Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2011 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | package android.security; |
| 17 | |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 18 | import android.annotation.NonNull; |
| 19 | import android.annotation.Nullable; |
Jeff Sharkey | 0f3f60b | 2017-04-24 18:06:20 -0600 | [diff] [blame] | 20 | import android.annotation.SdkConstant; |
Jeff Sharkey | 0f3f60b | 2017-04-24 18:06:20 -0600 | [diff] [blame] | 21 | import android.annotation.SdkConstant.SdkConstantType; |
Eran Messeri | 55b8d08 | 2019-01-31 16:25:52 +0000 | [diff] [blame] | 22 | import android.annotation.WorkerThread; |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 23 | import android.app.Activity; |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 24 | import android.app.PendingIntent; |
Robin Lee | da23618 | 2016-08-12 12:46:28 +0100 | [diff] [blame] | 25 | import android.app.Service; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 26 | import android.content.ComponentName; |
| 27 | import android.content.Context; |
| 28 | import android.content.Intent; |
| 29 | import android.content.ServiceConnection; |
Robin Lee | 39087b1 | 2015-05-05 15:57:17 +0100 | [diff] [blame] | 30 | import android.net.Uri; |
Jeff Sharkey | 0a17db1 | 2016-11-04 11:23:46 -0600 | [diff] [blame] | 31 | import android.os.Binder; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 32 | import android.os.IBinder; |
| 33 | import android.os.Looper; |
Robin Lee | 306fe08 | 2014-06-19 14:04:24 +0000 | [diff] [blame] | 34 | import android.os.Process; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 35 | import android.os.RemoteException; |
Robin Lee | 306fe08 | 2014-06-19 14:04:24 +0000 | [diff] [blame] | 36 | import android.os.UserHandle; |
Alex Klyubin | 4a0ff7c | 2015-06-09 13:25:20 -0700 | [diff] [blame] | 37 | import android.security.keystore.AndroidKeyStoreProvider; |
Max Bires | 13f98ce | 2018-11-02 10:50:40 -0700 | [diff] [blame] | 38 | import android.security.keystore.KeyPermanentlyInvalidatedException; |
Alex Klyubin | 3f8d4d8 | 2015-05-13 09:15:00 -0700 | [diff] [blame] | 39 | import android.security.keystore.KeyProperties; |
| 40 | |
Eran Messeri | 55b8d08 | 2019-01-31 16:25:52 +0000 | [diff] [blame] | 41 | import com.android.org.conscrypt.TrustedCertificateStore; |
| 42 | |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 43 | import java.io.ByteArrayInputStream; |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 44 | import java.io.Closeable; |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 45 | import java.io.Serializable; |
Eran Messeri | 23c438d | 2017-11-23 17:20:52 +0000 | [diff] [blame] | 46 | import java.security.KeyPair; |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 47 | import java.security.Principal; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 48 | import java.security.PrivateKey; |
Alex Klyubin | 4a0ff7c | 2015-06-09 13:25:20 -0700 | [diff] [blame] | 49 | import java.security.UnrecoverableKeyException; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 50 | import java.security.cert.Certificate; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 51 | import java.security.cert.CertificateException; |
| 52 | import java.security.cert.CertificateFactory; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 53 | import java.security.cert.X509Certificate; |
Rubin Xu | b436591 | 2016-03-23 12:13:22 +0000 | [diff] [blame] | 54 | import java.util.ArrayList; |
| 55 | import java.util.Collection; |
Brian Carlstrom | db93b78 | 2011-07-01 00:12:17 -0700 | [diff] [blame] | 56 | import java.util.List; |
Kenny Root | b91773b | 2013-09-05 13:03:16 -0700 | [diff] [blame] | 57 | import java.util.Locale; |
Robert Horvath | 54c9439 | 2019-11-14 11:42:09 +0100 | [diff] [blame^] | 58 | import java.util.concurrent.CountDownLatch; |
| 59 | import java.util.concurrent.atomic.AtomicReference; |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 60 | |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 61 | import javax.security.auth.x500.X500Principal; |
| 62 | |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 63 | /** |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 64 | * The {@code KeyChain} class provides access to private keys and |
| 65 | * their corresponding certificate chains in credential storage. |
| 66 | * |
| 67 | * <p>Applications accessing the {@code KeyChain} normally go through |
| 68 | * these steps: |
| 69 | * |
| 70 | * <ol> |
| 71 | * |
| 72 | * <li>Receive a callback from an {@link javax.net.ssl.X509KeyManager |
| 73 | * X509KeyManager} that a private key is requested. |
| 74 | * |
| 75 | * <li>Call {@link #choosePrivateKeyAlias |
| 76 | * choosePrivateKeyAlias} to allow the user to select from a |
| 77 | * list of currently available private keys and corresponding |
| 78 | * certificate chains. The chosen alias will be returned by the |
| 79 | * callback {@link KeyChainAliasCallback#alias}, or null if no private |
| 80 | * key is available or the user cancels the request. |
| 81 | * |
| 82 | * <li>Call {@link #getPrivateKey} and {@link #getCertificateChain} to |
| 83 | * retrieve the credentials to return to the corresponding {@link |
| 84 | * javax.net.ssl.X509KeyManager} callbacks. |
| 85 | * |
| 86 | * </ol> |
| 87 | * |
| 88 | * <p>An application may remember the value of a selected alias to |
| 89 | * avoid prompting the user with {@link #choosePrivateKeyAlias |
| 90 | * choosePrivateKeyAlias} on subsequent connections. If the alias is |
| 91 | * no longer valid, null will be returned on lookups using that value |
Brian Carlstrom | ca43c45 | 2011-06-29 18:53:17 -0700 | [diff] [blame] | 92 | * |
| 93 | * <p>An application can request the installation of private keys and |
| 94 | * certificates via the {@code Intent} provided by {@link |
| 95 | * #createInstallIntent}. Private keys installed via this {@code |
| 96 | * Intent} will be accessible via {@link #choosePrivateKeyAlias} while |
| 97 | * Certificate Authority (CA) certificates will be trusted by all |
| 98 | * applications through the default {@code X509TrustManager}. |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 99 | */ |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 100 | // TODO reference intent for credential installation when public |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 101 | public final class KeyChain { |
| 102 | |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 103 | /** |
| 104 | * @hide Also used by KeyChainService implementation |
| 105 | */ |
| 106 | public static final String ACCOUNT_TYPE = "com.android.keychain"; |
| 107 | |
| 108 | /** |
Kenny Root | a365906 | 2014-03-17 16:21:53 -0700 | [diff] [blame] | 109 | * Package name for KeyChain chooser. |
| 110 | */ |
| 111 | private static final String KEYCHAIN_PACKAGE = "com.android.keychain"; |
| 112 | |
