/*
|
* Copyright (C) 2012 The Android Open Source Project
|
*
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
* you may not use this file except in compliance with the License.
|
* You may obtain a copy of the License at
|
*
|
* http://www.apache.org/licenses/LICENSE-2.0
|
*
|
* Unless required by applicable law or agreed to in writing, software
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
* See the License for the specific language governing permissions and
|
* limitations under the License.
|
*/
|
|
package com.android.server;
|
|
import android.content.Context;
|
import android.content.ContentResolver;
|
import android.database.ContentObserver;
|
import android.os.Binder;
|
import android.os.FileUtils;
|
import android.provider.Settings;
|
import android.util.Slog;
|
|
import java.io.File;
|
import java.io.FileOutputStream;
|
import java.io.IOException;
|
|
import libcore.io.IoUtils;
|
|
/**
|
* <p>CertBlacklister provides a simple mechanism for updating the platform blacklists for SSL
|
* certificate public keys and serial numbers.
|
*/
|
public class CertBlacklister extends Binder {
|
|
private static final String TAG = "CertBlacklister";
|
|
private static final String BLACKLIST_ROOT = System.getenv("ANDROID_DATA") + "/misc/keychain/";
|
|
public static final String PUBKEY_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt";
|
public static final String SERIAL_PATH = BLACKLIST_ROOT + "serial_blacklist.txt";
|
|
public static final String PUBKEY_BLACKLIST_KEY = "pubkey_blacklist";
|
public static final String SERIAL_BLACKLIST_KEY = "serial_blacklist";
|
|
private static class BlacklistObserver extends ContentObserver {
|
|
private final String mKey;
|
private final String mName;
|
private final String mPath;
|
private final File mTmpDir;
|
private final ContentResolver mContentResolver;
|
|
public BlacklistObserver(String key, String name, String path, ContentResolver cr) {
|
super(null);
|
mKey = key;
|
mName = name;
|
mPath = path;
|
mTmpDir = new File(mPath).getParentFile();
|
mContentResolver = cr;
|
}
|
|
@Override
|
public void onChange(boolean selfChange) {
|
super.onChange(selfChange);
|
writeBlacklist();
|
}
|
|
public String getValue() {
|
return Settings.Secure.getString(mContentResolver, mKey);
|
}
|
|
private void writeBlacklist() {
|
new Thread("BlacklistUpdater") {
|
public void run() {
|
synchronized(mTmpDir) {
|
String blacklist = getValue();
|
if (blacklist != null) {
|
Slog.i(TAG, "Certificate blacklist changed, updating...");
|
FileOutputStream out = null;
|
try {
|
// create a temporary file
|
File tmp = File.createTempFile("journal", "", mTmpDir);
|
// mark it -rw-r--r--
|
tmp.setReadable(true, false);
|
// write to it
|
out = new FileOutputStream(tmp);
|
out.write(blacklist.getBytes());
|
// sync to disk
|
FileUtils.sync(out);
|
// atomic rename
|
tmp.renameTo(new File(mPath));
|
Slog.i(TAG, "Certificate blacklist updated");
|
} catch (IOException e) {
|
Slog.e(TAG, "Failed to write blacklist", e);
|
} finally {
|
IoUtils.closeQuietly(out);
|
}
|
}
|
}
|
}
|
}.start();
|
}
|
}
|
|
public CertBlacklister(Context context) {
|
registerObservers(context.getContentResolver());
|
}
|
|
private BlacklistObserver buildPubkeyObserver(ContentResolver cr) {
|
return new BlacklistObserver(PUBKEY_BLACKLIST_KEY,
|
"pubkey",
|
PUBKEY_PATH,
|
cr);
|
}
|
|
private BlacklistObserver buildSerialObserver(ContentResolver cr) {
|
return new BlacklistObserver(SERIAL_BLACKLIST_KEY,
|
"serial",
|
SERIAL_PATH,
|
cr);
|
}
|
|
private void registerObservers(ContentResolver cr) {
|
// set up the public key blacklist observer
|
cr.registerContentObserver(
|
Settings.Secure.getUriFor(PUBKEY_BLACKLIST_KEY),
|
true,
|
buildPubkeyObserver(cr)
|
);
|
|
// set up the serial number blacklist observer
|
cr.registerContentObserver(
|
Settings.Secure.getUriFor(SERIAL_BLACKLIST_KEY),
|
true,
|
buildSerialObserver(cr)
|
);
|
}
|
}
|
