Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2011 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | package android.security; |
| 17 | |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 18 | import android.app.Activity; |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 19 | import android.app.PendingIntent; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 20 | import android.content.ComponentName; |
| 21 | import android.content.Context; |
| 22 | import android.content.Intent; |
| 23 | import android.content.ServiceConnection; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 24 | import android.os.IBinder; |
| 25 | import android.os.Looper; |
| 26 | import android.os.RemoteException; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 27 | import java.io.ByteArrayInputStream; |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 28 | import java.io.Closeable; |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 29 | import java.security.InvalidKeyException; |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 30 | import java.security.Principal; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 31 | import java.security.PrivateKey; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 32 | import java.security.cert.Certificate; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 33 | import java.security.cert.CertificateException; |
| 34 | import java.security.cert.CertificateFactory; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 35 | import java.security.cert.X509Certificate; |
Brian Carlstrom | db93b78 | 2011-07-01 00:12:17 -0700 | [diff] [blame] | 36 | import java.util.List; |
Kenny Root | b91773b | 2013-09-05 13:03:16 -0700 | [diff] [blame] | 37 | import java.util.Locale; |
Brian Carlstrom | 8e9929c | 2011-05-17 00:40:28 -0700 | [diff] [blame] | 38 | import java.util.concurrent.BlockingQueue; |
| 39 | import java.util.concurrent.LinkedBlockingQueue; |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 40 | |
Kenny Root | 12e7522 | 2013-04-23 22:34:24 -0700 | [diff] [blame] | 41 | import com.android.org.conscrypt.OpenSSLEngine; |
| 42 | import com.android.org.conscrypt.TrustedCertificateStore; |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 43 | |
| 44 | /** |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 45 | * The {@code KeyChain} class provides access to private keys and |
| 46 | * their corresponding certificate chains in credential storage. |
| 47 | * |
| 48 | * <p>Applications accessing the {@code KeyChain} normally go through |
| 49 | * these steps: |
| 50 | * |
| 51 | * <ol> |
| 52 | * |
| 53 | * <li>Receive a callback from an {@link javax.net.ssl.X509KeyManager |
| 54 | * X509KeyManager} that a private key is requested. |
| 55 | * |
| 56 | * <li>Call {@link #choosePrivateKeyAlias |
| 57 | * choosePrivateKeyAlias} to allow the user to select from a |
| 58 | * list of currently available private keys and corresponding |
| 59 | * certificate chains. The chosen alias will be returned by the |
| 60 | * callback {@link KeyChainAliasCallback#alias}, or null if no private |
| 61 | * key is available or the user cancels the request. |
| 62 | * |
| 63 | * <li>Call {@link #getPrivateKey} and {@link #getCertificateChain} to |
| 64 | * retrieve the credentials to return to the corresponding {@link |
| 65 | * javax.net.ssl.X509KeyManager} callbacks. |
| 66 | * |
| 67 | * </ol> |
| 68 | * |
| 69 | * <p>An application may remember the value of a selected alias to |
| 70 | * avoid prompting the user with {@link #choosePrivateKeyAlias |
| 71 | * choosePrivateKeyAlias} on subsequent connections. If the alias is |
| 72 | * no longer valid, null will be returned on lookups using that value |
Brian Carlstrom | ca43c45 | 2011-06-29 18:53:17 -0700 | [diff] [blame] | 73 | * |
| 74 | * <p>An application can request the installation of private keys and |
| 75 | * certificates via the {@code Intent} provided by {@link |
| 76 | * #createInstallIntent}. Private keys installed via this {@code |
| 77 | * Intent} will be accessible via {@link #choosePrivateKeyAlias} while |
| 78 | * Certificate Authority (CA) certificates will be trusted by all |
| 79 | * applications through the default {@code X509TrustManager}. |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 80 | */ |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 81 | // TODO reference intent for credential installation when public |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 82 | public final class KeyChain { |
| 83 | |
| 84 | private static final String TAG = "KeyChain"; |
