Merge "Act on credential storage updates."

Author: Selim Gurun

core/java/android/net/http/CertificateChainValidator.java

@@ -25,15 +25,17 @@
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509TrustManager;
 import org.apache.harmony.security.provider.cert.X509CertImpl;
 import org.apache.harmony.xnet.provider.jsse.SSLParametersImpl;
+import org.apache.harmony.xnet.provider.jsse.TrustManagerImpl;
 
 /**
  * Class responsible for all server certificate validation functionality
  *
  * {@hide}
  */
-class CertificateChainValidator {
+public class CertificateChainValidator {
 
     /**
      * The singleton instance of the certificate chain validator
@@ -121,6 +123,18 @@ public static SslError verifyServerCertificates(
         return verifyServerDomainAndCertificates(serverCertificates, domain, authType);
     }
 
+    /**
+     * Handles updates to credential storage.
+     */
+    public static void handleTrustStorageUpdate() {
+
+        X509TrustManager x509TrustManager = SSLParametersImpl.getDefaultTrustManager();
+        if( x509TrustManager instanceof TrustManagerImpl ) {
+            TrustManagerImpl trustManager = (TrustManagerImpl) x509TrustManager;
+            trustManager.handleTrustStorageUpdate();
+        }
+    }
+
     /**
      * Common code of doHandshakeAndValidateServerCertificates and verifyServerCertificates.
      * Calls DomainNamevalidator to verify the domain, and TrustManager to verify the certs.

core/java/android/webkit/WebView.java

@@ -59,6 +59,7 @@
 import android.os.StrictMode;
 import android.os.SystemClock;
 import android.provider.Settings;
+import android.security.KeyChain;
 import android.speech.tts.TextToSpeech;
 import android.text.Editable;
 import android.text.InputType;
@@ -1303,6 +1304,7 @@ protected WebView(Context context, AttributeSet attrs, int defStyle,
         init();
         setupPackageListener(context);
         setupProxyListener(context);
+        setupTrustStorageListener(context);
         updateMultiTouchSupport(context);
 
         if (privateBrowsing) {
@@ -1312,6 +1314,41 @@ protected WebView(Context context, AttributeSet attrs, int defStyle,
         mAutoFillData = new WebViewCore.AutoFillData();
     }
 
+    private static class TrustStorageListener extends BroadcastReceiver {
+        @Override
+        public void onReceive(Context context, Intent intent) {
+            if (intent.getAction().equals(KeyChain.ACTION_STORAGE_CHANGED)) {
+                handleCertTrustChanged();
+            }
+        }
+    }
+    private static TrustStorageListener sTrustStorageListener;
+
+    /**
+     * Handles update to the trust storage.
+     */
+    private static void handleCertTrustChanged() {
+        // send a message for indicating trust storage change
+        WebViewCore.sendStaticMessage(EventHub.TRUST_STORAGE_UPDATED, null);
+    }
+
+    /*
+     * @param context This method expects this to be a valid context.
+     */
+    private static void setupTrustStorageListener(Context context) {
+        if (sTrustStorageListener != null ) {
+            return;
+        }
+        IntentFilter filter = new IntentFilter();
+        filter.addAction(KeyChain.ACTION_STORAGE_CHANGED);
+        sTrustStorageListener = new TrustStorageListener();
+        Intent current = 
+            context.getApplicationContext().registerReceiver(sTrustStorageListener, filter);
+        if (current != null) {
+            handleCertTrustChanged();
+        }
+    }
+
     private static class ProxyReceiver extends BroadcastReceiver {
         @Override
         public void onReceive(Context context, Intent intent) {

core/java/android/webkit/WebViewCore.java

@@ -26,6 +26,7 @@
 import android.media.MediaFile;
 import android.net.ProxyProperties;
 import android.net.Uri;
+import android.net.http.CertificateChainValidator;
 import android.os.Bundle;
 import android.os.Handler;
 import android.os.Looper;
@@ -767,6 +768,11 @@ public void handleMessage(Message msg) {
                                 Message m = (Message)msg.obj;
                                 m.sendToTarget();
                                 break;
+                            case EventHub.TRUST_STORAGE_UPDATED:
+                                // post a task to network thread for updating trust manager
+                                nativeCertTrustChanged();
+                                CertificateChainValidator.handleTrustStorageUpdate();
+                                break;
                         }
                     }
                 };
@@ -1125,6 +1131,9 @@ public class EventHub {
         static final int SELECT_WORD_AT = 214;
         static final int SELECT_ALL = 215;
 
+        // for updating state on trust storage change
+        static final int TRUST_STORAGE_UPDATED = 220;
+
         // Private handler for WebCore messages.
         private Handler mHandler;
         // Message queue for containing messages before the WebCore thread is
@@ -3077,4 +3086,6 @@ private native void nativeSelectText(int nativeClass,
     private native void nativeClearTextSelection(int nativeClass);
     private native void nativeSelectWordAt(int nativeClass, int x, int y);
     private native void nativeSelectAll(int nativeClass);
+
+    private static native void nativeCertTrustChanged();
 }

keystore/java/android/security/KeyChain.java

@@ -124,7 +124,7 @@ public final class KeyChain {
     public static final String EXTRA_SENDER = "sender";
 
     /**
-     * Action to bring up the CertInstaller
+     * Action to bring up the CertInstaller.
      */
     private static final String ACTION_INSTALL = "android.credentials.INSTALL";
 
@@ -167,6 +167,22 @@ public final class KeyChain {
     // Compatible with old android.security.Credentials.PKCS12
     public static final String EXTRA_PKCS12 = "PKCS12";
 
+
+    /**
+     * @hide TODO This is temporary and will be removed
+     * Broadcast Action: Indicates the trusted storage has changed. Sent when
+     * one of this happens:
+     *
+     * <ul>
+     * <li>a new CA is added,
+     * <li>an existing CA is removed or disabled,
+     * <li>a disabled CA is enabled,
+     * <li>trusted storage is reset (all user certs are cleared),
+     * <li>when permission to access a private key is changed.
+     * </ul>
+     */
+    public static final String ACTION_STORAGE_CHANGED = "android.security.STORAGE_CHANGED";
+
     /**
      * Returns an {@code Intent} that can be used for credential
      * installation. The intent may be used without any extras, in