From 348fc4867e1ab474492b540e27e25b5df26fecb1 Mon Sep 17 00:00:00 2001
From: Geoffrey Borggaard <geoffreyb@google.com>
Date: Thu, 8 Aug 2013 14:32:39 -0400
Subject: [PATCH] Notify the users if a user installed SSL CA Cert is present.

Adds a tile to quick settings when a cert is present.  Message varies
depending on if this device is managed or a consumer device.
Bug: 10105918
Change-Id: Ifbe78c10638ef6e2a4661e8d18b44b8913a2cf9d
---
 .../drawable-hdpi/ic_qs_certificate_info.png  | Bin 0 -> 1241 bytes
 .../drawable-mdpi/ic_qs_certificate_info.png  | Bin 0 -> 918 bytes
 .../drawable-xhdpi/ic_qs_certificate_info.png | Bin 0 -> 3393 bytes
 packages/SystemUI/res/values/strings.xml      |  16 ++++
 .../statusbar/phone/QuickSettings.java        |  89 ++++++++++++++++++
 .../statusbar/phone/QuickSettingsModel.java   |  23 +++++
 6 files changed, 128 insertions(+)
 create mode 100644 packages/SystemUI/res/drawable-hdpi/ic_qs_certificate_info.png
 create mode 100644 packages/SystemUI/res/drawable-mdpi/ic_qs_certificate_info.png
 create mode 100644 packages/SystemUI/res/drawable-xhdpi/ic_qs_certificate_info.png

diff --git a/packages/SystemUI/res/drawable-hdpi/ic_qs_certificate_info.png b/packages/SystemUI/res/drawable-hdpi/ic_qs_certificate_info.png
new file mode 100644
index 0000000000000000000000000000000000000000..b1e0ff4d19587a21961378525ea27f6e56178254
GIT binary patch
literal 1241
zcmeAS@N?(olHy`uVBq!ia0vp^1|ZDA3?vioaBc-sEa{HEjtmSN`?>!lvI6;x#X;^)
z4C~IxyaaL-l0AZa85pY67#JE_7#My5g&JNkFq8sKd6mGxU^Rn*LA+qju0R{0KB)ko
z5Lcjr|Dym~2yAvMSON^4*peW>U<L*zHg;w?v%tdki2^>Id!PU1kJ$R>r|s%bU#{<%
z+fl-ob?4EnBm)kSk8ioA9r57&@oTxx@5z#kccpB&%~e^#58j?CWU^WGh04Nh+iO_G
z1ZDRHsV&>n@NA>;!*%s0mWh%;ix`u<-CY>}GwI#~aySb-B8!2v2N=7Z%(eqM!Nt?X
zF~sBe+G&;1w;TkHZEif#>#4$-zJp0nARs{VTGzI)+n1bg-#YxO?*ICWQ!;LxUFPts
z<o~U?bMNOpyD^jF(0_?1g*oeV-4<Q!*dgfLu|>37ebUMhBf<V$&((s@kCdqG*42*S
zalLmg?UMF7MVGrLPjbilUf+7u<=op9^~xP7Pq_R1HioR5adlOs=Jc*}n<kj62vyXq
zy;tyUcG&9N-F};H>#ly;A@w!tfNIM1Hw>|-UsTG!^{HyR%4+pY@8Q?)B^rMZPS|)c
zl83#P_1C=l3Z}*K?28Sb3%MJ}$tK)iV<_#iM!cY+MCJuwQB6sQQ|uCR^<%~vi!~RX
zTl!Av^2D}dCtIwX&ocl081%H#y6o4ZoX-B=4so$@j%l(b>{q5f{@mR?ef<hy_Slj%
z@75B&4Q(O?FOU5GD$2^Et1$iBw3*o^ytkH_=ifhjfAyA!Zo=1Rs!!d#hH16C^|Qmr
zUw)bF;aw#*<;~<!^X(ejBFu~5w{Pj%vA1&0@sugI_U-VPbi(VF>IuVe7d!14w|&;^
ztJ%Bz_c9};YChF>Oi4^DHW=>v!}n)LlFJe%m6**+o*8P~fA+A~{bUGsHrh19E%?If
zLskweUU|6w=jHh8$>_$;=)L&=j;%TCncr-B9#(XUwU7P90oEmM3=T`(96o(ym|Rm+
zRm?E^-XG>q%=_4n*ayBl`g5K}ILorm_V$_SqVX&(Cq0!zW^%@#aGHMV!%>Txo!_NS
z{awb}nipBTJ@st(HXX&9V4nMBv1&fa-xtX|x_&U(?0TGW9kZK#Z?F5(ZS#Q%OSQx`
zq9i4;B-JXpC>2OC7#SEE>l#?-8d!!HSX!AHSs9t=8kkra7<BDDkdC4uH$NpatrE9}
U-w!Ho12r&sy85}Sb4q9e0D?cJNdN!<

