958c1
