5 files changed, 34 insertions, 21 deletions
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java index 10b6052bec69..e5807e84a70e 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java @@ -82,6 +82,7 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.security.spec.InvalidKeySpecException; import java.util.Arrays; +import java.util.Date; import java.util.HashMap; import java.util.List; import java.util.Locale; @@ -272,9 +273,10 @@ public class RecoverableKeyStoreManager { CertPath certPath; X509Certificate rootCert = mTestCertHelper.getRootCertificate(rootCertificateAlias); + Date validationDate = mTestCertHelper.getValidationDate(rootCertificateAlias); try { Log.d(TAG, "Getting and validating a random endpoint certificate"); - certPath = certXml.getRandomEndpointCert(rootCert); + certPath = certXml.getRandomEndpointCert(rootCert, validationDate); } catch (CertValidationException e) { Log.e(TAG, "Invalid endpoint cert", e); throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); 
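Review bot: Nothing in this path records that the endpoint certificate was validated against a fixed date rather than the current time, so a sync that accepted an expired chain through the test-only root looks the same in the logs as a normal one. A line such as `if (validationDate != null) Log.w(TAG, "Validating against a fixed date for a test-only root certificate");` before the `try` would make that visible. The same applies to the hunks at -348 and -601, which fetch the date the same way. The enclosing method starts and ends outside the hunk.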
@@ -348,10 +350,11 @@ public class RecoverableKeyStoreManager { X509Certificate rootCert = mTestCertHelper.getRootCertificate(rootCertificateAlias); + Date validationDate = mTestCertHelper.getValidationDate(rootCertificateAlias); try { - sigXml.verifyFileSignature(rootCert, recoveryServiceCertFile); + sigXml.verifyFileSignature(rootCert, recoveryServiceCertFile, validationDate); } catch (CertValidationException e) { - Log.d(TAG, "The signature over the cert file is invalid." + Log.e(TAG, "The signature over the cert file is invalid." + " Cert: " + HexDump.toHexString(recoveryServiceCertFile) + " Sig: " + HexDump.toHexString(recoveryServiceSigFile)); throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); @@ -601,8 +604,9 @@ public class RecoverableKeyStoreManager { } try { - CertUtils.validateCertPath( - mTestCertHelper.getRootCertificate(rootCertificateAlias), certPath); + Date validationDate = mTestCertHelper.getValidationDate(rootCertificateAlias); + CertUtils.validateCertPath(mTestCertHelper.getRootCertificate(rootCertificateAlias), + certPath, validationDate); } catch (CertValidationException e) { Log.e(TAG, "Failed to validate the given cert path", e); throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage()); diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/TestOnlyInsecureCertificateHelper.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/TestOnlyInsecureCertificateHelper.java index c963f799245f..4a1cae2037f9 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/TestOnlyInsecureCertificateHelper.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/TestOnlyInsecureCertificateHelper.java @@ -29,6 +29,7 @@ import android.util.Pair; import com.android.internal.widget.LockPatternUtils; import java.security.cert.X509Certificate; +import java.util.Date; import java.util.HashMap; import java.util.Map; 
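Review bot: The `Log.e` call in the -348 hunk's `catch` drops the exception, unlike the `CertValidationException` handlers in the -272 and -601 hunks, which pass `e` as the third argument; the reason the signature was rejected therefore never reaches the log. Raising the level from debug to error also means the hex dump of the whole certificate file and signature file is written for every rejected input. Consider `Log.e(TAG, "The signature over the cert file is invalid.", e);` and keeping the two `HexDump.toHexString(...)` values in a separate `Log.d` line.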
@@ -67,6 +68,18 @@ public class TestOnlyInsecureCertificateHelper { return rootCertificate; } + /** + * Returns hardcoded validation date for e2e tests. + */ + public @Nullable Date getValidationDate(String rootCertificateAlias) { + if (isTestOnlyCertificateAlias(rootCertificateAlias)) { + // Certificate used for e2e test is expired. + return new Date(2019 - 1900, 1, 30); + } else { + return null; // Use current time + } + } + public @NonNull String getDefaultCertificateAliasIfEmpty( @Nullable String rootCertificateAlias) { if (rootCertificateAlias == null || rootCertificateAlias.isEmpty()) { diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/CertUtils.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/CertUtils.java index 26e82704b357..088127526d18 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/CertUtils.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/CertUtils.java @@ -305,12 +305,13 @@ public final class CertUtils { * * @param trustedRoot the trusted root certificate * @param certPath the certificate path to be validated + * @param validationDate use null for current time * @throws CertValidationException if the given certificate path is invalid, e.g., is expired, * or does not have a valid signature */ - public static void validateCertPath(X509Certificate trustedRoot, CertPath certPath) - throws CertValidationException { - validateCertPath(/*validationDate=*/ null, trustedRoot, certPath); + public static void validateCertPath(X509Certificate trustedRoot, CertPath certPath, + @Nullable Date validationDate) throws CertValidationException { + validateCertPath(validationDate, trustedRoot, certPath); } /** 
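Review bot: `new Date(2019 - 1900, 1, 30)` in `getValidationDate` does not produce 30 January 2019. The month argument of this deprecated constructor is zero-based, so `1` is February, and day 30 of February 2019 rolls over to 2 March 2019, interpreted in the device's default time zone. If 30 January was intended, the call should be `new Date(2019 - 1900, 0, 30)`; either way the comment should state the exact date, which must fall inside the validity window of the expired test certificate. Because a non-null result makes the callers check validity at that fixed date instead of now, the Javadoc should also say that this happens only for the alias accepted by `isTestOnlyCertificateAlias`, whose body is outside the hunk.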
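Review bot: The new public `validateCertPath(trustedRoot, certPath, validationDate)` takes the same three arguments as the overload it delegates to, `validateCertPath(validationDate, trustedRoot, certPath)`, only in a different order, which makes call sites easy to misread. The added doc line `use null for current time` also does not say when a non-null date is acceptable, although any caller can now pin validation to a date at which an expired certificate was still valid. Suggest `@param validationDate date at which validity is checked; must be null (current time) except for the test-only root certificate`. The same applies to `CertXml.getRandomEndpointCert` and `SigXml.verifyFileSignature`, where this commit also exposes the date on the public method.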
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/CertXml.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/CertXml.java index ff22a8dc934f..d159a84f0468 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/CertXml.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/CertXml.java @@ -76,15 +76,16 @@ public final class CertXml { * and returns the certificate path including the chosen certificate if it is valid. * * @param trustedRoot the trusted root certificate + * @param validationDate use null for current time * @return the certificate path including the chosen certificate if the certificate is valid * @throws CertValidationException if the chosen certificate cannot be validated based on the * trusted root certificate */ - public CertPath getRandomEndpointCert(X509Certificate trustedRoot) - throws CertValidationException { + public CertPath getRandomEndpointCert(X509Certificate trustedRoot, + @Nullable Date validationDate)throws CertValidationException { return getEndpointCert( new SecureRandom().nextInt(this.endpointCerts.size()), - /*validationDate=*/ null, + validationDate, trustedRoot); } diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/SigXml.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/SigXml.java index e75be8574254..c3f4f55b2dd7 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/SigXml.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/certificate/SigXml.java 
@@ -18,7 +18,7 @@ package com.android.server.locksettings.recoverablekeystore.certificate; import android.annotation.Nullable; -import com.android.internal.annotations.VisibleForTesting; +import org.w3c.dom.Element; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -26,8 +26,6 @@ import java.util.Collections; import java.util.Date; import java.util.List; -import org.w3c.dom.Element; - /** * Parses and holds the XML file containing the signature of the XML file containing the list of THM * public-key certificates. @@ -58,17 +56,13 @@ public final class SigXml { * * @param trustedRoot the trusted root certificate * @param signedFileBytes the original file content that has been signed + * @param validationDate use null for current time + * * @throws CertValidationException if the signature verification fails, or the signer's * certificate contained in this XML file cannot be validated * based on the trusted root certificate */ - public void verifyFileSignature(X509Certificate trustedRoot, byte[] signedFileBytes) - throws CertValidationException { - verifyFileSignature(trustedRoot, signedFileBytes, /*validationDate=*/ null); - } - - @VisibleForTesting - void verifyFileSignature( + public void verifyFileSignature( X509Certificate trustedRoot, byte[] signedFileBytes, @Nullable Date validationDate) throws CertValidationException { CertUtils.validateCert(validationDate, trustedRoot, intermediateCerts, signerCert); |