| 85 | |
| 86 | /** |
| 87 | * @hide Also used by KeyChainService implementation |
| 88 | */ |
| 89 | public static final String ACCOUNT_TYPE = "com.android.keychain"; |
| 90 | |
| 91 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 92 | * Action to bring up the KeyChainActivity |
| 93 | */ |
| 94 | private static final String ACTION_CHOOSER = "com.android.keychain.CHOOSER"; |
| 95 | |
| 96 | /** |
| 97 | * Extra for use with {@link #ACTION_CHOOSER} |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 98 | * @hide Also used by KeyChainActivity implementation |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 99 | */ |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 100 | public static final String EXTRA_RESPONSE = "response"; |
| 101 | |
| 102 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 103 | * Extra for use with {@link #ACTION_CHOOSER} |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 104 | * @hide Also used by KeyChainActivity implementation |
| 105 | */ |
| 106 | public static final String EXTRA_HOST = "host"; |
| 107 | |
| 108 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 109 | * Extra for use with {@link #ACTION_CHOOSER} |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 110 | * @hide Also used by KeyChainActivity implementation |
| 111 | */ |
| 112 | public static final String EXTRA_PORT = "port"; |
| 113 | |
| 114 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 115 | * Extra for use with {@link #ACTION_CHOOSER} |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 116 | * @hide Also used by KeyChainActivity implementation |
| 117 | */ |
| 118 | public static final String EXTRA_ALIAS = "alias"; |
| 119 | |
| 120 | /** |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 121 | * Extra for use with {@link #ACTION_CHOOSER} |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 122 | * @hide Also used by KeyChainActivity implementation |
| 123 | */ |
| 124 | public static final String EXTRA_SENDER = "sender"; |
| 125 | |
| 126 | /** |
Selim Gurun | 93ba4fe | 2012-02-14 11:48:49 -0800 | [diff] [blame] | 127 | * Action to bring up the CertInstaller. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 128 | */ |
| 129 | private static final String ACTION_INSTALL = "android.credentials.INSTALL"; |
| 130 | |
| 131 | /** |
| 132 | * Optional extra to specify a {@code String} credential name on |
| 133 | * the {@code Intent} returned by {@link #createInstallIntent}. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 134 | */ |
| 135 | // Compatible with old com.android.certinstaller.CredentialHelper.CERT_NAME_KEY |
| 136 | public static final String EXTRA_NAME = "name"; |
| 137 | |
| 138 | /** |
| 139 | * Optional extra to specify an X.509 certificate to install on |
| 140 | * the {@code Intent} returned by {@link #createInstallIntent}. |
| 141 | * The extra value should be a PEM or ASN.1 DER encoded {@code |
| 142 | * byte[]}. An {@link X509Certificate} can be converted to DER |
| 143 | * encoded bytes with {@link X509Certificate#getEncoded}. |
| 144 | * |
| 145 | * <p>{@link #EXTRA_NAME} may be used to provide a default alias |
| 146 | * name for the installed certificate. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 147 | */ |
| 148 | // Compatible with old android.security.Credentials.CERTIFICATE |
| 149 | public static final String EXTRA_CERTIFICATE = "CERT"; |
| 150 | |
| 151 | /** |
| 152 | * Optional extra for use with the {@code Intent} returned by |
| 153 | * {@link #createInstallIntent} to specify a PKCS#12 key store to |
| 154 | * install. The extra value should be a {@code byte[]}. The bytes |
| 155 | * may come from an external source or be generated with {@link |
Brian Carlstrom | ca43c45 | 2011-06-29 18:53:17 -0700 | [diff] [blame] | 156 | * java.security.KeyStore#store} on a "PKCS12" instance. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 157 | * |
| 158 | * <p>The user will be prompted for the password to load the key store. |
| 159 | * |
| 160 | * <p>The key store will be scanned for {@link |
| 161 | * java.security.KeyStore.PrivateKeyEntry} entries and both the |
| 162 | * private key and associated certificate chain will be installed. |
| 163 | * |
| 164 | * <p>{@link #EXTRA_NAME} may be used to provide a default alias |
| 165 | * name for the installed credentials. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 166 | */ |
| 167 | // Compatible with old android.security.Credentials.PKCS12 |
| 168 | public static final String EXTRA_PKCS12 = "PKCS12"; |
