Support installation of the new app source certificate
The new certificate can be installed from Settings ("Install a
certificate > App Source certificate"). The installation flow includes
a warning with user authorization to proceed, then a prompt for reboot
(now or later).
Installed certificate can be managed in "User credentials". The name is
currently a hash of hex numbers.
Upon deletion, there will also be a promot for reboot (now or later).
Test: Only see the new setting entry if feature is enabled
Test: Install from Settings, see the expected file name in
/data/misc/keysetore/user_0. Reboot also works.
Test: Able to see the certificate in Settings after installed
Test: Able to delete the certificate, which triggers confirmation dialog
to reboot. Reboot works.
Test: add certificate, see dialog, "not now" / tapping elsewhere does
nothing
Test: atest RestrictedEncryptionPreferenceControllerTest
Bug: 112038744
Change-Id: I7a4494ea0f243730df2212076588074d8774ae23
diff --git a/AndroidManifest.xml b/AndroidManifest.xml
index 3f66cb8..0ba07c3 100644
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@@ -1313,6 +1313,11 @@
android:exported="false">
</activity>
+ <activity android:name=".security.InstallAppSourceCertificateWarning"
+ android:theme="@style/GlifV3Theme.Light"
+ android:exported="false">
+ </activity>
+
<activity
android:name="Settings$DeviceAdminSettingsActivity"
android:label="@string/device_admin_settings_title">
diff --git a/res/layout/app_source_certificate_warning_dialog.xml b/res/layout/app_source_certificate_warning_dialog.xml
new file mode 100644
index 0000000..f0902c7
--- /dev/null
+++ b/res/layout/app_source_certificate_warning_dialog.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ ~ Copyright (C) 2019 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+<com.google.android.setupdesign.GlifLayout
+ xmlns:android="http://schemas.android.com/apk/res/android"
+ android:id="@+id/setup_wizard_layout"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent">
+
+ <LinearLayout
+ style="@style/SudContentFrame"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:orientation="vertical"
+ android:gravity="center_horizontal">
+
+ <ImageView
+ android:id="@+id/sud_layout_icon"
+ style="@style/SudGlifIcon"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:gravity="center"
+ android:src="@drawable/ic_warning_googred_48dp"/>
+
+ <TextView
+ android:id="@+id/sud_layout_title"
+ style="@style/SudGlifHeaderTitle"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:gravity="center"
+ android:text="@string/app_src_certificate_warning_title"/>
+
+ <TextView
+ android:id="@+id/sud_layout_description"
+ style="@style/SudDescription.Glif"
+ android:layout_marginTop="16dp"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:text="@string/app_src_certificate_warning_description"/>
+
+ </LinearLayout>
+
+</com.google.android.setupdesign.GlifLayout>
diff --git a/res/layout/user_credential.xml b/res/layout/user_credential.xml
index f441bda..0ea46f2 100644
--- a/res/layout/user_credential.xml
+++ b/res/layout/user_credential.xml
@@ -73,5 +73,14 @@
android:textAppearance="?android:attr/textAppearanceSmall"
android:textColor="?android:attr/textColorTertiary"
android:paddingStart="?android:attr/listPreferredItemPaddingStart"/>
+
+ <TextView
+ android:id="@+id/contents_appsrccrt"
+ android:text="@string/one_appsrccrt"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:textAppearance="?android:attr/textAppearanceSmall"
+ android:textColor="?android:attr/textColorTertiary"
+ android:paddingStart="?android:attr/listPreferredItemPaddingStart"/>
</LinearLayout>
</LinearLayout>
diff --git a/res/values/strings.xml b/res/values/strings.xml
index ecfce4a..9a1e840 100644
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -5902,6 +5902,8 @@
<string name="credential_for_vpn_and_apps">Installed for VPN and apps</string>
