From beae8c67dc15cb084dfbde488db9b2f1dd348683 Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Wed, 6 Mar 2019 14:18:07 -0800
Subject: [PATCH] Fixing engineGetCertificateChain exception
If a certificate is self signed, then currently KeyStore will still attempt to find the CA certificate. When it obviously fails to find it, a key not found exception is propagated up and thrown. This CL suppresses that exception, as it seems to exclusively be thrown in this condition, which is WAI. Having the stack trace show up can be very misleading to developers.
Test: atest cts/tests/tests/keystore/src/android/keystore/cts
Change-Id: I192f54d3d8355c183e830ab09314932e8800f7ed
---
 .../security/keystore/AndroidKeyStoreSpi.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java
index 4c007cb70ba2b..baf50e556019b 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreSpi.java
@@ -16,7 +16,6 @@
 package android.security.keystore;
-import libcore.util.EmptyArray;
 import android.security.Credentials;
 import android.security.GateKeeper;
 import android.security.KeyStore;
@@ -30,6 +29,8 @@ import android.security.keystore.SecureKeyImportUnavailableException;
 import android.security.keystore.WrappedKeyEntry;
 import android.util.Log;
+import libcore.util.EmptyArray;
+
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -115,7 +116,14 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
 final Certificate[] caList;
- final byte[] caBytes = mKeyStore.get(Credentials.CA_CERTIFICATE + alias, mUid);
+ // Suppress the key not found warning for this call. It seems that this error is exclusively
+ // being thrown when there is a self signed certificate chain, so when the keystore service
+ // attempts to query for the CA details, it obviously fails to find them and returns a
+ // key not found exception. This is WAI, and throwing a stack trace here can be very
+ // misleading since the trace is not clear.
+ final byte[] caBytes = mKeyStore.get(Credentials.CA_CERTIFICATE + alias,
+ mUid,
+ true /* suppressKeyNotFoundWarning */);
 if (caBytes != null) {
 final Collection caChain = toCertificates(caBytes);
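Review bot: The `true /* suppressKeyNotFoundWarning */` argument on the new `mKeyStore.get(...)` call is unconditional, so the not-found log is silenced for every alias, while the comment above it only says the miss "seems" to be limited to self-signed chains. If a CA entry is absent for any other reason, the lookup now returns null without leaving a trace, and code that validates the returned chain has no log to explain why it is shorter than expected. Consider passing the flag only when the leaf certificate is known to be self-signed, or keeping a debug-level log line for the null case, and state the assumption plainly in the comment, e.g. `// CA entry is optional: a self-signed chain has none, so a miss here is expected.` The enclosing method starts and ends outside this hunk, so the handling of a null `caBytes` is not visible here.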