Add handleTrustStorageUpdate
This pruns all the stored trusted issuers so that changes to the system
or user CA store are detected. Currently this is only exposed as a
TestApi, but it can be hooked up to the trusted storage change event
in a future commit.
Bug: 27526668
Change-Id: Ic426254babab9a3177c968bc05b45e95eaac1fdd
diff --git a/api/test-current.txt b/api/test-current.txt
index 264b5eb..3ac60ba 100644
--- a/api/test-current.txt
+++ b/api/test-current.txt
@@ -34341,6 +34341,7 @@
public class NetworkSecurityPolicy {
method public static android.security.NetworkSecurityPolicy getInstance();
+ method public void handleTrustStorageUpdate();
method public boolean isCleartextTrafficPermitted();
method public boolean isCleartextTrafficPermitted(java.lang.String);
}
diff --git a/core/java/android/security/NetworkSecurityPolicy.java b/core/java/android/security/NetworkSecurityPolicy.java
index 733a092..9530aca 100644
--- a/core/java/android/security/NetworkSecurityPolicy.java
+++ b/core/java/android/security/NetworkSecurityPolicy.java
@@ -16,6 +16,7 @@
package android.security;
+import android.annotation.TestApi;
import android.content.Context;
import android.content.pm.PackageManager;
import android.security.net.config.ApplicationConfig;
@@ -104,4 +105,13 @@
ManifestConfigSource source = new ManifestConfigSource(appContext);
return new ApplicationConfig(source);
}
+
+ /**
+ * Handle an update to the system or user certificate stores.
+ * @hide
+ */
+ @TestApi
+ public void handleTrustStorageUpdate() {
+ ApplicationConfig.getDefaultInstance().handleTrustStorageUpdate();
+ }
}
diff --git a/core/java/android/security/net/config/ApplicationConfig.java b/core/java/android/security/net/config/ApplicationConfig.java
index 4de36cd..fadea56 100644
--- a/core/java/android/security/net/config/ApplicationConfig.java
+++ b/core/java/android/security/net/config/ApplicationConfig.java
@@ -17,6 +17,7 @@
package android.security.net.config;
import android.util.Pair;
+import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
@@ -146,6 +147,20 @@
return getConfigForHostname(hostname).isCleartextTrafficPermitted();
}
+ public void handleTrustStorageUpdate() {
+ ensureInitialized();
+ mDefaultConfig.handleTrustStorageUpdate();
+ if (mConfigs != null) {
+ Set<NetworkSecurityConfig> updatedConfigs =
+ new HashSet<NetworkSecurityConfig>(mConfigs.size());
+ for (Pair<Domain, NetworkSecurityConfig> entry : mConfigs) {
+ if (updatedConfigs.add(entry.second)) {
+ entry.second.handleTrustStorageUpdate();
+ }
+ }
+ }
+ }
+
private void ensureInitialized() {
synchronized(mLock) {
if (mInitialized) {
diff --git a/core/java/android/security/net/config/CertificateSource.java b/core/java/android/security/net/config/CertificateSource.java
index f3272e4..4bcc405 100644
--- a/core/java/android/security/net/config/CertificateSource.java
+++ b/core/java/android/security/net/config/CertificateSource.java
@@ -25,4 +25,5 @@
X509Certificate findBySubjectAndPublicKey(X509Certificate cert);
X509Certificate findByIssuerAndSignature(X509Certificate cert);
Set<X509Certificate> findAllByIssuerAndSignature(X509Certificate cert);
+ void handleTrustStorageUpdate();
}
diff --git a/core/java/android/security/net/config/CertificatesEntryRef.java b/core/java/android/security/net/config/CertificatesEntryRef.java
index 742d430..45cd0f0 100644
--- a/core/java/android/security/net/config/CertificatesEntryRef.java
+++ b/core/java/android/security/net/config/CertificatesEntryRef.java
@@ -64,4 +64,8 @@
public Set<X509Certificate> findAllCertificatesByIssuerAndSignature(X509Certificate cert) {
return mSource.findAllByIssuerAndSignature(cert);
}
+
+ public void handleTrustStorageUpdate() {
+ mSource.handleTrustStorageUpdate();
+ }
}
diff --git a/core/java/android/security/net/config/DirectoryCertificateSource.java b/core/java/android/security/net/config/DirectoryCertificateSource.java
index b2c068c..e3c9d65 100644
--- a/core/java/android/security/net/config/DirectoryCertificateSource.java
+++ b/core/java/android/security/net/config/DirectoryCertificateSource.java
@@ -126,6 +126,13 @@
});
}
+ @Override
+ public void handleTrustStorageUpdate() {
+ synchronized (mLock) {
+ mCertificates = null;
+ }
+ }
+
private static interface CertSelector {
boolean match(X509Certificate cert);
}
diff --git a/core/java/android/security/net/config/KeyStoreCertificateSource.java b/core/java/android/security/net/config/KeyStoreCertificateSource.java
index ba5dd83..c68f385 100644
--- a/core/java/android/security/net/config/KeyStoreCertificateSource.java
+++ b/core/java/android/security/net/config/KeyStoreCertificateSource.java
@@ -105,4 +105,9 @@
}
return certs;
}
+
+ @Override
+ public void handleTrustStorageUpdate() {
+ // Nothing to do.
