Add conscrypt updatable certificates.
This CL contains changes for SystemCertificateSource so that certificates are taken from conscrypt apex files by default and, if that fails, we fall back to the usual system location.
Test: atest TrustedCertificateStoreTest
Change-Id: I1ec6d29a52c07531a6a0c85b2e2405f63470bd5f
diff --git a/core/java/android/security/net/config/SystemCertificateSource.java b/core/java/android/security/net/config/SystemCertificateSource.java
index cfb195b..4892312 100644
--- a/core/java/android/security/net/config/SystemCertificateSource.java
+++ b/core/java/android/security/net/config/SystemCertificateSource.java
@@ -18,6 +18,7 @@
import android.os.Environment;
import android.os.UserHandle;
+
import java.io.File;
/**
@@ -32,11 +33,20 @@
private final File mUserRemovedCaDir;
private SystemCertificateSource() {
- super(new File(System.getenv("ANDROID_ROOT") + "/etc/security/cacerts"));
+ super(getDirectory());
File configDir = Environment.getUserConfigDirectory(UserHandle.myUserId());
mUserRemovedCaDir = new File(configDir, "cacerts-removed");
}
+ private static File getDirectory() {
+ // TODO(miguelaranda): figure out correct code path.
+ File updatable_dir = new File("/apex/com.android.conscrypt/cacerts");
+ if (updatable_dir.exists()) {
+ return updatable_dir;
+ }
+ return new File(System.getenv("ANDROID_ROOT") + "/etc/security/cacerts");
+ }
+
public static SystemCertificateSource getInstance() {
return NoPreloadHolder.INSTANCE;
}
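Review bot: In `getDirectory()`, `updatable_dir.exists()` only establishes that the path is present, so a `/apex/com.android.conscrypt/cacerts` that is a plain file or an empty or unreadable directory is still selected and the fallback promised in the commit message never runs; the process would then presumably have no system trust anchors instead of the `ANDROID_ROOT` set. I would at least test `updatableDir.isDirectory()` (renaming the local to lowerCamelCase while there) and decide explicitly whether an empty directory should fall back. Because this method picks the root of trust for TLS, it also deserves a short comment in place of the open TODO, saying why the APEX path is preferred and when the legacy path is used. `System.getenv("ANDROID_ROOT")` can return null, which yields `null/etc/security/cacerts`; that predates this change but is now the last-resort path. How the superclass treats a missing or empty directory is outside the hunk.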