DPM: installKeyPair variant: caller can self-grant
If 'requestAccess' is true, the caller (either profile/device owner or a
designated certificate installer) will be granted usage of the keypair
on successful installation.
This has no security implications for a profile/device owner which would
already be able to self-grant. Delegated certificate installers did not
have this ability before.
This is only allowed at install-time- not afterward.
Bug: 24746231
Change-Id: Ia0ec290bb0bcde1d8137c188e2667cb7718dbfd7
diff --git a/api/current.txt b/api/current.txt
index abc9e9a..2b8d0ab 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -5886,6 +5886,7 @@
method public boolean hasGrantedPolicy(android.content.ComponentName, int);
method public boolean installCaCert(android.content.ComponentName, byte[]);
method public boolean installKeyPair(android.content.ComponentName, java.security.PrivateKey, java.security.cert.Certificate, java.lang.String);
+ method public boolean installKeyPair(android.content.ComponentName, java.security.PrivateKey, java.security.cert.Certificate, java.lang.String, boolean);
method public boolean isActivePasswordSufficient();
method public boolean isAdminActive(android.content.ComponentName);
method public boolean isApplicationHidden(android.content.ComponentName, java.lang.String);
diff --git a/api/system-current.txt b/api/system-current.txt
index b36d7e8..5a3d8de 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -6031,6 +6031,7 @@
method public boolean hasGrantedPolicy(android.content.ComponentName, int);
method public boolean installCaCert(android.content.ComponentName, byte[]);
method public boolean installKeyPair(android.content.ComponentName, java.security.PrivateKey, java.security.cert.Certificate, java.lang.String);
+ method public boolean installKeyPair(android.content.ComponentName, java.security.PrivateKey, java.security.cert.Certificate, java.lang.String, boolean);
method public boolean isActivePasswordSufficient();
method public boolean isAdminActive(android.content.ComponentName);
method public boolean isApplicationHidden(android.content.ComponentName, java.lang.String);
diff --git a/api/test-current.txt b/api/test-current.txt
index 3878fbf..1e432dc 100644
--- a/api/test-current.txt
+++ b/api/test-current.txt
@@ -5888,6 +5888,7 @@
method public boolean hasGrantedPolicy(android.content.ComponentName, int);
method public boolean installCaCert(android.content.ComponentName, byte[]);
method public boolean installKeyPair(android.content.ComponentName, java.security.PrivateKey, java.security.cert.Certificate, java.lang.String);
+ method public boolean installKeyPair(android.content.ComponentName, java.security.PrivateKey, java.security.cert.Certificate, java.lang.String, boolean);
method public boolean isActivePasswordSufficient();
method public boolean isAdminActive(android.content.ComponentName);
method public boolean isApplicationHidden(android.content.ComponentName, java.lang.String);
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index ae63a2f..cbb6732 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -2677,8 +2677,16 @@
}
/**
- * Called by a device or profile owner to install a certificate and private key pair. The
- * keypair will be visible to all apps within the profile.
+ * Called by a device or profile owner, or delegated certificate installer, to install a
+ * certificate and corresponding private key. All apps within the profile will be able to access
+ * the certificate and use the private key, given direct user approval.
+ *
+ * <p>Access to the installed credentials will not be granted to the caller of this API without
+ * direct user approval. This is for security - should a certificate installer become
+ * compromised, certificates it had already installed will be protected.
+ *
+ * <p>If the installer must have access to the credentials, call
+ * {@link #installKeyPair(ComponentName, PrivateKey, Certificate, String, boolean)} instead.
*
* @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
* {@code null} if calling from a delegated certificate installer.
@@ -2690,11 +2698,35 @@
*/
public boolean installKeyPair(@Nullable ComponentName admin, @NonNull PrivateKey privKey,
@NonNull Certificate cert, @NonNull String alias) {
+ return installKeyPair(admin, privKey, cert, alias, false);
+ }
+
+ /**
+ * Called by a device or profile owner, or delegated certificate installer, to install a
+ * certificate and corresponding private key. All apps within the profile will be able to access
+ * the certificate and use the private key, given direct user approval.
