blob: c90a44d17a90ccc7250f8990cb2ecfb58e4c0905 [file] [log] [blame]
/*
* Copyright (C) 2022 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.settings;
import static android.app.admin.DevicePolicyResources.Strings.Settings.PERSONAL_CATEGORY_HEADER;
import static android.app.admin.DevicePolicyResources.Strings.Settings.WORK_CATEGORY_HEADER;
import static android.widget.LinearLayout.LayoutParams.MATCH_PARENT;
import static android.widget.LinearLayout.LayoutParams.WRAP_CONTENT;
import android.annotation.UiThread;
import android.app.Activity;
import android.app.KeyguardManager;
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.UserInfo;
import android.content.res.TypedArray;
import android.database.DataSetObserver;
import android.graphics.drawable.Drawable;
import android.net.http.SslCertificate;
import android.os.AsyncTask;
import android.os.Bundle;
import android.os.Parcelable;
import android.os.RemoteException;
import android.os.UserHandle;
import android.os.UserManager;
import android.security.IKeyChainService;
import android.security.KeyChain;
import android.security.KeyChain.KeyChainConnection;
import android.util.ArraySet;
import android.util.Log;
import android.util.SparseArray;
import android.view.LayoutInflater;
import android.view.View;
import android.view.ViewGroup;
import android.widget.AdapterView;
import android.widget.BaseAdapter;
import android.widget.BaseExpandableListAdapter;
import android.widget.ExpandableListView;
import android.widget.FrameLayout;
import android.widget.ImageView;
import android.widget.LinearLayout;
import android.widget.ListView;
import android.widget.ProgressBar;
import android.widget.Switch;
import android.widget.TextView;
import androidx.annotation.NonNull;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.app.UnlaunchableAppActivity;
import com.android.internal.widget.LockPatternUtils;
import com.android.settings.TrustedCredentialsSettings.Tab;
import com.android.settingslib.core.lifecycle.ObservableFragment;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.function.IntConsumer;
/**
* Fragment to display trusted credentials settings for one tab.
*/
public class TrustedCredentialsFragment extends ObservableFragment
implements TrustedCredentialsDialogBuilder.DelegateInterface {
public static final String ARG_POSITION = "tab";
public static final String ARG_SHOW_NEW_FOR_USER = "ARG_SHOW_NEW_FOR_USER";
private static final String TAG = "TrustedCredentialsFragment";
private DevicePolicyManager mDevicePolicyManager;
private UserManager mUserManager;
private KeyguardManager mKeyguardManager;
private int mTrustAllCaUserId;
private static final String SAVED_CONFIRMED_CREDENTIAL_USERS = "ConfirmedCredentialUsers";
private static final String SAVED_CONFIRMING_CREDENTIAL_USER = "ConfirmingCredentialUser";
private static final int REQUEST_CONFIRM_CREDENTIALS = 1;
private GroupAdapter mGroupAdapter;
private AliasOperation mAliasOperation;
private ArraySet<Integer> mConfirmedCredentialUsers;
private int mConfirmingCredentialUser;
private IntConsumer mConfirmingCredentialListener;
private final Set<AdapterData.AliasLoader> mAliasLoaders = new ArraySet<>(2);
@GuardedBy("mKeyChainConnectionByProfileId")
private final SparseArray<KeyChainConnection>
mKeyChainConnectionByProfileId = new SparseArray<>();
private ViewGroup mFragmentView;
private final BroadcastReceiver mWorkProfileChangedReceiver = new BroadcastReceiver() {
@Override
public void onReceive(Context context, Intent intent) {
String action = intent.getAction();
if (Intent.ACTION_MANAGED_PROFILE_AVAILABLE.equals(action)
|| Intent.ACTION_MANAGED_PROFILE_UNAVAILABLE.equals(action)
|| Intent.ACTION_MANAGED_PROFILE_UNLOCKED.equals(action)) {
mGroupAdapter.load();
}
}
};
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
Activity activity = getActivity();
mDevicePolicyManager = activity.getSystemService(DevicePolicyManager.class);