| 113 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 114 | * Action to bring up the KeyChainActivity |
| 115 | */ |
| 116 | private static final String ACTION_CHOOSER = "com.android.keychain.CHOOSER"; |
| 117 | |
| 118 | /** |
Kenny Root | 1a88d83 | 2014-02-07 09:12:48 -0800 | [diff] [blame] | 119 | * Package name for the Certificate Installer. |
| 120 | */ |
| 121 | private static final String CERT_INSTALLER_PACKAGE = "com.android.certinstaller"; |
| 122 | |
| 123 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 124 | * Extra for use with {@link #ACTION_CHOOSER} |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 125 | * @hide Also used by KeyChainActivity implementation |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 126 | */ |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 127 | public static final String EXTRA_RESPONSE = "response"; |
| 128 | |
| 129 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 130 | * Extra for use with {@link #ACTION_CHOOSER} |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 131 | * @hide Also used by KeyChainActivity implementation |
| 132 | */ |
Robin Lee | 39087b1 | 2015-05-05 15:57:17 +0100 | [diff] [blame] | 133 | public static final String EXTRA_URI = "uri"; |
Robin Lee | 3798ed5 | 2015-02-03 17:55:31 +0000 | [diff] [blame] | 134 | |
| 135 | /** |
| 136 | * Extra for use with {@link #ACTION_CHOOSER} |
| 137 | * @hide Also used by KeyChainActivity implementation |
| 138 | */ |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 139 | public static final String EXTRA_ALIAS = "alias"; |
| 140 | |
| 141 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 142 | * Extra for use with {@link #ACTION_CHOOSER} |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 143 | * @hide Also used by KeyChainActivity implementation |
| 144 | */ |
| 145 | public static final String EXTRA_SENDER = "sender"; |
| 146 | |
| 147 | /** |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 148 | * Extra for use with {@link #ACTION_CHOOSER} |
| 149 | * @hide Also used by KeyChainActivity implementation |
| 150 | */ |
| 151 | public static final String EXTRA_KEY_TYPES = "key_types"; |
| 152 | |
| 153 | /** |
| 154 | * Extra for use with {@link #ACTION_CHOOSER} |
| 155 | * @hide Also used by KeyChainActivity implementation |
| 156 | */ |
| 157 | public static final String EXTRA_ISSUERS = "issuers"; |
| 158 | |
| 159 | /** |
Selim Gurun | 93ba4fe | 2012-02-14 11:48:49 -0800 | [diff] [blame] | 160 | * Action to bring up the CertInstaller. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 161 | */ |
| 162 | private static final String ACTION_INSTALL = "android.credentials.INSTALL"; |
| 163 | |
| 164 | /** |
| 165 | * Optional extra to specify a {@code String} credential name on |
| 166 | * the {@code Intent} returned by {@link #createInstallIntent}. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 167 | */ |
| 168 | // Compatible with old com.android.certinstaller.CredentialHelper.CERT_NAME_KEY |
| 169 | public static final String EXTRA_NAME = "name"; |
| 170 | |
| 171 | /** |
| 172 | * Optional extra to specify an X.509 certificate to install on |
| 173 | * the {@code Intent} returned by {@link #createInstallIntent}. |
| 174 | * The extra value should be a PEM or ASN.1 DER encoded {@code |
| 175 | * byte[]}. An {@link X509Certificate} can be converted to DER |
| 176 | * encoded bytes with {@link X509Certificate#getEncoded}. |
| 177 | * |
| 178 | * <p>{@link #EXTRA_NAME} may be used to provide a default alias |
| 179 | * name for the installed certificate. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 180 | */ |
| 181 | // Compatible with old android.security.Credentials.CERTIFICATE |
| 182 | public static final String EXTRA_CERTIFICATE = "CERT"; |
| 183 | |
| 184 | /** |
| 185 | * Optional extra for use with the {@code Intent} returned by |
| 186 | * {@link #createInstallIntent} to specify a PKCS#12 key store to |
| 187 | * install. The extra value should be a {@code byte[]}. The bytes |
| 188 | * may come from an external source or be generated with {@link |
Brian Carlstrom | ca43c45 | 2011-06-29 18:53:17 -0700 | [diff] [blame] | 189 | * java.security.KeyStore#store} on a "PKCS12" instance. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 190 | * |
| 191 | * <p>The user will be prompted for the password to load the key store. |
| 192 | * |
| 193 | * <p>The key store will be scanned for {@link |
| 194 | * java.security.KeyStore.PrivateKeyEntry} entries and both the |
| 195 | * private key and associated certificate chain will be installed. |
| 196 | * |
| 197 | * <p>{@link #EXTRA_NAME} may be used to provide a default alias |
| 198 | * name for the installed credentials. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 199 | */ |
| 200 | // Compatible with old android.security.Credentials.PKCS12 |
| 201 | public static final String EXTRA_PKCS12 = "PKCS12"; |
| 202 | |
Selim Gurun | 93ba4fe | 2012-02-14 11:48:49 -0800 | [diff] [blame] | 203 | /** |
Selim Gurun | 93ba4fe | 2012-02-14 11:48:49 -0800 | [diff] [blame] | 204 | * Broadcast Action: Indicates the trusted storage has changed. Sent when |
| 205 | * one of this happens: |
| 206 | * |
| 207 | * <ul> |
| 208 | * <li>a new CA is added, |
| 209 | * <li>an existing CA is removed or disabled, |
| 210 | * <li>a disabled CA is enabled, |
| 211 | * <li>trusted storage is reset (all user certs are cleared), |
| 212 | * <li>when permission to access a private key is changed. |
| 213 | * </ul> |
Chad Brubaker | 4de59ef | 2016-05-02 13:17:31 -0700 | [diff] [blame] | 214 | * |
Chad Brubaker | dbf01c1 | 2016-07-25 14:54:39 -0700 | [diff] [blame] | 215 | * @deprecated Use {@link #ACTION_KEYCHAIN_CHANGED}, {@link #ACTION_TRUST_STORE_CHANGED} or |
Chad Brubaker | 721afae | 2016-07-08 11:06:09 -0700 | [diff] [blame] | 216 | * {@link #ACTION_KEY_ACCESS_CHANGED}. Apps that target a version higher than |
Eran Messeri | 55b8d08 | 2019-01-31 16:25:52 +0000 | [diff] [blame] | 217 | * {@link android.os.Build.VERSION_CODES#N_MR1} will only receive this broadcast if they |
| 218 | * register for it at runtime. |
Selim Gurun | 93ba4fe | 2012-02-14 11:48:49 -0800 | [diff] [blame] | 219 | */ |
Jeff Sharkey | 0f3f60b | 2017-04-24 18:06:20 -0600 | [diff] [blame] | 220 | @SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION) |
Selim Gurun | 93ba4fe | 2012-02-14 11:48:49 -0800 | [diff] [blame] | 221 | public static final String ACTION_STORAGE_CHANGED = "android.security.STORAGE_CHANGED"; |
| 222 | |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 223 | /** |
Chad Brubaker | 4de59ef | 2016-05-02 13:17:31 -0700 | [diff] [blame] | 224 | * Broadcast Action: Indicates the contents of the keychain has changed. Sent when a KeyChain |
| 225 | * entry is added, modified or removed. |
| 226 | */ |
Jeff Sharkey | 0f3f60b | 2017-04-24 18:06:20 -0600 | [diff] [blame] | 227 | @SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION) |