| 169 | |
Selim Gurun | 93ba4fe | 2012-02-14 11:48:49 -0800 | [diff] [blame] | 170 | |
| 171 | /** |
Selim Gurun | 93ba4fe | 2012-02-14 11:48:49 -0800 | [diff] [blame] | 172 | * Broadcast Action: Indicates the trusted storage has changed. Sent when |
| 173 | * one of this happens: |
| 174 | * |
| 175 | * <ul> |
| 176 | * <li>a new CA is added, |
| 177 | * <li>an existing CA is removed or disabled, |
| 178 | * <li>a disabled CA is enabled, |
| 179 | * <li>trusted storage is reset (all user certs are cleared), |
| 180 | * <li>when permission to access a private key is changed. |
| 181 | * </ul> |
| 182 | */ |
| 183 | public static final String ACTION_STORAGE_CHANGED = "android.security.STORAGE_CHANGED"; |
| 184 | |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 185 | /** |
| 186 | * Returns an {@code Intent} that can be used for credential |
| 187 | * installation. The intent may be used without any extras, in |
| 188 | * which case the user will be able to install credentials from |
| 189 | * their own source. |
| 190 | * |
| 191 | * <p>Alternatively, {@link #EXTRA_CERTIFICATE} or {@link |
| 192 | * #EXTRA_PKCS12} maybe used to specify the bytes of an X.509 |
| 193 | * certificate or a PKCS#12 key store for installation. These |
Brian Carlstrom | ca43c45 | 2011-06-29 18:53:17 -0700 | [diff] [blame] | 194 | * extras may be combined with {@link #EXTRA_NAME} to provide a |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 195 | * default alias name for credentials being installed. |
| 196 | * |
| 197 | * <p>When used with {@link Activity#startActivityForResult}, |
| 198 | * {@link Activity#RESULT_OK} will be returned if a credential was |
| 199 | * successfully installed, otherwise {@link |
| 200 | * Activity#RESULT_CANCELED} will be returned. |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 201 | */ |
| 202 | public static Intent createInstallIntent() { |
| 203 | Intent intent = new Intent(ACTION_INSTALL); |
| 204 | intent.setClassName("com.android.certinstaller", |
| 205 | "com.android.certinstaller.CertInstallerMain"); |
| 206 | return intent; |
| 207 | } |
| 208 | |
| 209 | /** |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 210 | * Launches an {@code Activity} for the user to select the alias |
| 211 | * for a private key and certificate pair for authentication. The |
| 212 | * selected alias or null will be returned via the |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 213 | * KeyChainAliasCallback callback. |
| 214 | * |
| 215 | * <p>{@code keyTypes} and {@code issuers} may be used to |
| 216 | * highlight suggested choices to the user, although to cope with |
| 217 | * sometimes erroneous values provided by servers, the user may be |
| 218 | * able to override these suggestions. |
| 219 | * |
| 220 | * <p>{@code host} and {@code port} may be used to give the user |
| 221 | * more context about the server requesting the credentials. |
| 222 | * |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 223 | * <p>{@code alias} allows the chooser to preselect an existing |
| 224 | * alias which will still be subject to user confirmation. |
| 225 | * |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 226 | * @param activity The {@link Activity} context to use for |
| 227 | * launching the new sub-Activity to prompt the user to select |
| 228 | * a private key; used only to call startActivity(); must not |
| 229 | * be null. |
| 230 | * @param response Callback to invoke when the request completes; |
| 231 | * must not be null |
| 232 | * @param keyTypes The acceptable types of asymmetric keys such as |
| 233 | * "RSA" or "DSA", or a null array. |
| 234 | * @param issuers The acceptable certificate issuers for the |
| 235 | * certificate matching the private key, or null. |
| 236 | * @param host The host name of the server requesting the |
| 237 | * certificate, or null if unavailable. |
| 238 | * @param port The port number of the server requesting the |
| 239 | * certificate, or -1 if unavailable. |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 240 | * @param alias The alias to preselect if available, or null if |
| 241 | * unavailable. |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 242 | */ |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 243 | public static void choosePrivateKeyAlias(Activity activity, KeyChainAliasCallback response, |
| 244 | String[] keyTypes, Principal[] issuers, |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 245 | String host, int port, |
