diff options
| author | Sarah Chin <sarahchin@google.com> | 2023-08-25 21:56:04 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-08-25 21:56:04 +0000 |
| commit | 7361a47fe0ca24906d7dc9b48ef2f68e1fcfabc5 (patch) | |
| tree | 27f3015e8d3e1db53b72a24852c0d0c20a71e61f | |
| parent | 1f677d70dc667f29b1c23b41c46f83de0e0c7e0f (diff) | |
| parent | 654794bc129852aaff53a6851508ed1d761814e5 (diff) | |
| download | gsma_services-7361a47fe0ca24906d7dc9b48ef2f68e1fcfabc5.tar.gz | |
Fix TS.43 auth library for java style am: c78c3d4b4b am: 63776e18f2 am: 654794bc12
Original change: https://android-review.googlesource.com/c/platform/frameworks/libs/gsma_services/+/2727077
Change-Id: Idc30efbc1ae06ac0b33f3683230e980b0ee5a094
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
4 files changed, 109 insertions, 46 deletions
diff --git a/ts43authentication/Android.bp b/ts43authentication/Android.bp index f9178a4..1a13d63 100644 --- a/ts43authentication/Android.bp +++ b/ts43authentication/Android.bp @@ -11,6 +11,7 @@ java_library { "src/**/*.java", ], static_libs: [ + "androidx.annotation_annotation", "service-entitlement", ], } diff --git a/ts43authentication/AndroidManifest.xml b/ts43authentication/AndroidManifest.xml new file mode 100644 index 0000000..81d94f1 --- /dev/null +++ b/ts43authentication/AndroidManifest.xml @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + ~ Copyright (C) 2023 The Android Open Source Project + ~ + ~ Licensed under the Apache License, Version 2.0 (the "License"); + ~ you may not use this file except in compliance with the License. + ~ You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<manifest xmlns:android="http://schemas.android.com/apk/res/android" + xmlns:tools="http://schemas.android.com/tools" + package="com.android.libraries.ts43authentication"> + <uses-sdk android:minSdkVersion="28"/> +</manifest> diff --git a/ts43authentication/src/com/android/libraries/ts43authentication/AuthenticationException.java b/ts43authentication/src/com/android/libraries/ts43authentication/AuthenticationException.java index 45f72c8..707a7bf 100644 --- a/ts43authentication/src/com/android/libraries/ts43authentication/AuthenticationException.java +++ b/ts43authentication/src/com/android/libraries/ts43authentication/AuthenticationException.java @@ -19,8 +19,12 @@ package com.android.libraries.ts43authentication; import android.os.OutcomeReceiver; import android.os.PersistableBundle; +import androidx.annotation.IntDef; + import com.android.libraries.entitlement.ServiceEntitlementException; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; import java.net.URL; import java.util.concurrent.Executor; @@ -86,6 +90,24 @@ public class AuthenticationException extends Exception { public static final int ERROR_INVALID_HTTP_RESPONSE = 8; /** + * Authentication errors that can be returned by the TS.43 authentication library or + * service entitlement library. + */ + @Retention(RetentionPolicy.SOURCE) + @IntDef({ + ERROR_UNSPECIFIED, + ERROR_INVALID_APP_NAME, + ERROR_MUST_USE_OIDC, + ERROR_SERVICE_NOT_AVAILABLE, + ERROR_ICC_AUTHENTICATION_NOT_AVAILABLE, + ERROR_EAP_AKA_SYNCHRONIZATION_FAILURE, + ERROR_MAXIMUM_EAP_AKA_ATTEMPTS, + ERROR_HTTP_RESPONSE_FAILED, + ERROR_INVALID_HTTP_RESPONSE, + }) + public @interface AuthenticationError {} + + /** * The HTTP status code has not been specified. */ public static final int HTTP_STATUS_CODE_UNSPECIFIED = -1; @@ -96,12 +118,12 @@ public class AuthenticationException extends Exception { */ public static final String RETRY_AFTER_UNSPECIFIED = ""; - private final int mError; + @AuthenticationError private final int mError; private final int mHttpStatusCode; private final String mRetryAfter; - private AuthenticationException(int error, int httpStatusCode, String retryAfter, - String message) { + private AuthenticationException(@AuthenticationError int error, int httpStatusCode, + String retryAfter, String message) { super(message); mError = error; mHttpStatusCode = httpStatusCode; @@ -109,7 +131,8 @@ public class AuthenticationException extends Exception { } /** - * Create an AuthenticationException for the given authentication error. + * Create an AuthenticationException for the given {@link AuthenticationError}. + * * @param error The authentication error. * @param message The detail message with more information about the exception. */ @@ -119,6 +142,7 @@ public class AuthenticationException extends Exception { /** * Create an AuthenticationException from the given {@link ServiceEntitlementException}. + * * @param exception The service entitlement exception from the TS.43 library. */ public AuthenticationException(ServiceEntitlementException exception) { @@ -131,7 +155,7 @@ public class AuthenticationException extends