Chad Brubaker | 4de59ef | 2016-05-02 13:17:31 -0700 | [diff] [blame] | 228 | public static final String ACTION_KEYCHAIN_CHANGED = "android.security.action.KEYCHAIN_CHANGED"; |
| 229 | |
| 230 | /** |
| 231 | * Broadcast Action: Indicates the contents of the trusted certificate store has changed. Sent |
| 232 | * when one the following occurs: |
| 233 | * |
| 234 | * <ul> |
| 235 | * <li>A pre-installed CA is disabled or re-enabled</li> |
| 236 | * <li>A CA is added or removed from the trust store</li> |
| 237 | * </ul> |
| 238 | */ |
Jeff Sharkey | 0f3f60b | 2017-04-24 18:06:20 -0600 | [diff] [blame] | 239 | @SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION) |
Chad Brubaker | 4de59ef | 2016-05-02 13:17:31 -0700 | [diff] [blame] | 240 | public static final String ACTION_TRUST_STORE_CHANGED = |
| 241 | "android.security.action.TRUST_STORE_CHANGED"; |
| 242 | |
| 243 | /** |
| 244 | * Broadcast Action: Indicates that the access permissions for a private key have changed. |
| 245 | * |
| 246 | */ |
Jeff Sharkey | 0f3f60b | 2017-04-24 18:06:20 -0600 | [diff] [blame] | 247 | @SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION) |
Chad Brubaker | 4de59ef | 2016-05-02 13:17:31 -0700 | [diff] [blame] | 248 | public static final String ACTION_KEY_ACCESS_CHANGED = |
| 249 | "android.security.action.KEY_ACCESS_CHANGED"; |
| 250 | |
| 251 | /** |
| 252 | * Used as a String extra field in {@link #ACTION_KEY_ACCESS_CHANGED} to supply the alias of |
| 253 | * the key. |
| 254 | */ |
| 255 | public static final String EXTRA_KEY_ALIAS = "android.security.extra.KEY_ALIAS"; |
| 256 | |
| 257 | /** |
| 258 | * Used as a boolean extra field in {@link #ACTION_KEY_ACCESS_CHANGED} to supply if the key is |
| 259 | * accessible to the application. |
| 260 | */ |
| 261 | public static final String EXTRA_KEY_ACCESSIBLE = "android.security.extra.KEY_ACCESSIBLE"; |
| 262 | |
| 263 | /** |
Eran Messeri | 6169239 | 2018-03-26 16:43:14 +0100 | [diff] [blame] | 264 | * Indicates that a call to {@link #generateKeyPair} was successful. |
| 265 | * @hide |
| 266 | */ |
| 267 | public static final int KEY_GEN_SUCCESS = 0; |
| 268 | |
| 269 | /** |
| 270 | * An alias was missing from the key specifications when calling {@link #generateKeyPair}. |
| 271 | * @hide |
| 272 | */ |
| 273 | public static final int KEY_GEN_MISSING_ALIAS = 1; |
| 274 | |
| 275 | /** |
| 276 | * A key attestation challenge was provided to {@link #generateKeyPair}, but it shouldn't |
| 277 | * have been provided. |
| 278 | * @hide |
| 279 | */ |
| 280 | public static final int KEY_GEN_SUPERFLUOUS_ATTESTATION_CHALLENGE = 2; |
| 281 | |
| 282 | /** |
| 283 | * Algorithm not supported by {@link #generateKeyPair} |
| 284 | * @hide |
| 285 | */ |
| 286 | public static final int KEY_GEN_NO_SUCH_ALGORITHM = 3; |
| 287 | |
| 288 | /** |
| 289 | * Invalid algorithm parameters when calling {@link #generateKeyPair} |
| 290 | * @hide |
| 291 | */ |
| 292 | public static final int KEY_GEN_INVALID_ALGORITHM_PARAMETERS = 4; |
| 293 | |
| 294 | /** |
| 295 | * Keystore is not available when calling {@link #generateKeyPair} |
| 296 | * @hide |
| 297 | */ |
| 298 | public static final int KEY_GEN_NO_KEYSTORE_PROVIDER = 5; |
| 299 | |
| 300 | /** |
Eran Messeri | 607a995 | 2018-07-09 17:58:26 +0100 | [diff] [blame] | 301 | * StrongBox unavailable when calling {@link #generateKeyPair} |
| 302 | * @hide |
| 303 | */ |
| 304 | public static final int KEY_GEN_STRONGBOX_UNAVAILABLE = 6; |
| 305 | |
| 306 | /** |
Eran Messeri | 6169239 | 2018-03-26 16:43:14 +0100 | [diff] [blame] | 307 | * General failure while calling {@link #generateKeyPair} |
| 308 | * @hide |
| 309 | */ |
Eran Messeri | 607a995 | 2018-07-09 17:58:26 +0100 | [diff] [blame] | 310 | public static final int KEY_GEN_FAILURE = 7; |
Eran Messeri | 6169239 | 2018-03-26 16:43:14 +0100 | [diff] [blame] | 311 | |
| 312 | /** |
| 313 | * Successful call to {@link #attestKey} |
| 314 | * @hide |
| 315 | */ |
| 316 | public static final int KEY_ATTESTATION_SUCCESS = 0; |
| 317 | |
| 318 | /** |
| 319 | * Attestation challenge missing when calling {@link #attestKey} |
| 320 | * @hide |
| 321 | */ |
| 322 | public static final int KEY_ATTESTATION_MISSING_CHALLENGE = 1; |
| 323 | |
| 324 | /** |
| 325 | * The caller requested Device ID attestation when calling {@link #attestKey}, but has no |
| 326 | * permissions to get device identifiers. |
| 327 | * @hide |
| 328 | */ |
| 329 | public static final int KEY_ATTESTATION_CANNOT_COLLECT_DATA = 2; |
| 330 | |
| 331 | /** |
| 332 | * The underlying hardware does not support Device ID attestation or cannot attest to the |
| 333 | * identifiers that are stored on the device. This indicates permanent inability |
| 334 | * to get attestation records on the device. |
| 335 | * @hide |
| 336 | */ |
| 337 | public static final int KEY_ATTESTATION_CANNOT_ATTEST_IDS = 3; |
| 338 | |
| 339 | /** |
| 340 | * General failure when calling {@link #attestKey} |
| 341 | * @hide |
| 342 | */ |
| 343 | public static final int KEY_ATTESTATION_FAILURE = 4; |
| 344 | |
| 345 | /** |
Polina Bondarenko | a75bf0c | 2019-09-20 14:29:15 +0200 | [diff] [blame] | 346 | * Used by DPC or delegated app in |
| 347 | * {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias} or |
| 348 | * {@link android.app.admin.DelegatedAdminReceiver#onChoosePrivateKeyAlias} to identify that |
| 349 | * the requesting app is not granted access to any key, and nor will the user be able to grant |
| 350 | * access manually. |
| 351 | */ |
| 352 | public static final String KEY_ALIAS_SELECTION_DENIED = |
Polina Bondarenko | ecc2cde | 2019-10-16 11:53:36 +0200 | [diff] [blame] | 353 | "android:alias-selection-denied"; |
Polina Bondarenko | a75bf0c | 2019-09-20 14:29:15 +0200 | [diff] [blame] | 354 | |
| 355 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 356 | * Returns an {@code Intent} that can be used for credential |
| 357 | * installation. The intent may be used without any extras, in |
| 358 | * which case the user will be able to install credentials from |
| 359 | * their own source. |
| 360 | * |
| 361 | * <p>Alternatively, {@link #EXTRA_CERTIFICATE} or {@link |
| 362 | * #EXTRA_PKCS12} maybe used to specify the bytes of an X.509 |
| 363 | * certificate or a PKCS#12 key store for installation. These |
Brian Carlstrom | ca43c45 | 2011-06-29 18:53:17 -0700 | [diff] [blame] | 364 | * extras may be combined with {@link #EXTRA_NAME} to provide a |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 365 | * default alias name for credentials being installed. |
| 366 | * |
| 367 | * <p>When used with {@link Activity#startActivityForResult}, |
| 368 | * {@link Activity#RESULT_OK} will be returned if a credential was |
| 369 | * successfully installed, otherwise {@link |