| 246 | String alias) { |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 247 | /* |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 248 | * TODO currently keyTypes, issuers are unused. They are meant |
| 249 | * to follow the semantics and purpose of X509KeyManager |
| 250 | * method arguments. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 251 | * |
| 252 | * keyTypes would allow the list to be filtered and typically |
| 253 | * will be set correctly by the server. In practice today, |
| 254 | * most all users will want only RSA, rarely DSA, and usually |
| 255 | * only a small number of certs will be available. |
| 256 | * |
| 257 | * issuers is typically not useful. Some servers historically |
| 258 | * will send the entire list of public CAs known to the |
| 259 | * server. Others will send none. If this is used, if there |
| 260 | * are no matches after applying the constraint, it should be |
| 261 | * ignored. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 262 | */ |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 263 | if (activity == null) { |
| 264 | throw new NullPointerException("activity == null"); |
| 265 | } |
| 266 | if (response == null) { |
| 267 | throw new NullPointerException("response == null"); |
| 268 | } |
Brian Carlstrom | a00a2b3 | 2011-06-29 10:42:35 -0700 | [diff] [blame] | 269 | Intent intent = new Intent(ACTION_CHOOSER); |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 270 | intent.putExtra(EXTRA_RESPONSE, new AliasResponse(response)); |
Brian Carlstrom | 67c30df | 2011-06-24 02:13:23 -0700 | [diff] [blame] | 271 | intent.putExtra(EXTRA_HOST, host); |
| 272 | intent.putExtra(EXTRA_PORT, port); |
| 273 | intent.putExtra(EXTRA_ALIAS, alias); |
| 274 | // the PendingIntent is used to get calling package name |
| 275 | intent.putExtra(EXTRA_SENDER, PendingIntent.getActivity(activity, 0, new Intent(), 0)); |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 276 | activity.startActivity(intent); |
| 277 | } |
| 278 | |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 279 | private static class AliasResponse extends IKeyChainAliasCallback.Stub { |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 280 | private final KeyChainAliasCallback keyChainAliasResponse; |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 281 | private AliasResponse(KeyChainAliasCallback keyChainAliasResponse) { |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 282 | this.keyChainAliasResponse = keyChainAliasResponse; |
| 283 | } |
| 284 | @Override public void alias(String alias) { |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 285 | keyChainAliasResponse.alias(alias); |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 286 | } |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 287 | } |
| 288 | |
| 289 | /** |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 290 | * Returns the {@code PrivateKey} for the requested alias, or null |
| 291 | * if no there is no result. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 292 | * |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 293 | * @param alias The alias of the desired private key, typically |
| 294 | * returned via {@link KeyChainAliasCallback#alias}. |
| 295 | * @throws KeyChainException if the alias was valid but there was some problem accessing it. |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 296 | */ |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 297 | public static PrivateKey getPrivateKey(Context context, String alias) |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 298 | throws KeyChainException, InterruptedException { |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 299 | if (alias == null) { |
| 300 | throw new NullPointerException("alias == null"); |
| 301 | } |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 302 | KeyChainConnection keyChainConnection = bind(context); |
Brian Carlstrom | 8e9929c | 2011-05-17 00:40:28 -0700 | [diff] [blame] | 303 | try { |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 304 | final IKeyChainService keyChainService = keyChainConnection.getService(); |
| 305 | final String keyId = keyChainService.requestPrivateKey(alias); |
| 306 | if (keyId == null) { |
| 307 | throw new KeyChainException("keystore had a problem"); |
| 308 | } |
| 309 | |
| 310 | final OpenSSLEngine engine = OpenSSLEngine.getInstance("keystore"); |
| 311 | return engine.getPrivateKeyById(keyId); |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 312 | } catch (RemoteException e) { |
| 313 | throw new KeyChainException(e); |
