Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2009 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package android.security; |
| 18 | |
Artur Satayev | 53fe966 | 2019-12-10 17:47:55 +0000 | [diff] [blame^] | 19 | import android.compat.annotation.UnsupportedAppUsage; |
Eran Messeri | d6ee4aa | 2019-09-10 17:23:48 +0100 | [diff] [blame] | 20 | |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 21 | import com.android.org.bouncycastle.util.io.pem.PemObject; |
| 22 | import com.android.org.bouncycastle.util.io.pem.PemReader; |
| 23 | import com.android.org.bouncycastle.util.io.pem.PemWriter; |
Shawn Willden | 8d8c747 | 2016-02-02 08:27:39 -0700 | [diff] [blame] | 24 | |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 25 | import java.io.ByteArrayInputStream; |
| 26 | import java.io.ByteArrayOutputStream; |
| 27 | import java.io.IOException; |
| 28 | import java.io.InputStreamReader; |
| 29 | import java.io.OutputStreamWriter; |
| 30 | import java.io.Reader; |
| 31 | import java.io.Writer; |
Elliott Hughes | d396a44 | 2013-06-28 16:24:48 -0700 | [diff] [blame] | 32 | import java.nio.charset.StandardCharsets; |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 33 | import java.security.cert.Certificate; |
| 34 | import java.security.cert.CertificateEncodingException; |
| 35 | import java.security.cert.CertificateException; |
| 36 | import java.security.cert.CertificateFactory; |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 37 | import java.security.cert.X509Certificate; |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 38 | import java.util.ArrayList; |
| 39 | import java.util.List; |
Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 40 | |
| 41 | /** |
| 42 | * {@hide} |
| 43 | */ |
| 44 | public class Credentials { |
| 45 | private static final String LOGTAG = "Credentials"; |
Chia-chi Yeh | 4403917 | 2009-09-21 11:53:59 +0800 | [diff] [blame] | 46 | |
Chia-chi Yeh | 4403917 | 2009-09-21 11:53:59 +0800 | [diff] [blame] | 47 | public static final String INSTALL_ACTION = "android.credentials.INSTALL"; |
| 48 | |
Kenny Root | 3e7be43 | 2013-03-28 09:25:51 -0700 | [diff] [blame] | 49 | public static final String INSTALL_AS_USER_ACTION = "android.credentials.INSTALL_AS_USER"; |
| 50 | |
Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 51 | /** Key prefix for CA certificates. */ |
| 52 | public static final String CA_CERTIFICATE = "CACERT_"; |
| 53 | |
| 54 | /** Key prefix for user certificates. */ |
| 55 | public static final String USER_CERTIFICATE = "USRCERT_"; |
| 56 | |
Janis Danisevskis | 64338c0 | 2017-04-19 09:17:17 -0700 | [diff] [blame] | 57 | /** Key prefix for user private and secret keys. */ |
Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 58 | public static final String USER_PRIVATE_KEY = "USRPKEY_"; |
| 59 | |
Janis Danisevskis | 64338c0 | 2017-04-19 09:17:17 -0700 | [diff] [blame] | 60 | /** Key prefix for user secret keys. |
| 61 | * @deprecated use {@code USER_PRIVATE_KEY} for this category instead. |
| 62 | */ |
Alex Klyubin | baf2838 | 2015-03-26 14:46:55 -0700 | [diff] [blame] | 63 | public static final String USER_SECRET_KEY = "USRSKEY_"; |
| 64 | |
Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 65 | /** Key prefix for VPN. */ |
| 66 | public static final String VPN = "VPN_"; |
| 67 | |
Benedict Wong | 048e248 | 2019-11-05 12:53:27 -0800 | [diff] [blame] | 68 | /** Key prefix for platform VPNs. */ |
| 69 | public static final String PLATFORM_VPN = "PLATFORM_VPN_"; |
| 70 | |
Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 71 | /** Key prefix for WIFI. */ |
| 72 | public static final String WIFI = "WIFI_"; |
| 73 | |
Victor Hsieh | de6cd47 | 2019-10-30 10:02:20 -0700 | [diff] [blame] | 74 | /** Key prefix for App Source certificates. */ |
| 75 | public static final String APP_SOURCE_CERTIFICATE = "FSV_"; |
| 76 | |
Jeff Sharkey | 69ddab4 | 2012-08-25 00:05:46 -0700 | [diff] [blame] | 77 | /** Key containing suffix of lockdown VPN profile. */ |
| 78 | public static final String LOCKDOWN_VPN = "LOCKDOWN_VPN"; |
| 79 | |
Alex Johnston | fde2869 | 2019-10-15 10:18:03 +0100 | [diff] [blame] | 80 | /** Name of CA certificate usage. */ |