| 370 | * Activity#RESULT_CANCELED} will be returned. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 371 | */ |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 372 | @NonNull |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 373 | public static Intent createInstallIntent() { |
| 374 | Intent intent = new Intent(ACTION_INSTALL); |
Kenny Root | 1a88d83 | 2014-02-07 09:12:48 -0800 | [diff] [blame] | 375 | intent.setClassName(CERT_INSTALLER_PACKAGE, |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 376 | "com.android.certinstaller.CertInstallerMain"); |
| 377 | return intent; |
| 378 | } |
| 379 | |
| 380 | /** |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 381 | * Launches an {@code Activity} for the user to select the alias |
| 382 | * for a private key and certificate pair for authentication. The |
| 383 | * selected alias or null will be returned via the |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 384 | * KeyChainAliasCallback callback. |
| 385 | * |
Eran Messeri | 0bc50f9 | 2018-06-01 16:03:39 +0100 | [diff] [blame] | 386 | * <p>A device policy controller (as a device or profile owner) can |
| 387 | * intercept the request before the activity is shown, to pick a |
| 388 | * specific private key alias by implementing |
| 389 | * {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias |
| 390 | * onChoosePrivateKeyAlias}. |
Robin Lee | 3798ed5 | 2015-02-03 17:55:31 +0000 | [diff] [blame] | 391 | * |
| 392 | * <p>{@code keyTypes} and {@code issuers} may be used to |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 393 | * narrow down suggested choices to the user. If either {@code keyTypes} |
| 394 | * or {@code issuers} is specified and non-empty, and there are no |
| 395 | * matching certificates in the KeyChain, then the certificate |
| 396 | * selection prompt would be suppressed entirely. |
Robin Lee | 3798ed5 | 2015-02-03 17:55:31 +0000 | [diff] [blame] | 397 | * |
| 398 | * <p>{@code host} and {@code port} may be used to give the user |
| 399 | * more context about the server requesting the credentials. |
| 400 | * |
Eran Messeri | 0bc50f9 | 2018-06-01 16:03:39 +0100 | [diff] [blame] | 401 | * <p>{@code alias} allows the caller to preselect an existing |
Robin Lee | 3798ed5 | 2015-02-03 17:55:31 +0000 | [diff] [blame] | 402 | * alias which will still be subject to user confirmation. |
| 403 | * |
| 404 | * @param activity The {@link Activity} context to use for |
| 405 | * launching the new sub-Activity to prompt the user to select |
| 406 | * a private key; used only to call startActivity(); must not |
| 407 | * be null. |
| 408 | * @param response Callback to invoke when the request completes; |
Mike Harris | cd0eb71 | 2018-04-26 15:20:10 -0700 | [diff] [blame] | 409 | * must not be null. |
Robin Lee | 3798ed5 | 2015-02-03 17:55:31 +0000 | [diff] [blame] | 410 | * @param keyTypes The acceptable types of asymmetric keys such as |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 411 | * "RSA", "EC" or null. |
Robin Lee | 3798ed5 | 2015-02-03 17:55:31 +0000 | [diff] [blame] | 412 | * @param issuers The acceptable certificate issuers for the |
| 413 | * certificate matching the private key, or null. |
| 414 | * @param host The host name of the server requesting the |
| 415 | * certificate, or null if unavailable. |
| 416 | * @param port The port number of the server requesting the |
| 417 | * certificate, or -1 if unavailable. |
| 418 | * @param alias The alias to preselect if available, or null if |
| 419 | * unavailable. |
| 420 | */ |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 421 | public static void choosePrivateKeyAlias(@NonNull Activity activity, |
| 422 | @NonNull KeyChainAliasCallback response, |
Mike Harris | cd0eb71 | 2018-04-26 15:20:10 -0700 | [diff] [blame] | 423 | @Nullable @KeyProperties.KeyAlgorithmEnum String[] keyTypes, |
| 424 | @Nullable Principal[] issuers, |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 425 | @Nullable String host, int port, @Nullable String alias) { |
Robin Lee | 39087b1 | 2015-05-05 15:57:17 +0100 | [diff] [blame] | 426 | Uri uri = null; |
| 427 | if (host != null) { |
| 428 | uri = new Uri.Builder() |
| 429 | .authority(host + (port != -1 ? ":" + port : "")) |
| 430 | .build(); |
| 431 | } |
| 432 | choosePrivateKeyAlias(activity, response, keyTypes, issuers, uri, alias); |
Robin Lee | 3798ed5 | 2015-02-03 17:55:31 +0000 | [diff] [blame] | 433 | } |
| 434 | |
| 435 | /** |
| 436 | * Launches an {@code Activity} for the user to select the alias |
| 437 | * for a private key and certificate pair for authentication. The |
| 438 | * selected alias or null will be returned via the |
| 439 | * KeyChainAliasCallback callback. |
| 440 | * |
Eran Messeri | 0bc50f9 | 2018-06-01 16:03:39 +0100 | [diff] [blame] | 441 | * <p>A device policy controller (as a device or profile owner) can |
| 442 | * intercept the request before the activity is shown, to pick a |
| 443 | * specific private key alias by implementing |
| 444 | * {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias |
| 445 | * onChoosePrivateKeyAlias}. |
Robin Lee | 3798ed5 | 2015-02-03 17:55:31 +0000 | [diff] [blame] | 446 | * |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 447 | * <p>{@code keyTypes} and {@code issuers} may be used to |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 448 | * narrow down suggested choices to the user. If either {@code keyTypes} |
| 449 | * or {@code issuers} is specified and non-empty, and there are no |
| 450 | * matching certificates in the KeyChain, then the certificate |
| 451 | * selection prompt would be suppressed entirely. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 452 | * |
Eran Messeri | 0bc50f9 | 2018-06-01 16:03:39 +0100 | [diff] [blame] | 453 | * <p>{@code uri} may be used to give the user more context about |
| 454 | * the server requesting the credentials. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 455 | * |
Eran Messeri | 0bc50f9 | 2018-06-01 16:03:39 +0100 | [diff] [blame] | 456 | * <p>{@code alias} allows the caller to preselect an existing |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 457 | * alias which will still be subject to user confirmation. |
| 458 | * |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 459 | * @param activity The {@link Activity} context to use for |
| 460 | * launching the new sub-Activity to prompt the user to select |
| 461 | * a private key; used only to call startActivity(); must not |
| 462 | * be null. |
| 463 | * @param response Callback to invoke when the request completes; |
Mike Harris | cd0eb71 | 2018-04-26 15:20:10 -0700 | [diff] [blame] | 464 | * must not be null. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 465 | * @param keyTypes The acceptable types of asymmetric keys such as |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 466 | * "RSA", "EC" or null. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 467 | * @param issuers The acceptable certificate issuers for the |