literal 0
HcmV?d00001

diff --git a/packages/SystemUI/res/drawable-mdpi/ic_qs_certificate_info.png b/packages/SystemUI/res/drawable-mdpi/ic_qs_certificate_info.png
new file mode 100644
index 0000000000000000000000000000000000000000..d7104c5a9997e524e9d7491db3edfbcf90b96739
GIT binary patch
literal 918
zcmeAS@N?(olHy`uVBq!ia0vp^3LwnE3?yBabR7dyEa{HEjtmSN`?>!lvI6;x#X;^)
z4C~IxyacIC_6YK2V5m}KU}$JzVE6?TYIwoGP-?)y@G60U!D<ErgLuK5U4b@0iF*M)
zA+A9B|L_H$W)^k<edt*d<QL4qz{;f%(l~D|i`m3mKYocdJo#|AD=R`{)1Qxv9R-;V
zTnXY7-+0KF`5%Y*<6yT{3$z!de12x9cvIF%$h0au!yz;F(N#-s87cM&hl;KN4P{L7
zc6VX?&!l?~$l)yTh%5%u9$@TtGTRQQAkfprF~s8Z)X6WMnj8cgWG8sD2nvWg3hIAa
z@#ccw=H1W!#%nY^jqqLh*VOv++jFs6f1fiL=$vMd*<h5~C+-sXV5iaM^9>;rS92{|
zrKA<QQ|aKj`=)FAb|sqWtWK1&y0$gyp0LB_tJ|#mZu3sPP&&8oZl0;J(w6TRUjLqX
z=zaB#(;N~!g(l1P%k&pmC`irt&?tV}@ss~90pYj>zDZ2WjH~7Lw;z3Zvr^~aoq4{=
zfs+b7{~SL0^s1@gU)58An>Iwf=Hq0@6Wd<y!r~skUa29N=lk?mP1zcE{BIptJTryi
z`yXe^i3eTmOc<0OsQK;?Y<V~7G+XNi%>!MlroNJ6uALpH6Pog$DL_x7VaI}|GmM@S
zLS~6LTw20Cm2s!jQ}4f17&BL{Otam;XWv^h?VRn?w*CJ5_;dF9yRFQ@Hbp5J)7jg%
zRlMmIS9j`LFZZz|r;>k8ex;QzgUZ2<Z@^GiEpd$~Nl7e8wMs5Z1yT$~28PDE1{S&o
ymLUd~R;ET)MkcxjCRPRpU3(9tqiD#@PsvQH#I51?gNoZg4Gf;HelF{r5}E+6n&j;O

