/* * Copyright (C) 2011 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package android.security; import android.app.Activity; import android.app.PendingIntent; import android.content.ComponentName; import android.content.Context; import android.content.Intent; import android.content.ServiceConnection; import android.os.IBinder; import android.os.Looper; import android.os.RemoteException; import java.io.ByteArrayInputStream; import java.io.Closeable; import java.security.InvalidKeyException; import java.security.Principal; import java.security.PrivateKey; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.List; import java.util.concurrent.BlockingQueue; import java.util.concurrent.LinkedBlockingQueue; import org.apache.harmony.xnet.provider.jsse.OpenSSLEngine; import org.apache.harmony.xnet.provider.jsse.TrustedCertificateStore; /** * The {@code KeyChain} class provides access to private keys and * their corresponding certificate chains in credential storage. * *
Applications accessing the {@code KeyChain} normally go through * these steps: * *
An application may remember the value of a selected alias to * avoid prompting the user with {@link #choosePrivateKeyAlias * choosePrivateKeyAlias} on subsequent connections. If the alias is * no longer valid, null will be returned on lookups using that value * *
An application can request the installation of private keys and * certificates via the {@code Intent} provided by {@link * #createInstallIntent}. Private keys installed via this {@code * Intent} will be accessible via {@link #choosePrivateKeyAlias} while * Certificate Authority (CA) certificates will be trusted by all * applications through the default {@code X509TrustManager}. */ // TODO reference intent for credential installation when public public final class KeyChain { private static final String TAG = "KeyChain"; /** * @hide Also used by KeyChainService implementation */ public static final String ACCOUNT_TYPE = "com.android.keychain"; /** * Action to bring up the KeyChainActivity */ private static final String ACTION_CHOOSER = "com.android.keychain.CHOOSER"; /** * Extra for use with {@link #ACTION_CHOOSER} * @hide Also used by KeyChainActivity implementation */ public static final String EXTRA_RESPONSE = "response"; /** * Extra for use with {@link #ACTION_CHOOSER} * @hide Also used by KeyChainActivity implementation */ public static final String EXTRA_HOST = "host"; /** * Extra for use with {@link #ACTION_CHOOSER} * @hide Also used by KeyChainActivity implementation */ public static final String EXTRA_PORT = "port"; /** * Extra for use with {@link #ACTION_CHOOSER} * @hide Also used by KeyChainActivity implementation */ public static final String EXTRA_ALIAS = "alias"; /** * Extra for use with {@link #ACTION_CHOOSER} * @hide Also used by KeyChainActivity implementation */ public static final String EXTRA_SENDER = "sender"; /** * Action to bring up the CertInstaller. */ private static final String ACTION_INSTALL = "android.credentials.INSTALL"; /** * Optional extra to specify a {@code String} credential name on * the {@code Intent} returned by {@link #createInstallIntent}. */ // Compatible with old com.android.certinstaller.CredentialHelper.CERT_NAME_KEY public static final String EXTRA_NAME = "name"; /** * Optional extra to specify an X.509 certificate to install on * the {@code Intent} returned by {@link #createInstallIntent}. * The extra value should be a PEM or ASN.1 DER encoded {@code * byte[]}. An {@link X509Certificate} can be converted to DER * encoded bytes with {@link X509Certificate#getEncoded}. * *
{@link #EXTRA_NAME} may be used to provide a default alias * name for the installed certificate. */ // Compatible with old android.security.Credentials.CERTIFICATE public static final String EXTRA_CERTIFICATE = "CERT"; /** * Optional extra for use with the {@code Intent} returned by * {@link #createInstallIntent} to specify a PKCS#12 key store to * install. The extra value should be a {@code byte[]}. The bytes * may come from an external source or be generated with {@link * java.security.KeyStore#store} on a "PKCS12" instance. * *
The user will be prompted for the password to load the key store. * *
The key store will be scanned for {@link * java.security.KeyStore.PrivateKeyEntry} entries and both the * private key and associated certificate chain will be installed. * *
{@link #EXTRA_NAME} may be used to provide a default alias * name for the installed credentials. */ // Compatible with old android.security.Credentials.PKCS12 public static final String EXTRA_PKCS12 = "PKCS12"; /** * Broadcast Action: Indicates the trusted storage has changed. Sent when * one of this happens: * *
Alternatively, {@link #EXTRA_CERTIFICATE} or {@link * #EXTRA_PKCS12} maybe used to specify the bytes of an X.509 * certificate or a PKCS#12 key store for installation. These * extras may be combined with {@link #EXTRA_NAME} to provide a * default alias name for credentials being installed. * *
When used with {@link Activity#startActivityForResult}, * {@link Activity#RESULT_OK} will be returned if a credential was * successfully installed, otherwise {@link * Activity#RESULT_CANCELED} will be returned. */ public static Intent createInstallIntent() { Intent intent = new Intent(ACTION_INSTALL); intent.setClassName("com.android.certinstaller", "com.android.certinstaller.CertInstallerMain"); return intent; } /** * Launches an {@code Activity} for the user to select the alias * for a private key and certificate pair for authentication. The * selected alias or null will be returned via the * KeyChainAliasCallback callback. * *
{@code keyTypes} and {@code issuers} may be used to * highlight suggested choices to the user, although to cope with * sometimes erroneous values provided by servers, the user may be * able to override these suggestions. * *
{@code host} and {@code port} may be used to give the user * more context about the server requesting the credentials. * *
{@code alias} allows the chooser to preselect an existing
* alias which will still be subject to user confirmation.