<!-- Sub-heading for a user credential installed to be used as part of a Wi-Fi configuration. [CHAR LIMIT=NONE]. -->
<string name="credential_for_wifi">Installed for Wi-Fi</string>
+ <!-- Sub-heading for a user credential installed to be used by kernel for fs-verity verification [CHAR LIMIT=NONE]. -->
+ <string name="credential_for_fsverity">Installed for app install source verification</string>
<!-- Description of dialog to reset credential storage [CHAR LIMIT=NONE] -->
<string name="credentials_reset_hint">Remove all the contents?</string>
<!-- Toast message [CHAR LIMIT=30] -->
@@ -5916,14 +5918,20 @@
<string name="user_certificate">VPN & app user certificate</string>
<!-- Title of Wi-Fi certificate [CHAR LIMIT=30] -->
<string name="wifi_certificate">Wi\u2011Fi certificate</string>
+ <!-- Title of App Source certificate [CHAR LIMIT=30] -->
+ <string name="app_src_certificate">App Source certificate</string>
<!-- Title of warning shown to the user before they can install a CA certificate [CHAR LIMIT=NONE] -->
<string name="ca_certificate_warning_title">Your privacy is at risk</string>
<!-- Description of warning shown to the user before they can install a CA certificate [CHAR LIMIT=NONE] -->
<string name="ca_certificate_warning_description">CA certificates are used by websites, apps, and VPNs for encryption. Only install CA certificates from organizations you trust. \n\n If you install a CA certificate, the certificate owner could access your information, such as passwords, messages, or credit card details, from websites you visit or apps you use - even if that information is encrypted.</string>
- <!-- Label for button to not install a CA certificate [CHAR_LIMIT=50] -->
- <string name="ca_certificate_warning_dont_install">Don\u2019t install</string>
- <!-- Label for button to continue installing a CA certificate [CHAR_LIMIT=50] -->
- <string name="ca_certificate_warning_install_anyway">Install anyways</string>
+ <!-- Label for button to not install a certificate [CHAR_LIMIT=50] -->
+ <string name="certificate_warning_dont_install">Don\u2019t install</string>
+ <!-- Label for button to continue installing a certificate [CHAR_LIMIT=50] -->
+ <string name="certificate_warning_install_anyway">Install anyways</string>
+ <!-- Title of warning shown to the user before they can install an App Source certificate [CHAR LIMIT=50] -->
+ <string name="app_src_certificate_warning_title">Install this certificate at your own risk</string>
+ <!-- Description of warning shown to the user before they can install an App Source certificate [CHAR LIMIT=NONE] -->
+ <string name="app_src_certificate_warning_description">App source certificates verify that apps are safe for your device. Only install certificates from organizations you trust.</string>
<!-- Toast message that a certificate was not installed -->
<string name="cert_not_installed">Certificate not installed</string>
@@ -6549,14 +6557,28 @@
<string name="one_usercrt">one user certificate</string>
<!-- Item found in the PKCS12 keystore being investigated [CHAR LIMIT=NONE] -->
<string name="one_cacrt">one CA certificate</string>
- <!-- Item found in thee PKCS12 keystore being investigated [CHAR LIMIT=NONE]-->
+ <!-- Item found in the PKCS12 keystore being investigated [CHAR LIMIT=NONE]-->
<string name="n_cacrts">%d CA certificates</string>
+ <!-- Item found in the PKCS12 keystore being investigated [CHAR LIMIT=NONE] -->
+ <string name="one_appsrccrt">one App Source certificate</string>
<!-- Alert dialog when viewing a set of user credentials. -->
<string name="user_credential_title">Credential details</string>
<!-- Announcement to confirm a user credential being removed. [CHAR LIMIT=NONE] -->
<string name="user_credential_removed">Removed credential: <xliff:g id="credential_name" example="signing key">%s</xliff:g></string>