literal 0
HcmV?d00001

diff --git a/packages/SystemUI/res/drawable-xhdpi/ic_qs_certificate_info.png b/packages/SystemUI/res/drawable-xhdpi/ic_qs_certificate_info.png
new file mode 100644
index 0000000000000000000000000000000000000000..1bb29027b4bfee5571c595afdf347049747a7025
GIT binary patch
literal 3393
zcmV-H4ZiY;P)<h;3K|Lk000e1NJLTq002M$002M;1^@s6s%dfF000U>X+uL$Nkc;*
zP;zf(X>4Tx07wm;mUmQB*%pV-y*Itk5+Wca^cs2zAksTX6$DX<Nq|rShJ+?|L<L3^
z5h+$=RKNj8hazJ|6bplbV%G`s5KzX!QA9=M-HdAq@2xfS-kSZ#S>M^`x7XQc?|s+0
z08spb1j2M!0f022SQPH-!CVp(%f$Br7!UytSOLJ{W@ZFO_(THK{JlMynW#v{v-a*T
zfMmPdEWc1DbJqWVks>!kBnAKqMb$PuekK>?0+ds;#ThdH1j_W4DKdsJG8Ul;qO2n0
z#IJ1jr{*iW$(WZW<e?f_&KbNko{YOt-kK%hql^ThT$m-`XQO-vWxZ5MngHeZDAUvU
zoJ;^P6q#Sl=O&?Si84hL8SaVl0ssh<#5ufj4vYCYXr2Igrf1}e1c^yvrV-beY31n1
zX8Q57Q~6>sE0n`c;fQ!l&-AnmjxZO1uWyz`0VP>&nP`#itsL#`S=Q!g`M=rU9)45(
zJ;-|dRq-b5&z?byo>|{)?5r=n76A4nTALlSzLiw~v~31J<>9PP?;rs31pu_(obw)r
zY+jPY;tVGXi|p)da{-@gE-UCa`=5eu%D;v=_nFJ?`&K)q7e9d`Nfk3?MdhZarb|T3
z%nS~f&t(1g5dY)AIcd$w!z`Siz!&j_=v7hZlnI21XuE|xfmo0(WD10T)!}~_HYW!e
zew}L+XmwuzeT6wtxJd`dZ#@7*BLgIEKY9Xv>st^p3dp{^Xswa2bB{85{^$B13tWnB
z;Y>jyQ|9&zk7RNsqAVGs--K+z0uqo1bf5|}fi5rtEMN^BfHQCd-XH*kfJhJnmIE$G
z0%<@5vOzxB0181d*a3EfYH$G5fqKvcPJ%XY23!PJzzuK<41h;K3WmW;Fah3yX$XSw
z5EY_9s*o0>51B&N5F1(uc|$=^I1~fLLy3?Ol0f;;Ca4%HgQ}rJP(Ab`bQ-z{U4#0d
z2hboi2K@njgb|nm(_szR0JebHusa+GN5aeCM0gdP2N%HG;Yzp`J`T6S7vUT504#-H
z!jlL<$Or?`Mpy_N@kBz9SR?@vA#0H$qyni$nvf2p8@Y{0k#Xb$28W?xm>3qu8RLgp
zjNxKdVb)?wFx8l2m{v>|<~C*!GlBVnrDD~wrdTJeKXwT=5u1%I#8zOBU|X=4u>;s)
z>^mF|$G{ol9B_WP7+f-LHLe7=57&&lfa}8z;U@8Tyei%l?}87(bMRt(A-)QK9Dg3)
zj~~XrCy)tR1Z#p1A(kK{Y$Q|=8VKhI{e%(1G*N-5Pjn)N5P8I0VkxnX*g?EW941ba
z6iJ387g8iCnY4jaNopcpCOsy-A(P2EWJhusSwLP-t|XrzUnLKcKTwn?CKOLf97RIe
zPB}`sKzTrUL#0v;sBY9)s+hW+T2H-1eM)^VN0T#`^Oxhvt&^*fYnAJldnHel*Ozyf
zUoM{~Um<@={-*r60#U(0!Bc^wuvVc);k3d%g-J!4qLpHZVwz%!VuRu}#Ze`^l7W)9
z5>Kf>>9Eozr6C$Z)1`URxU@~QI@)F0FdauXr2Es8>BaOP=)Lp_WhG@><tXJG<r?L)
z%2EcxFktvIQW>R;lZ?BJkMlI<xzFRz+cvLhUjMu)mH8@eDtwh9m1dOzm5-`SRd3Z4
z)t#zss!!A~Y9?x7YT0W0)h?@z&!^9Kp3j|MH2>uMhw8ApiF&yDYW2hFJ?fJhni{?u
z85&g@mo&yT8JcdI$(rSw=QPK(Xj%)k1X|@<=e1rim6`6$RAwc!i#egKuI;BS(LSWz
zt39n_sIypSqfWEV6J3%nTQ@<sT(?tqLQhLCSTA3%QSYHXQJ<}!q`ybMTYt*H&>-4i
zi$R;gsG*9XzhRzXqv2yCs*$VFDx+GXJH|L;wsDH_KI2;^u!)^Xl1YupO;gy^-c(?^
z&$Q1BYvyPsG^;hc$D**@Sy`+`)}T4VJji^bd7Jqw3q6Zii=7tT7GEswEK@D(EFW1Z