mUserManager = activity.getSystemService(UserManager.class);
mKeyguardManager = activity.getSystemService(KeyguardManager.class);
mTrustAllCaUserId = activity.getIntent().getIntExtra(ARG_SHOW_NEW_FOR_USER,
UserHandle.USER_NULL);
mConfirmedCredentialUsers = new ArraySet<>(2);
mConfirmingCredentialUser = UserHandle.USER_NULL;
if (savedInstanceState != null) {
mConfirmingCredentialUser = savedInstanceState.getInt(SAVED_CONFIRMING_CREDENTIAL_USER,
UserHandle.USER_NULL);
ArrayList<Integer> users = savedInstanceState.getIntegerArrayList(
SAVED_CONFIRMED_CREDENTIAL_USERS);
if (users != null) {
mConfirmedCredentialUsers.addAll(users);
}
}
IntentFilter filter = new IntentFilter();
filter.addAction(Intent.ACTION_MANAGED_PROFILE_AVAILABLE);
filter.addAction(Intent.ACTION_MANAGED_PROFILE_UNAVAILABLE);
filter.addAction(Intent.ACTION_MANAGED_PROFILE_UNLOCKED);
activity.registerReceiver(mWorkProfileChangedReceiver, filter);
}
@Override
public void onSaveInstanceState(Bundle outState) {
super.onSaveInstanceState(outState);
outState.putIntegerArrayList(SAVED_CONFIRMED_CREDENTIAL_USERS, new ArrayList<>(
mConfirmedCredentialUsers));
outState.putInt(SAVED_CONFIRMING_CREDENTIAL_USER, mConfirmingCredentialUser);
mGroupAdapter.saveState(outState);
}
@Override
public View onCreateView(
LayoutInflater inflater, ViewGroup parent, Bundle savedInstanceState) {
mFragmentView = (ViewGroup) inflater.inflate(R.layout.trusted_credentials, parent, false);
ViewGroup contentView = mFragmentView.findViewById(R.id.content);
mGroupAdapter = new GroupAdapter(
requireArguments().getInt(ARG_POSITION) == 0 ? Tab.SYSTEM : Tab.USER);
int profilesSize = mGroupAdapter.getGroupCount();
for (int i = 0; i < profilesSize; i++) {
Bundle childState = savedInstanceState == null ? null
: savedInstanceState.getBundle(mGroupAdapter.getKey(i));
createChildView(inflater, contentView, childState, i);
}
return mFragmentView;
}
private void createChildView(
LayoutInflater inflater, ViewGroup parent, Bundle childState, int i) {
boolean isWork = mGroupAdapter.getUserInfoByGroup(i).isManagedProfile();
ChildAdapter adapter = mGroupAdapter.createChildAdapter(i);
LinearLayout containerView = (LinearLayout) inflater.inflate(
R.layout.trusted_credential_list_container, parent, false);
adapter.setContainerView(containerView, childState);
int profilesSize = mGroupAdapter.getGroupCount();
adapter.showHeader(profilesSize > 1);
adapter.showDivider(isWork);
adapter.setExpandIfAvailable(profilesSize <= 2 || !isWork, childState);
if (isWork) {
parent.addView(containerView);
} else {
parent.addView(containerView, 0);
}
}
@Override
public void onResume() {
super.onResume();
mFragmentView.requestLayout();
}
@Override
public void onDestroy() {
getActivity().unregisterReceiver(mWorkProfileChangedReceiver);
for (AdapterData.AliasLoader aliasLoader : mAliasLoaders) {
aliasLoader.cancel(true);
}
mAliasLoaders.clear();
if (mAliasOperation != null) {
mAliasOperation.cancel(true);
mAliasOperation = null;
}
closeKeyChainConnections();
super.onDestroy();
}
@Override
public void onActivityResult(int requestCode, int resultCode, Intent data) {
if (requestCode == REQUEST_CONFIRM_CREDENTIALS) {
int userId = mConfirmingCredentialUser;
IntConsumer listener = mConfirmingCredentialListener;
// reset them before calling the listener because the listener may call back to start
// activity again. (though it should never happen.)
mConfirmingCredentialUser = UserHandle.USER_NULL;
mConfirmingCredentialListener = null;
if (resultCode == Activity.RESULT_OK) {
mConfirmedCredentialUsers.add(userId);
if (listener != null) {
listener.accept(userId);
}
}
}
}
private void closeKeyChainConnections() {
synchronized (mKeyChainConnectionByProfileId) {
int n = mKeyChainConnectionByProfileId.size();
for (int i = 0; i < n; ++i) {
mKeyChainConnectionByProfileId.valueAt(i).close();
}
mKeyChainConnectionByProfileId.clear();
}
}
/**
* Start work challenge activity.