<!-- Placeholder for the list of installed user credentials (private keys) when the list is empty. [CHAR LIMIT=120] -->
<string name="user_credential_none_installed">No user credentials installed</string>
+ <!-- Title of alert dialog after an app source certificate is installed. [CHAR LIMIT=45] -->
+ <string name="app_src_cert_reboot_dialog_install_title">Restart to use certificate</string>
+ <!-- Message of alert dialog after an app source certificate is installed. [CHAR LIMIT=NONE] -->
+ <string name="app_src_cert_reboot_dialog_install_message">To use this app source certificate, you need to restart your device</string>
+ <!-- Title of alert dialog after an app source certificate is deleted. [CHAR LIMIT=45] -->
+ <string name="app_src_cert_reboot_dialog_uninstall_title">Restart to finish uninstalling</string>
+ <!-- Message of alert dialog after an app source certificate is deleted. [CHAR LIMIT=NONE] -->
+ <string name="app_src_cert_reboot_dialog_uninstall_message">To uninstall this app source certificate, you need to restart your device</string>
+ <!-- Button to restart the device. [CHAR LIMIT=25] -->
+ <string name="app_src_cert_reboot_dialog_button_restart">Restart</string>
+ <!-- Button to skip restarting the device. [CHAR LIMIT=25] -->
+ <string name="app_src_cert_reboot_dialog_button_not_now">Not now</string>
<!-- Title for spell checker settings -->
<string name="spellcheckers_settings_title">Spell checker</string>
diff --git a/res/xml/install_certificate_from_storage.xml b/res/xml/install_certificate_from_storage.xml
index 0cf4a36..640cb56 100644
--- a/res/xml/install_certificate_from_storage.xml
+++ b/res/xml/install_certificate_from_storage.xml
@@ -62,6 +62,18 @@
</Preference>
+ <Preference
+ android:key="install_app_src_certificate"
+ android:title="@string/app_src_certificate"
+ settings:controller="com.android.settings.security.InstallAppSourceCertificatePreferenceController">
+
+ <intent
+ android:targetPackage="com.android.settings"
+ android:targetClass="com.android.settings.security.InstallAppSourceCertificateWarning">
+ </intent>
+
+ </Preference>
+
</PreferenceCategory>
</PreferenceScreen>
\ No newline at end of file
diff --git a/src/com/android/settings/RebootDialog.java b/src/com/android/settings/RebootDialog.java
new file mode 100644
index 0000000..700d140
--- /dev/null
+++ b/src/com/android/settings/RebootDialog.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings;
+
+import android.annotation.StringRes;
+import android.app.Activity;
+import android.content.Context;
+import android.content.DialogInterface;
+import android.os.PowerManager;
+
+import androidx.appcompat.app.AlertDialog;
+
+/** Dialog to confirm a reboot immediately, or later. */
+public class RebootDialog implements DialogInterface.OnClickListener,
+ DialogInterface.OnDismissListener {
+ private final Activity mActivity;
+ private final AlertDialog mDialog;
+ private final String mRebootReason;
+
+ public RebootDialog(Activity activity, @StringRes int titleRes, @StringRes int messageRes,
+ String rebootReason) {
+ mActivity = activity;
+ mDialog = new AlertDialog.Builder(activity)
+ .setTitle(titleRes)
+ .setMessage(messageRes)
+ .setPositiveButton(R.string.app_src_cert_reboot_dialog_button_restart, this)
+ .setNegativeButton(R.string.app_src_cert_reboot_dialog_button_not_now, null)
+ .setOnDismissListener(this)
+ .create();
+ mRebootReason = rebootReason;
+ }
+
+ /** Shows the dialog. */
+ public void show() {
+ mDialog.show();
+ }
+
+ @Override
+ public void onClick(DialogInterface dialog, int button) {
+ if (button == DialogInterface.BUTTON_POSITIVE) {
+ PowerManager pm = (PowerManager) mActivity.getSystemService(Context.POWER_SERVICE);
+ pm.reboot(mRebootReason);
+ }
+ }
+
+ @Override
+ public void onDismiss(DialogInterface dialog) {
+ mActivity.finish();
+ }
+}
diff --git a/src/com/android/settings/UserCredentialsSettings.java b/src/com/android/settings/UserCredentialsSettings.java
