• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2009 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security;
18 
19 import android.content.ActivityNotFoundException;
20 import android.content.Context;
21 import android.content.Intent;
22 import android.util.Log;
23 
24 import com.android.org.bouncycastle.util.io.pem.PemObject;
25 import com.android.org.bouncycastle.util.io.pem.PemReader;
26 import com.android.org.bouncycastle.util.io.pem.PemWriter;
27 
28 import java.io.ByteArrayInputStream;
29 import java.io.ByteArrayOutputStream;
30 import java.io.IOException;
31 import java.io.InputStreamReader;
32 import java.io.OutputStreamWriter;
33 import java.io.Reader;
34 import java.io.Writer;
35 import java.nio.charset.StandardCharsets;
36 import java.security.KeyPair;
37 import java.security.cert.Certificate;
38 import java.security.cert.CertificateEncodingException;
39 import java.security.cert.CertificateException;
40 import java.security.cert.CertificateFactory;
41 import java.security.cert.X509Certificate;
42 import java.util.ArrayList;
43 import java.util.List;
44 
45 /**
46  * {@hide}
47  */
48 public class Credentials {
49     private static final String LOGTAG = "Credentials";
50 
51     public static final String INSTALL_ACTION = "android.credentials.INSTALL";
52 
53     public static final String INSTALL_AS_USER_ACTION = "android.credentials.INSTALL_AS_USER";
54 
55     public static final String UNLOCK_ACTION = "com.android.credentials.UNLOCK";
56 
57     /** Key prefix for CA certificates. */
58     public static final String CA_CERTIFICATE = "CACERT_";
59 
60     /** Key prefix for user certificates. */
61     public static final String USER_CERTIFICATE = "USRCERT_";
62 
63     /** Key prefix for user private keys. */
64     public static final String USER_PRIVATE_KEY = "USRPKEY_";
65 
66     /** Key prefix for user secret keys. */
67     public static final String USER_SECRET_KEY = "USRSKEY_";
68 
69     /** Key prefix for VPN. */
70     public static final String VPN = "VPN_";
71 
72     /** Key prefix for WIFI. */
73     public static final String WIFI = "WIFI_";
74 
75     /** Key containing suffix of lockdown VPN profile. */
76     public static final String LOCKDOWN_VPN = "LOCKDOWN_VPN";
77 
78     /** Data type for public keys. */
79     public static final String EXTRA_PUBLIC_KEY = "KEY";
80 
81     /** Data type for private keys. */
82     public static final String EXTRA_PRIVATE_KEY = "PKEY";
83 
84     // historically used by Android
85     public static final String EXTENSION_CRT = ".crt";
86     public static final String EXTENSION_P12 = ".p12";
87     // commonly used on Windows
88     public static final String EXTENSION_CER = ".cer";
89     public static final String EXTENSION_PFX = ".pfx";
90 
91     /**
92      * Intent extra: install the certificate bundle as this UID instead of
93      * system.
94      */
95     public static final String EXTRA_INSTALL_AS_UID = "install_as_uid";
96 
97     /**
98      * Intent extra: name for the user's private key.
99      */
100     public static final String EXTRA_USER_PRIVATE_KEY_NAME = "user_private_key_name";
101 
102     /**
103      * Intent extra: data for the user's private key in PEM-encoded PKCS#8.
104      */
105     public static final String EXTRA_USER_PRIVATE_KEY_DATA = "user_private_key_data";
106 
107     /**
108      * Intent extra: name for the user's certificate.
109      */
110     public static final String EXTRA_USER_CERTIFICATE_NAME = "user_certificate_name";
111 
112     /**
113      * Intent extra: data for the user's certificate in PEM-encoded X.509.
114      */
115     public static final String EXTRA_USER_CERTIFICATE_DATA = "user_certificate_data";
116 
117     /**
118      * Intent extra: name for CA certificate chain
119      */
120     public static final String EXTRA_CA_CERTIFICATES_NAME = "ca_certificates_name";
121 
122     /**
123      * Intent extra: data for CA certificate chain in PEM-encoded X.509.
