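/*
 * Copyright (C) 2009 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security;

import android.compat.annotation.UnsupportedAppUsage;
import android.os.Build;

import com.android.internal.org.bouncycastle.util.io.pem.PemObject;
import com.android.internal.org.bouncycastle.util.io.pem.PemReader;
import com.android.internal.org.bouncycastle.util.io.pem.PemWriter;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Reader;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Constants for credential-installation intents and legacy keystore alias
 * prefixes, plus helpers that convert certificates to and from PEM text.
 *
 * {@hide}
 */
public class Credentials {
    private static final String LOGTAG = "Credentials";

    public static final String INSTALL_ACTION = "android.credentials.INSTALL";

    public static final String INSTALL_AS_USER_ACTION = "android.credentials.INSTALL_AS_USER";

    public static final String ACTION_MANAGE_CREDENTIALS = "android.security.MANAGE_CREDENTIALS";

    /**
     * Key prefix for CA certificates.
     *
     * @deprecated Keystore no longer supports unstructured blobs. Public certificates are
     *             stored in typed slots associated with a given alias.
     */
    @Deprecated
    public static final String CA_CERTIFICATE = "CACERT_";

    /**
     * Key prefix for user certificates.
     *
     * @deprecated Keystore no longer supports unstructured blobs. Public certificates are
     *             stored in typed slots associated with a given alias.
     */
    @Deprecated
    public static final String USER_CERTIFICATE = "USRCERT_";

    /**
     * Key prefix for user private and secret keys.
     *
     * @deprecated Keystore no longer uses alias prefixes to discriminate between entry types.
     */
    @Deprecated
    public static final String USER_PRIVATE_KEY = "USRPKEY_";

    /**
     * Key prefix for user secret keys.
     *
     * @deprecated use {@code USER_PRIVATE_KEY} for this category instead.
     */
    @Deprecated
    public static final String USER_SECRET_KEY = "USRSKEY_";

    /** Key prefix for VPN. */
    public static final String VPN = "VPN_";

    /** Key prefix for platform VPNs. */
    public static final String PLATFORM_VPN = "PLATFORM_VPN_";

    /** Key prefix for WIFI. */
    public static final String WIFI = "WIFI_";

    /**
     * Key prefix for App Source certificates.
     *
     * @deprecated This was intended for FS-verity but never used. FS-verity is not
     *             going to use this constant moving forward.
     */
    @Deprecated
    public static final String APP_SOURCE_CERTIFICATE = "FSV_";

    /** Key containing suffix of lockdown VPN profile. */
    public static final String LOCKDOWN_VPN = "LOCKDOWN_VPN";

    /** Name of CA certificate usage. */
    public static final String CERTIFICATE_USAGE_CA = "ca";

    /** Name of User certificate usage. */
    public static final String CERTIFICATE_USAGE_USER = "user";

    /** Name of WIFI certificate usage. */
    public static final String CERTIFICATE_USAGE_WIFI = "wifi";

    /** Name of App Source certificate usage. */
    public static final String CERTIFICATE_USAGE_APP_SOURCE = "appsrc";

    /** Data type for public keys. */
    public static final String EXTRA_PUBLIC_KEY = "KEY";

    /** Data type for private keys. */
    public static final String EXTRA_PRIVATE_KEY = "PKEY";

    // historically used by Android
    public static final String EXTENSION_CRT = ".crt";
    public static final String EXTENSION_P12 = ".p12";
    // commonly used on Windows
    public static final String EXTENSION_CER = ".cer";
    public static final String EXTENSION_PFX = ".pfx";

    /**
     * Intent extra: install the certificate bundle as this UID instead of
     * system.
     */
    public static final String EXTRA_INSTALL_AS_UID = "install_as_uid";

    /**
     * Intent extra: type of the certificate to install
     */
    public static final String EXTRA_CERTIFICATE_USAGE = "certificate_install_usage";

    /**
     * Intent extra: name for the user's key pair.
     */
    public static final String EXTRA_USER_KEY_ALIAS = "user_key_pair_name";

    /**
     * Intent extra: data for the user's private key in PEM-encoded PKCS#8.
     */
    public static final String EXTRA_USER_PRIVATE_KEY_DATA = "user_private_key_data";

    /**
     * Intent extra: data for the user's certificate in PEM-encoded X.509.
     */
    public static final String EXTRA_USER_CERTIFICATE_DATA = "user_certificate_data";

    /**
     * Intent extra: data for CA certificate chain in PEM-encoded X.509.
     */
    public static final String EXTRA_CA_CERTIFICATES_DATA = "ca_certificates_data";

    /**
     * Convert objects to a PEM format which is used for
     * CA_CERTIFICATE and USER_CERTIFICATE entries.
     *
     * <p>Each certificate becomes one {@code CERTIFICATE} PEM block holding the
     * certificate's encoded form, written in the given order. The result is
     * US-ASCII text, so it can be stored or transported as plain bytes.
     *
     * @param objects certificates to encode; an empty array yields an empty result
     * @return the PEM text as US-ASCII bytes
     * @throws IOException if writing the PEM stream fails
     * @throws CertificateEncodingException if a certificate cannot be encoded
     */
    @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
    public static byte[] convertToPem(Certificate... objects)
            throws IOException, CertificateEncodingException {
        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        Writer writer = new OutputStreamWriter(bao, StandardCharsets.US_ASCII);
        // try-with-resources flushes and closes the writer on every path, including
        // when getEncoded() throws mid-loop (the previous code only closed it after
        // a fully successful loop).
        try (PemWriter pw = new PemWriter(writer)) {
            for (Certificate o : objects) {
                pw.writeObject(new PemObject("CERTIFICATE", o.getEncoded()));
            }
        }
        return bao.toByteArray();
    }

    /**
     * Convert objects from PEM format, which is used for
     * CA_CERTIFICATE and USER_CERTIFICATE entries.
     *
     * <p>Only {@code CERTIFICATE} blocks are accepted. Any other block type is
     * rejected with an exception rather than skipped, so a bundle that mixes in
     * unexpected PEM sections (for example key material) cannot pass through a
     * certificate-only path unnoticed.
     *
     * @param bytes US-ASCII PEM text containing zero or more certificate blocks
     * @return the parsed certificates in the order they appear; empty when the
     *         input holds no PEM blocks
     * @throws IOException if the PEM stream cannot be read
     * @throws CertificateException if a block does not parse as an X.509 certificate
     * @throws IllegalArgumentException if a PEM block has a type other than
     *         {@code CERTIFICATE}
     */
    public static List<X509Certificate> convertFromPem(byte[] bytes)
            throws IOException, CertificateException {
        ByteArrayInputStream bai = new ByteArrayInputStream(bytes);
        Reader reader = new InputStreamReader(bai, StandardCharsets.US_ASCII);

        try (PemReader pr = new PemReader(reader)) {
            CertificateFactory cf = CertificateFactory.getInstance("X509");

            List<X509Certificate> result = new ArrayList<>();
            PemObject o;
            while ((o = pr.readPemObject()) != null) {
                // Constant-first equals also covers a missing type header, which is
                // reported as an unknown type instead of a NullPointerException.
                if (!"CERTIFICATE".equals(o.getType())) {
                    throw new IllegalArgumentException("Unknown type " + o.getType());
                }
                // The X.509 factory produces X509Certificate instances, so the cast
                // is safe for anything generateCertificate() returns here.
                Certificate c = cf.generateCertificate(
                        new ByteArrayInputStream(o.getContent()));
                result.add((X509Certificate) c);
            }
            return result;
        }
    }
}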