zSp`^awCb?>!`j4}Yh7b~$A)U-W3$et-R8BesV(1jzwLcHnq9En7Q0Tn&-M=XBKs!$
zF$X<|c!#|X_t<oHD7%Dx)e-CH;keH6jN=C<dnd8eNvGePS<WfW4bGzr3>WYh)GZit
z(Q)Cp9CDE^WG;+fcyOWARoj*0TI>4EP1lX*cEoMO-Pk?Z{kZ!p4@(b`M~lalr<3Oz
z&kJ6Nm#<fmSFg8{_hRpA@25UGK8Ze!J`=unzN>vN_+kA5{dW4@^Vjg_`q%qU1ULk&
z3Fr!>1V#i_2R;ij2@(Z$1jE4r!MlPVFVbHmT+|i<Li|H^g**v03|$raa~LixG^{4<
zdAL=0et35TEn-DPL&UpCkI2%<M~jUXOBQ!V$w$RS)kjT5dqtN;OP5$IS+nFuj9QE!
zracxP8x?ybc5<or(%nmk<Lu%J<L)jqT$Z!!+H$q!smsr<kYB-BaVj1gA06Ki|A`aA
zspU+r^k2Dm<pkH0yNCOd=f*4NjqzRhW&Du@mxQu}(L|TTU5R5!u1OV1;{s1XwcvHK
zU-E(Esg#hEqbW0~(W%X8gtYjy(?TU-im)qPGd(B0FT*sWFhjb^Y1Qsk6QV%TkxVFa
zS!TPKj{Z#bNQ@+#C4*TDvud*5XGdk9%2CV_=Je#6<ZjCy$@9tkel=z_cXemJcK(L^
z!8Pt{4y}dOu3X!>PIq0wy5aS{>yK?9ZAjVh%SOwMWgFjair&;wpi!{CU}&@N=Eg#~
zLQ&zpEzVmGY{hI9Z0+4<v#n~|mm*%#^<vB7isDZt+>-0xS$$Xe-OToc?Y*V;rTcf_
zb_jRe-RZjXSeas3UfIyD;9afd%<`i0x4T#DzE)vdabOQ=k7SRuGN`h>O0Q~1)u-yD
z>VX=Mn&!Rgd$;YK+Q-}1zu#?t(*cbG#Ronf6db&N$oEidtwC+YVcg-Y!_VuY>bk#Y
ze_ww@?MU&F&qswvrN_dLb=5o6*Egs)ls3YRlE$&)amR1{;Ppd$6RYV^Go!iq1UMl%
z@#4q$AMc(FJlT1QeX8jv{h#)>&{~RGq1N2iiMFIRX?sk2-|2wUogK~{EkB$8eDsX=
znVPf8XG_nK&J~=SIiGia@<PUi@r#KUhdNhuKDxBz(w(lbuHMUmm#<#&xpJx7z5D!C
zm#b&4IbAz_oqfIShW(A!9=o2FU+jKq>9y}|z3FhX{g&gcj=lwb=lWgyFW&aLedUh-
zof`v-2Kw$UzI*>(+&$@i-u=-BsSjR1%z8NeX#HdC<Dw@DPb!|OKdt@M_}6Bsz4Yv$
z*I>`Hh-Z(6xI-`hmHDqv!v)W&&nrf>M(RhcN6(D;jNN*%^u_SYjF;2ng}*8Ow)d6M
ztDk;%`@Lsk$;9w$(d(H%O5UixIr`T2ZRcd@<kNR)@201U-mAVp_JRGO`(yOSk?HJD
z_)nFejX!sM3H<VSCT(Ws-}i*``!YINegFUhyGcYrRCwC$o2_mFK@i8UG!+DiqX{G!
z`V5EQ6-e6z)li8j1_cQkg@6}85j=QY1p?KCC%}=^)U<+TJ55HA$sFw6?H;!<oBR#A
z{or?dJ3F(po>I!YW_bcY00@92RRGmMO;8)uL$&d@8a{I|0Lq{aXb$>R`sEYrbg&Jl
z0AxWe&`OyrD{M2HW&k-*AGA~U$`1R;r42v>wAJ_nU!V<W37Ue2s44!o!DmjDE%teK
z0D1gYkChM508|BKG}_GIvjePqtjuu?X93_JdFwx*F{otVEtRmXpChxuPZ~fS^vw)r
z51N3A78chcw!LTi{l+mR0^l`Z5Npsw0=D}B`{Llg+6GV$`13OxChCN#odrOs+XCP-
z)BYFKJ>yoki({algKru@o>}nzJAO*Re*TGpu+_B=x}7YT>DE>0aca5&CejFiM!+|p
zHqVY*6B=;=<d~_yHn8A5g5HQK1{TIO^C{%w0O&KTtO-;1&b+M`Lne}1seV)dS;n!M
z7@DrO0C+e?>Of_q0BAAW+oA&iip;jT6$JqG=SKz?tY?e@9jaom{V@|y2nC?byrGhE
zC)QVD#$OHtpu@Pdt_3`)E8PhLfcp3Y2LTLpHby~}X#mqVJh)rX9np>9K71z7ss-Sl
z31ejp56-3)IE*aO@LE9!K#f$|SeTwk0Pt|^hoz<iph+q%9R{!@eKd6dv`M9@!vLnF
zkG2kg9;q~R7{HM9(Gvjj3CJQSW>7XlCji_qTj8pM0IE^9!bvzoNdSoD4B2*vlK>FQ
z9kv}1u?--0K!gj4jU56IJ0vDSQ3;F7!HCtPF&hA^9F1N5;b_pt=&Fv#B|$<`WF$#S
z(&QvjGD52C=#o=q53R#OGg;aXku2@IkSs0f@=7jD$dwtnG!;@;cWq8CP6_}4kZ%0}
X4!+H(+8dxO00000NkvXXu0mjfV19BC