Exception { * The error code for why authentication failed, or {@link #ERROR_UNSPECIFIED} if it is * unspecified. */ - public int getError() { + @AuthenticationError public int getError() { return mError; } @@ -153,7 +177,7 @@ public class AuthenticationException extends Exception { return mRetryAfter; } - private static int convertToAuthenticationError(int errorCode) { + @AuthenticationError private static int convertToAuthenticationError(int errorCode) { switch (errorCode) { case ServiceEntitlementException.ERROR_PHONE_NOT_AVAILABLE: case ServiceEntitlementException.ERROR_SERVER_NOT_CONNECTABLE: diff --git a/ts43authentication/src/com/android/libraries/ts43authentication/Ts43AuthenticationLibrary.java b/ts43authentication/src/com/android/libraries/ts43authentication/Ts43AuthenticationLibrary.java index 23cd411..5a443b5 100644 --- a/ts43authentication/src/com/android/libraries/ts43authentication/Ts43AuthenticationLibrary.java +++ b/ts43authentication/src/com/android/libraries/ts43authentication/Ts43AuthenticationLibrary.java @@ -30,15 +30,21 @@ import android.os.PersistableBundle; import android.telephony.SubscriptionInfo; import android.util.Log; +import androidx.annotation.Nullable; +import androidx.annotation.StringDef; + import com.android.libraries.entitlement.ServiceEntitlementException; import com.android.libraries.entitlement.Ts43Authentication; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; import java.net.URL; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.ArrayList; import java.util.HexFormat; +import java.util.List; import java.util.concurrent.Executor; import java.util.concurrent.locks.ReentrantLock; @@ -48,7 +54,7 @@ import java.util.concurrent.locks.ReentrantLock; * {@link AuthenticationException} on failure. */ public class Ts43AuthenticationLibrary extends Handler { - private static final String TAG = "Ts43AuthenticationLibrary"; + private static final String TAG = "Ts43AuthLibrary"; /** * Configuration key for the list of {@code SHA256} signing certificates and packages that are @@ -76,6 +82,16 @@ public class Ts43AuthenticationLibrary extends Handler { */ public static final String KEY_APPEND_SHA_TO_APP_NAME_BOOL = "append_sha_to_app_name"; + /** + * Configuration keys for the {@link PersistableBundle} passed to authentication requests. + */ + @Retention(RetentionPolicy.SOURCE) + @StringDef({ + KEY_ALLOWED_CERTIFICATES_STRING_ARRAY, + KEY_APPEND_SHA_TO_APP_NAME_BOOL, + }) + public @interface ConfigurationKey {} + private static final int EVENT_REQUEST_EAP_AKA_AUTHENTICATION = 0; private static final int EVENT_REQUEST_OIDC_AUTHENTICATION_SERVER = 1; private static final int EVENT_REQUEST_OIDC_AUTHENTICATION = 2; @@ -86,6 +102,7 @@ public class Ts43AuthenticationLibrary extends Handler { /** * Create an instance of the TS.43 Authentication Library. + * * @param context The application context. * @param looper The looper to run authentication requests on. */ @@ -97,18 +114,18 @@ public class Ts43AuthenticationLibrary extends Handler { private static class EapAkaAuthenticationRequest { private final String mAppName; - private final String mAppVersion; + @Nullable private final String mAppVersion; private final int mSlotIndex; private final URL mEntitlementServerAddress; - private final String mEntitlementVersion; + @Nullable private final String mEntitlementVersion; private final String mAppId; private final Executor mExecutor; private final OutcomeReceiver< Ts43Authentication.Ts43AuthToken, AuthenticationException> mCallback; - private EapAkaAuthenticationRequest(String appName, String appVersion, int slotIndex, - URL entitlementServerAddress, String entitlementVersion, String appId, - Executor executor, OutcomeReceiver< + private EapAkaAuthenticationRequest(String appName, @Nullable String appVersion, + int slotIndex, URL entitlementServerAddress, @Nullable String entitlementVersion, + String appId, Executor executor, OutcomeReceiver< Ts43Authentication.Ts43AuthToken, AuthenticationException> callback) { mAppName = appName; mAppVersion = appVersion; @@ -123,17 +140,18 @@ public class Ts43AuthenticationLibrary extends Handler { private static class OidcAuthenticationServerRequest { private final String mAppName; - private final String mAppVersion; + @Nullable private final String mAppVersion; private final int mSlotIndex; private final URL mEntitlementServerAddress; - private final String mEntitlementVersion; + @Nullable private final String mEntitlementVersion; private final String mAppId; private final Executor mExecutor; private final OutcomeReceiver<URL, AuthenticationException> mCallback; - private OidcAuthenticationServerRequest(String appName, String appVersion, int slotIndex, - URL entitlementServerAddress, String