| 81 | public static final String CERTIFICATE_USAGE_CA = "ca"; |
| 82 | |
| 83 | /** Name of User certificate usage. */ |
| 84 | public static final String CERTIFICATE_USAGE_USER = "user"; |
| 85 | |
| 86 | /** Name of WIFI certificate usage. */ |
| 87 | public static final String CERTIFICATE_USAGE_WIFI = "wifi"; |
| 88 | |
Victor Hsieh | de6cd47 | 2019-10-30 10:02:20 -0700 | [diff] [blame] | 89 | /** Name of App Source certificate usage. */ |
| 90 | public static final String CERTIFICATE_USAGE_APP_SOURCE = "appsrc"; |
| 91 | |
Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 92 | /** Data type for public keys. */ |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 93 | public static final String EXTRA_PUBLIC_KEY = "KEY"; |
Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 94 | |
| 95 | /** Data type for private keys. */ |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 96 | public static final String EXTRA_PRIVATE_KEY = "PKEY"; |
Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 97 | |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 98 | // historically used by Android |
| 99 | public static final String EXTENSION_CRT = ".crt"; |
| 100 | public static final String EXTENSION_P12 = ".p12"; |
| 101 | // commonly used on Windows |
| 102 | public static final String EXTENSION_CER = ".cer"; |
| 103 | public static final String EXTENSION_PFX = ".pfx"; |
| 104 | |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 105 | /** |
Kenny Root | 3e7be43 | 2013-03-28 09:25:51 -0700 | [diff] [blame] | 106 | * Intent extra: install the certificate bundle as this UID instead of |
| 107 | * system. |
| 108 | */ |
| 109 | public static final String EXTRA_INSTALL_AS_UID = "install_as_uid"; |
| 110 | |
| 111 | /** |
Alex Johnston | fde2869 | 2019-10-15 10:18:03 +0100 | [diff] [blame] | 112 | * Intent extra: type of the certificate to install |
| 113 | */ |
| 114 | public static final String EXTRA_CERTIFICATE_USAGE = "certificate_install_usage"; |
| 115 | |
| 116 | /** |
Eran Messeri | d6ee4aa | 2019-09-10 17:23:48 +0100 | [diff] [blame] | 117 | * Intent extra: name for the user's key pair. |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 118 | */ |
Eran Messeri | d6ee4aa | 2019-09-10 17:23:48 +0100 | [diff] [blame] | 119 | public static final String EXTRA_USER_KEY_ALIAS = "user_key_pair_name"; |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 120 | |
| 121 | /** |
| 122 | * Intent extra: data for the user's private key in PEM-encoded PKCS#8. |
| 123 | */ |
| 124 | public static final String EXTRA_USER_PRIVATE_KEY_DATA = "user_private_key_data"; |
| 125 | |
| 126 | /** |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 127 | * Intent extra: data for the user's certificate in PEM-encoded X.509. |
| 128 | */ |
| 129 | public static final String EXTRA_USER_CERTIFICATE_DATA = "user_certificate_data"; |
| 130 | |
| 131 | /** |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 132 | * Intent extra: data for CA certificate chain in PEM-encoded X.509. |
| 133 | */ |
| 134 | public static final String EXTRA_CA_CERTIFICATES_DATA = "ca_certificates_data"; |
| 135 | |
| 136 | /** |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 137 | * Convert objects to a PEM format which is used for |
| 138 | * CA_CERTIFICATE and USER_CERTIFICATE entries. |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 139 | */ |
Andrei Onea | 4aa2a20 | 2019-02-27 14:22:05 +0000 | [diff] [blame] | 140 | @UnsupportedAppUsage |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 141 | public static byte[] convertToPem(Certificate... objects) |
| 142 | throws IOException, CertificateEncodingException { |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 143 | ByteArrayOutputStream bao = new ByteArrayOutputStream(); |
Elliott Hughes | d396a44 | 2013-06-28 16:24:48 -0700 | [diff] [blame] | 144 | Writer writer = new OutputStreamWriter(bao, StandardCharsets.US_ASCII); |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 145 | PemWriter pw = new PemWriter(writer); |
| 146 | for (Certificate o : objects) { |
| 147 | pw.writeObject(new PemObject("CERTIFICATE", o.getEncoded())); |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 148 | } |