124      */
125     public static final String EXTRA_CA_CERTIFICATES_DATA = "ca_certificates_data";
126 
127     /**
128      * Convert objects to a PEM format which is used for
129      * CA_CERTIFICATE and USER_CERTIFICATE entries.
130      */
convertToPem(Certificate... objects)131     public static byte[] convertToPem(Certificate... objects)
132             throws IOException, CertificateEncodingException {
133         ByteArrayOutputStream bao = new ByteArrayOutputStream();
134         Writer writer = new OutputStreamWriter(bao, StandardCharsets.US_ASCII);
135         PemWriter pw = new PemWriter(writer);
136         for (Certificate o : objects) {
137             pw.writeObject(new PemObject("CERTIFICATE", o.getEncoded()));
138         }
139         pw.close();
140         return bao.toByteArray();
141     }
142     /**
143      * Convert objects from PEM format, which is used for
144      * CA_CERTIFICATE and USER_CERTIFICATE entries.
145      */
convertFromPem(byte[] bytes)146     public static List<X509Certificate> convertFromPem(byte[] bytes)
147             throws IOException, CertificateException {
148         ByteArrayInputStream bai = new ByteArrayInputStream(bytes);
149         Reader reader = new InputStreamReader(bai, StandardCharsets.US_ASCII);
150         PemReader pr = new PemReader(reader);
151 
152         try {
153             CertificateFactory cf = CertificateFactory.getInstance("X509");
154 
155             List<X509Certificate> result = new ArrayList<X509Certificate>();
156             PemObject o;
157             while ((o = pr.readPemObject()) != null) {
158                 if (o.getType().equals("CERTIFICATE")) {
159                     Certificate c = cf.generateCertificate(new ByteArrayInputStream(o.getContent()));
160                     result.add((X509Certificate) c);
161                 } else {
162                     throw new IllegalArgumentException("Unknown type " + o.getType());
163                 }
164             }
165             return result;
166         } finally {
167             pr.close();
168         }
169     }
170 
171     private static Credentials singleton;
172 
getInstance()173     public static Credentials getInstance() {
174         if (singleton == null) {
175             singleton = new Credentials();
176         }
177         return singleton;
178     }
179 
unlock(Context context)180     public void unlock(Context context) {
181         try {
182             Intent intent = new Intent(UNLOCK_ACTION);
183             context.startActivity(intent);
184         } catch (ActivityNotFoundException e) {
185             Log.w(LOGTAG, e.toString());
186         }
187     }
188 
install(Context context)189     public void install(Context context) {
190         try {
191             Intent intent = KeyChain.createInstallIntent();
192             context.startActivity(intent);
193         } catch (ActivityNotFoundException e) {
194             Log.w(LOGTAG, e.toString());
195         }
196     }
197 
install(Context context, KeyPair pair)198     public void install(Context context, KeyPair pair) {
199         try {
200             Intent intent = KeyChain.createInstallIntent();
201             intent.putExtra(EXTRA_PRIVATE_KEY, pair.getPrivate().getEncoded());
202             intent.putExtra(EXTRA_PUBLIC_KEY, pair.getPublic().getEncoded());
203             context.startActivity(intent);
204         } catch (ActivityNotFoundException e) {
205             Log.w(LOGTAG, e.toString());
206         }
207     }
208 
install(Context context, String type, byte[] value)209     public void install(Context context, String type, byte[] value) {
210         try {
211             Intent intent = KeyChain.createInstallIntent();
212             intent.putExtra(type, value);
213             context.startActivity(intent);
214         } catch (ActivityNotFoundException e) {
215             Log.w(LOGTAG, e.toString());
216         }
217     }
218 
219     /**
220      * Delete all types (private key, user certificate, CA certificate) for a
221      * particular {@code alias}. All three can exist for any given alias.
