/* * Copyright (C) 2009 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.certinstaller; import android.app.KeyguardManager; import android.content.Context; import android.content.Intent; import android.net.Uri; import android.os.Bundle; import android.os.UserManager; import android.preference.PreferenceActivity; import android.provider.DocumentsContract; import android.security.Credentials; import android.security.KeyChain; import android.util.Log; import android.widget.Toast; import libcore.io.IoUtils; import java.io.BufferedInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import java.util.HashMap; import java.util.Map; /** * The main class for installing certificates to the system keystore. It reacts * to the public {@link Credentials#INSTALL_ACTION} intent. */ public class CertInstallerMain extends PreferenceActivity { private static final String TAG = "CertInstaller"; private static final int REQUEST_INSTALL = 1; private static final int REQUEST_OPEN_DOCUMENT = 2; private static final int REQUEST_CONFIRM_CREDENTIALS = 3; private static final String INSTALL_CERT_AS_USER_CLASS = ".InstallCertAsUser"; public static final String WIFI_CONFIG = "wifi-config"; public static final String WIFI_CONFIG_DATA = "wifi-config-data"; public static final String WIFI_CONFIG_FILE = "wifi-config-file"; private static Map MIME_MAPPINGS = new HashMap<>(); static { MIME_MAPPINGS.put("application/x-x509-ca-cert", KeyChain.EXTRA_CERTIFICATE); MIME_MAPPINGS.put("application/x-x509-user-cert", KeyChain.EXTRA_CERTIFICATE); MIME_MAPPINGS.put("application/x-x509-server-cert", KeyChain.EXTRA_CERTIFICATE); MIME_MAPPINGS.put("application/x-pem-file", KeyChain.EXTRA_CERTIFICATE); MIME_MAPPINGS.put("application/pkix-cert", KeyChain.EXTRA_CERTIFICATE); MIME_MAPPINGS.put("application/x-pkcs12", KeyChain.EXTRA_PKCS12); MIME_MAPPINGS.put("application/x-wifi-config", WIFI_CONFIG); } @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setResult(RESULT_CANCELED); UserManager userManager = (UserManager) getSystemService(Context.USER_SERVICE); if (userManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_CREDENTIALS) || userManager.isGuestUser()) { finish(); return; } final Intent intent = getIntent(); final String action = intent.getAction(); if (Credentials.INSTALL_ACTION.equals(action) || Credentials.INSTALL_AS_USER_ACTION.equals(action)) { Bundle bundle = intent.getExtras(); /* * There is a special INSTALL_AS_USER action that this activity is * aliased to, but you have to have a permission to call it. If the * caller got here any other way, remove the extra that we allow in * that INSTALL_AS_USER path. */ String calledClass = intent.getComponent().getClassName(); String installAsUserClassName = getPackageName() + INSTALL_CERT_AS_USER_CLASS; if (bundle != null && !installAsUserClassName.equals(calledClass)) { bundle.remove(Credentials.EXTRA_INSTALL_AS_UID); } // If bundle is empty of any actual credentials, ask user to open. // Otherwise, pass extras to CertInstaller to install those credentials. // Either way, we use KeyChain.EXTRA_NAME as the default name if available. if (nullOrEmptyBundle(bundle) || bundleContainsNameOnly(bundle) || bundleContainsInstallAsUidOnly(bundle) || bundleContainsExtraCertificateUsageOnly(bundle)) { // Confirm credentials if there's only a CA certificate if (installingCaCertificate(bundle)) { confirmDeviceCredential(); } else { startOpenDocumentActivity(); } } else { startInstallActivity(intent); } } else if (Intent.ACTION_VIEW.equals(action)) { startInstallActivity(intent.getType(), intent.getData()); } } private boolean nullOrEmptyBundle(Bundle bundle) { return bundle == null || bundle.isEmpty(); } private boolean bundleContainsNameOnly(Bundle bundle) { return bundle.size() == 1 && bundle.containsKey(KeyChain.EXTRA_NAME); } private boolean bundleContainsInstallAsUidOnly(Bundle bundle) { return bundle.size() == 1 && bundle.containsKey(Credentials.EXTRA_INSTALL_AS_UID); } private boolean bundleContainsExtraCertificateUsageOnly(Bundle bundle) { return bundle.size() == 1 && bundle.containsKey(Credentials.EXTRA_CERTIFICATE_USAGE); } private boolean installingCaCertificate(Bundle bundle) { return bundle != null && bundle.size() == 1 && Credentials.CERTIFICATE_USAGE_CA.equals( bundle.getString(Credentials.EXTRA_CERTIFICATE_USAGE)); } private void confirmDeviceCredential() { KeyguardManager keyguardManager = getSystemService(KeyguardManager.class); Intent intent = keyguardManager.createConfirmDeviceCredentialIntent(null, null); if (intent == null) { // No screenlock startOpenDocumentActivity(); } else { startActivityForResult(intent, REQUEST_CONFIRM_CREDENTIALS); } } // The maximum amount of data to read into memory before aborting. // Without a limit, a sufficiently-large file will run us out of memory. A // typical certificate or WiFi config is under 10k, so 10MiB should be more // than sufficient. See b/32320490. private static final int READ_LIMIT = 10 * 1024 * 1024; /** * Reads the given InputStream until EOF or more than READ_LIMIT bytes have * been read, whichever happens first. If the maximum limit is reached, throws * IOException. */ private static byte[] readWithLimit(InputStream in) throws IOException { ByteArrayOutputStream bytes = new ByteArrayOutputStream(); byte[] buffer = new byte[1024]; int bytesRead = 0; int count; while ((count = in.read(buffer)) != -1) { bytes.write(buffer, 0, count); bytesRead += count; if (bytesRead > READ_LIMIT) { throw new IOException("Data file exceeded maximum size."); } } return bytes.toByteArray(); } private void startInstallActivity(Intent intent) { final Intent installIntent = new Intent(this, CertInstaller.class); if (intent.getExtras() != null && intent.getExtras().getString(Intent.EXTRA_REFERRER) != null) { Log.v(TAG, String.format( "Removing referrer extra with value %s which was not meant to be included", intent.getBundleExtra(Intent.EXTRA_REFERRER))); intent.removeExtra(Intent.EXTRA_REFERRER); } installIntent.putExtras(intent); // The referrer is passed as an extra because the launched-from package needs to be // obtained here and not in the CertInstaller. // It is also safe to add the referrer as an extra because the CertInstaller activity // is not exported, which means it cannot be called from other apps. installIntent.putExtra(Intent.EXTRA_REFERRER, getLaunchedFromPackage()); startActivityForResult(installIntent, REQUEST_INSTALL); } private void startInstallActivity(String mimeType, Uri uri) { if (mimeType == null) { mimeType = getContentResolver().getType(uri); } String target = MIME_MAPPINGS.get(mimeType); if (target == null) { Log.e(TAG, "Unknown MIME type: " + mimeType + ". " + Log.getStackTraceString(new Throwable())); Toast.makeText(this, R.string.invalid_certificate_title, Toast.LENGTH_LONG).show(); return; } if (WIFI_CONFIG.equals(target)) { startWifiInstallActivity(mimeType, uri); } else { InputStream in = null; try { in = getContentResolver().openInputStream(uri); final byte[] raw = readWithLimit(in); Intent intent = getIntent(); intent.putExtra(target, raw); startInstallActivity(intent); } catch (IOException e) { Log.e(TAG, "Failed to read certificate: " + e); Toast.makeText(this, R.string.cert_read_error, Toast.LENGTH_LONG).show(); } finally { IoUtils.closeQuietly(in); } } } private void startWifiInstallActivity(String mimeType, Uri uri) { Intent intent = new Intent(this, WiFiInstaller.class); try (BufferedInputStream in = new BufferedInputStream(getContentResolver().openInputStream(uri))) { byte[] data = readWithLimit(in); intent.putExtra(WIFI_CONFIG_FILE, uri.toString()); intent.putExtra(WIFI_CONFIG_DATA, data); intent.putExtra(WIFI_CONFIG, mimeType); startActivityForResult(intent, REQUEST_INSTALL); } catch (IOException e) { Log.e(TAG, "Failed to read wifi config: " + e); Toast.makeText(this, R.string.cert_read_error, Toast.LENGTH_LONG).show(); } } private void startOpenDocumentActivity() { final String[] mimeTypes = MIME_MAPPINGS.keySet().toArray(new String[0]); final Intent openIntent = new Intent(Intent.ACTION_OPEN_DOCUMENT); openIntent.setType("*/*"); openIntent.putExtra(Intent.EXTRA_MIME_TYPES, mimeTypes); openIntent.putExtra(DocumentsContract.EXTRA_SHOW_ADVANCED, true); startActivityForResult(openIntent, REQUEST_OPEN_DOCUMENT); } @Override protected void onActivityResult(int requestCode, int resultCode, Intent data) { switch (requestCode) { case REQUEST_INSTALL: setResult(resultCode); finish(); break; case REQUEST_OPEN_DOCUMENT: if (resultCode == RESULT_OK) { startInstallActivity(null, data.getData()); } else { finish(); } break; case REQUEST_CONFIRM_CREDENTIALS: if (resultCode == RESULT_OK) { startOpenDocumentActivity(); return; } // Failed to confirm credentials, do nothing. finish(); break; default: Log.w(TAG, "unknown request code: " + requestCode); break; } } }