+ }
}
diff --git a/core/java/android/security/net/config/NetworkSecurityConfig.java b/core/java/android/security/net/config/NetworkSecurityConfig.java
index 6d6a92a..b3a37d0 100644
--- a/core/java/android/security/net/config/NetworkSecurityConfig.java
+++ b/core/java/android/security/net/config/NetworkSecurityConfig.java
@@ -117,12 +117,6 @@
}
}
- void onTrustStoreChange() {
- synchronized (mAnchorsLock) {
- mAnchors = null;
- }
- }
-
/** @hide */
public TrustAnchor findTrustAnchorBySubjectAndPublicKey(X509Certificate cert) {
for (CertificatesEntryRef ref : mCertificatesEntryRefs) {
@@ -154,6 +148,16 @@
return certs;
}
+ public void handleTrustStorageUpdate() {
+ synchronized (mAnchorsLock) {
+ mAnchors = null;
+ for (CertificatesEntryRef ref : mCertificatesEntryRefs) {
+ ref.handleTrustStorageUpdate();
+ }
+ }
+ getTrustManager().handleTrustStorageUpdate();
+ }
+
/**
* Return a {@link Builder} for the default {@code NetworkSecurityConfig}.
*
diff --git a/core/java/android/security/net/config/NetworkSecurityTrustManager.java b/core/java/android/security/net/config/NetworkSecurityTrustManager.java
index 81cad79..f2c718cd 100644
--- a/core/java/android/security/net/config/NetworkSecurityTrustManager.java
+++ b/core/java/android/security/net/config/NetworkSecurityTrustManager.java
@@ -157,4 +157,11 @@
return mIssuers.clone();
}
}
+
+ public void handleTrustStorageUpdate() {
+ synchronized (mIssuersLock) {
+ mIssuers = null;
+ mDelegate.handleTrustStorageUpdate();
+ }
+ }
}
diff --git a/core/java/android/security/net/config/ResourceCertificateSource.java b/core/java/android/security/net/config/ResourceCertificateSource.java
index 22fbee2..78669c5 100644
--- a/core/java/android/security/net/config/ResourceCertificateSource.java
+++ b/core/java/android/security/net/config/ResourceCertificateSource.java
@@ -115,4 +115,9 @@
}
return certs;
}
+
+ @Override
+ public void handleTrustStorageUpdate() {
+ // Nothing to do, resource sources never change.
+ }
}
diff --git a/tests/NetworkSecurityConfigTest/src/android/security/net/config/TestCertificateSource.java b/tests/NetworkSecurityConfigTest/src/android/security/net/config/TestCertificateSource.java
index 4c12c2d..0412bc7 100644
--- a/tests/NetworkSecurityConfigTest/src/android/security/net/config/TestCertificateSource.java
+++ b/tests/NetworkSecurityConfigTest/src/android/security/net/config/TestCertificateSource.java
@@ -65,4 +65,9 @@
}
return certs;
}
+
+ @Override
+ public void handleTrustStorageUpdate() {
+ // Nothing to do.
+ }
}