Skip to content

GitLab

Switch branch/tag
Find file BlameHistoryPermalink
  • Brian Carlstrom's avatar
    Avoid loading all CA certs into Zygote memory, lazily load instead (2 of 3) · 347b2a60
    Brian Carlstrom authored 
    Previously the CA certs stored in the BKS KeyStore at
/system/etc/security/cacerts.bks was loaded in the Zygote. As the the
number of CAs are started to increase, this is causing more and more
memory to be used for rarely used CAs. The new AndroidCAStore KeyStore
implementation reads the CAs as needed out of individual PEM
certificate files. The files can be efficiently found because they are
named based on a hash CA's subject name, similar to OpenSSL.

Bug: 1109242

Details:

build

    Removing old cacerts.bks from GRANDFATHERED_ALL_PREBUILT and
    adding new cacerts directory to core PRODUCT_PACKAGES

	core/legacy_prebuilts.mk
	target/product/core.mk

libcore

    cacerts build changes. Move cacerts prebuilt logic to new
    CaCerts.mk from NativeCode.mk where it didn't make sense. Updated
    Android.mk's dalvik-host target to install new cacerts files.

	Android.mk
	CaCerts.mk
	NativeCode.mk

    Remove old cacerts.bks and add remove certimport.sh script used to
    generate it. Preserved the useful comments from certimport.sh in
    the new README.cacerts

	luni/src/main/files/cacerts.bks
	luni/src/main/files/certimport.sh
	luni/src/main/files/README.cacerts

    Recanonicalize cacerts files using updated vendor/google/tools/cacerts/certimport.py
    (See below discussion of certimport.py changes for details)