index d322819..4983a36 100644
--- a/src/com/android/settings/UserCredentialsSettings.java
+++ b/src/com/android/settings/UserCredentialsSettings.java
@@ -193,6 +193,8 @@
for (final Credential credential : credentials) {
if (credential.isSystem()) {
removeGrantsAndDelete(credential);
+ } else if (credential.isFsverity()) {
+ deleteAppSourceCredential(credential);
} else {
deleteWifiCredential(credential);
}
@@ -219,6 +221,16 @@
}
}
+ private void deleteAppSourceCredential(final Credential credential) {
+ final KeyStore keyStore = KeyStore.getInstance();
+ final EnumSet<Credential.Type> storedTypes = credential.getStoredTypes();
+
+ if (storedTypes.contains(Credential.Type.APP_SOURCE_CERTIFICATE)) {
+ keyStore.delete(Credentials.APP_SOURCE_CERTIFICATE + credential.getAlias(),
+ Process.FSVERITY_CERT_UID);
+ }
+ }
+
private void removeGrantsAndDelete(final Credential credential) {
final KeyChainConnection conn;
try {
@@ -242,10 +254,21 @@
protected void onPostExecute(Credential... credentials) {
if (targetFragment instanceof UserCredentialsSettings && targetFragment.isAdded()) {
final UserCredentialsSettings target = (UserCredentialsSettings) targetFragment;
+ boolean includeFsverity = false;
for (final Credential credential : credentials) {
target.announceRemoval(credential.alias);
+ if (credential.isFsverity()) {
+ includeFsverity = true;
+ }
}
target.refreshItems();
+ if (includeFsverity) {
+ new RebootDialog(
+ getActivity(),
+ R.string.app_src_cert_reboot_dialog_uninstall_title,
+ R.string.app_src_cert_reboot_dialog_uninstall_message,
+ "Reboot to make new fsverity cert effective").show();
+ }
}
}
}
@@ -272,10 +295,12 @@
final int myUserId = UserHandle.myUserId();
final int systemUid = UserHandle.getUid(myUserId, Process.SYSTEM_UID);
final int wifiUid = UserHandle.getUid(myUserId, Process.WIFI_UID);
+ final int fsverityUid = UserHandle.getUid(myUserId, Process.FSVERITY_CERT_UID);
List<Credential> credentials = new ArrayList<>();
credentials.addAll(getCredentialsForUid(keyStore, systemUid).values());
credentials.addAll(getCredentialsForUid(keyStore, wifiUid).values());
+ credentials.addAll(getCredentialsForUid(keyStore, fsverityUid).values());
return credentials;
}
@@ -402,6 +427,7 @@
credentialViewTypes.put(R.id.contents_userkey, Credential.Type.USER_KEY);
credentialViewTypes.put(R.id.contents_usercrt, Credential.Type.USER_CERTIFICATE);
credentialViewTypes.put(R.id.contents_cacrt, Credential.Type.CA_CERTIFICATE);
+ credentialViewTypes.put(R.id.contents_appsrccrt, Credential.Type.APP_SOURCE_CERTIFICATE);
}
protected static View getCredentialView(Credential item, @LayoutRes int layoutResource,
@@ -411,9 +437,15 @@
}
((TextView) view.findViewById(R.id.alias)).setText(item.alias);
- ((TextView) view.findViewById(R.id.purpose)).setText(item.isSystem()
- ? R.string.credential_for_vpn_and_apps
- : R.string.credential_for_wifi);
+ int purpose;
+ if (item.isSystem()) {
+ purpose = R.string.credential_for_vpn_and_apps;
+ } else if (item.isFsverity()) {
+ purpose = R.string.credential_for_fsverity;
+ } else {
+ purpose = R.string.credential_for_wifi;
+ }
+ ((TextView) view.findViewById(R.id.purpose)).setText(purpose);
view.findViewById(R.id.contents).setVisibility(expanded ? View.VISIBLE : View.GONE);
if (expanded) {
@@ -435,7 +467,8 @@
static enum Type {
CA_CERTIFICATE (Credentials.CA_CERTIFICATE),
USER_CERTIFICATE (Credentials.USER_CERTIFICATE),
- USER_KEY(Credentials.USER_PRIVATE_KEY, Credentials.USER_SECRET_KEY);
+ USER_KEY(Credentials.USER_PRIVATE_KEY, Credentials.USER_SECRET_KEY),
+ APP_SOURCE_CERTIFICATE(Credentials.APP_SOURCE_CERTIFICATE);
final String[] prefix;
@@ -452,7 +485,8 @@
/**
* UID under which this credential is stored. Typically {@link Process#SYSTEM_UID} but can
- * also be {@link Process#WIFI_UID} for credentials installed as wifi certificates.