*
* @return true if screenlock exists
*/
private boolean startConfirmCredential(int userId) {
Intent newIntent = mKeyguardManager.createConfirmDeviceCredentialIntent(null, null, userId);
if (newIntent == null) {
return false;
}
mConfirmingCredentialUser = userId;
startActivityForResult(newIntent, REQUEST_CONFIRM_CREDENTIALS);
return true;
}
/**
* Adapter for expandable list view of certificates. Groups in the view correspond to profiles
* whereas children correspond to certificates.
*/
private class GroupAdapter extends BaseExpandableListAdapter implements
ExpandableListView.OnGroupClickListener, ExpandableListView.OnChildClickListener {
private final AdapterData mData;
private final ArrayList<ChildAdapter> mChildAdapters = new ArrayList<>();
private GroupAdapter(Tab tab) {
mData = new AdapterData(tab, this);
load();
}
@Override
public int getGroupCount() {
return mData.mCertHoldersByUserId.size();
}
@Override
public int getChildrenCount(int groupPosition) {
List<CertHolder> certHolders = mData.mCertHoldersByUserId.valueAt(groupPosition);
if (certHolders != null) {
return certHolders.size();
}
return 0;
}
@Override
public UserHandle getGroup(int groupPosition) {
return new UserHandle(mData.mCertHoldersByUserId.keyAt(groupPosition));
}
@Override
public CertHolder getChild(int groupPosition, int childPosition) {
return mData.mCertHoldersByUserId.get(getUserIdByGroup(groupPosition)).get(
childPosition);
}
@Override
public long getGroupId(int groupPosition) {
return getUserIdByGroup(groupPosition);
}
private int getUserIdByGroup(int groupPosition) {
return mData.mCertHoldersByUserId.keyAt(groupPosition);
}
public UserInfo getUserInfoByGroup(int groupPosition) {
return mUserManager.getUserInfo(getUserIdByGroup(groupPosition));
}
@Override
public long getChildId(int groupPosition, int childPosition) {
return childPosition;
}
@Override
public boolean hasStableIds() {
return false;
}
@Override
public View getGroupView(int groupPosition, boolean isExpanded, View convertView,
ViewGroup parent) {
if (convertView == null) {
LayoutInflater inflater = (LayoutInflater) getActivity()
.getSystemService(Context.LAYOUT_INFLATER_SERVICE);
convertView = Utils.inflateCategoryHeader(inflater, parent);
}
TextView title = convertView.findViewById(android.R.id.title);
if (getUserInfoByGroup(groupPosition).isManagedProfile()) {
title.setText(mDevicePolicyManager.getResources().getString(WORK_CATEGORY_HEADER,
() -> getString(R.string.category_work)));
} else {
title.setText(mDevicePolicyManager.getResources().getString(
PERSONAL_CATEGORY_HEADER,
() -> getString(R.string.category_personal)));
}
title.setTextAlignment(View.TEXT_ALIGNMENT_VIEW_END);
return convertView;
}
@Override
public View getChildView(int groupPosition, int childPosition, boolean isLastChild,
View convertView, ViewGroup parent) {
return getViewForCertificate(getChild(groupPosition, childPosition), mData.mTab,
convertView, parent);
}
@Override
public boolean isChildSelectable(int groupPosition, int childPosition) {
return true;
}
@Override
public boolean onChildClick(ExpandableListView expandableListView, View view,
int groupPosition, int childPosition, long id) {
showCertDialog(getChild(groupPosition, childPosition));
return true;
}
@Override
public boolean onGroupClick(ExpandableListView expandableListView, View view,
int groupPosition, long id) {
return !checkGroupExpandableAndStartWarningActivity(groupPosition);
}
public void load() {
mData.new AliasLoader().execute();
}
public void remove(CertHolder certHolder) {
mData.remove(certHolder);
}
ChildAdapter createChildAdapter(int groupPosition) {
ChildAdapter childAdapter = new ChildAdapter(this, groupPosition);