+ *
+ * <p>The caller of this API may grant itself access to the credential immediately, without user
+ * approval. It is a best practice not to request this unless strictly necessary since it opens
+ * up additional security vulnerabilities.
+ *
+ * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
+ * {@code null} if calling from a delegated certificate installer.
+ * @param privKey The private key to install.
+ * @param cert The certificate to install.
+ * @param alias The private key alias under which to install the certificate. If a certificate
+ * with that alias already exists, it will be overwritten.
+ * @param requestAccess {@code true} to request that the calling app be granted access to the
+ * credentials immediately. Otherwise, access to the credentials will be gated by user approval.
+ * @return {@code true} if the keys were installed, {@code false} otherwise.
+ */
+ public boolean installKeyPair(@Nullable ComponentName admin, @NonNull PrivateKey privKey,
+ @NonNull Certificate cert, @NonNull String alias, boolean requestAccess) {
try {
final byte[] pemCert = Credentials.convertToPem(cert);
final byte[] pkcs8Key = KeyFactory.getInstance(privKey.getAlgorithm())
.getKeySpec(privKey, PKCS8EncodedKeySpec.class).getEncoded();
- return mService.installKeyPair(admin, pkcs8Key, pemCert, alias);
+ return mService.installKeyPair(admin, pkcs8Key, pemCert, alias, requestAccess);
} catch (RemoteException e) {
Log.w(TAG, REMOTE_EXCEPTION_MESSAGE, e);
} catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
@@ -2706,8 +2738,8 @@
}
/**
- * Called by a device or profile owner to remove all user credentials installed under a given
- * alias.
+ * Called by a device or profile owner, or delegated certificate installer, to remove all user
+ * credentials installed under a given alias.
*
* @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
* {@code null} if calling from a delegated certificate installer.
diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl
index e9af872..c6dd01b 100644
--- a/core/java/android/app/admin/IDevicePolicyManager.aidl
+++ b/core/java/android/app/admin/IDevicePolicyManager.aidl
@@ -145,7 +145,8 @@
void uninstallCaCerts(in ComponentName admin, in String[] aliases);
void enforceCanManageCaCerts(in ComponentName admin);
- boolean installKeyPair(in ComponentName who, in byte[] privKeyBuffer, in byte[] certBuffer, String alias);
+ boolean installKeyPair(in ComponentName who, in byte[] privKeyBuffer, in byte[] certBuffer,
+ String alias, boolean requestAccess);
boolean removeKeyPair(in ComponentName who, String alias);
void choosePrivateKeyAlias(int uid, in Uri uri, in String alias, IBinder aliasCallback);
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 33225eb..d01af1a 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -4090,16 +4090,24 @@
}
@Override
- public boolean installKeyPair(ComponentName who, byte[] privKey, byte[] cert, String alias) {
+ public boolean installKeyPair(ComponentName who, byte[] privKey, byte[] cert, String alias,
+ boolean requestAccess) {
enforceCanManageInstalledKeys(who);
- final UserHandle userHandle = new UserHandle(UserHandle.getCallingUserId());
+ final int callingUid = mInjector.binderGetCallingUid();
final long id = mInjector.binderClearCallingIdentity();
try {
- final KeyChainConnection keyChainConnection = KeyChain.bindAsUser(mContext, userHandle);
+ final KeyChainConnection keyChainConnection =
+ KeyChain.bindAsUser(mContext, UserHandle.getUserHandleForUid(callingUid));
try {
IKeyChainService keyChain = keyChainConnection.getService();
- return keyChain.installKeyPair(privKey, cert, alias);
+ if (!keyChain.installKeyPair(privKey, cert, alias)) {
+ return false;
+ }
+ if (requestAccess) {
+ keyChain.setGrant(callingUid, alias, true);
+ }
+ return true;
} catch (RemoteException e) {
Log.e(LOG_TAG, "Installing certificate", e);
} finally {