+ * also be {@link Process#WIFI_UID} for credentials installed as wifi certificates, or
+ * {@link Process#FSVERITY_CERT_UID} for app source certificates.
*/
final int uid;
@@ -462,6 +496,7 @@
* <li>{@link Credentials.CA_CERTIFICATE}</li>
* <li>{@link Credentials.USER_CERTIFICATE}</li>
* <li>{@link Credentials.USER_KEY}</li>
+ * <li>{@link Credentials.APP_SOURCE_CERTIFICATE}</li>
* </ul>
*/
final EnumSet<Type> storedTypes = EnumSet.noneOf(Type.class);
@@ -512,6 +547,10 @@
return UserHandle.getAppId(uid) == Process.SYSTEM_UID;
}
+ public boolean isFsverity() {
+ return UserHandle.getAppId(uid) == Process.FSVERITY_CERT_UID;
+ }
+
public String getAlias() { return alias; }
public EnumSet<Type> getStoredTypes() {
diff --git a/src/com/android/settings/security/CredentialStorage.java b/src/com/android/settings/security/CredentialStorage.java
index 5e64723..28d4f63 100644
--- a/src/com/android/settings/security/CredentialStorage.java
+++ b/src/com/android/settings/security/CredentialStorage.java
@@ -44,6 +44,7 @@
import com.android.internal.widget.LockPatternUtils;
import com.android.settings.R;
+import com.android.settings.RebootDialog;
import com.android.settings.password.ChooseLockSettingsHelper;
import com.android.settings.vpn2.VpnUtils;
@@ -130,10 +131,10 @@
if (uid != KeyStore.UID_SELF && !UserHandle.isSameUser(uid, Process.myUid())) {
final int dstUserId = UserHandle.getUserId(uid);
- // Restrict install target to the wifi uid.
- if (uid != Process.WIFI_UID) {
+ // Restrict install target to the known uid.
+ if (uid != Process.WIFI_UID && uid != Process.FSVERITY_CERT_UID) {
Log.e(TAG, "Failed to install credentials as uid " + uid + ": cross-user installs"
- + " may only target wifi uids");
+ + " may only target known uids");
return true;
}
@@ -309,6 +310,16 @@
Log.i(TAG, String.format("Successfully installed alias %s to uid %d.",
alias, uid));
+ if (uid == Process.FSVERITY_CERT_UID) {
+ new RebootDialog(
+ this,
+ R.string.app_src_cert_reboot_dialog_install_title,
+ R.string.app_src_cert_reboot_dialog_install_message,
+ "Reboot to make new fsverity cert effective").show();
+ setResult(RESULT_OK);
+ return;
+ }
+
// Send the broadcast.
final Intent broadcast = new Intent(KeyChain.ACTION_KEYCHAIN_CHANGED);
sendBroadcast(broadcast);
diff --git a/src/com/android/settings/security/InstallAppSourceCertificatePreferenceController.java b/src/com/android/settings/security/InstallAppSourceCertificatePreferenceController.java
new file mode 100644
index 0000000..86c02cd
--- /dev/null
+++ b/src/com/android/settings/security/InstallAppSourceCertificatePreferenceController.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.content.Context;
+import android.os.SystemProperties;
+
+import com.android.internal.annotations.VisibleForTesting;
+import com.android.settings.core.BasePreferenceController;
+
+class InstallAppSourceCertificatePreferenceController extends
+ BasePreferenceController {
+
+ private static final String APK_VERITY_PROPERTY = "ro.apk_verity.mode";
+ private static final int APK_VERITY_MODE_ENABLED = 2;
+
+ InstallAppSourceCertificatePreferenceController(Context context, String key) {
+ super(context, key);
+ }
+
+ @Override
+ public int getAvailabilityStatus() {
+ return isApkVerityEnabled() ? AVAILABLE : UNSUPPORTED_ON_DEVICE;
+ }
+
+ @VisibleForTesting
+ static boolean isApkVerityEnabled() {
+ // TODO(victorhsieh): replace this with a new API in PackageManager once it is landed.