entitlementVersion, String appId, - Executor executor, OutcomeReceiver<URL, AuthenticationException> callback) { + private OidcAuthenticationServerRequest(String appName, @Nullable String appVersion, + int slotIndex, URL entitlementServerAddress, @Nullable String entitlementVersion, + String appId, Executor executor, + OutcomeReceiver<URL, AuthenticationException> callback) { mAppName = appName; mAppVersion = appVersion; mSlotIndex = slotIndex; @@ -147,14 +165,14 @@ public class Ts43AuthenticationLibrary extends Handler { private static class OidcAuthenticationRequest { private final URL mEntitlementServerAddress; - private final String mEntitlementVersion; + @Nullable private final String mEntitlementVersion; private final URL mAesUrl; private final Executor mExecutor; private final OutcomeReceiver< Ts43Authentication.Ts43AuthToken, AuthenticationException> mCallback; - private OidcAuthenticationRequest(URL entitlementServerAddress, String entitlementVersion, - URL aesUrl, Executor executor, OutcomeReceiver< + private OidcAuthenticationRequest(URL entitlementServerAddress, + @Nullable String entitlementVersion, URL aesUrl, Executor executor, OutcomeReceiver< Ts43Authentication.Ts43AuthToken, AuthenticationException> callback) { mEntitlementServerAddress = entitlementServerAddress; mEntitlementVersion = entitlementVersion; @@ -169,8 +187,7 @@ public class Ts43AuthenticationLibrary extends Handler { * TS.43 Service Entitlement Configuration section 2.8.1. * * @param configs The configurations that should be applied to this authentication request. - * The keys of the bundle must be one {@link #KEY_ALLOWED_CERTIFICATES_STRING_ARRAY} or - * {@link #KEY_APPEND_SHA_TO_APP_NAME_BOOL}. + * The keys of the bundle must be in {@link ConfigurationKey}. * @param packageName The package name for the calling application, used to validate the * identity of the calling application. This will be sent as-is as the {@code app_name} * in the HTTP GET request to the entitlement server unless @@ -193,8 +210,8 @@ public class Ts43AuthenticationLibrary extends Handler { * {@link AuthenticationException} with the failure details. */ public void requestEapAkaAuthentication(PersistableBundle configs, String packageName, - String appVersion, int slotIndex, URL entitlementServerAddress, - String entitlementVersion, String appId, Executor executor, OutcomeReceiver< + @Nullable String appVersion, int slotIndex, URL entitlementServerAddress, + @Nullable String entitlementVersion, String appId, Executor executor, OutcomeReceiver< Ts43Authentication.Ts43AuthToken, AuthenticationException> callback) { String[] allowedPackageInfo = configs.getStringArray(KEY_ALLOWED_CERTIFICATES_STRING_ARRAY); String certificate = getMatchingCertificate(allowedPackageInfo, packageName); @@ -220,8 +237,7 @@ public class Ts43AuthenticationLibrary extends Handler { * authentication token. * * @param configs The configurations that should be applied to this authentication request. - * The keys of the bundle must be one of {@link #KEY_ALLOWED_CERTIFICATES_STRING_ARRAY} - * or {@link #KEY_APPEND_SHA_TO_APP_NAME_BOOL}. + * The keys of the bundle must be in {@link ConfigurationKey}. * @param packageName The package name for the calling application, used to validate the * identity of the calling application. This will be sent as-is as the {@code app_name} * in the HTTP GET request to the entitlement server unless @@ -246,8 +262,8 @@ public class Ts43AuthenticationLibrary extends Handler { * {@link AuthenticationException} with the failure details. */ public void requestOidcAuthenticationServer(PersistableBundle configs, - String packageName, String appVersion, int slotIndex, - URL entitlementServerAddress, String entitlementVersion, + String packageName, @Nullable String appVersion, int slotIndex, + URL entitlementServerAddress, @Nullable String entitlementVersion, String appId, Executor executor, OutcomeReceiver<URL, AuthenticationException> callback) { String[] allowedPackageInfo = configs.getStringArray(KEY_ALLOWED_CERTIFICATES_STRING_ARRAY); @@ -270,8 +286,7 @@ public class Ts43AuthenticationLibrary extends Handler { * TS.43 Service Entitlement Configuration section 2.8.2. * * @param configs The configurations that should be applied to this authentication request. - * The keys of the bundle must be one of {@link #KEY_ALLOWED_CERTIFICATES_STRING_ARRAY} - * or {@link #KEY_APPEND_SHA_TO_APP_NAME_BOOL}. + * The keys of the bundle must be in {@link ConfigurationKey}. * @param packageName The package name for the calling application, used to validate the * identity of the calling application. * @param entitlementServerAddress The entitlement server address. @@ -288,8 +303,7 @@ public class Ts43AuthenticationLibrary extends