| 149 | pw.close(); |
| 150 | return bao.toByteArray(); |
| 151 | } |
| 152 | /** |
| 153 | * Convert objects from PEM format, which is used for |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 154 | * CA_CERTIFICATE and USER_CERTIFICATE entries. |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 155 | */ |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 156 | public static List<X509Certificate> convertFromPem(byte[] bytes) |
| 157 | throws IOException, CertificateException { |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 158 | ByteArrayInputStream bai = new ByteArrayInputStream(bytes); |
Elliott Hughes | d396a44 | 2013-06-28 16:24:48 -0700 | [diff] [blame] | 159 | Reader reader = new InputStreamReader(bai, StandardCharsets.US_ASCII); |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 160 | PemReader pr = new PemReader(reader); |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 161 | |
Shawn Willden | 8d8c747 | 2016-02-02 08:27:39 -0700 | [diff] [blame] | 162 | try { |
| 163 | CertificateFactory cf = CertificateFactory.getInstance("X509"); |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 164 | |
Shawn Willden | 8d8c747 | 2016-02-02 08:27:39 -0700 | [diff] [blame] | 165 | List<X509Certificate> result = new ArrayList<X509Certificate>(); |
| 166 | PemObject o; |
| 167 | while ((o = pr.readPemObject()) != null) { |
| 168 | if (o.getType().equals("CERTIFICATE")) { |
| 169 | Certificate c = cf.generateCertificate(new ByteArrayInputStream(o.getContent())); |
| 170 | result.add((X509Certificate) c); |
| 171 | } else { |
| 172 | throw new IllegalArgumentException("Unknown type " + o.getType()); |
| 173 | } |
Brian Carlstrom | 0efca17 | 2012-09-04 23:01:07 -0700 | [diff] [blame] | 174 | } |
Shawn Willden | 8d8c747 | 2016-02-02 08:27:39 -0700 | [diff] [blame] | 175 | return result; |
| 176 | } finally { |
| 177 | pr.close(); |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 178 | } |
Brian Carlstrom | 9d7faa9 | 2011-06-07 13:45:33 -0700 | [diff] [blame] | 179 | } |
| 180 | |
Kenny Root | db02671 | 2012-08-20 10:48:46 -0700 | [diff] [blame] | 181 | /** |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 182 | * Delete all types (private key, user certificate, CA certificate) for a |
Kenny Root | db02671 | 2012-08-20 10:48:46 -0700 | [diff] [blame] | 183 | * particular {@code alias}. All three can exist for any given alias. |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 184 | * Returns {@code true} if the alias no longer contains any types. |
Kenny Root | db02671 | 2012-08-20 10:48:46 -0700 | [diff] [blame] | 185 | */ |
Alex Klyubin | dcdaf87 | 2015-05-13 15:57:09 -0700 | [diff] [blame] | 186 | public static boolean deleteAllTypesForAlias(KeyStore keystore, String alias) { |
Alex Klyubin | 3876b1b | 2015-09-09 14:55:03 -0700 | [diff] [blame] | 187 | return deleteAllTypesForAlias(keystore, alias, KeyStore.UID_SELF); |
| 188 | } |
| 189 | |
| 190 | /** |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 191 | * Delete all types (private key, user certificate, CA certificate) for a |
Alex Klyubin | 3876b1b | 2015-09-09 14:55:03 -0700 | [diff] [blame] | 192 | * particular {@code alias}. All three can exist for any given alias. |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 193 | * Returns {@code true} if the alias no longer contains any types. |
Alex Klyubin | 3876b1b | 2015-09-09 14:55:03 -0700 | [diff] [blame] | 194 | */ |
| 195 | public static boolean deleteAllTypesForAlias(KeyStore keystore, String alias, int uid) { |
Kenny Root | db02671 | 2012-08-20 10:48:46 -0700 | [diff] [blame] | 196 | /* |
| 197 | * Make sure every type is deleted. There can be all three types, so |
| 198 | * don't use a conditional here. |
| 199 | */ |
Janis Danisevskis | 64338c0 | 2017-04-19 09:17:17 -0700 | [diff] [blame] | 200 | return deleteUserKeyTypeForAlias(keystore, alias, uid) |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 201 | & deleteCertificateTypesForAlias(keystore, alias, uid); |
Kenny Root | 802768d | 2012-08-21 15:23:35 -0700 | [diff] [blame] | 202 | } |
| 203 | |
| 204 | /** |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 205 | * Delete certificate types (user certificate, CA certificate) for a |
