1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package com.android.server;
18 
19 import android.content.Context;
20 import android.content.ContentResolver;
21 import android.database.ContentObserver;
22 import android.os.Binder;
23 import android.os.FileUtils;
24 import android.provider.Settings;
25 import android.util.Slog;
26 
27 import java.io.File;
28 import java.io.FileOutputStream;
29 import java.io.IOException;
30 
31 import libcore.io.IoUtils;
32 
33 /**
34  * <p>CertBlacklister provides a simple mechanism for updating the platform blacklists for SSL
35  * certificate public keys and serial numbers.
36  */
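public class CertBlacklister extends Binder {

    private static final String TAG = "CertBlacklister";

    // NOTE(review): if ANDROID_DATA is unset this becomes "null/misc/keychain/";
    // the platform is assumed to always export it -- confirm.
    private static final String BLACKLIST_ROOT = System.getenv("ANDROID_DATA") + "/misc/keychain/";

    public static final String PUBKEY_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt";
    public static final String SERIAL_PATH = BLACKLIST_ROOT + "serial_blacklist.txt";

    public static final String PUBKEY_BLACKLIST_KEY = "pubkey_blacklist";
    public static final String SERIAL_BLACKLIST_KEY = "serial_blacklist";

    /**
     * Watches one {@link Settings.Secure} key and mirrors its current value into
     * a file on disk whenever the key changes.
     *
     * <p>The value is written verbatim: nothing here validates that it is a
     * well-formed blacklist, so whoever can write the secure setting fully
     * controls the file contents. Each observer synchronizes its writes on its
     * own {@code mTmpDir} instance, so concurrent updates of the same key are
     * serialized, while different observers (different files) are not.
     */
    private static class BlacklistObserver extends ContentObserver {

        private final String mKey;
        // Informational label only; not currently read after construction.
        private final String mName;
        private final String mPath;
        private final File mTmpDir;
        private final ContentResolver mContentResolver;

        /**
         * @param key  the {@link Settings.Secure} key to observe
         * @param name short human-readable label for this blacklist
         * @param path destination file the setting's value is mirrored to
         * @param cr   resolver used to read the setting
         */
        public BlacklistObserver(String key, String name, String path, ContentResolver cr) {
            // null handler: onChange runs on the caller's thread, which is why
            // writeBlacklist() hands the I/O off to a dedicated thread.
            super(null);
            mKey = key;
            mName = name;
            mPath = path;
            mTmpDir = new File(mPath).getParentFile();
            mContentResolver = cr;
        }

        @Override
        public void onChange(boolean selfChange) {
            super.onChange(selfChange);
            writeBlacklist();
        }

        /** Returns the current value of the observed setting, or null if unset. */
        public String getValue() {
            return Settings.Secure.getString(mContentResolver, mKey);
        }

        /**
         * Writes the setting's current value to {@code mPath} on a background
         * thread, using write-to-temp / fsync / rename so readers never observe
         * a partially written file. A null setting value is a no-op.
         *
         * <p>If the rename fails the previous file is left untouched, the
         * failure is logged, and the temp file is removed; a temp file is also
         * removed when an I/O error interrupts the write.
         */
        private void writeBlacklist() {
            new Thread("BlacklistUpdater") {
                @Override
                public void run() {
                    synchronized (mTmpDir) {
                        String blacklist = getValue();
                        if (blacklist == null) {
                            return;
                        }
                        Slog.i(TAG, "Certificate blacklist changed, updating...");
                        File tmp = null;
                        FileOutputStream out = null;
                        boolean renamed = false;
                        try {
                            // Create the temp file in the destination directory so
                            // the final rename stays within one filesystem.
                            tmp = File.createTempFile("journal", "", mTmpDir);
                            // Mark it -rw-r--r--. The file is deliberately
                            // world-readable; presumably it is consumed from
                            // other uids -- confirm before tightening.
                            if (!tmp.setReadable(true, false)) {
                                Slog.w(TAG, "Failed to mark blacklist temp file readable");
                            }
                            out = new FileOutputStream(tmp);
                            // Explicit charset rather than the platform default;
                            // UnsupportedEncodingException is an IOException.
                            out.write(blacklist.getBytes("UTF-8"));
                            // sync to disk before the rename makes it visible
                            FileUtils.sync(out);
                            // atomic rename; check the result instead of
                            // reporting success unconditionally
                            renamed = tmp.renameTo(new File(mPath));
                            if (renamed) {
                                Slog.i(TAG, "Certificate blacklist updated");
                            } else {
                                Slog.e(TAG, "Failed to write blacklist: could not rename "
                                        + tmp + " to " + mPath);
                            }
                        } catch (IOException e) {
                            Slog.e(TAG, "Failed to write blacklist", e);
                        } finally {
                            IoUtils.closeQuietly(out);
                            // Don't leave stray temp files behind on any failure.
                            if (tmp != null && !renamed) {
                                tmp.delete();
                            }
                        }
                    }
                }
            }.start();
        }
    }

    /**
     * Registers observers for the public-key and serial-number blacklist
     * settings so changes are mirrored to {@link #PUBKEY_PATH} and
     * {@link #SERIAL_PATH}.
     *
     * @param context used only to obtain a {@link ContentResolver}
     */
    public CertBlacklister(Context context) {
        registerObservers(context.getContentResolver());
    }

    private BlacklistObserver buildPubkeyObserver(ContentResolver cr) {
        return new BlacklistObserver(PUBKEY_BLACKLIST_KEY,
                    "pubkey",
                    PUBKEY_PATH,
                    cr);
    }

    private BlacklistObserver buildSerialObserver(ContentResolver cr) {
        return new BlacklistObserver(SERIAL_BLACKLIST_KEY,
                    "serial",
                    SERIAL_PATH,
                    cr);
    }

    /** Subscribes one observer per blacklist key; descendants of each URI are included. */
    private void registerObservers(ContentResolver cr) {
        // set up the public key denylist observer
        cr.registerContentObserver(
            Settings.Secure.getUriFor(PUBKEY_BLACKLIST_KEY),
            true,
            buildPubkeyObserver(cr)
        );

        // set up the serial number denylist observer
        cr.registerContentObserver(
            Settings.Secure.getUriFor(SERIAL_BLACKLIST_KEY),
            true,
            buildSerialObserver(cr)
        );
    }
}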
143