literal 0
HcmV?d00001

diff --git a/packages/SystemUI/res/values/strings.xml b/packages/SystemUI/res/values/strings.xml
index c849aa6d8e96d..fbf0b68505444 100644
--- a/packages/SystemUI/res/values/strings.xml
+++ b/packages/SystemUI/res/values/strings.xml
@@ -506,4 +506,20 @@
 
     <!-- Glyph to be overlaid atop the battery when the level is extremely low. Do not translate. -->
     <string name="battery_meter_very_low_overlay_symbol">!</string>
+
+    <!-- Shows up when there is a user SSL CA Cert installed on the
+         device.  Indicates to the user that SSL traffic can be intercepted.  [CHAR LIMIT=NONE] -->
+    <string name="ssl_ca_cert_warning">Network may be monitored</string>
+    <!-- Button to close the SSL CA cert warning dialog box.  [CHAR LIMIT=NONE] -->
+    <string name="done_button">Done</string>
+    <!-- Title of Dialog warning users of SSL monitoring. [CHAR LIMIT=NONE] -->
+    <string name="ssl_ca_cert_dialog_title">Network Monitoring</string>
+    <!-- Text of message to show to users whose administrator has installed a SSL CA Cert.
+         [CHAR LIMIT=NONE] -->
+    <string name="ssl_ca_cert_info_message">This device is managed by: <xliff:g id="managing_domain">%s</xliff:g>.\n\nYour administrator is capable of monitoring your network activity, including emails, apps, and secure websites.\n\nFor more information,contact your administrator.</string>
+    <!-- Text of warning to show to users that have a SSL CA Cert installed.  [CHAR LIMIT=NONE] -->
+    <string name="ssl_ca_cert_warning_message">A third party is capable of monitoring your network\nactivity, including emails, apps, and secure websites.\n\nA trusted credential installed on your device is making this possible.</string>
+    <!-- Label on button that will take the user to the Trusted Credentials settings page.
+         [CHAR LIMIT=NONE]-->
+    <string name="ssl_ca_cert_settings_button">Check trusted credentials</string>
 </resources>
diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/phone/QuickSettings.java b/packages/SystemUI/src/com/android/systemui/statusbar/phone/QuickSettings.java
index 5f034a8c752c1..b9c6fef9c5d78 100644
--- a/packages/SystemUI/src/com/android/systemui/statusbar/phone/QuickSettings.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/phone/QuickSettings.java
@@ -20,6 +20,7 @@ import android.app.ActivityManagerNative;
 import android.app.AlertDialog;
 import android.app.Dialog;
 import android.app.PendingIntent;
+import android.app.admin.DevicePolicyManager;
 import android.bluetooth.BluetoothAdapter;
 import android.content.BroadcastReceiver;
 import android.content.ComponentName;
@@ -49,6 +50,7 @@ import android.provider.ContactsContract;
 import android.provider.ContactsContract.CommonDataKinds.Phone;
 import android.provider.ContactsContract.Profile;
 import android.provider.Settings;
+import android.security.KeyChain;
 import android.util.Log;
 import android.util.Pair;
 import android.view.LayoutInflater;
@@ -89,6 +91,7 @@ class QuickSettings {
     private ViewGroup mContainerView;
 