mChildAdapters.add(childAdapter);
return childAdapter;
}
public boolean checkGroupExpandableAndStartWarningActivity(int groupPosition) {
return checkGroupExpandableAndStartWarningActivity(groupPosition, true);
}
public boolean checkGroupExpandableAndStartWarningActivity(int groupPosition,
boolean startActivity) {
UserHandle groupUser = getGroup(groupPosition);
int groupUserId = groupUser.getIdentifier();
if (mUserManager.isQuietModeEnabled(groupUser)) {
if (startActivity) {
Intent intent =
UnlaunchableAppActivity.createInQuietModeDialogIntent(groupUserId);
getActivity().startActivity(intent);
}
return false;
} else if (!mUserManager.isUserUnlocked(groupUser)) {
LockPatternUtils lockPatternUtils = new LockPatternUtils(getActivity());
if (lockPatternUtils.isSeparateProfileChallengeEnabled(groupUserId)) {
if (startActivity) {
startConfirmCredential(groupUserId);
}
return false;
}
}
return true;
}
private View getViewForCertificate(CertHolder certHolder, Tab mTab, View convertView,
ViewGroup parent) {
ViewHolder holder;
if (convertView == null) {
holder = new ViewHolder();
LayoutInflater inflater = LayoutInflater.from(getActivity());
convertView = inflater.inflate(R.layout.trusted_credential, parent, false);
convertView.setTag(holder);
holder.mSubjectPrimaryView =
convertView.findViewById(R.id.trusted_credential_subject_primary);
holder.mSubjectSecondaryView =
convertView.findViewById(R.id.trusted_credential_subject_secondary);
holder.mSwitch = convertView.findViewById(R.id.trusted_credential_status);
holder.mSwitch.setOnClickListener(view -> {
removeOrInstallCert((CertHolder) view.getTag());
});
} else {
holder = (ViewHolder) convertView.getTag();
}
holder.mSubjectPrimaryView.setText(certHolder.mSubjectPrimary);
holder.mSubjectSecondaryView.setText(certHolder.mSubjectSecondary);
if (mTab.mSwitch) {
holder.mSwitch.setChecked(!certHolder.mDeleted);
holder.mSwitch.setEnabled(!mUserManager.hasUserRestriction(
UserManager.DISALLOW_CONFIG_CREDENTIALS,
new UserHandle(certHolder.mProfileId)));
holder.mSwitch.setVisibility(View.VISIBLE);
holder.mSwitch.setTag(certHolder);
}
return convertView;
}
private void saveState(Bundle outState) {
for (int groupPosition = 0, mChildAdaptersSize = mChildAdapters.size();
groupPosition < mChildAdaptersSize; groupPosition++) {
ChildAdapter childAdapter = mChildAdapters.get(groupPosition);
outState.putBundle(getKey(groupPosition), childAdapter.saveState());
}
}
@NonNull
private String getKey(int groupPosition) {
return "Group" + getUserIdByGroup(groupPosition);
}
private class ViewHolder {
private TextView mSubjectPrimaryView;
private TextView mSubjectSecondaryView;
private Switch mSwitch;
}
}
private class ChildAdapter extends BaseAdapter implements View.OnClickListener,
AdapterView.OnItemClickListener {
private static final String KEY_CONTAINER = "Container";
private static final String KEY_IS_LIST_EXPANDED = "IsListExpanded";
private final int[] mGroupExpandedStateSet = {com.android.internal.R.attr.state_expanded};
private final int[] mEmptyStateSet = {};
private final LinearLayout.LayoutParams mHideContainerLayoutParams =
new LinearLayout.LayoutParams(MATCH_PARENT, WRAP_CONTENT, 0f);
private final LinearLayout.LayoutParams mHideListLayoutParams =
new LinearLayout.LayoutParams(MATCH_PARENT, 0);
private final LinearLayout.LayoutParams mShowLayoutParams = new LinearLayout.LayoutParams(
LinearLayout.LayoutParams.MATCH_PARENT, MATCH_PARENT, 1f);
private final GroupAdapter mParent;
private final int mGroupPosition;
/*
* This class doesn't hold the actual data. Events should notify parent.
* When notifying DataSet events in this class, events should be forwarded to mParent.
