
Add support for managed certificates #1202

Open. Wants to merge 1 commit into base: master

Conversation

ZVNexus commented Mar 28, 2024

Currently for Android we have two certificate prefixes, "system:" and "user:". System certificates are baked into the build and cannot be changed after the fact. User certificates can be installed after the fact, but they only get used for that user. For a device owner that wants to control certificates across the entire device this is problematic.

Introduce a new "managed" store that can be used across all users. Certificates that get installed via the DevicePolicyManager APIs should be placed here.

ZVNexus (Author) commented Mar 28, 2024

Hello, wanted to get some input on whether the idea of this is feasible (still need to add tests for managed certificates specifically).

The use case here specifically is when multiple users are present, and the device owner has installed a CA certificate but it's not accessible in the other users.

prbprbprb (Collaborator) commented:
It's certainly an interesting use case, and it might be feasible on a rooted device, but it has some significant issues.

Mostly, it relies on an old behaviour (pre-Nougat) whereby user-installed (or managed, in your case) certificates are treated as fully trusted for TLS. Since the introduction of Network Security Configuration (NSC) in Nougat, this is no longer the case. Since that time, the NSC logic in the framework calculates the correct set of trusted CAs for each application and injects that into Conscrypt as a TrustedCertificateStoreAdapter. One major effect of this is that user-added certificates are no longer trusted for TLS unless the application opts into that behaviour.

There's good reason for this: the Android security philosophy is to protect users and apps from each other and to protect both from third-party threats. If an application or user can install an arbitrary root CA (possibly by tricking the user) and have it trusted by all apps, then all TLS connections are open to attack, web sites can be spoofed, etc., etc.

Additionally, from a stability point of view, you can't change the signature of installCertificate() without changing the code in Settings which installs certificates to match. And as Conscrypt ships to older releases via Mainline effectively that means you can't change that API... You'd have to add a new one, and update Settings to look for it, probably by reflection.

All that said, I think what you're trying to do is valid so long as you accept the limitation that managed certificates can't be trusted by default and apps will still have to opt in. This is exactly analogous to what happens with Enterprise-installed certificates in a work profile. It's just a bigger project than you think (welcome to Android!), and can't be done with Conscrypt modifications alone. If you still want to pursue it, I'd suggest opening a Feature Request at the Android Issue Tracker and maybe ask them to route it to the Conscrypt so we can loop in the right people.
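To make the opt-in prbprbprb describes concrete, here is an added example (not code from this PR or from Conscrypt) of an app's Network Security Configuration, the file the framework reads when it computes the trust anchors it hands to Conscrypt. The file path and the domain name are assumed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed path: res/xml/network_security_config.xml, referenced from
     AndroidManifest.xml via android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Equivalent to the platform default since Nougat: only the baked-in
         "system:" CAs are trust anchors. User-installed CAs are ignored for
         TLS, which is why a "user:" entry (or a proposed managed store)
         cannot be trusted without the app opting in. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Scoped opt-in (internal.example.com is a constructed placeholder):
         user-added CAs become trust anchors for this domain only, while the
         system-only policy above still applies to every other host. -->
    <domain-config>
        <domain includeSubdomains="true">internal.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>

    <!-- Narrower still: honour user CAs only in debuggable builds. Release
         builds ignore this block, so a root CA installed on the device has
         no effect on production traffic. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

NSC's `certificates` element only knows `system`, `user` and app-bundled (`@raw/...`) sources, so a managed store would need framework-side plumbing before any app could opt into it; that is the part that cannot be done in Conscrypt alone.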

ZVNexus (Author) commented Mar 31, 2024

Additionally, from a stability point of view, you can't change the signature of installCertificate() without changing the code in Settings which installs certificates to match.

I do have some platform commits for this change, uploaded them to Gerrit: https://android-review.googlesource.com/q/topic:%22managed-certificates%22. I added back the old installCertificate() interface that just calls the new one for backwards compatibility; it always returns false for isManaged since older platforms won't have support for this anyway.

All that said, I think what you're trying to do is valid so long as you accept the limitation that managed certificates can't be trusted by default and apps will still have to opt in.

Yeah, have a change for Chromium lined up to read from managed certificates as well, if these changes get merged into platform.

I'd suggest opening a Feature Request at the Android Issue Tracker and maybe ask them to route it to the Conscrypt so we can loop in the right people.

Done, issue can be found at https://issuetracker.google.com/issues/331927559. I attached the bug ID to the commits before uploading to Gerrit.