| 314 | } catch (RuntimeException e) { |
| 315 | // only certain RuntimeExceptions can be propagated across the IKeyChainService call |
| 316 | throw new KeyChainException(e); |
Kenny Root | 5423e68 | 2011-11-14 08:43:13 -0800 | [diff] [blame] | 317 | } catch (InvalidKeyException e) { |
| 318 | throw new KeyChainException(e); |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 319 | } finally { |
| 320 | keyChainConnection.close(); |
| 321 | } |
| 322 | } |
| 323 | |
| 324 | /** |
| 325 | * Returns the {@code X509Certificate} chain for the requested |
| 326 | * alias, or null if no there is no result. |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 327 | * |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 328 | * @param alias The alias of the desired certificate chain, typically |
| 329 | * returned via {@link KeyChainAliasCallback#alias}. |
| 330 | * @throws KeyChainException if the alias was valid but there was some problem accessing it. |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 331 | */ |
| 332 | public static X509Certificate[] getCertificateChain(Context context, String alias) |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 333 | throws KeyChainException, InterruptedException { |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 334 | if (alias == null) { |
| 335 | throw new NullPointerException("alias == null"); |
| 336 | } |
| 337 | KeyChainConnection keyChainConnection = bind(context); |
| 338 | try { |
Brian Carlstrom | ba1a667 | 2011-05-24 21:54:37 -0700 | [diff] [blame] | 339 | IKeyChainService keyChainService = keyChainConnection.getService(); |
Kenny Root | 0150e48 | 2013-02-13 15:22:50 -0800 | [diff] [blame] | 340 | |
| 341 | final byte[] certificateBytes = keyChainService.getCertificate(alias); |
| 342 | if (certificateBytes == null) { |
| 343 | return null; |
| 344 | } |
| 345 | |
Brian Carlstrom | db93b78 | 2011-07-01 00:12:17 -0700 | [diff] [blame] | 346 | TrustedCertificateStore store = new TrustedCertificateStore(); |
Kenny Root | 54e03af | 2012-08-07 10:04:26 -0700 | [diff] [blame] | 347 | List<X509Certificate> chain = store |
| 348 | .getCertificateChain(toCertificate(certificateBytes)); |
Brian Carlstrom | db93b78 | 2011-07-01 00:12:17 -0700 | [diff] [blame] | 349 | return chain.toArray(new X509Certificate[chain.size()]); |
Kenny Root | cfba6a0 | 2013-05-06 15:00:58 -0700 | [diff] [blame] | 350 | } catch (CertificateException e) { |
| 351 | throw new KeyChainException(e); |
Brian Carlstrom | 93201f5 | 2011-06-09 15:05:35 -0700 | [diff] [blame] | 352 | } catch (RemoteException e) { |
| 353 | throw new KeyChainException(e); |
| 354 | } catch (RuntimeException e) { |
| 355 | // only certain RuntimeExceptions can be propagated across the IKeyChainService call |
| 356 | throw new KeyChainException(e); |
Brian Carlstrom | 8e9929c | 2011-05-17 00:40:28 -0700 | [diff] [blame] | 357 | } finally { |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 358 | keyChainConnection.close(); |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 359 | } |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 360 | } |
| 361 | |
Kenny Root | bf556ac | 2013-04-01 15:10:22 -0700 | [diff] [blame] | 362 | /** |
| 363 | * Returns {@code true} if the current device's {@code KeyChain} supports a |
| 364 | * specific {@code PrivateKey} type indicated by {@code algorithm} (e.g., |
| 365 | * "RSA"). |
| 366 | */ |
Kenny Root | 5b7e90a | 2013-04-02 11:23:41 -0700 | [diff] [blame] | 367 | public static boolean isKeyAlgorithmSupported(String algorithm) { |
Kenny Root | b91773b | 2013-09-05 13:03:16 -0700 | [diff] [blame] | 368 | final String algUpper = algorithm.toUpperCase(Locale.US); |
| 369 | return "DSA".equals(algUpper) || "EC".equals(algUpper) || "RSA".equals(algUpper); |
Kenny Root | bf556ac | 2013-04-01 15:10:22 -0700 | [diff] [blame] | 370 | } |
| 371 | |
| 372 | /** |
| 373 | * Returns {@code true} if the current device's {@code KeyChain} binds any |
| 374 | * {@code PrivateKey} of the given {@code algorithm} to the device once |
| 375 | * imported or generated. This can be used to tell if there is special |
| 376 | * hardware support that can be used to bind keys to the device in a way |
| 377 | * that makes it non-exportable. |
| 378 | */ |
Kenny Root | 5b7e90a | 2013-04-02 11:23:41 -0700 | [diff] [blame] | 379 | public static boolean isBoundKeyAlgorithm(String algorithm) { |
| 380 | if (!isKeyAlgorithmSupported(algorithm)) { |
Kenny Root | bf556ac | 2013-04-01 15:10:22 -0700 | [diff] [blame] | 381 | return false; |
| 382 | } |
| 383 | |