     private DisplayManager mDisplayManager;
+    private DevicePolicyManager mDevicePolicyManager;
     private WifiDisplayStatus mWifiDisplayStatus;
     private PhoneStatusBar mStatusBarService;
     private BluetoothState mBluetoothState;
@@ -100,6 +103,7 @@ class QuickSettings {
     private LocationController mLocationController;
 
     private AsyncTask<Void, Void, Pair<String, Drawable>> mUserInfoTask;
+    private AsyncTask<Void, Void, Pair<Boolean, Boolean>> mQueryCertTask;
 
     private LevelListDrawable mBatteryLevels;
     private LevelListDrawable mChargingBatteryLevels;
@@ -116,6 +120,8 @@ class QuickSettings {
 
     public QuickSettings(Context context, QuickSettingsContainerView container) {
         mDisplayManager = (DisplayManager) context.getSystemService(Context.DISPLAY_SERVICE);
+        mDevicePolicyManager
+            = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
         mContext = context;
         mContainerView = container;
         mModel = new QuickSettingsModel(context);
@@ -137,6 +143,7 @@ class QuickSettings {
         filter.addAction(BluetoothAdapter.ACTION_STATE_CHANGED);
         filter.addAction(Intent.ACTION_USER_SWITCHED);
         filter.addAction(Intent.ACTION_CONFIGURATION_CHANGED);
+        filter.addAction(KeyChain.ACTION_STORAGE_CHANGED);
         mContext.registerReceiver(mReceiver, filter);
 
         IntentFilter profileFilter = new IntentFilter();
@@ -181,6 +188,26 @@ class QuickSettings {
         rotationLockController.addRotationLockControllerCallback(mModel);
     }
 
+    private void queryForSslCaCerts() {
+        mQueryCertTask = new AsyncTask<Void, Void, Pair<Boolean, Boolean>>() {
+            @Override
+            protected Pair<Boolean, Boolean> doInBackground(Void... params) {
+                boolean hasCert = mDevicePolicyManager.hasAnyCaCertsInstalled();
+                boolean isManaged = mDevicePolicyManager.getDeviceOwner() != null;
+
+                return Pair.create(hasCert, isManaged);
+            }
+            @Override
+            protected void onPostExecute(Pair<Boolean, Boolean> result) {
+                super.onPostExecute(result);
+                boolean hasCert = result.first;
+                boolean isManaged = result.second;
+                mModel.setSslCaCertWarningTileInfo(hasCert, isManaged);
+            }
+        };
+        mQueryCertTask.execute();
+    }
+
     private void queryForUserInformation() {
         Context currentUserContext = null;
         UserInfo userInfo = null;
@@ -254,6 +281,7 @@ class QuickSettings {
         addTemporaryTiles(mContainerView, inflater);
 
         queryForUserInformation();
+        queryForSslCaCerts();
         mTilesSetUp = true;
     }
 
@@ -721,6 +749,25 @@ class QuickSettings {
         });
         parent.addView(imeTile);
         */
+
+        // SSL CA Cert Warning.
+        final QuickSettingsBasicTile sslCaCertWarningTile = new QuickSettingsBasicTile(mContext);
+        sslCaCertWarningTile.setOnClickListener(new View.OnClickListener() {
+            @Override
+            public void onClick(View v) {
+                collapsePanels();
+                showSslCaCertWarningDialog();
+            }
+        });
+
+        sslCaCertWarningTile.setImageResource(
+                com.android.internal.R.drawable.indicator_input_error);
+        sslCaCertWarningTile.setTextResource(R.string.ssl_ca_cert_warning);
+
+        mModel.addSslCaCertWarningTile(sslCaCertWarningTile,
+                new QuickSettingsModel.BasicRefreshCallback(sslCaCertWarningTile)
+                        .setShowWhenEnabled(true));
+        parent.addView(sslCaCertWarningTile);
     }
 
     void updateResources() {
@@ -777,6 +824,45 @@ class QuickSettings {
         dialog.show();
     }
 