* i.e. this.notifyDataSetChanged -> mParent.notifyDataSetChanged -> mObserver.onChanged
* -> outsideObservers.onChanged() (e.g. ListView)
*/
private final DataSetObserver mObserver = new DataSetObserver() {
@Override
public void onChanged() {
super.onChanged();
TrustedCredentialsFragment.ChildAdapter.super.notifyDataSetChanged();
}
@Override
public void onInvalidated() {
super.onInvalidated();
TrustedCredentialsFragment.ChildAdapter.super.notifyDataSetInvalidated();
}
};
private boolean mIsListExpanded = true;
private LinearLayout mContainerView;
private ViewGroup mHeaderView;
private ListView mListView;
private ImageView mIndicatorView;
private ChildAdapter(GroupAdapter parent, int groupPosition) {
mParent = parent;
mGroupPosition = groupPosition;
mParent.registerDataSetObserver(mObserver);
}
@Override
public int getCount() {
return mParent.getChildrenCount(mGroupPosition);
}
@Override
public CertHolder getItem(int position) {
return mParent.getChild(mGroupPosition, position);
}
@Override
public long getItemId(int position) {
return mParent.getChildId(mGroupPosition, position);
}
@Override
public View getView(int position, View convertView, ViewGroup parent) {
return mParent.getChildView(mGroupPosition, position, false, convertView, parent);
}
// DataSet events
@Override
public void notifyDataSetChanged() {
// Don't call super as the parent will propagate this event back later in mObserver
mParent.notifyDataSetChanged();
}
@Override
public void notifyDataSetInvalidated() {
// Don't call super as the parent will propagate this event back later in mObserver
mParent.notifyDataSetInvalidated();
}
// View related codes
@Override
public void onClick(View view) {
mIsListExpanded = checkGroupExpandableAndStartWarningActivity() && !mIsListExpanded;
refreshViews();
}
@Override
public void onItemClick(AdapterView<?> adapterView, View view, int pos, long id) {
showCertDialog(getItem(pos));
}
public void setContainerView(LinearLayout containerView, Bundle savedState) {
mContainerView = containerView;
// Handle manually because multiple groups with same id elements.
mContainerView.setSaveFromParentEnabled(false);
mListView = mContainerView.findViewById(R.id.cert_list);
mListView.setAdapter(this);
mListView.setOnItemClickListener(this);
mListView.setItemsCanFocus(true);
mHeaderView = mContainerView.findViewById(R.id.header_view);
mHeaderView.setOnClickListener(this);
mIndicatorView = mHeaderView.findViewById(R.id.group_indicator);
mIndicatorView.setImageDrawable(getGroupIndicator());
FrameLayout headerContentContainer =
mHeaderView.findViewById(R.id.header_content_container);
headerContentContainer.addView(
mParent.getGroupView(mGroupPosition, true /* parent ignores it */, null,
headerContentContainer));
if (savedState != null) {
SparseArray<Parcelable> containerStates =
savedState.getSparseParcelableArray(KEY_CONTAINER, Parcelable.class);
if (containerStates != null) {
mContainerView.restoreHierarchyState(containerStates);
}
}
}
public void showHeader(boolean showHeader) {
mHeaderView.setVisibility(showHeader ? View.VISIBLE : View.GONE);
}
public void showDivider(boolean showDivider) {
View dividerView = mHeaderView.findViewById(R.id.header_divider);
dividerView.setVisibility(showDivider ? View.VISIBLE : View.GONE);
}
public void setExpandIfAvailable(boolean expanded, Bundle savedState) {
if (savedState != null) {
expanded = savedState.getBoolean(KEY_IS_LIST_EXPANDED);
}
mIsListExpanded = expanded && mParent.checkGroupExpandableAndStartWarningActivity(
mGroupPosition, false /* startActivity */);
refreshViews();
}
private boolean checkGroupExpandableAndStartWarningActivity() {
return mParent.checkGroupExpandableAndStartWarningActivity(mGroupPosition);
}
private void refreshViews() {
mIndicatorView.setImageState(mIsListExpanded ? mGroupExpandedStateSet
: mEmptyStateSet, false);
mListView.setLayoutParams(mIsListExpanded ? mShowLayoutParams
: mHideListLayoutParams);
mContainerView.setLayoutParams(mIsListExpanded ? mShowLayoutParams
: mHideContainerLayoutParams);
}
// Get group indicator from styles of ExpandableListView
private Drawable getGroupIndicator() {
TypedArray a = getActivity().obtainStyledAttributes(null,