| 468 | * certificate matching the private key, or null. |
Robin Lee | 39087b1 | 2015-05-05 15:57:17 +0100 | [diff] [blame] | 469 | * @param uri The full URI the server is requesting the certificate |
Robin Lee | 3798ed5 | 2015-02-03 17:55:31 +0000 | [diff] [blame] | 470 | * for, or null if unavailable. |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 471 | * @param alias The alias to preselect if available, or null if |
| 472 | * unavailable. |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 473 | * @throws IllegalArgumentException if the specified issuers are not |
| 474 | * of type {@code X500Principal}. |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 475 | */ |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 476 | public static void choosePrivateKeyAlias(@NonNull Activity activity, |
| 477 | @NonNull KeyChainAliasCallback response, |
Mike Harris | cd0eb71 | 2018-04-26 15:20:10 -0700 | [diff] [blame] | 478 | @Nullable @KeyProperties.KeyAlgorithmEnum String[] keyTypes, |
| 479 | @Nullable Principal[] issuers, |
Robin Lee | 39087b1 | 2015-05-05 15:57:17 +0100 | [diff] [blame] | 480 | @Nullable Uri uri, @Nullable String alias) { |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 481 | /* |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 482 | * Specifying keyTypes excludes certificates with different key types |
| 483 | * from the list of certificates presented to the user. |
| 484 | * In practice today, most servers would require RSA or EC |
| 485 | * certificates. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 486 | * |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 487 | * Specifying issuers narrows down the list by filtering out |
| 488 | * certificates with issuers which are not matching the provided ones. |
| 489 | * This has been reported to Chrome several times (crbug.com/731769). |
| 490 | * There's no concrete description on what to do when the client has no |
| 491 | * certificates that match the provided issuers. |
| 492 | * To be conservative, Android will not present the user with any |
| 493 | * certificates to choose from. |
| 494 | * If the list of issuers is empty then the client may send any |
| 495 | * certificate, see: |
| 496 | * https://tools.ietf.org/html/rfc5246#section-7.4.4 |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 497 | */ |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 498 | if (activity == null) { |
| 499 | throw new NullPointerException("activity == null"); |
| 500 | } |
| 501 | if (response == null) { |
| 502 | throw new NullPointerException("response == null"); |
| 503 | } |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 504 | Intent intent = new Intent(ACTION_CHOOSER); |
Kenny Root | a365906 | 2014-03-17 16:21:53 -0700 | [diff] [blame] | 505 | intent.setPackage(KEYCHAIN_PACKAGE); |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 506 | intent.putExtra(EXTRA_RESPONSE, new AliasResponse(response)); |
Robin Lee | 39087b1 | 2015-05-05 15:57:17 +0100 | [diff] [blame] | 507 | intent.putExtra(EXTRA_URI, uri); |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 508 | intent.putExtra(EXTRA_ALIAS, alias); |
Eran Messeri | 9ccec4d | 2018-08-24 15:29:05 +0100 | [diff] [blame] | 509 | intent.putExtra(EXTRA_KEY_TYPES, keyTypes); |
| 510 | ArrayList<byte[]> issuersList = new ArrayList(); |
| 511 | if (issuers != null) { |
| 512 | for (Principal issuer: issuers) { |
| 513 | // In a TLS client context (like Chrome), issuers would only |
| 514 | // be specified as X500Principals. No other use cases for |
| 515 | // specifying principals have been brought up. Under these |
| 516 | // circumstances, only allow issuers specified as |
| 517 | // X500Principals. |
| 518 | if (!(issuer instanceof X500Principal)) { |
| 519 | throw new IllegalArgumentException(String.format( |
| 520 | "Issuer %s is of type %s, not X500Principal", |
| 521 | issuer.toString(), issuer.getClass())); |
| 522 | } |
| 523 | // Pass the DER-encoded issuer as that's the most accurate |
| 524 | // representation and what is sent over the wire. |
| 525 | issuersList.add(((X500Principal) issuer).getEncoded()); |
| 526 | } |
| 527 | } |
| 528 | intent.putExtra(EXTRA_ISSUERS, (Serializable) issuersList); |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 529 | // the PendingIntent is used to get calling package name |
| 530 | intent.putExtra(EXTRA_SENDER, PendingIntent.getActivity(activity, 0, new Intent(), 0)); |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 531 | activity.startActivity(intent); |
| 532 | } |
| 533 | |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 534 | private static class AliasResponse extends IKeyChainAliasCallback.Stub { |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 535 | private final KeyChainAliasCallback keyChainAliasResponse; |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 536 | private AliasResponse(KeyChainAliasCallback keyChainAliasResponse) { |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 537 | this.keyChainAliasResponse = keyChainAliasResponse; |
| 538 | } |
| 539 | @Override public void alias(String alias) { |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 540 | keyChainAliasResponse.alias(alias); |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 541 | } |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 542 | } |
| 543 | |
| 544 | /** |
Eran Messeri | 55b8d08 | 2019-01-31 16:25:52 +0000 | [diff] [blame] | 545 | * Returns the {@code PrivateKey} for the requested alias, or null if the alias does not exist |
| 546 | * or the caller has no permission to access it (see note on exceptions below). |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 547 | * |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 548 | * <p> This method may block while waiting for a connection to another process, and must never |
| 549 | * be called from the main thread. |
Robin Lee | da23618 | 2016-08-12 12:46:28 +0100 | [diff] [blame] | 550 | * <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed |
| 551 | * at any time from the main thread, it is safer to rely on a long-lived context such as one |
| 552 | * returned from {@link Context#getApplicationContext()}. |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 553 | * |
Eran Messeri | 55b8d08 | 2019-01-31 16:25:52 +0000 | [diff] [blame] | 554 | * <p> If the caller provides a valid alias to which it was not granted access, then the |
| 555 | * caller must invoke {@link #choosePrivateKeyAlias} again to get another valid alias |
| 556 | * or a grant to access the same alias. |
| 557 | * <p>On Android versions prior to Q, when a key associated with the specified alias is |
| 558 | * unavailable, the method will throw a {@code KeyChainException} rather than return null. |