+ return SystemProperties.getInt(APK_VERITY_PROPERTY, 0) == APK_VERITY_MODE_ENABLED;
+ }
+}
diff --git a/src/com/android/settings/security/InstallAppSourceCertificateWarning.java b/src/com/android/settings/security/InstallAppSourceCertificateWarning.java
new file mode 100644
index 0000000..9ea1b0e
--- /dev/null
+++ b/src/com/android/settings/security/InstallAppSourceCertificateWarning.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.settings.security;
+
+import android.annotation.Nullable;
+import android.app.Activity;
+import android.content.Intent;
+import android.os.Bundle;
+import android.security.Credentials;
+import android.view.View;
+import android.widget.Toast;
+
+import com.android.settings.R;
+
+import com.google.android.setupcompat.template.FooterBarMixin;
+import com.google.android.setupcompat.template.FooterButton;
+import com.google.android.setupdesign.GlifLayout;
+
+/**
+ * Creates a warning dialog explaining the consequences of installing a certificate
+ * This is displayed before an app source certificate can be installed from Settings.
+ */
+public class InstallAppSourceCertificateWarning extends Activity {
+ @Override
+ public void onCreate(@Nullable Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+
+ setContentView(R.layout.app_source_certificate_warning_dialog);
+ final GlifLayout layout = findViewById(R.id.setup_wizard_layout);
+
+ final FooterBarMixin mixin = layout.getMixin(FooterBarMixin.class);
+ mixin.setSecondaryButton(
+ new FooterButton.Builder(this)
+ .setText(R.string.certificate_warning_install_anyway)
+ .setListener(installCertificate())
+ .setButtonType(FooterButton.ButtonType.OTHER)
+ .setTheme(R.style.SudGlifButton_Secondary)
+ .build()
+ );
+
+ mixin.setPrimaryButton(
+ new FooterButton.Builder(this)
+ .setText(R.string.certificate_warning_dont_install)
+ .setListener(returnToInstallCertificateFromStorage())
+ .setButtonType(FooterButton.ButtonType.NEXT)
+ .setTheme(R.style.SudGlifButton_Primary)
+ .build()
+ );
+ }
+
+ private View.OnClickListener installCertificate() {
+ return v -> {
+ final Intent intent = new Intent();
+ intent.setAction(Credentials.INSTALL_ACTION);
+ intent.putExtra(Credentials.EXTRA_CERTIFICATE_USAGE,
+ Credentials.CERTIFICATE_USAGE_APP_SOURCE);
+ startActivity(intent);
+ finish();
+ };
+ }
+
+ private View.OnClickListener returnToInstallCertificateFromStorage() {
+ return v -> {
+ Toast.makeText(this, R.string.cert_not_installed, Toast.LENGTH_SHORT).show();
+ finish();
+ };
+ }
+
+}
diff --git a/src/com/android/settings/security/InstallCaCertificateWarning.java b/src/com/android/settings/security/InstallCaCertificateWarning.java
index 701d9f4..91faae1 100644
--- a/src/com/android/settings/security/InstallCaCertificateWarning.java
+++ b/src/com/android/settings/security/InstallCaCertificateWarning.java
@@ -46,7 +46,7 @@
final FooterBarMixin mixin = layout.getMixin(FooterBarMixin.class);
mixin.setSecondaryButton(
new FooterButton.Builder(this)
- .setText(R.string.ca_certificate_warning_install_anyway)
+ .setText(R.string.certificate_warning_install_anyway)
.setListener(installCaCertificate())
.setButtonType(FooterButton.ButtonType.OTHER)
.setTheme(R.style.SudGlifButton_Secondary)
@@ -55,7 +55,7 @@
mixin.setPrimaryButton(
new FooterButton.Builder(this)
- .setText(R.string.ca_certificate_warning_dont_install)
+ .setText(R.string.certificate_warning_dont_install)
.setListener(returnToInstallCertificateFromStorage())
.setButtonType(FooterButton.ButtonType.NEXT)
.setTheme(R.style.SudGlifButton_Primary)
diff --git a/src/com/android/settings/security/InstallCertificateFromStorage.java b/src/com/android/settings/security/InstallCertificateFromStorage.java
index 3810531..c5a93f0 100644
--- a/src/com/android/settings/security/InstallCertificateFromStorage.java
+++ b/src/com/android/settings/security/InstallCertificateFromStorage.java
@@ -60,6 +60,7 @@
private static List<AbstractPreferenceController> buildPreferenceControllers(Context context,
Lifecycle lifecycle) {
+ // TODO(eranm,victorhsieh): use "settings:controller" in xml and remove the following.