Handler { */ public void requestOidcAuthentication(PersistableBundle configs, String packageName, URL entitlementServerAddress, - String entitlementVersion, URL aesUrl, - Executor executor, + @Nullable String entitlementVersion, URL aesUrl, Executor executor, OutcomeReceiver< Ts43Authentication.Ts43AuthToken, AuthenticationException> callback) { String[] allowedPackageInfo = configs.getStringArray(KEY_ALLOWED_CERTIFICATES_STRING_ARRAY); @@ -305,7 +319,8 @@ public class Ts43AuthenticationLibrary extends Handler { } } - private String getMatchingCertificate(String[] allowedPackageInfo, String packageName) { + @Nullable private String getMatchingCertificate(@Nullable String[] allowedPackageInfo, + String packageName) { if (allowedPackageInfo == null || allowedPackageInfo.length == 0) { // No need to find a matching certificates if the allowlist is empty. Log.d(TAG, "No need to find a matching certificate because the allowlist is empty"); @@ -315,9 +330,9 @@ public class Ts43AuthenticationLibrary extends Handler { // At this point an allowlist exists. A matching certificate must be found in order for // the authentication request to be validated. If this method returns {@code null} because // a matching certificate is unable to be found, the authentication request will be denied. - ArrayList<String> allowedCertificates = + List<String> allowedCertificates = getAllowedCertificatesForPackage(allowedPackageInfo, packageName); - if (allowedCertificates.size() == 0) { + if (allowedCertificates.isEmpty()) { // If there are no allowed certificates for the given package, return null. Log.e(TAG, "No allowed certificates found for package: " + packageName); return null; @@ -353,12 +368,12 @@ public class Ts43AuthenticationLibrary extends Handler { return null; } - private ArrayList<String> getAllowedCertificatesForPackage(String[] allowedPackageInfo, + private List<String> getAllowedCertificatesForPackage(String[] allowedPackageInfo, String packageName) { - ArrayList<String> allowedCertificates = new ArrayList<>(); + List<String> allowedCertificates = new ArrayList<>(); for (String packageInfo : allowedPackageInfo) { // packageInfo format: 1) "SHA256" or 2) "SHA256:package1,package2,package3..." - String[] splitPackageInfo = packageInfo.split(":"); + String[] splitPackageInfo = packageInfo.split(":", -1); if (splitPackageInfo.length == 1) { // Case 1: Certificate only allowedCertificates.add(packageInfo); @@ -366,7 +381,7 @@ public class Ts43AuthenticationLibrary extends Handler { // Case 2: Certificate and allowed packages String certificate = splitPackageInfo[0]; String packages = splitPackageInfo[1]; - for (String allowedPackage : packages.split(",")) { + for (String allowedPackage : packages.split(",", -1)) { // Add the certificate only if the package name is specified in the allowlist. if (allowedPackage.equals(packageName)) { allowedCertificates.add(certificate); @@ -378,11 +393,11 @@ public class Ts43AuthenticationLibrary extends Handler { return allowedCertificates; } - private Signature getMainPackageSignature(String packageName) { + @Nullable private Signature getMainPackageSignature(String packageName) { PackageInfo packageInfo; try { - packageInfo = mPackageManager.getPackageInfo( - packageName, PackageManager.GET_SIGNING_CERTIFICATES); + packageInfo = mPackageManager.getPackageInfo(packageName, + PackageManager.PackageInfoFlags.of(PackageManager.GET_SIGNING_CERTIFICATES)); } catch (PackageManager.NameNotFoundException e) { Log.e(TAG, "Unable to find package name: " + packageName); return null; @@ -403,7 +418,7 @@ public class Ts43AuthenticationLibrary extends Handler { } } } - if (signatures == null && signatures[index] != null) { + if (signatures == null || signatures[index] == null) { Log.e(TAG, "Unable to find package signatures for package: " + packageName); return null; } else { @@ -413,8 +428,8 @@ public class Ts43AuthenticationLibrary extends Handler { } } - private boolean isCallingPackageAllowed(String[] allowedPackageInfo, String packageName, - String certificate) { + private boolean isCallingPackageAllowed(@Nullable String[] allowedPackageInfo, + String packageName, @Nullable String certificate) { // Check that the package name matches that of the calling package. if (!isPackageNameValidForCaller(packageName)) { return false; @@ -440,7 +455,8 @@ public class Ts43AuthenticationLibrary extends Handler { return false; } - private String getAppName(PersistableBundle configs, String packageName, String certificate) { + private String getAppName(PersistableBundle configs, String packageName, + @Nullable String certificate) { if (configs.getBoolean(KEY_APPEND_SHA_TO_APP_NAME_BOOL) && certificate != null) { return certificate + "|" + packageName; } |