| 559 | * If the exception's cause (as obtained by calling {@code KeyChainException.getCause()}) |
| 560 | * is a throwable of type {@code IllegalStateException} then the caller lacks a grant |
| 561 | * to access the key and certificates associated with this alias. |
| 562 | * |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 563 | * @param alias The alias of the desired private key, typically returned via |
| 564 | * {@link KeyChainAliasCallback#alias}. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 565 | * @throws KeyChainException if the alias was valid but there was some problem accessing it. |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 566 | * @throws IllegalStateException if called from the main thread. |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 567 | */ |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 568 | @Nullable @WorkerThread |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 569 | public static PrivateKey getPrivateKey(@NonNull Context context, @NonNull String alias) |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 570 | throws KeyChainException, InterruptedException { |
Eran Messeri | 23c438d | 2017-11-23 17:20:52 +0000 | [diff] [blame] | 571 | KeyPair keyPair = getKeyPair(context, alias); |
| 572 | if (keyPair != null) { |
| 573 | return keyPair.getPrivate(); |
| 574 | } |
| 575 | |
| 576 | return null; |
| 577 | } |
| 578 | |
| 579 | /** @hide */ |
| 580 | @Nullable @WorkerThread |
| 581 | public static KeyPair getKeyPair(@NonNull Context context, @NonNull String alias) |
| 582 | throws KeyChainException, InterruptedException { |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 583 | if (alias == null) { |
| 584 | throw new NullPointerException("alias == null"); |
| 585 | } |
Shawn Willden | dea6614 | 2016-11-16 06:01:06 -0700 | [diff] [blame] | 586 | if (context == null) { |
| 587 | throw new NullPointerException("context == null"); |
| 588 | } |
Robin Lee | 28d68b1 | 2016-07-22 16:32:32 +0100 | [diff] [blame] | 589 | |
| 590 | final String keyId; |
| 591 | try (KeyChainConnection keyChainConnection = bind(context.getApplicationContext())) { |
| 592 | keyId = keyChainConnection.getService().requestPrivateKey(alias); |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 593 | } catch (RemoteException e) { |
| 594 | throw new KeyChainException(e); |
| 595 | } catch (RuntimeException e) { |
| 596 | // only certain RuntimeExceptions can be propagated across the IKeyChainService call |
| 597 | throw new KeyChainException(e); |
Robin Lee | 28d68b1 | 2016-07-22 16:32:32 +0100 | [diff] [blame] | 598 | } |
| 599 | |
| 600 | if (keyId == null) { |
| 601 | return null; |
| 602 | } else { |
| 603 | try { |
Eran Messeri | 23c438d | 2017-11-23 17:20:52 +0000 | [diff] [blame] | 604 | return AndroidKeyStoreProvider.loadAndroidKeyStoreKeyPairFromKeystore( |
Robin Lee | 28d68b1 | 2016-07-22 16:32:32 +0100 | [diff] [blame] | 605 | KeyStore.getInstance(), keyId, KeyStore.UID_SELF); |
Max Bires | 13f98ce | 2018-11-02 10:50:40 -0700 | [diff] [blame] | 606 | } catch (RuntimeException | UnrecoverableKeyException | KeyPermanentlyInvalidatedException e) { |
Robin Lee | 28d68b1 | 2016-07-22 16:32:32 +0100 | [diff] [blame] | 607 | throw new KeyChainException(e); |
| 608 | } |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 609 | } |
| 610 | } |
| 611 | |
| 612 | /** |
Eran Messeri | 55b8d08 | 2019-01-31 16:25:52 +0000 | [diff] [blame] | 613 | * Returns the {@code X509Certificate} chain for the requested alias, or null if the alias |
| 614 | * does not exist or the caller has no permission to access it (see note on exceptions |
| 615 | * in {@link #getPrivateKey}). |
| 616 | * |
Rubin Xu | b436591 | 2016-03-23 12:13:22 +0000 | [diff] [blame] | 617 | * <p> |
| 618 | * <strong>Note:</strong> If a certificate chain was explicitly specified when the alias was |
| 619 | * installed, this method will return that chain. If only the client certificate was specified |
| 620 | * at the installation time, this method will try to build a certificate chain using all |
| 621 | * available trust anchors (preinstalled and user-added). |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 622 | * |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 623 | * <p> This method may block while waiting for a connection to another process, and must never |
| 624 | * be called from the main thread. |
Robin Lee | da23618 | 2016-08-12 12:46:28 +0100 | [diff] [blame] | 625 | * <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed |
| 626 | * at any time from the main thread, it is safer to rely on a long-lived context such as one |
| 627 | * returned from {@link Context#getApplicationContext()}. |
Eran Messeri | 55b8d08 | 2019-01-31 16:25:52 +0000 | [diff] [blame] | 628 | * <p> In case the caller specifies an alias for which it lacks a grant, it must call |
| 629 | * {@link #choosePrivateKeyAlias} again. See {@link #getPrivateKey} for more details on |
| 630 | * coping with this scenario. |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 631 | * |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 632 | * @param alias The alias of the desired certificate chain, typically |
| 633 | * returned via {@link KeyChainAliasCallback#alias}. |
| 634 | * @throws KeyChainException if the alias was valid but there was some problem accessing it. |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 635 | * @throws IllegalStateException if called from the main thread. |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 636 | */ |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 637 | @Nullable @WorkerThread |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 638 | public static X509Certificate[] getCertificateChain(@NonNull Context context, |
| 639 | @NonNull String alias) throws KeyChainException, InterruptedException { |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 640 | if (alias == null) { |
| 641 | throw new NullPointerException("alias == null"); |
| 642 | } |
Kenny Root | 0150e48 | 2013-02-13 15:22:50 -0800 | [diff] [blame] | 643 | |
Robin Lee | 28d68b1 | 2016-07-22 16:32:32 +0100 | [diff] [blame] | 644 | final byte[] certificateBytes; |
| 645 | final byte[] certChainBytes; |
| 646 | try (KeyChainConnection keyChainConnection = bind(context.getApplicationContext())) { |
| 647 | IKeyChainService keyChainService = keyChainConnection.getService(); |
| 648 | certificateBytes = keyChainService.getCertificate(alias); |
Kenny Root | 0150e48 | 2013-02-13 15:22:50 -0800 | [diff] [blame] | 649 | if (certificateBytes == null) { |
| 650 | return null; |
| 651 | } |
Robin Lee | 28d68b1 | 2016-07-22 16:32:32 +0100 | [diff] [blame] | 652 | certChainBytes = keyChainService.getCaCertificates(alias); |
| 653 | } catch (RemoteException e) { |
| 654 | throw new KeyChainException(e); |
| 655 | } catch (RuntimeException e) { |