*
* @param activity The {@link Activity} context to use for
* launching the new sub-Activity to prompt the user to select
* a private key; used only to call startActivity(); must not
* be null.
* @param response Callback to invoke when the request completes;
* must not be null
* @param keyTypes The acceptable types of asymmetric keys such as
* "RSA" or "DSA", or a null array.
* @param issuers The acceptable certificate issuers for the
* certificate matching the private key, or null.
* @param host The host name of the server requesting the
* certificate, or null if unavailable.
* @param port The port number of the server requesting the
* certificate, or -1 if unavailable.
* @param alias The alias to preselect if available, or null if
* unavailable.
*/
public static void choosePrivateKeyAlias(Activity activity, KeyChainAliasCallback response,
String[] keyTypes, Principal[] issuers,
String host, int port,
String alias) {
/*
* TODO currently keyTypes, issuers are unused. They are meant
* to follow the semantics and purpose of X509KeyManager
* method arguments.
*
* keyTypes would allow the list to be filtered and typically
* will be set correctly by the server. In practice today,
* most all users will want only RSA, rarely DSA, and usually
* only a small number of certs will be available.
*
* issuers is typically not useful. Some servers historically
* will send the entire list of public CAs known to the
* server. Others will send none. If this is used, if there
* are no matches after applying the constraint, it should be
* ignored.
*/
if (activity == null) {
throw new NullPointerException("activity == null");
}
if (response == null) {
throw new NullPointerException("response == null");
}
Intent intent = new Intent(ACTION_CHOOSER);
intent.putExtra(EXTRA_RESPONSE, new AliasResponse(response));
intent.putExtra(EXTRA_HOST, host);
intent.putExtra(EXTRA_PORT, port);
intent.putExtra(EXTRA_ALIAS, alias);
// the PendingIntent is used to get calling package name
intent.putExtra(EXTRA_SENDER, PendingIntent.getActivity(activity, 0, new Intent(), 0));
activity.startActivity(intent);
}
private static class AliasResponse extends IKeyChainAliasCallback.Stub {
private final KeyChainAliasCallback keyChainAliasResponse;
private AliasResponse(KeyChainAliasCallback keyChainAliasResponse) {
this.keyChainAliasResponse = keyChainAliasResponse;
}
@Override public void alias(String alias) {
keyChainAliasResponse.alias(alias);
}
}
/**
* Returns the {@code PrivateKey} for the requested alias, or null
* if no there is no result.
*
* @param alias The alias of the desired private key, typically
* returned via {@link KeyChainAliasCallback#alias}.
* @throws KeyChainException if the alias was valid but there was some problem accessing it.
*/
public static PrivateKey getPrivateKey(Context context, String alias)
throws KeyChainException, InterruptedException {
if (alias == null) {
throw new NullPointerException("alias == null");
}
KeyChainConnection keyChainConnection = bind(context);
try {
final IKeyChainService keyChainService = keyChainConnection.getService();
final String keyId = keyChainService.requestPrivateKey(alias);
if (keyId == null) {
throw new KeyChainException("keystore had a problem");
}
final OpenSSLEngine engine = OpenSSLEngine.getInstance("keystore");
return engine.getPrivateKeyById(keyId);
} catch (RemoteException e) {
throw new KeyChainException(e);
} catch (RuntimeException e) {
// only certain RuntimeExceptions can be propagated across the IKeyChainService call
throw new KeyChainException(e);
} catch (InvalidKeyException e) {
throw new KeyChainException(e);
} finally {
keyChainConnection.close();
}
}
/**
* Returns the {@code X509Certificate} chain for the requested
* alias, or null if no there is no result.
*
* @param alias The alias of the desired certificate chain, typically
* returned via {@link KeyChainAliasCallback#alias}.
* @throws KeyChainException if the alias was valid but there was some problem accessing it.
*/
public static X509Certificate[] getCertificateChain(Context context, String alias)
throws KeyChainException, InterruptedException {
if (alias == null) {
throw new NullPointerException("alias == null");
}
KeyChainConnection keyChainConnection = bind(context);
try {
IKeyChainService keyChainService = keyChainConnection.getService();
byte[] certificateBytes = keyChainService.getCertificate(alias);
TrustedCertificateStore store = new TrustedCertificateStore();
List