GitLab

Bug: 6369821
Change-Id: Ie038571a5dac1f301c0c3c6fb84df432e67b62c0

Change-Id: Ic6b41eaa665c623f4b050de74a088733308a9857

Change-Id: I16081d9874da72e0aa8d596c65dfd1ad4545b377

Previously the CA certs stored in the BKS KeyStore at
/system/etc/security/cacerts.bks was loaded in the Zygote. As the the
number of CAs are started to increase, this is causing more and more
memory to be used for rarely used CAs. The new AndroidCAStore KeyStore
implementation reads the CAs as needed out of individual PEM
certificate files. The files can be efficiently found because they are
named based on a hash CA's subject name, similar to OpenSSL.

Bug: 1109242

Details:

build

    Removing old cacerts.bks from GRANDFATHERED_ALL_PREBUILT and
    adding new cacerts directory to core PRODUCT_PACKAGES

	core/legacy_prebuilts.mk
	target/product/core.mk

libcore

    cacerts build changes. Move cacerts prebuilt logic to new
    CaCerts.mk from NativeCode.mk where it didn't make sense. Updated
    Android.mk's dalvik-host target to install new cacerts files.

	Android.mk
	CaCerts.mk
	NativeCode.mk

    Remove old cacerts.bks and add remove certimport.sh script used to
    generate it. Preserved the useful comments from certimport.sh in
    the new README.cacerts

	luni/src/main/files/cacerts.bks
	luni/src/main/files/certimport.sh
	luni/src/main/files/README.cacerts

    Recanonicalize cacerts files using updated vendor/google/tools/cacerts/certimport.py
    (See below discussion of certimport.py changes for details)