| 656 | // only certain RuntimeExceptions can be propagated across the IKeyChainService call |
| 657 | throw new KeyChainException(e); |
| 658 | } |
| 659 | |
| 660 | try { |
Rubin Xu | b436591 | 2016-03-23 12:13:22 +0000 | [diff] [blame] | 661 | X509Certificate leafCert = toCertificate(certificateBytes); |
Rubin Xu | b436591 | 2016-03-23 12:13:22 +0000 | [diff] [blame] | 662 | // If the keypair is installed with a certificate chain by either |
| 663 | // DevicePolicyManager.installKeyPair or CertInstaller, return that chain. |
| 664 | if (certChainBytes != null && certChainBytes.length != 0) { |
| 665 | Collection<X509Certificate> chain = toCertificates(certChainBytes); |
| 666 | ArrayList<X509Certificate> fullChain = new ArrayList<>(chain.size() + 1); |
| 667 | fullChain.add(leafCert); |
| 668 | fullChain.addAll(chain); |
| 669 | return fullChain.toArray(new X509Certificate[fullChain.size()]); |
| 670 | } else { |
| 671 | // If there isn't a certificate chain, either due to a pre-existing keypair |
| 672 | // installed before N, or no chain is explicitly installed under the new logic, |
| 673 | // fall back to old behavior of constructing the chain from trusted credentials. |
| 674 | // |
| 675 | // This logic exists to maintain old behaviour for already installed keypair, at |
| 676 | // the cost of potentially returning extra certificate chain for new clients who |
| 677 | // explicitly installed only the client certificate without a chain. The latter |
| 678 | // case is actually no different from pre-N behaviour of getCertificateChain(), |
| 679 | // in that sense this change introduces no regression. Besides the returned chain |
| 680 | // is still valid so the consumer of the chain should have no problem verifying it. |
| 681 | TrustedCertificateStore store = new TrustedCertificateStore(); |
| 682 | List<X509Certificate> chain = store.getCertificateChain(leafCert); |
| 683 | return chain.toArray(new X509Certificate[chain.size()]); |
| 684 | } |
Robin Lee | 28d68b1 | 2016-07-22 16:32:32 +0100 | [diff] [blame] | 685 | } catch (CertificateException | RuntimeException e) { |
Kenny Root | cfba6a0 | 2013-05-06 15:00:58 -0700 | [diff] [blame] | 686 | throw new KeyChainException(e); |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 687 | } |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 688 | } |
| 689 | |
Kenny Root | bf556ac | 2013-04-01 15:10:22 -0700 | [diff] [blame] | 690 | /** |
| 691 | * Returns {@code true} if the current device's {@code KeyChain} supports a |
| 692 | * specific {@code PrivateKey} type indicated by {@code algorithm} (e.g., |
| 693 | * "RSA"). |
| 694 | */ |
Alex Klyubin | 4d5443f | 2015-05-06 15:43:52 -0700 | [diff] [blame] | 695 | public static boolean isKeyAlgorithmSupported( |
Alex Klyubin | 3f8d4d8 | 2015-05-13 09:15:00 -0700 | [diff] [blame] | 696 | @NonNull @KeyProperties.KeyAlgorithmEnum String algorithm) { |
Kenny Root | b91773b | 2013-09-05 13:03:16 -0700 | [diff] [blame] | 697 | final String algUpper = algorithm.toUpperCase(Locale.US); |
Alex Klyubin | 3f8d4d8 | 2015-05-13 09:15:00 -0700 | [diff] [blame] | 698 | return KeyProperties.KEY_ALGORITHM_EC.equals(algUpper) |
| 699 | || KeyProperties.KEY_ALGORITHM_RSA.equals(algUpper); |
Kenny Root | bf556ac | 2013-04-01 15:10:22 -0700 | [diff] [blame] | 700 | } |
| 701 | |
| 702 | /** |
| 703 | * Returns {@code true} if the current device's {@code KeyChain} binds any |
| 704 | * {@code PrivateKey} of the given {@code algorithm} to the device once |
| 705 | * imported or generated. This can be used to tell if there is special |
| 706 | * hardware support that can be used to bind keys to the device in a way |
| 707 | * that makes it non-exportable. |
Alex Klyubin | 469cbf5 | 2015-06-04 12:36:27 -0700 | [diff] [blame] | 708 | * |
| 709 | * @deprecated Whether the key is bound to the secure hardware is known only |
| 710 | * once the key has been imported. To find out, use: |
| 711 | * <pre>{@code |
| 712 | * PrivateKey key = ...; // private key from KeyChain |
| 713 | * |
| 714 | * KeyFactory keyFactory = |
| 715 | * KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore"); |
| 716 | * KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class); |
Neil Fuller | 71fbb81 | 2015-11-30 09:51:33 +0000 | [diff] [blame] | 717 | * if (keyInfo.isInsideSecureHardware()) { |
Alex Klyubin | 469cbf5 | 2015-06-04 12:36:27 -0700 | [diff] [blame] | 718 | * // The key is bound to the secure hardware of this Android |
Neil Fuller | 71fbb81 | 2015-11-30 09:51:33 +0000 | [diff] [blame] | 719 | * }}</pre> |
Kenny Root | bf556ac | 2013-04-01 15:10:22 -0700 | [diff] [blame] | 720 | */ |
Alex Klyubin | 469cbf5 | 2015-06-04 12:36:27 -0700 | [diff] [blame] | 721 | @Deprecated |
Alex Klyubin | 4d5443f | 2015-05-06 15:43:52 -0700 | [diff] [blame] | 722 | public static boolean isBoundKeyAlgorithm( |
Alex Klyubin | 3f8d4d8 | 2015-05-13 09:15:00 -0700 | [diff] [blame] | 723 | @NonNull @KeyProperties.KeyAlgorithmEnum String algorithm) { |
Kenny Root | 5b7e90a | 2013-04-02 11:23:41 -0700 | [diff] [blame] | 724 | if (!isKeyAlgorithmSupported(algorithm)) { |
Kenny Root | bf556ac | 2013-04-01 15:10:22 -0700 | [diff] [blame] | 725 | return false; |
| 726 | } |
| 727 | |
Kenny Root | b91773b | 2013-09-05 13:03:16 -0700 | [diff] [blame] | 728 | return KeyStore.getInstance().isHardwareBacked(algorithm); |
Kenny Root | bf556ac | 2013-04-01 15:10:22 -0700 | [diff] [blame] | 729 | } |
| 730 | |
Zoltan Szatmary-Ban | f0ae135 | 2014-08-18 10:48:33 +0100 | [diff] [blame] | 731 | /** @hide */ |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 732 | @NonNull |
| 733 | public static X509Certificate toCertificate(@NonNull byte[] bytes) { |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 734 | if (bytes == null) { |
Brian Carlstrom | 8e9929c | 2011-05-17 00:40:28 -0700 | [diff] [blame] | 735 | throw new IllegalArgumentException("bytes == null"); |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 736 | } |
| 737 | try { |
| 738 | CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); |
| 739 | Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes)); |
| 740 | return (X509Certificate) cert; |
| 741 | } catch (CertificateException e) { |
| 742 | throw new AssertionError(e); |
| 743 | } |
| 744 | } |
| 745 | |
Rubin Xu | b436591 | 2016-03-23 12:13:22 +0000 | [diff] [blame] | 746 | /** @hide */ |
| 747 | @NonNull |
| 748 | public static Collection<X509Certificate> toCertificates(@NonNull byte[] bytes) { |
| 749 | if (bytes == null) { |
| 750 | throw new IllegalArgumentException("bytes == null"); |
| 751 | } |
| 752 | try { |
| 753 | CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); |
| 754 | return (Collection<X509Certificate>) certFactory.generateCertificates( |
| 755 | new ByteArrayInputStream(bytes)); |
| 756 | } catch (CertificateException e) { |
| 757 | throw new AssertionError(e); |
| 758 | } |
| 759 | } |
