| author | Victor Hsieh <victorhsieh@google.com> | 2019-09-30 13:36:21 -0700 |
|---|---|---|
| committer | Victor Hsieh <victorhsieh@google.com> | 2019-12-23 09:21:19 -0800 |
| commit | 20fe1f6f2214c659698eab7677cb583bc67981b5 (patch) | |
| tree | 09c3b67c523ef9a92eabe565c7c1626fed44fff8 /core/java | |
| parent | 18e52123cee888bdc322668f1a61d2ebef6d4ae6 (diff) | |
New API for query trust of a fs-verity certificate
The corresponding service is also added.
The API can be used by a store to know whether their certificate is
trusted on the device. As an optimization, they only need to download
the .fsv_sig signature file if it will be used.
The API can also be used to gradually switch to stronger key. The store
can query with their certificates in priority order and download the best
signature.
Test: Passed new GTS working in progress
Bug: 142573505
Change-Id: Ic788cd04aeaed35ad62113fe9e7535b8fa63b5ee
Diffstat (limited to 'core/java')
| -rw-r--r-- | core/java/android/app/SystemServiceRegistry.java | 14 | ||||
| -rw-r--r-- | core/java/android/content/Context.java | 8 | ||||
| -rw-r--r-- | core/java/android/security/FileIntegrityManager.java | 77 | ||||
| -rw-r--r-- | core/java/android/security/IFileIntegrityService.aidl | 26 |
4 files changed, 125 insertions, 0 deletions
diff --git a/core/java/android/app/SystemServiceRegistry.java b/core/java/android/app/SystemServiceRegistry.java
index ce21db335615..7574c4903434 100644
--- a/core/java/android/app/SystemServiceRegistry.java
+++ b/core/java/android/app/SystemServiceRegistry.java
@@ -159,6 +159,8 @@ import android.permission.PermissionControllerManager;
import android.permission.PermissionManager;
import android.print.IPrintManager;
import android.print.PrintManager;
+import android.security.FileIntegrityManager;
+import android.security.IFileIntegrityService;
import android.service.oemlock.IOemLockService;
import android.service.oemlock.OemLockManager;
import android.service.persistentdata.IPersistentDataBlockService;
@@ -1208,6 +1210,7 @@ public final class SystemServiceRegistry {
return new DynamicSystemManager(
IDynamicSystemService.Stub.asInterface(b));
}});
+
registerService(Context.BATTERY_STATS_SERVICE, BatteryStatsManager.class,
new CachedServiceFetcher<BatteryStatsManager>() {
@Override
@@ -1241,6 +1244,17 @@ public final class SystemServiceRegistry {
return new IncrementalManager(
IIncrementalManagerNative.Stub.asInterface(b));
}});
+
+ registerService(Context.FILE_INTEGRITY_SERVICE, FileIntegrityManager.class,
+ new CachedServiceFetcher<FileIntegrityManager>() {
+ @Override
+ public FileIntegrityManager createService(ContextImpl ctx)
+ throws ServiceNotFoundException {
+ IBinder b = ServiceManager.getServiceOrThrow(
+ Context.FILE_INTEGRITY_SERVICE);
+ return new FileIntegrityManager(
+ IFileIntegrityService.Stub.asInterface(b));
+ }});
//CHECKSTYLE:ON IndentationCheck

sInitializing = true;
diff --git a/core/java/android/content/Context.java b/core/java/android/content/Context.java
index 85424119e37c..1d32045e1986 100644
--- a/core/java/android/content/Context.java
+++ b/core/java/android/content/Context.java
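Review bot: The second hunk (@@ -1208) adds nothing but a blank line before the BATTERY_STATS_SERVICE registration, which is unrelated to the file-integrity service this commit introduces; dropping that hunk keeps the change focused and the blame history clean. The FileIntegrityManager registration in the third hunk mirrors the IncrementalManager fetcher directly above it (same `ServiceManager.getServiceOrThrow` + `Stub.asInterface` shape), so no further change is needed there.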
@@ -5036,6 +5036,14 @@ public abstract class Context {
public static final String INCREMENTAL_SERVICE = "incremental_service";

/**
+ * Use with {@link #getSystemService(String)} to retrieve an
+ * {@link android.security.FileIntegrityManager}.
+ * @see #getSystemService(String)
+ * @see android.security.FileIntegrityManager
+ */
+ public static final String FILE_INTEGRITY_SERVICE = "file_integrity";
+
+ /**
+ * Determine whether the given permission is allowed for a particular
+ * process and user ID running in the system.
+ *
diff --git a/core/java/android/security/FileIntegrityManager.java b/core/java/android/security/FileIntegrityManager.java
new file mode 100644
index 000000000000..cdd6584e9b35
--- /dev/null
+++ b/core/java/android/security/FileIntegrityManager.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security;
+
+import android.annotation.NonNull;
+import android.annotation.RequiresPermission;
+import android.annotation.SystemService;
+import android.content.Context;
+import android.os.RemoteException;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+/**
+ * This class provides access to file integrity related operations.
+ */
+@SystemService(Context.FILE_INTEGRITY_SERVICE)
+public final class FileIntegrityManager {
+ @NonNull private final IFileIntegrityService mService;
+
+ /** @hide */
+ public FileIntegrityManager(@NonNull IFileIntegrityService service) {
+ mService = service;
+ }
+
+ /**
+ * Returns true if APK Verity is supported on the device. When supported, an APK can be
+ * installed with a fs-verity signature (if verified with trusted App Source Certificate) for
+ * continuous on-access verification.
+ */
+ public boolean isApkVeritySupported() {
+ try {
+ // Go through the service just to avoid exposing the vendor controlled system property
+ // to all apps.
+ return mService.isApkVeritySupported();
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
+
+ /**
+ * Returns whether the given certificate can be used to prove app's install source. Always
+ * return false if the feature is not supported.
+ *
+ * <p>A store can use this API to decide if a signature file needs to be downloaded. Also, if a
+ * store has shipped different certificates before (e.g. with stronger and weaker key), it can
+ * also use this API to download the best signature on the running device.
+ *
+ * @return whether the certificate is trusted in the system
+ */
+ @RequiresPermission(anyOf = {
+ android.Manifest.permission.INSTALL_PACKAGES,
+ android.Manifest.permission.REQUEST_INSTALL_PACKAGES
+ })
+ public boolean isAppSourceCertificateTrusted(@NonNull X509Certificate certificate)
+ throws CertificateEncodingException {
+ try {
+ return mService.isAppSourceCertificateTrusted(certificate.getEncoded());
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+ }
+}
diff --git a/core/java/android/security/IFileIntegrityService.aidl b/core/java/android/security/IFileIntegrityService.aidl
new file mode 100644
index 000000000000..ebb8bcb85350
--- /dev/null
+++ b/core/java/android/security/IFileIntegrityService.aidl
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security;
+
+/**
+ * Binder interface to communicate with FileIntegrityService.
+ * @hide
+ */
+interface IFileIntegrityService {
+ boolean isApkVeritySupported();
+ boolean isAppSourceCertificateTrusted(in byte[] certificateBytes);
+}
|
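Review bot: The Javadoc on `isAppSourceCertificateTrusted` in FileIntegrityManager.java documents only `@return`, although the checked `CertificateEncodingException` and the `@NonNull` parameter are part of the public signature; add `@param certificate the X.509 certificate whose DER encoding is passed to the service` and `@throws CertificateEncodingException if the certificate cannot be encoded`. The `@RequiresPermission(anyOf = {...})` annotation is advisory on the client side only, so the INSTALL_PACKAGES / REQUEST_INSTALL_PACKAGES check must be enforced by the service implementation behind `IFileIntegrityService.isAppSourceCertificateTrusted`, which is outside this diff (limited to core/java) and should be confirmed before merging. Nit: `Always return false if the feature is not supported.` reads better as `Always returns false ...`.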
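Review bot: `isAppSourceCertificateTrusted(in byte[] certificateBytes)` in IFileIntegrityService.aidl does not say what the bytes are; the only caller in this commit passes `X509Certificate.getEncoded()`, so a comment such as `/** @param certificateBytes DER-encoded X.509 certificate as returned by X509Certificate#getEncoded() */` would pin that contract for the service implementation. Since the interface is reachable by any process that obtains the binder, it is also worth stating in the interface Javadoc that the implementation must parse `certificateBytes` defensively and treat malformed or oversized input as untrusted (return false) rather than assume it originated from FileIntegrityManager.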