	luni/src/main/files/cacerts/00673b5b.0
	luni/src/main/files/cacerts/03e16f6c.0
	luni/src/main/files/cacerts/08aef7bb.0
	luni/src/main/files/cacerts/0d188d89.0
	luni/src/main/files/cacerts/10531352.0
	luni/src/main/files/cacerts/111e6273.0
	luni/src/main/files/cacerts/1155c94b.0
	luni/src/main/files/cacerts/119afc2e.0
	luni/src/main/files/cacerts/11a09b38.0
	luni/src/main/files/cacerts/12d55845.0
	luni/src/main/files/cacerts/17b51fe6.0
	luni/src/main/files/cacerts/1920cacb.0
	luni/src/main/files/cacerts/1dac3003.0
	luni/src/main/files/cacerts/1dbdda5b.0
	luni/src/main/files/cacerts/1dcd6f4c.0
	luni/src/main/files/cacerts/1df5ec47.0
	luni/src/main/files/cacerts/1e8e7201.0
	luni/src/main/files/cacerts/1eb37bdf.0
	luni/src/main/files/cacerts/219d9499.0
	luni/src/main/files/cacerts/23f4c490.0
	luni/src/main/files/cacerts/27af790d.0
	luni/src/main/files/cacerts/2afc57aa.0
	luni/src/main/files/cacerts/2e8714cb.0
	luni/src/main/files/cacerts/2fa87019.0
	luni/src/main/files/cacerts/2fb1850a.0
	luni/src/main/files/cacerts/33815e15.0
	luni/src/main/files/cacerts/343eb6cb.0
	luni/src/main/files/cacerts/399e7759.0
	luni/src/main/files/cacerts/3a3b02ce.0
	luni/src/main/files/cacerts/3ad48a91.0
	luni/src/main/files/cacerts/3c58f906.0
	luni/src/main/files/cacerts/3c860d51.0
	luni/src/main/files/cacerts/3d441de8.0
	luni/src/main/files/cacerts/3e7271e8.0
	luni/src/main/files/cacerts/418595b9.0
	luni/src/main/files/cacerts/455f1b52.0
	luni/src/main/files/cacerts/46b2fd3b.0
	luni/src/main/files/cacerts/48478734.0
	luni/src/main/files/cacerts/4d654d1d.0
	luni/src/main/files/cacerts/4e18c148.0
	luni/src/main/files/cacerts/4fbd6bfa.0
	luni/src/main/files/cacerts/5021a0a2.0
	luni/src/main/files/cacerts/5046c355.0
	luni/src/main/files/cacerts/524d9b43.0
	luni/src/main/files/cacerts/56b8a0b6.0
	luni/src/main/files/cacerts/57692373.0
	luni/src/main/files/cacerts/58a44af1.0
	luni/src/main/files/cacerts/594f1775.0
	luni/src/main/files/cacerts/5a3f0ff8.0
	luni/src/main/files/cacerts/5a5372fc.0
	luni/src/main/files/cacerts/5cf9d536.0
	luni/src/main/files/cacerts/5e4e69e7.0
	luni/src/main/files/cacerts/60afe812.0
	luni/src/main/files/cacerts/635ccfd5.0
	luni/src/main/files/cacerts/67495436.0
	luni/src/main/files/cacerts/69105f4f.0
	luni/src/main/files/cacerts/6adf0799.0
	luni/src/main/files/cacerts/6e8bf996.0
	luni/src/main/files/cacerts/6fcc125d.0
	luni/src/main/files/cacerts/72f369af.0
	luni/src/main/files/cacerts/72fa7371.0
	luni/src/main/files/cacerts/74c26bd0.0
	luni/src/main/files/cacerts/75680d2e.0
	luni/src/main/files/cacerts/7651b327.0
	luni/src/main/files/cacerts/76579174.0
	luni/src/main/files/cacerts/7999be0d.0
	luni/src/main/files/cacerts/7a481e66.0
	luni/src/main/files/cacerts/7a819ef2.0
	luni/src/main/files/cacerts/7d3cd826.0
	luni/src/main/files/cacerts/7d453d8f.0
	luni/src/main/files/cacerts/81b9768f.0
	luni/src/main/files/cacerts/8470719d.0
	luni/src/main/files/cacerts/84cba82f.0
	luni/src/main/files/cacerts/85cde254.0
	luni/src/main/files/cacerts/86212b19.0
	luni/src/main/files/cacerts/87753b0d.0
	luni/src/main/files/cacerts/882de061.0
	luni/src/main/files/cacerts/895cad1a.0
	luni/src/main/files/cacerts/89c02a45.0
	luni/src/main/files/cacerts/8f7b96c4.0
	luni/src/main/files/cacerts/9339512a.0
	luni/src/main/files/cacerts/9685a493.0
	luni/src/main/files/cacerts/9772ca32.0
	luni/src/main/files/cacerts/9d6523ce.0
	luni/src/main/files/cacerts/9dbefe7b.0
	luni/src/main/files/cacerts/9f533518.0
	luni/src/main/files/cacerts/a0bc6fbb.0
	luni/src/main/files/cacerts/a15b3b6b.0
	luni/src/main/files/cacerts/a3896b44.0
	luni/src/main/files/cacerts/a7605362.0
	luni/src/main/files/cacerts/a7d2cf64.0
	luni/src/main/files/cacerts/ab5346f4.0
	luni/src/main/files/cacerts/add67345.0
	luni/src/main/files/cacerts/b0f3e76e.0
	luni/src/main/files/cacerts/bc3f2570.0
	luni/src/main/files/cacerts/bcdd5959.0
	luni/src/main/files/cacerts/bda4cc84.0
	luni/src/main/files/cacerts/bdacca6f.0
	luni/src/main/files/cacerts/bf64f35b.0
	luni/src/main/files/cacerts/c0cafbd2.0
	luni/src/main/files/cacerts/c215bc69.0
	luni/src/main/files/cacerts/c33a80d4.0
	luni/src/main/files/cacerts/c527e4ab.0
	luni/src/main/files/cacerts/c7e2a638.0
	luni/src/main/files/cacerts/c8763593.0
	luni/src/main/files/cacerts/ccc52f49.0
	luni/src/main/files/cacerts/cdaebb72.0
	luni/src/main/files/cacerts/cf701eeb.0
	luni/src/main/files/cacerts/d16a5865.0
	luni/src/main/files/cacerts/d537fba6.0
	luni/src/main/files/cacerts/d64f06f3.0
	luni/src/main/files/cacerts/d777342d.0
	luni/src/main/files/cacerts/d8274e24.0
	luni/src/main/files/cacerts/dbc54cab.0
	luni/src/main/files/cacerts/ddc328ff.0
	luni/src/main/files/cacerts/e48193cf.0
	luni/src/main/files/cacerts/e60bf0c0.0
	luni/src/main/files/cacerts/e775ed2d.0
	luni/src/main/files/cacerts/e7b8d656.0
	luni/src/main/files/cacerts/e8651083.0
	luni/src/main/files/cacerts/ea169617.0
	luni/src/main/files/cacerts/eb375c3e.0
	luni/src/main/files/cacerts/ed049835.0
	luni/src/main/files/cacerts/ed524cf5.0
	luni/src/main/files/cacerts/ee7cd6fb.0
	luni/src/main/files/cacerts/f4996e82.0
	luni/src/main/files/cacerts/f58a60fe.0
	luni/src/main/files/cacerts/f61bff45.0
	luni/src/main/files/cacerts/f80cc7f6.0
	luni/src/main/files/cacerts/fac084d7.0
	luni/src/main/files/cacerts/facacbc6.0
	luni/src/main/files/cacerts/fde84897.0
	luni/src/main/files/cacerts/ff783690.0

    Change IntegralToString.intToHexString to take width argument to
    allow for leading zero padding. Updated existing callers to
    specify 0 padding desired. Add testing of new padding
    functionality.

	luni/src/main/java/java/lang/Character.java
	luni/src/main/java/java/lang/Integer.java
	luni/src/main/java/java/lang/IntegralToString.java
	luni/src/test/java/libcore/java/lang/IntegralToStringTest.java

    Improved to throw Exceptions with proper causes

	luni/src/main/java/java/security/KeyStore.java
	luni/src/main/java/java/security/Policy.java
	luni/src/main/java/java/security/cert/CertificateFactory.java
	luni/src/main/java/javax/crypto/Cipher.java
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSignature.java

    Indentation fixes

	luni/src/main/java/java/security/SecureRandom.java

    Fix X509CRLSelector.getIssuerNames to clone result and added test to cover this.