| 760 | |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 761 | /** |
| 762 | * @hide for reuse by CertInstaller and Settings. |
| 763 | * @see KeyChain#bind |
| 764 | */ |
Robin Lee | 7f5c91c | 2017-02-08 21:27:02 +0000 | [diff] [blame] | 765 | public static class KeyChainConnection implements Closeable { |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 766 | private final Context mContext; |
| 767 | private final ServiceConnection mServiceConnection; |
| 768 | private final IKeyChainService mService; |
phweiss | e375fc4 | 2017-04-19 20:15:06 +0200 | [diff] [blame] | 769 | protected KeyChainConnection(Context context, |
| 770 | ServiceConnection serviceConnection, |
| 771 | IKeyChainService service) { |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 772 | this.mContext = context; |
| 773 | this.mServiceConnection = serviceConnection; |
| 774 | this.mService = service; |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 775 | } |
| 776 | @Override public void close() { |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 777 | mContext.unbindService(mServiceConnection); |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 778 | } |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 779 | |
| 780 | /** returns the service binder. */ |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 781 | public IKeyChainService getService() { |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 782 | return mService; |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 783 | } |
| 784 | } |
| 785 | |
| 786 | /** |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 787 | * Bind to KeyChainService in the current user. |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 788 | * Caller should call unbindService on the result when finished. |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 789 | * |
| 790 | *@throws InterruptedException if interrupted during binding. |
| 791 | *@throws AssertionError if unable to bind to KeyChainService. |
| 792 | * @hide for reuse by CertInstaller and Settings. |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 793 | */ |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 794 | @WorkerThread |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 795 | public static KeyChainConnection bind(@NonNull Context context) throws InterruptedException { |
Robin Lee | 306fe08 | 2014-06-19 14:04:24 +0000 | [diff] [blame] | 796 | return bindAsUser(context, Process.myUserHandle()); |
| 797 | } |
| 798 | |
| 799 | /** |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 800 | * Bind to KeyChainService in the target user. |
| 801 | * Caller should call unbindService on the result when finished. |
| 802 | * |
| 803 | * @throws InterruptedException if interrupted during binding. |
| 804 | * @throws AssertionError if unable to bind to KeyChainService. |
Robin Lee | 306fe08 | 2014-06-19 14:04:24 +0000 | [diff] [blame] | 805 | * @hide |
| 806 | */ |
Robin Lee | 59e3baa | 2015-06-30 10:48:06 -0700 | [diff] [blame] | 807 | @WorkerThread |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 808 | public static KeyChainConnection bindAsUser(@NonNull Context context, UserHandle user) |
Robin Lee | 306fe08 | 2014-06-19 14:04:24 +0000 | [diff] [blame] | 809 | throws InterruptedException { |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 810 | if (context == null) { |
| 811 | throw new NullPointerException("context == null"); |
| 812 | } |
| 813 | ensureNotOnMainThread(context); |
Robert Horvath | 54c9439 | 2019-11-14 11:42:09 +0100 | [diff] [blame^] | 814 | final CountDownLatch countDownLatch = new CountDownLatch(1); |
| 815 | final AtomicReference<IKeyChainService> keyChainService = new AtomicReference<>(); |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 816 | ServiceConnection keyChainServiceConnection = new ServiceConnection() { |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 817 | volatile boolean mConnectedAtLeastOnce = false; |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 818 | @Override public void onServiceConnected(ComponentName name, IBinder service) { |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 819 | if (!mConnectedAtLeastOnce) { |
| 820 | mConnectedAtLeastOnce = true; |
Robert Horvath | 54c9439 | 2019-11-14 11:42:09 +0100 | [diff] [blame^] | 821 | keyChainService.set( |
| 822 | IKeyChainService.Stub.asInterface(Binder.allowBlocking(service))); |
| 823 | countDownLatch.countDown(); |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 824 | } |
| 825 | } |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 826 | @Override public void onBindingDied(ComponentName name) { |
| 827 | if (!mConnectedAtLeastOnce) { |
| 828 | mConnectedAtLeastOnce = true; |
Robert Horvath | 54c9439 | 2019-11-14 11:42:09 +0100 | [diff] [blame^] | 829 | countDownLatch.countDown(); |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 830 | } |
| 831 | } |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 832 | @Override public void onServiceDisconnected(ComponentName name) {} |
| 833 | }; |
Maggie Benthall | da51e68 | 2013-08-08 22:35:44 -0400 | [diff] [blame] | 834 | Intent intent = new Intent(IKeyChainService.class.getName()); |
| 835 | ComponentName comp = intent.resolveSystemService(context.getPackageManager(), 0); |
| 836 | intent.setComponent(comp); |
Robin Lee | 21bcbc5 | 2016-02-29 18:55:35 +0000 | [diff] [blame] | 837 | if (comp == null || !context.bindServiceAsUser( |
| 838 | intent, keyChainServiceConnection, Context.BIND_AUTO_CREATE, user)) { |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 839 | throw new AssertionError("could not bind to KeyChainService"); |
| 840 | } |
Robert Horvath | 54c9439 | 2019-11-14 11:42:09 +0100 | [diff] [blame^] | 841 | countDownLatch.await(); |
| 842 | IKeyChainService service = keyChainService.get(); |
Rubin Xu | 7629a4b | 2019-10-09 11:24:57 +0100 | [diff] [blame] | 843 | if (service != null) { |
| 844 | return new KeyChainConnection(context, keyChainServiceConnection, service); |
| 845 | } else { |
| 846 | context.unbindService(keyChainServiceConnection); |
| 847 | throw new AssertionError("KeyChainService died while binding"); |
| 848 | } |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 849 | } |
| 850 | |
Alex Klyubin | 54bb159 | 2015-05-11 12:30:03 -0700 | [diff] [blame] | 851 | private static void ensureNotOnMainThread(@NonNull Context context) { |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 852 | Looper looper = Looper.myLooper(); |
Brian Carlstrom | 8e9929c | 2011-05-17 00:40:28 -0700 | [diff] [blame] | 853 | if (looper != null && looper == context.getMainLooper()) { |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 854 | throw new IllegalStateException( |
| 855 | "calling this from your main thread can lead to deadlock"); |
| 856 | } |
| 857 | } |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 858 | } |