com.android.internal.R.styleable.ExpandableListView,
com.android.internal.R.attr.expandableListViewStyle, 0);
Drawable groupIndicator = a.getDrawable(
com.android.internal.R.styleable.ExpandableListView_groupIndicator);
a.recycle();
return groupIndicator;
}
private Bundle saveState() {
Bundle bundle = new Bundle();
SparseArray<Parcelable> states = new SparseArray<>();
mContainerView.saveHierarchyState(states);
bundle.putSparseParcelableArray(KEY_CONTAINER, states);
bundle.putBoolean(KEY_IS_LIST_EXPANDED, mIsListExpanded);
return bundle;
}
}
private class AdapterData {
private final SparseArray<List<CertHolder>> mCertHoldersByUserId =
new SparseArray<>();
private final Tab mTab;
private final GroupAdapter mAdapter;
private AdapterData(Tab tab, GroupAdapter adapter) {
mAdapter = adapter;
mTab = tab;
}
private class AliasLoader extends AsyncTask<Void, Integer, SparseArray<List<CertHolder>>> {
private ProgressBar mProgressBar;
private View mContentView;
private Context mContext;
AliasLoader() {
mContext = getActivity();
mAliasLoaders.add(this);
List<UserHandle> profiles = mUserManager.getUserProfiles();
for (UserHandle profile : profiles) {
mCertHoldersByUserId.put(profile.getIdentifier(), new ArrayList<>());
}
}
private boolean shouldSkipProfile(UserHandle userHandle) {
return mUserManager.isQuietModeEnabled(userHandle)
|| !mUserManager.isUserUnlocked(userHandle.getIdentifier());
}
@Override
protected void onPreExecute() {
mProgressBar = mFragmentView.findViewById(R.id.progress);
mContentView = mFragmentView.findViewById(R.id.content);
mProgressBar.setVisibility(View.VISIBLE);
mContentView.setVisibility(View.GONE);
}
@Override
protected SparseArray<List<CertHolder>> doInBackground(Void... params) {
SparseArray<List<CertHolder>> certHoldersByProfile =
new SparseArray<>();
try {
synchronized (mKeyChainConnectionByProfileId) {
List<UserHandle> profiles = mUserManager.getUserProfiles();
// First we get all aliases for all profiles in order to show progress
// correctly. Otherwise this could all be in a single loop.
SparseArray<List<String>> aliasesByProfileId =
new SparseArray<>(profiles.size());
int max = 0;
int progress = 0;
for (UserHandle profile : profiles) {
int profileId = profile.getIdentifier();
if (shouldSkipProfile(profile)) {
continue;
}
KeyChainConnection keyChainConnection = KeyChain.bindAsUser(mContext,
profile);
// Saving the connection for later use on the certificate dialog.
mKeyChainConnectionByProfileId.put(profileId, keyChainConnection);
IKeyChainService service = keyChainConnection.getService();
List<String> aliases = mTab.getAliases(service);
if (isCancelled()) {
return new SparseArray<>();
}
max += aliases.size();
aliasesByProfileId.put(profileId, aliases);
}
for (UserHandle profile : profiles) {
int profileId = profile.getIdentifier();
List<String> aliases = aliasesByProfileId.get(profileId);
if (isCancelled()) {
return new SparseArray<>();
}
KeyChainConnection keyChainConnection =
mKeyChainConnectionByProfileId.get(
profileId);
if (shouldSkipProfile(profile) || aliases == null
|| keyChainConnection == null) {
certHoldersByProfile.put(profileId, new ArrayList<>(0));
continue;
}
IKeyChainService service = keyChainConnection.getService();
List<CertHolder> certHolders = new ArrayList<>(max);
for (String alias : aliases) {
byte[] encodedCertificate = service.getEncodedCaCertificate(alias,
true);
X509Certificate cert = KeyChain.toCertificate(encodedCertificate);
certHolders.add(new CertHolder(service, mAdapter,
mTab, alias, cert, profileId));
publishProgress(++progress, max);
}
Collections.sort(certHolders);
certHoldersByProfile.put(profileId, certHolders);
}
return certHoldersByProfile;
}
} catch (RemoteException e) {
Log.e(TAG, "Remote exception while loading aliases.", e);
return new SparseArray<>();
} catch (InterruptedException e) {
Log.e(TAG, "InterruptedException while loading aliases.", e);
return new SparseArray<>();
}
}
@Override
protected void onProgressUpdate(Integer... progressAndMax) {
int progress = progressAndMax[0];
int max = progressAndMax[1];
if (max != mProgressBar.getMax()) {
mProgressBar.setMax(max);
}