final List<AbstractPreferenceController> controllers = new ArrayList<>();
controllers.add(new InstallCaCertificatePreferenceController(context));
controllers.add(new InstallUserCertificatePreferenceController(context));
diff --git a/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java b/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java
index 61c39fc..03bdb08 100644
--- a/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java
+++ b/tests/robotests/src/com/android/settings/security/InstallCertificateFromStorageTest.java
@@ -67,6 +67,7 @@
mTestKeys.add("install_ca_certificate");
mTestKeys.add("install_user_certificate");
mTestKeys.add("install_wifi_certificate");
+ mTestKeys.add("install_app_src_certificate");
}
@Test
diff --git a/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java b/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java
index 78ad5e5..7d3b117 100644
--- a/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java
+++ b/tests/robotests/src/com/android/settings/security/RestrictedEncryptionPreferenceControllerTest.java
@@ -37,6 +37,9 @@
@Config(shadows = ShadowUserManager.class)
public class RestrictedEncryptionPreferenceControllerTest {
+ private static final String APK_VERITY_PROPERTY = "ro.apk_verity.mode";
+ private static final int APK_VERITY_MODE_ENABLED = 2;
+
private Context mContext;
private ShadowUserManager mUserManager;
private CredentialStoragePreferenceController mCredentialStoragePreferenceController;
@@ -46,6 +49,8 @@
private InstallCaCertificatePreferenceController mInstallCaCertificatePreferenceController;
private InstallUserCertificatePreferenceController mInstallUserCertificatePreferenceController;
private InstallWifiCertificatePreferenceController mInstallWifiCertificatePreferenceController;
+ private InstallAppSourceCertificatePreferenceController
+ mInstallAppSourceCertificatePreferenceController;
private Lifecycle mLifecycle;
private LifecycleOwner mLifecycleOwner;
@@ -64,6 +69,9 @@
new UserCredentialsPreferenceController(mContext);
mInstallCaCertificatePreferenceController =
new InstallCaCertificatePreferenceController(mContext);
+ mInstallAppSourceCertificatePreferenceController =
+ new InstallAppSourceCertificatePreferenceController(
+ mContext, "install_app_src_certificate");
mInstallUserCertificatePreferenceController =
new InstallUserCertificatePreferenceController(mContext);
mInstallWifiCertificatePreferenceController =
@@ -80,6 +88,8 @@
assertThat(mInstallCaCertificatePreferenceController.isAvailable()).isTrue();
assertThat(mInstallUserCertificatePreferenceController.isAvailable()).isTrue();
assertThat(mInstallWifiCertificatePreferenceController.isAvailable()).isTrue();
+ assertThat(mInstallAppSourceCertificatePreferenceController.isAvailable())
+ .isEqualTo(InstallAppSourceCertificatePreferenceController.isApkVerityEnabled());
}
@Test