	luni/src/main/files/cacerts/00673b5b.0
	luni/src/main/files/cacerts/03e16f6c.0
	luni/src/main/files/cacerts/08aef7bb.0
	luni/src/main/files/cacerts/0d188d89.0
	luni/src/main/files/cacerts/10531352.0
	luni/src/main/files/cacerts/111e6273.0
	luni/src/main/files/cacerts/1155c94b.0
	luni/src/main/files/cacerts/119afc2e.0
	luni/src/main/files/cacerts/11a09b38.0
	luni/src/main/files/cacerts/12d55845.0
	luni/src/main/files/cacerts/17b51fe6.0
	luni/src/main/files/cacerts/1920cacb.0
	luni/src/main/files/cacerts/1dac3003.0
	luni/src/main/files/cacerts/1dbdda5b.0
	luni/src/main/files/cacerts/1dcd6f4c.0
	luni/src/main/files/cacerts/1df5ec47.0
	luni/src/main/files/cacerts/1e8e7201.0
	luni/src/main/files/cacerts/1eb37bdf.0
	luni/src/main/files/cacerts/219d9499.0
	luni/src/main/files/cacerts/23f4c490.0
	luni/src/main/files/cacerts/27af790d.0
	luni/src/main/files/cacerts/2afc57aa.0
	luni/src/main/files/cacerts/2e8714cb.0
	luni/src/main/files/cacerts/2fa87019.0
	luni/src/main/files/cacerts/2fb1850a.0
	luni/src/main/files/cacerts/33815e15.0
	luni/src/main/files/cacerts/343eb6cb.0
	luni/src/main/files/cacerts/399e7759.0
	luni/src/main/files/cacerts/3a3b02ce.0
	luni/src/main/files/cacerts/3ad48a91.0
	luni/src/main/files/cacerts/3c58f906.0
	luni/src/main/files/cacerts/3c860d51.0
	luni/src/main/files/cacerts/3d441de8.0
	luni/src/main/files/cacerts/3e7271e8.0
	luni/src/main/files/cacerts/418595b9.0
	luni/src/main/files/cacerts/455f1b52.0
	luni/src/main/files/cacerts/46b2fd3b.0
	luni/src/main/files/cacerts/48478734.0
	luni/src/main/files/cacerts/4d654d1d.0
	luni/src/main/files/cacerts/4e18c148.0
	luni/src/main/files/cacerts/4fbd6bfa.0
	luni/src/main/files/cacerts/5021a0a2.0
	luni/src/main/files/cacerts/5046c355.0
	luni/src/main/files/cacerts/524d9b43.0
	luni/src/main/files/cacerts/56b8a0b6.0
	luni/src/main/files/cacerts/57692373.0
	luni/src/main/files/cacerts/58a44af1.0
	luni/src/main/files/cacerts/594f1775.0
	luni/src/main/files/cacerts/5a3f0ff8.0
	luni/src/main/files/cacerts/5a5372fc.0
	luni/src/main/files/cacerts/5cf9d536.0
	luni/src/main/files/cacerts/5e4e69e7.0
	luni/src/main/files/cacerts/60afe812.0
	luni/src/main/files/cacerts/635ccfd5.0
	luni/src/main/files/cacerts/67495436.0
	luni/src/main/files/cacerts/69105f4f.0
	luni/src/main/files/cacerts/6adf0799.0
	luni/src/main/files/cacerts/6e8bf996.0
	luni/src/main/files/cacerts/6fcc125d.0
	luni/src/main/files/cacerts/72f369af.0
	luni/src/main/files/cacerts/72fa7371.0
	luni/src/main/files/cacerts/74c26bd0.0
	luni/src/main/files/cacerts/75680d2e.0
	luni/src/main/files/cacerts/7651b327.0
	luni/src/main/files/cacerts/76579174.0
	luni/src/main/files/cacerts/7999be0d.0
	luni/src/main/files/cacerts/7a481e66.0
	luni/src/main/files/cacerts/7a819ef2.0
	luni/src/main/files/cacerts/7d3cd826.0
	luni/src/main/files/cacerts/7d453d8f.0
	luni/src/main/files/cacerts/81b9768f.0
	luni/src/main/files/cacerts/8470719d.0
	luni/src/main/files/cacerts/84cba82f.0
	luni/src/main/files/cacerts/85cde254.0
	luni/src/main/files/cacerts/86212b19.0
	luni/src/main/files/cacerts/87753b0d.0
	luni/src/main/files/cacerts/882de061.0
	luni/src/main/files/cacerts/895cad1a.0
	luni/src/main/files/cacerts/89c02a45.0
	luni/src/main/files/cacerts/8f7b96c4.0
	luni/src/main/files/cacerts/9339512a.0
	luni/src/main/files/cacerts/9685a493.0
	luni/src/main/files/cacerts/9772ca32.0
	luni/src/main/files/cacerts/9d6523ce.0
	luni/src/main/files/cacerts/9dbefe7b.0
	luni/src/main/files/cacerts/9f533518.0
	luni/src/main/files/cacerts/a0bc6fbb.0
	luni/src/main/files/cacerts/a15b3b6b.0
	luni/src/main/files/cacerts/a3896b44.0
	luni/src/main/files/cacerts/a7605362.0
	luni/src/main/files/cacerts/a7d2cf64.0
	luni/src/main/files/cacerts/ab5346f4.0
	luni/src/main/files/cacerts/add67345.0
	luni/src/main/files/cacerts/b0f3e76e.0
	luni/src/main/files/cacerts/bc3f2570.0
	luni/src/main/files/cacerts/bcdd5959.0
	luni/src/main/files/cacerts/bda4cc84.0
	luni/src/main/files/cacerts/bdacca6f.0
	luni/src/main/files/cacerts/bf64f35b.0
	luni/src/main/files/cacerts/c0cafbd2.0
	luni/src/main/files/cacerts/c215bc69.0
	luni/src/main/files/cacerts/c33a80d4.0
	luni/src/main/files/cacerts/c527e4ab.0
	luni/src/main/files/cacerts/c7e2a638.0
	luni/src/main/files/cacerts/c8763593.0
	luni/src/main/files/cacerts/ccc52f49.0
	luni/src/main/files/cacerts/cdaebb72.0
	luni/src/main/files/cacerts/cf701eeb.0
	luni/src/main/files/cacerts/d16a5865.0
	luni/src/main/files/cacerts/d537fba6.0
	luni/src/main/files/cacerts/d64f06f3.0
	luni/src/main/files/cacerts/d777342d.0
	luni/src/main/files/cacerts/d8274e24.0
	luni/src/main/files/cacerts/dbc54cab.0
	luni/src/main/files/cacerts/ddc328ff.0
	luni/src/main/files/cacerts/e48193cf.0
	luni/src/main/files/cacerts/e60bf0c0.0
	luni/src/main/files/cacerts/e775ed2d.0
	luni/src/main/files/cacerts/e7b8d656.0
	luni/src/main/files/cacerts/e8651083.0
	luni/src/main/files/cacerts/ea169617.0
	luni/src/main/files/cacerts/eb375c3e.0
	luni/src/main/files/cacerts/ed049835.0
	luni/src/main/files/cacerts/ed524cf5.0
	luni/src/main/files/cacerts/ee7cd6fb.0
	luni/src/main/files/cacerts/f4996e82.0
	luni/src/main/files/cacerts/f58a60fe.0
	luni/src/main/files/cacerts/f61bff45.0
	luni/src/main/files/cacerts/f80cc7f6.0
	luni/src/main/files/cacerts/fac084d7.0
	luni/src/main/files/cacerts/facacbc6.0
	luni/src/main/files/cacerts/fde84897.0
	luni/src/main/files/cacerts/ff783690.0