+    private void showSslCaCertWarningDialog() {
+        final AlertDialog.Builder builder = new AlertDialog.Builder(mContext);
+        builder.setTitle(R.string.ssl_ca_cert_dialog_title);
+        builder.setCancelable(true);
+        final boolean hasDeviceOwner = mDevicePolicyManager.getDeviceOwner() != null;
+        int buttonLabel;
+        if (hasDeviceOwner) {
+            // Institutional case.  Show informational message.
+            String message = mContext.getResources().getString(R.string.ssl_ca_cert_info_message,
+                    mDevicePolicyManager.getDeviceOwnerName());
+            builder.setMessage(message);
+            buttonLabel = R.string.done_button;
+        } else {
+            // Consumer case.  Show scary warning.
+            builder.setMessage(R.string.ssl_ca_cert_warning_message);
+            buttonLabel = R.string.ssl_ca_cert_settings_button;
+        }
+
+        builder.setPositiveButton(buttonLabel, new OnClickListener() {
+            @Override
+            public void onClick(DialogInterface dialog, int which) {
+                // do something.
+                if (hasDeviceOwner) {
+                    // Close
+                } else {
+                    startSettingsActivity("com.android.settings.TRUSTED_CREDENTIALS_USER");
+                }
+            }
+        });
+
+        final Dialog dialog = builder.create();
+        dialog.getWindow().setType(WindowManager.LayoutParams.TYPE_SYSTEM_ALERT);
+        try {
+            WindowManagerGlobal.getWindowManagerService().dismissKeyguard();
+        } catch (RemoteException e) {
+        }
+        dialog.show();
+    }
+
     private void updateWifiDisplayStatus() {
         mWifiDisplayStatus = mDisplayManager.getWifiDisplayStatus();
         applyWifiDisplayStatus();
@@ -801,6 +887,7 @@ class QuickSettings {
         }
         if (mTilesSetUp) {
             queryForUserInformation();
+            queryForSslCaCerts();
         }
     }
 
@@ -829,6 +916,8 @@ class QuickSettings {
                 if (mUseDefaultAvatar) {
                     queryForUserInformation();
                 }
+            } else if (KeyChain.ACTION_STORAGE_CHANGED.equals(action)) {
+                queryForSslCaCerts();
             }
         }
     };
diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/phone/QuickSettingsModel.java b/packages/SystemUI/src/com/android/systemui/statusbar/phone/QuickSettingsModel.java
index 02a3690e33424..98e480aa588b2 100644
--- a/packages/SystemUI/src/com/android/systemui/statusbar/phone/QuickSettingsModel.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/phone/QuickSettingsModel.java
@@ -263,6 +263,10 @@ class QuickSettingsModel implements BluetoothStateChangeCallback,
     private RefreshCallback mSettingsCallback;
     private State mSettingsState = new State();
 
+    private QuickSettingsTileView mSslCaCertWarningTile;
+    private RefreshCallback mSslCaCertWarningCallback;
+    private State mSslCaCertWarningState = new State();
+
     private RotationLockController mRotationLockController;
 
     public QuickSettingsModel(Context context) {
@@ -747,4 +751,23 @@ class QuickSettingsModel implements BluetoothStateChangeCallback,
     void refreshBrightnessTile() {
         onBrightnessLevelChanged();
     }
+
+    // SSL CA Cert warning.
+    public void addSslCaCertWarningTile(QuickSettingsTileView view, RefreshCallback cb) {
+        mSslCaCertWarningTile = view;
+        mSslCaCertWarningCallback = cb;
+        // Set a sane default while we wait for the AsyncTask to finish (no cert).
+        setSslCaCertWarningTileInfo(false, true);
+    }
+    public void setSslCaCertWarningTileInfo(boolean hasCert, boolean isManaged) {
+        Resources r = mContext.getResources();
+        mSslCaCertWarningState.enabled = hasCert;
+        if (isManaged) {
+            mSslCaCertWarningState.iconId = R.drawable.ic_qs_certificate_info;
+        } else {
+            mSslCaCertWarningState.iconId = android.R.drawable.stat_notify_error;
+        }
+        mSslCaCertWarningState.label = r.getString(R.string.ssl_ca_cert_warning);
+        mSslCaCertWarningCallback.refreshView(mSslCaCertWarningTile, mSslCaCertWarningState);
+    }
 }