From 41d2dd2f266eb8dc50afcda253f04f1c7e9ccc0e Mon Sep 17 00:00:00 2001
From: Bo Zhu
Date: Fri, 30 Mar 2018 12:20:06 -0700
Subject: [PATCH] Expose e.getMessage() from the exceptions in RecoverableKeyStore
Bug: 77327780
Test: runtest frameworks-services -p \ com.android.server.locksettings.recoverablekeystore
Change-Id: Ibf04d6405e6468bfdfef0a8cb8e6e96bffbbf3a2
---
 .../keystore/recovery/RecoveryController.java | 6 +++---
 .../keystore/recovery/RecoverySession.java | 6 +++---
 .../RecoverableKeyStoreManager.java | 18 ++++++------------
 .../RecoverableKeyStoreManagerTest.java | 8 +++++---
 4 files changed, 17 insertions(+), 21 deletions(-)
diff --git a/core/java/android/security/keystore/recovery/RecoveryController.java b/core/java/android/security/keystore/recovery/RecoveryController.java
index a006fa6ab2efe..281822a342f98 100644
--- a/core/java/android/security/keystore/recovery/RecoveryController.java
+++ b/core/java/android/security/keystore/recovery/RecoveryController.java
@@ -43,7 +43,7 @@ import java.util.Map;
 /**
 * Backs up cryptographic keys to remote secure hardware, encrypted with the user's lock screen.
 *
- *

A system app with the {@link android.Manifest#RECOVER_KEYSTORE} permission may generate or
+ *

A system app with the {@code android.permission.RECOVER_KEYSTORE} permission may generate or
 * import recoverable keys using this class. To generate a key, the app must call
 * {@link #generateKey(String)} with the desired alias for the key. This returns an AndroidKeyStore
 * reference to a 256-bit {@link javax.crypto.SecretKey}, which can be used for AES/GCM/NoPadding.
@@ -292,7 +292,7 @@ public class RecoveryController {
 } catch (ServiceSpecificException e) {
 if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT
 || e.errorCode == ERROR_INVALID_CERTIFICATE) {
- throw new CertificateException(e.getMessage());
+ throw new CertificateException("Invalid certificate for recovery service", e);
 }
 throw wrapUnexpectedServiceSpecificException(e);
 }
@@ -338,7 +338,7 @@ public class RecoveryController {
 } catch (ServiceSpecificException e) {
 if (e.errorCode == ERROR_BAD_CERTIFICATE_FORMAT
 || e.errorCode == ERROR_INVALID_CERTIFICATE) {
- throw new CertificateException(e.getMessage());
+ throw new CertificateException("Invalid certificate for recovery service", e);
 }
 throw wrapUnexpectedServiceSpecificException(e);
 }
diff --git a/core/java/android/security/keystore/recovery/RecoverySession.java b/core/java/android/security/keystore/recovery/RecoverySession.java
index 80845d9e04915..835338940905d 100644
--- a/core/java/android/security/keystore/recovery/RecoverySession.java
+++ b/core/java/android/security/keystore/recovery/RecoverySession.java
@@ -102,7 +102,7 @@ public class RecoverySession implements AutoCloseable {
 } catch (ServiceSpecificException e) {
 if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT
 || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) {
- throw new CertificateException(e.getMessage());
+ throw new CertificateException("Invalid certificate for recovery session", e);
 }
 throw mRecoveryController.wrapUnexpectedServiceSpecificException(e);
 }
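Review bot: The fixed text `"Invalid certificate for recovery service"` is identical for both error codes, so a caller that records only `getMessage()` can no longer tell a malformed certificate (`ERROR_BAD_CERTIFICATE_FORMAT`) from one that failed validation (`ERROR_INVALID_CERTIFICATE`); the service's own text is now reachable only through `getCause()`. This applies to the two `RecoveryController` hunks (@@ -292, @@ -338) and the three `RecoverySession` hunks (@@ -102, @@ -137, @@ -191). Keeping the cause is the right call; consider carrying the detail in the message too, e.g. `throw new CertificateException("Invalid certificate for recovery service: " + e.getMessage(), e);`. The enclosing methods begin and end outside these hunks, so whether their `@throws CertificateException` Javadoc mentions the cause cannot be checked from here.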
@@ -137,7 +137,7 @@ public class RecoverySession implements AutoCloseable {
 } catch (ServiceSpecificException e) {
 if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT
 || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) {
- throw new CertificateException(e.getMessage());
+ throw new CertificateException("Invalid certificate for recovery session", e);
 }
 throw mRecoveryController.wrapUnexpectedServiceSpecificException(e);
 }
@@ -191,7 +191,7 @@ public class RecoverySession implements AutoCloseable {
 } catch (ServiceSpecificException e) {
 if (e.errorCode == RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT
 || e.errorCode == RecoveryController.ERROR_INVALID_CERTIFICATE) {
- throw new CertificateException(e.getMessage());
+ throw new CertificateException("Invalid certificate for recovery session", e);
 }
 throw mRecoveryController.wrapUnexpectedServiceSpecificException(e);
 }
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
index ff4c6782accb0..9f6ac10378ba0 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
@@ -227,8 +227,7 @@ public class RecoverableKeyStoreManager {
 certPath = certXml.getRandomEndpointCert(rootCert);
 } catch (CertValidationException e) {
 Log.e(TAG, "Invalid endpoint cert", e);
- throw new ServiceSpecificException(
- ERROR_INVALID_CERTIFICATE, "Failed to validate certificate.");
+ throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage());
 }
 boolean wasInitialized = mDatabase.getRecoveryServiceCertPath(userId, uid,
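Review bot: `new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage())` in the @@ -227 hunk hands the calling app whatever text the certificate helper put in its exception and drops the fixed description of which step failed. Two things are worth checking before relying on it: `getMessage()` is null for an exception constructed without a message, which leaves the caller with the error code alone, and the helper messages now cross the service boundary, so they should not embed anything beyond what the caller itself supplied. A prefixed form keeps the step name and tolerates a null, e.g. `throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, "Failed to validate certificate: " + e.getMessage());`. The same pattern recurs in the later hunks of this file (@@ -249, @@ -281, @@ -293, @@ -471, @@ -537).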
@@ -249,8 +248,7 @@ public class RecoverableKeyStoreManager {
 }
 } catch (CertificateEncodingException e) {
 Log.e(TAG, "Failed to encode CertPath", e);
- throw new ServiceSpecificException(
- ERROR_BAD_CERTIFICATE_FORMAT, "Failed to encode CertPath.");
+ throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());
 }
 }
@@ -281,8 +279,7 @@ public class RecoverableKeyStoreManager {
 } catch (CertParsingException e) {
 Log.d(TAG, "Failed to parse the sig file: " + HexDump.toHexString(
 recoveryServiceSigFile));
- throw new ServiceSpecificException(
- ERROR_BAD_CERTIFICATE_FORMAT, "Failed to parse the sig file.");
+ throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());
 }
 X509Certificate rootCert =
@@ -293,8 +290,7 @@ public class RecoverableKeyStoreManager {
 Log.d(TAG, "The signature over the cert file is invalid."
 + " Cert: " + HexDump.toHexString(recoveryServiceCertFile)
 + " Sig: " + HexDump.toHexString(recoveryServiceSigFile));
- throw new ServiceSpecificException(
- ERROR_INVALID_CERTIFICATE, "The signature over the cert file is invalid.");
+ throw new ServiceSpecificException(ERROR_INVALID_CERTIFICATE, e.getMessage());
 }
 initRecoveryService(rootCertificateAlias, recoveryServiceCertFile);
@@ -471,8 +467,7 @@ public class RecoverableKeyStoreManager {
 try {
 publicKey = KeySyncUtils.deserializePublicKey(verifierPublicKey);
 } catch (InvalidKeySpecException e) {
- throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT,
- "Not a valid X509 key");
+ throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());
 }
 // The raw public key bytes contained in vaultParams must match the ones given in
 // verifierPublicKey; otherwise, the user secret may be decrypted by a key that is not owned
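Review bot: The `CertParsingException` catch in the @@ -281 hunk calls `Log.d` without passing `e`, and the `InvalidKeySpecException` catch in the @@ -471 hunk logs nothing, so after this change the service keeps no record of the cause or its stack trace. The `ServiceSpecificException` is built here from an error code and a string only, so the cause does not travel with it either. Passing the throwable to the existing call, `Log.d(TAG, "Failed to parse the sig file: " + HexDump.toHexString(recoveryServiceSigFile), e);`, and adding a line such as `Log.e(TAG, "Invalid verifier public key", e);` before the throw in @@ -471 would match the `Log.e(TAG, ..., e)` style of the @@ -227 and @@ -249 catches. The @@ -293 hunk shows the same `Log.d` without `e` (its catch line lies outside the hunk), and the @@ -537 catch around `verifierCertPath.getCertPath()` has no log call.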
@@ -537,8 +532,7 @@ public class RecoverableKeyStoreManager {
 try {
 certPath = verifierCertPath.getCertPath();
 } catch (CertificateException e) {
- throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT,
- "Failed decode the certificate path");
+ throw new ServiceSpecificException(ERROR_BAD_CERTIFICATE_FORMAT, e.getMessage());
 }
 try {
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
index f4ec867333ad1..5efe5d2d655ee 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
@@ -18,6 +18,8 @@ package com.android.server.locksettings.recoverablekeystore;
 import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN;
 import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PASSWORD;
+import static android.security.keystore.recovery.RecoveryController.ERROR_BAD_CERTIFICATE_FORMAT;
+import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE;
 import static com.google.common.truth.Truth.assertThat;
 import static org.junit.Assert.assertArrayEquals;
@@ -386,7 +388,7 @@ public class RecoverableKeyStoreManagerTest {
 modifiedCertXml);
 fail("should have thrown");
 } catch (ServiceSpecificException e) {
- assertThat(e.getMessage()).contains("validate cert");
+ assertThat(e.errorCode).isEqualTo(ERROR_INVALID_CERTIFICATE);
 }
 }
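Review bot: The new assertion `assertThat(e.errorCode).isEqualTo(ERROR_INVALID_CERTIFICATE)` in the @@ -386 test hunk checks nothing about the message, so the forwarding of the underlying exception's text that this commit introduces is untested, and a null message would pass. Adding `assertThat(e.getMessage()).isNotNull();` beside the error-code check would pin that without depending on exact wording. The same applies to the @@ -518 and @@ -530 test hunks. The test methods start outside the hunks.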
@@ -518,7 +520,7 @@ public class RecoverableKeyStoreManagerTest {
 getUtf8Bytes("wrong-sig-file-format"));
 fail("should have thrown");
 } catch (ServiceSpecificException e) {
- assertThat(e.getMessage()).contains("parse the sig file");
+ assertThat(e.errorCode).isEqualTo(ERROR_BAD_CERTIFICATE_FORMAT);
 }
 }
@@ -530,7 +532,7 @@ public class RecoverableKeyStoreManagerTest {
 INSECURE_CERTIFICATE_ALIAS, TestData.getCertXml(), TestData.getSigXml());
 fail("should have thrown");
 } catch (ServiceSpecificException e) {
- assertThat(e.getMessage()).contains("signature over the cert file is invalid");
+ assertThat(e.errorCode).isEqualTo(ERROR_INVALID_CERTIFICATE);
 }
 }