| 206 | * particular {@code alias}. Both can exist for any given alias. |
| 207 | * Returns {@code true} if the alias no longer contains either type. |
Kenny Root | 802768d | 2012-08-21 15:23:35 -0700 | [diff] [blame] | 208 | */ |
Alex Klyubin | dcdaf87 | 2015-05-13 15:57:09 -0700 | [diff] [blame] | 209 | public static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias) { |
Alex Klyubin | 3876b1b | 2015-09-09 14:55:03 -0700 | [diff] [blame] | 210 | return deleteCertificateTypesForAlias(keystore, alias, KeyStore.UID_SELF); |
| 211 | } |
| 212 | |
| 213 | /** |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 214 | * Delete certificate types (user certificate, CA certificate) for a |
| 215 | * particular {@code alias}. Both can exist for any given alias. |
| 216 | * Returns {@code true} if the alias no longer contains either type. |
Alex Klyubin | 3876b1b | 2015-09-09 14:55:03 -0700 | [diff] [blame] | 217 | */ |
| 218 | public static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias, int uid) { |
Kenny Root | 802768d | 2012-08-21 15:23:35 -0700 | [diff] [blame] | 219 | /* |
| 220 | * Make sure every certificate type is deleted. There can be two types, |
| 221 | * so don't use a conditional here. |
| 222 | */ |
Alex Klyubin | 3876b1b | 2015-09-09 14:55:03 -0700 | [diff] [blame] | 223 | return keystore.delete(Credentials.USER_CERTIFICATE + alias, uid) |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 224 | & keystore.delete(Credentials.CA_CERTIFICATE + alias, uid); |
Kenny Root | db02671 | 2012-08-20 10:48:46 -0700 | [diff] [blame] | 225 | } |
Alex Klyubin | baf2838 | 2015-03-26 14:46:55 -0700 | [diff] [blame] | 226 | |
| 227 | /** |
Janis Danisevskis | 64338c0 | 2017-04-19 09:17:17 -0700 | [diff] [blame] | 228 | * Delete user key for a particular {@code alias}. |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 229 | * Returns {@code true} if the entry no longer exists. |
Alex Klyubin | baf2838 | 2015-03-26 14:46:55 -0700 | [diff] [blame] | 230 | */ |
Janis Danisevskis | 64338c0 | 2017-04-19 09:17:17 -0700 | [diff] [blame] | 231 | public static boolean deleteUserKeyTypeForAlias(KeyStore keystore, String alias) { |
| 232 | return deleteUserKeyTypeForAlias(keystore, alias, KeyStore.UID_SELF); |
Alex Klyubin | 3876b1b | 2015-09-09 14:55:03 -0700 | [diff] [blame] | 233 | } |
| 234 | |
| 235 | /** |
Janis Danisevskis | 64338c0 | 2017-04-19 09:17:17 -0700 | [diff] [blame] | 236 | * Delete user key for a particular {@code alias}. |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 237 | * Returns {@code true} if the entry no longer exists. |
Alex Klyubin | 3876b1b | 2015-09-09 14:55:03 -0700 | [diff] [blame] | 238 | */ |
Janis Danisevskis | 64338c0 | 2017-04-19 09:17:17 -0700 | [diff] [blame] | 239 | public static boolean deleteUserKeyTypeForAlias(KeyStore keystore, String alias, int uid) { |
Janis Danisevskis | 906147c | 2018-11-06 14:14:05 -0800 | [diff] [blame] | 240 | int ret = keystore.delete2(Credentials.USER_PRIVATE_KEY + alias, uid); |
| 241 | if (ret == KeyStore.KEY_NOT_FOUND) { |
| 242 | return keystore.delete(Credentials.USER_SECRET_KEY + alias, uid); |
| 243 | } |
| 244 | return ret == KeyStore.NO_ERROR; |
Alex Klyubin | baf2838 | 2015-03-26 14:46:55 -0700 | [diff] [blame] | 245 | } |
| 246 | |
| 247 | /** |
Janis Danisevskis | 64338c0 | 2017-04-19 09:17:17 -0700 | [diff] [blame] | 248 | * Delete legacy prefixed entry for a particular {@code alias} |
Robin Lee | e4487ea | 2016-02-29 17:43:54 +0000 | [diff] [blame] | 249 | * Returns {@code true} if the entry no longer exists. |
Alex Klyubin | baf2838 | 2015-03-26 14:46:55 -0700 | [diff] [blame] | 250 | */ |
Janis Danisevskis | 64338c0 | 2017-04-19 09:17:17 -0700 | [diff] [blame] | 251 | public static boolean deleteLegacyKeyForAlias(KeyStore keystore, String alias, int uid) { |
Alex Klyubin | 3876b1b | 2015-09-09 14:55:03 -0700 | [diff] [blame] | 252 | return keystore.delete(Credentials.USER_SECRET_KEY + alias, uid); |
Alex Klyubin | baf2838 | 2015-03-26 14:46:55 -0700 | [diff] [blame] | 253 | } |
Chia-chi Yeh | 9b7a3f1 | 2009-09-18 12:00:12 +0800 | [diff] [blame] | 254 | } |