    Change IntegralToString.intToHexString to take width argument to
    allow for leading zero padding. Updated existing callers to
    specify 0 padding desired. Add testing of new padding
    functionality.

	luni/src/main/java/java/lang/Character.java
	luni/src/main/java/java/lang/Integer.java
	luni/src/main/java/java/lang/IntegralToString.java
	luni/src/test/java/libcore/java/lang/IntegralToStringTest.java

    Improved to throw Exceptions with proper causes

	luni/src/main/java/java/security/KeyStore.java
	luni/src/main/java/java/security/Policy.java
	luni/src/main/java/java/security/cert/CertificateFactory.java
	luni/src/main/java/javax/crypto/Cipher.java
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSignature.java

    Indentation fixes

	luni/src/main/java/java/security/SecureRandom.java

    Fix X509CRLSelector.getIssuerNames to clone result and added test to cover this.

	luni/src/main/java/java/security/cert/X509CRLSelector.java
	luni/src/test/java/libcore/java/security/cert/X509CRLSelectorTest.java

    Fixed bug where we created an X500Principal via a String
    representation instead of from its original encoded bytes. This
    led to a difficult to track down bug where CA 418595b9.0 where the
    NativeCode.X509_NAME_hash of a Harmony (but not BouncyCastle)
    X509Certificate would not hash to the expected value because the
    encoded form used an ASN.1 PrintableString instead of the
    UTF8String form found in the original certificate.

	luni/src/main/java/org/apache/harmony/security/x501/Name.java

    Add a new RootKeyStoreSpi and register it as the
    AndroidCAStore. This new read-only KeyStore implementation that
    looks for certificates in $ANDROID_ROOT/etc/security/cacerts/
    directory, which is /system/etc/security/cacerts/ on devices. The
    files are stored in the directory based on the older md5 based
    OpenSSL X509_NAME_hash function (now referred to as
    X509_NAME_hash_old in OpenSSL 1.0)

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java

    Added OpenSSL compatible X509_NAME_hash and X509_NAME_hash_old
    functions for producting an int hash value from an X500Principal.

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java

    Changed TrustManagerFactoryImpl to use AndroidCAStore for its default KeyStore

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerFactoryImpl.java

    Changed TrustManagerImpl to be AndroidCAStore aware. If it detects
    an AndroidCAStore, it avoids generating the acceptedIssuers array
    at constructions, since doing so would force us to parse all
    certificates in the store and the value is only typically used by
    SSLServerSockets when requesting a client certifcate. Because we
    don't load all the trusted CAs into the IndexedPKIXParameters at
    startup in the case of AndroidCAStore, we now check for new CAs
    when examining the cert chain for unnecessary TrustAnchors and for
    a newly discovered issuer at the end of the chain before
    validation.

	luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

    Updated KeyStoreTest to cope with read only KeyStore. Update
    test_cacerts_bks (now renamed test_cacerts) to use the
    AndroidCAStore for validating system CA certificate
    validity. Register AndroidCAStore as an expected KeyStore type
    with StandardNames.

	luni/src/test/java/libcore/java/security/KeyStoreTest.java
	support/src/test/java/libcore/java/security/StandardNames.java

    Added test of X500Principal serialization while investigating Name
    encoding issue. However, the actual Name bug was found and
    verified by the new test_cacerts test.

	luni/src/test/java/libcore/javax/security/auth/x500/X500PrincipalTest.java

vendor/google

    Change canonical format for checked in cacerts to have PEM
    certificate at the top, as required by Harmony's X.509
    CertificateFactory.

	tools/cacerts/certimport.py

Change-Id: If0c9de430f13babb07f96a1177897c536f3db08d
    347b2a60
CaCerts.mk 2.1 KB