	luni/src/main/java/java/security/cert/X509CRLSelector.java
	luni/src/test/java/libcore/java/security/cert/X509CRLSelectorTest.java

    Fixed bug where we created an X500Principal via a String
    representation instead of from its original encoded bytes. This
    led to a difficult to track down bug where CA 418595b9.0 where the
    NativeCode.X509_NAME_hash of a Harmony (but not BouncyCastle)
    X509Certificate would not hash to the expected value because the
    encoded form used an ASN.1 PrintableString instead of the
    UTF8String form found in the original certificate.

	luni/src/main/java/org/apache/harmony/security/x501/Name.java

    Add a new RootKeyStoreSpi and register it as the
    AndroidCAStore. This new read-only KeyStore implementation that
    looks for certificates in $ANDROID_ROOT/etc/security/cacerts/
    directory, which is /system/etc/security/cacerts/ on devices. The
    files are stored in the directory based on the older md5 based
    OpenSSL X509_NAME_hash function (now referred to as
    X509_NAME_hash_old in OpenSSL 1.0)

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java

    Added OpenSSL compatible X509_NAME_hash and X509_NAME_hash_old
    functions for producting an int hash value from an X500Principal.

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java

    Changed TrustManagerFactoryImpl to use AndroidCAStore for its default KeyStore

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerFactoryImpl.java

    Changed TrustManagerImpl to be AndroidCAStore aware. If it detects
    an AndroidCAStore, it avoids generating the acceptedIssuers array
    at constructions, since doing so would force us to parse all
    certificates in the store and the value is only typically used by
    SSLServerSockets when requesting a client certifcate. Because we
    don't load all the trusted CAs into the IndexedPKIXParameters at
    startup in the case of AndroidCAStore, we now check for new CAs
    when examining the cert chain for unnecessary TrustAnchors and for
    a newly discovered issuer at the end of the chain before
    validation.

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

    Updated KeyStoreTest to cope with read only KeyStore. Update
    test_cacerts_bks (now renamed test_cacerts) to use the
    AndroidCAStore for validating system CA certificate
    validity. Register AndroidCAStore as an expected KeyStore type
    with StandardNames.

	luni/src/test/java/libcore/java/security/KeyStoreTest.java
	support/src/test/java/libcore/java/security/StandardNames.java

    Added test of X500Principal serialization while investigating Name
    encoding issue. However, the actual Name bug was found and
    verified by the new test_cacerts test.

	luni/src/test/java/libcore/javax/security/auth/x500/X500PrincipalTest.java

vendor/google

    Change canonical format for checked in cacerts to have PEM
    certificate at the top, as required by Harmony's X.509
    CertificateFactory.

	tools/cacerts/certimport.py

Change-Id: If0c9de430f13babb07f96a1177897c536f3db08d

Change-Id: If02a0973eb7ba0291a75397dda5f221b810890de

Change-Id: I64970355bbe775e54a4eb4360e00b1771ddea2f2

Change-Id: I9df312fc2f887372e3fdb35863fa572020eb36f2

Change-Id: I0c5e29ac750b9605b1e8f823d6998d31a933b7a4

Change-Id: I108f731c55e2ccff6fbe201614a169f89431a720

Change-Id: I0dcadda241e7fd2a7429f9dd43d1ff5e945e5467

This is a backport of the minimal changes from master (flan) to fix IPv6
multicasting. Specifically, it fixes NetworkInterface to report IPv6 addresses,
it fixes GenericIPMreq so we pass the interface indexes down to native code,
it replaces our old copy of harmony's MulticastSocketTest with the current
upstream version (to avoid bogus failures), and it brings back one small
"unrelated" fix to OSNetworkSystem.cpp that's necessary to prevent failures
in later parts of tests we used to fail too early to notice secondary
problems.

This passes all the (fixed) MulticastSocketTest tests, causes no regressions
in the whole net.AllTests suite, and fixes the user-submitted application
that started the investigation.

Bug: 1750581

native code, and make each have a set of rules for building on the host.

I also tightened up how sub.mk processing works and documented it
a little better.

Change-Id: I8a7a4c5697b2f22c4d69941dba381d6452200911

file outside of the Android build directory and was
not getting cleaned up after the build.

  the RI so that the required test annotation
  classes are copied over from core.jar. Means
  we don't have to maintain duplicate versions
  of these classes (and there will be less
  verifier complaints), so these are going away
  in the process.
  Original author: jorgp
  Merged from: //branches/cupcake/...
  Original author: android-build

Automated import of CL 144390

  the RI so that the required test annotation
  classes are copied over from core.jar. Means
  we don't have to maintain duplicate versions
  of these classes (and there will be less
  verifier complaints), so these are going away
  in the process.
  Original author: jorgp
  Merged from: //branches/cupcake/...

Automated import of CL 144230

  the RI so that the required test annotation
  classes are copied over from core.jar. Means
  we don't have to maintain duplicate versions
  of these classes (and there will be less
  verifier complaints), so these are going away
  in the process.
  BUG=1285921

Automated import of CL 144229