mProgressBar.setProgress(progress);
}
@Override
protected void onPostExecute(SparseArray<List<CertHolder>> certHolders) {
mCertHoldersByUserId.clear();
int n = certHolders.size();
for (int i = 0; i < n; ++i) {
mCertHoldersByUserId.put(certHolders.keyAt(i), certHolders.valueAt(i));
}
mAdapter.notifyDataSetChanged();
mProgressBar.setVisibility(View.GONE);
mContentView.setVisibility(View.VISIBLE);
mProgressBar.setProgress(0);
mAliasLoaders.remove(this);
showTrustAllCaDialogIfNeeded();
}
private boolean isUserTabAndTrustAllCertMode() {
return isTrustAllCaCertModeInProgress() && mTab == Tab.USER;
}
@UiThread
private void showTrustAllCaDialogIfNeeded() {
if (!isUserTabAndTrustAllCertMode()) {
return;
}
List<CertHolder> certHolders = mCertHoldersByUserId.get(mTrustAllCaUserId);
if (certHolders == null) {
return;
}
List<CertHolder> unapprovedUserCertHolders = new ArrayList<>();
DevicePolicyManager dpm = mContext.getSystemService(DevicePolicyManager.class);
for (CertHolder cert : certHolders) {
if (cert != null && !dpm.isCaCertApproved(cert.mAlias, mTrustAllCaUserId)) {
unapprovedUserCertHolders.add(cert);
}
}
if (unapprovedUserCertHolders.size() == 0) {
Log.w(TAG, "no cert is pending approval for user " + mTrustAllCaUserId);
return;
}
showTrustAllCaDialog(unapprovedUserCertHolders);
}
}
public void remove(CertHolder certHolder) {
if (mCertHoldersByUserId != null) {
List<CertHolder> certs = mCertHoldersByUserId.get(certHolder.mProfileId);
if (certs != null) {
certs.remove(certHolder);
}
}
}
}
/* package */ static class CertHolder implements Comparable<CertHolder> {
public int mProfileId;
private final IKeyChainService mService;
private final GroupAdapter mAdapter;
private final Tab mTab;
private final String mAlias;
private final X509Certificate mX509Cert;
private final SslCertificate mSslCert;
private final String mSubjectPrimary;
private final String mSubjectSecondary;
private boolean mDeleted;
private CertHolder(IKeyChainService service,
GroupAdapter adapter,
Tab tab,
String alias,
X509Certificate x509Cert,
int profileId) {
mProfileId = profileId;
mService = service;
mAdapter = adapter;
mTab = tab;
mAlias = alias;
mX509Cert = x509Cert;
mSslCert = new SslCertificate(x509Cert);
String cn = mSslCert.getIssuedTo().getCName();
String o = mSslCert.getIssuedTo().getOName();
String ou = mSslCert.getIssuedTo().getUName();
// if we have a O, use O as primary subject, secondary prefer CN over OU
// if we don't have an O, use CN as primary, empty secondary
// if we don't have O or CN, use DName as primary, empty secondary
if (!o.isEmpty()) {
if (!cn.isEmpty()) {
mSubjectPrimary = o;
mSubjectSecondary = cn;
} else {
mSubjectPrimary = o;
mSubjectSecondary = ou;
}
} else {
if (!cn.isEmpty()) {
mSubjectPrimary = cn;
mSubjectSecondary = "";
} else {
mSubjectPrimary = mSslCert.getIssuedTo().getDName();
mSubjectSecondary = "";
}
}
try {
mDeleted = mTab.deleted(mService, mAlias);
} catch (RemoteException e) {
Log.e(TAG, "Remote exception while checking if alias " + mAlias + " is deleted.",
e);
mDeleted = false;
}
}
@Override
public int compareTo(CertHolder o) {
int primary = this.mSubjectPrimary.compareToIgnoreCase(o.mSubjectPrimary);
if (primary != 0) {
return primary;
}
return this.mSubjectSecondary.compareToIgnoreCase(o.mSubjectSecondary);
}
@Override
public boolean equals(Object o) {
if (!(o instanceof CertHolder)) {
return false;
}
CertHolder other = (CertHolder) o;
return mAlias.equals(other.mAlias);
}
@Override
public int hashCode() {
return mAlias.hashCode();
}
public int getUserId() {
return mProfileId;
}
public String getAlias() {
return mAlias;
}
public boolean isSystemCert() {
return mTab == Tab.SYSTEM;
}
public boolean isDeleted() {
return mDeleted;
}
}
private boolean isTrustAllCaCertModeInProgress() {
return mTrustAllCaUserId != UserHandle.USER_NULL;
}
private void showTrustAllCaDialog(List<CertHolder> unapprovedCertHolders) {
CertHolder[] arr =
unapprovedCertHolders.toArray(new CertHolder[unapprovedCertHolders.size()]);
new TrustedCredentialsDialogBuilder(getActivity(), this)
.setCertHolders(arr)
.setOnDismissListener(dialogInterface -> {
// Avoid starting dialog again after Activity restart.