Kenny Root | b91773b | 2013-09-05 13:03:16 -0700 | [diff] [blame] | 384 | return KeyStore.getInstance().isHardwareBacked(algorithm); |
Kenny Root | bf556ac | 2013-04-01 15:10:22 -0700 | [diff] [blame] | 385 | } |
| 386 | |
Brian Carlstrom | 8e9929c | 2011-05-17 00:40:28 -0700 | [diff] [blame] | 387 | private static X509Certificate toCertificate(byte[] bytes) { |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 388 | if (bytes == null) { |
Brian Carlstrom | 8e9929c | 2011-05-17 00:40:28 -0700 | [diff] [blame] | 389 | throw new IllegalArgumentException("bytes == null"); |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 390 | } |
| 391 | try { |
| 392 | CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); |
| 393 | Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes)); |
| 394 | return (X509Certificate) cert; |
| 395 | } catch (CertificateException e) { |
| 396 | throw new AssertionError(e); |
| 397 | } |
| 398 | } |
| 399 | |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 400 | /** |
| 401 | * @hide for reuse by CertInstaller and Settings. |
| 402 | * @see KeyChain#bind |
| 403 | */ |
| 404 | public final static class KeyChainConnection implements Closeable { |
| 405 | private final Context context; |
| 406 | private final ServiceConnection serviceConnection; |
| 407 | private final IKeyChainService service; |
| 408 | private KeyChainConnection(Context context, |
| 409 | ServiceConnection serviceConnection, |
| 410 | IKeyChainService service) { |
| 411 | this.context = context; |
| 412 | this.serviceConnection = serviceConnection; |
| 413 | this.service = service; |
| 414 | } |
| 415 | @Override public void close() { |
| 416 | context.unbindService(serviceConnection); |
| 417 | } |
| 418 | public IKeyChainService getService() { |
| 419 | return service; |
| 420 | } |
| 421 | } |
| 422 | |
| 423 | /** |
| 424 | * @hide for reuse by CertInstaller and Settings. |
| 425 | * |
| 426 | * Caller should call unbindService on the result when finished. |
| 427 | */ |
| 428 | public static KeyChainConnection bind(Context context) throws InterruptedException { |
| 429 | if (context == null) { |
| 430 | throw new NullPointerException("context == null"); |
| 431 | } |
| 432 | ensureNotOnMainThread(context); |
| 433 | final BlockingQueue<IKeyChainService> q = new LinkedBlockingQueue<IKeyChainService>(1); |
| 434 | ServiceConnection keyChainServiceConnection = new ServiceConnection() { |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 435 | volatile boolean mConnectedAtLeastOnce = false; |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 436 | @Override public void onServiceConnected(ComponentName name, IBinder service) { |
Fred Quintana | ab8b84a | 2011-07-13 14:55:39 -0700 | [diff] [blame] | 437 | if (!mConnectedAtLeastOnce) { |
| 438 | mConnectedAtLeastOnce = true; |
| 439 | try { |
| 440 | q.put(IKeyChainService.Stub.asInterface(service)); |
| 441 | } catch (InterruptedException e) { |
| 442 | // will never happen, since the queue starts with one available slot |
| 443 | } |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 444 | } |
| 445 | } |
| 446 | @Override public void onServiceDisconnected(ComponentName name) {} |
| 447 | }; |
Maggie Benthall | da51e68 | 2013-08-08 22:35:44 -0400 | [diff] [blame] | 448 | Intent intent = new Intent(IKeyChainService.class.getName()); |
| 449 | ComponentName comp = intent.resolveSystemService(context.getPackageManager(), 0); |
| 450 | intent.setComponent(comp); |
| 451 | boolean isBound = context.bindService(intent, |
Brian Carlstrom | d752472 | 2011-05-17 16:20:36 -0700 | [diff] [blame] | 452 | keyChainServiceConnection, |
| 453 | Context.BIND_AUTO_CREATE); |
| 454 | if (!isBound) { |
| 455 | throw new AssertionError("could not bind to KeyChainService"); |
| 456 | } |
| 457 | return new KeyChainConnection(context, keyChainServiceConnection, q.take()); |
| 458 | } |
| 459 | |
Brian Carlstrom | 8e9929c | 2011-05-17 00:40:28 -0700 | [diff] [blame] | 460 | private static void ensureNotOnMainThread(Context context) { |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 461 | Looper looper = Looper.myLooper(); |
Brian Carlstrom | 8e9929c | 2011-05-17 00:40:28 -0700 | [diff] [blame] | 462 | if (looper != null && looper == context.getMainLooper()) { |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 463 | throw new IllegalStateException( |
| 464 | "calling this from your main thread can lead to deadlock"); |
| 465 | } |
| 466 | } |
Brian Carlstrom | b9a07c1 | 2011-04-11 09:03:51 -0700 | [diff] [blame] | 467 | } |