222      * Returns {@code true} if the alias no longer contains any types.
223      */
deleteAllTypesForAlias(KeyStore keystore, String alias)224     public static boolean deleteAllTypesForAlias(KeyStore keystore, String alias) {
225         return deleteAllTypesForAlias(keystore, alias, KeyStore.UID_SELF);
226     }
227 
228     /**
229      * Delete all types (private key, user certificate, CA certificate) for a
230      * particular {@code alias}. All three can exist for any given alias.
231      * Returns {@code true} if the alias no longer contains any types.
232      */
deleteAllTypesForAlias(KeyStore keystore, String alias, int uid)233     public static boolean deleteAllTypesForAlias(KeyStore keystore, String alias, int uid) {
234         /*
235          * Make sure every type is deleted. There can be all three types, so
236          * don't use a conditional here.
237          */
238         return deletePrivateKeyTypeForAlias(keystore, alias, uid)
239                 & deleteSecretKeyTypeForAlias(keystore, alias, uid)
240                 & deleteCertificateTypesForAlias(keystore, alias, uid);
241     }
242 
243     /**
244      * Delete certificate types (user certificate, CA certificate) for a
245      * particular {@code alias}. Both can exist for any given alias.
246      * Returns {@code true} if the alias no longer contains either type.
247      */
deleteCertificateTypesForAlias(KeyStore keystore, String alias)248     public static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias) {
249         return deleteCertificateTypesForAlias(keystore, alias, KeyStore.UID_SELF);
250     }
251 
252     /**
253      * Delete certificate types (user certificate, CA certificate) for a
254      * particular {@code alias}. Both can exist for any given alias.
255      * Returns {@code true} if the alias no longer contains either type.
256      */
deleteCertificateTypesForAlias(KeyStore keystore, String alias, int uid)257     public static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias, int uid) {
258         /*
259          * Make sure every certificate type is deleted. There can be two types,
260          * so don't use a conditional here.
261          */
262         return keystore.delete(Credentials.USER_CERTIFICATE + alias, uid)
263                 & keystore.delete(Credentials.CA_CERTIFICATE + alias, uid);
264     }
265 
266     /**
267      * Delete private key for a particular {@code alias}.
268      * Returns {@code true} if the entry no longer exists.
269      */
deletePrivateKeyTypeForAlias(KeyStore keystore, String alias)270     static boolean deletePrivateKeyTypeForAlias(KeyStore keystore, String alias) {
271         return deletePrivateKeyTypeForAlias(keystore, alias, KeyStore.UID_SELF);
272     }
273 
274     /**
275      * Delete private key for a particular {@code alias}.
276      * Returns {@code true} if the entry no longer exists.
277      */
deletePrivateKeyTypeForAlias(KeyStore keystore, String alias, int uid)278     static boolean deletePrivateKeyTypeForAlias(KeyStore keystore, String alias, int uid) {
279         return keystore.delete(Credentials.USER_PRIVATE_KEY + alias, uid);
280     }
281 
282     /**
283      * Delete secret key for a particular {@code alias}.
284      * Returns {@code true} if the entry no longer exists.
285      */
deleteSecretKeyTypeForAlias(KeyStore keystore, String alias)286     public static boolean deleteSecretKeyTypeForAlias(KeyStore keystore, String alias) {
287         return deleteSecretKeyTypeForAlias(keystore, alias, KeyStore.UID_SELF);
288     }
289 
290     /**
291      * Delete secret key for a particular {@code alias}.
292      * Returns {@code true} if the entry no longer exists.
293      */
deleteSecretKeyTypeForAlias(KeyStore keystore, String alias, int uid)294     public static boolean deleteSecretKeyTypeForAlias(KeyStore keystore, String alias, int uid) {
295         return keystore.delete(Credentials.USER_SECRET_KEY + alias, uid);
296     }
297 }
298