getActivity().getIntent().removeExtra(ARG_SHOW_NEW_FOR_USER);
mTrustAllCaUserId = UserHandle.USER_NULL;
})
.show();
}
private void showCertDialog(final CertHolder certHolder) {
new TrustedCredentialsDialogBuilder(getActivity(), this)
.setCertHolder(certHolder)
.show();
}
@Override
public List<X509Certificate> getX509CertsFromCertHolder(CertHolder certHolder) {
List<X509Certificate> certificates = null;
try {
synchronized (mKeyChainConnectionByProfileId) {
KeyChainConnection keyChainConnection = mKeyChainConnectionByProfileId.get(
certHolder.mProfileId);
IKeyChainService service = keyChainConnection.getService();
List<String> chain = service.getCaCertificateChainAliases(certHolder.mAlias, true);
certificates = new ArrayList<>(chain.size());
for (String s : chain) {
byte[] encodedCertificate = service.getEncodedCaCertificate(s, true);
X509Certificate certificate = KeyChain.toCertificate(encodedCertificate);
certificates.add(certificate);
}
}
} catch (RemoteException ex) {
Log.e(TAG, "RemoteException while retrieving certificate chain for root "
+ certHolder.mAlias, ex);
}
return certificates;
}
@Override
public void removeOrInstallCert(CertHolder certHolder) {
new AliasOperation(certHolder).execute();
}
@Override
public boolean startConfirmCredentialIfNotConfirmed(int userId,
IntConsumer onCredentialConfirmedListener) {
if (mConfirmedCredentialUsers.contains(userId)) {
// Credential has been confirmed. Don't start activity.
return false;
}
boolean result = startConfirmCredential(userId);
if (result) {
mConfirmingCredentialListener = onCredentialConfirmedListener;
}
return result;
}
private class AliasOperation extends AsyncTask<Void, Void, Boolean> {
private final CertHolder mCertHolder;
private AliasOperation(CertHolder certHolder) {
mCertHolder = certHolder;
mAliasOperation = this;
}
@Override
protected Boolean doInBackground(Void... params) {
try {
synchronized (mKeyChainConnectionByProfileId) {
KeyChainConnection keyChainConnection = mKeyChainConnectionByProfileId.get(
mCertHolder.mProfileId);
IKeyChainService service = keyChainConnection.getService();
if (mCertHolder.mDeleted) {
byte[] bytes = mCertHolder.mX509Cert.getEncoded();
service.installCaCertificate(bytes);
return true;
} else {
return service.deleteCaCertificate(mCertHolder.mAlias);
}
}
} catch (CertificateEncodingException | SecurityException | IllegalStateException
| RemoteException e) {
Log.w(TAG, "Error while toggling alias " + mCertHolder.mAlias, e);
return false;
}
}
@Override
protected void onPostExecute(Boolean ok) {
if (ok) {
if (mCertHolder.mTab.mSwitch) {
mCertHolder.mDeleted = !mCertHolder.mDeleted;
} else {
mCertHolder.mAdapter.remove(mCertHolder);
}
mCertHolder.mAdapter.notifyDataSetChanged();
} else {
// bail, reload to reset to known state
mCertHolder.mAdapter.load();
}
mAliasOperation = null;
}
}
}