Gitiles
Code Review Sign In
gerrit.witaqua.org / frameworks_base / 0094de3727027b8437a4d2e2b8e459c2c12aa215 / . / keystore / java / android / security / Credentials.java
blob: 962ce512d949d7d070db6d6e485975b357189211 [file] [log] [blame]
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]1/*
2 * Copyright (C) 2009 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.security;
18
Mathew Inwood4dbdcf432018-08-16 18:49:37 +0100[diff] [blame]19import android.annotation.UnsupportedAppUsage;
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]20import android.content.ActivityNotFoundException;
21import android.content.Context;
22import android.content.Intent;
23import android.util.Log;
Shawn Willden8d8c7472016-02-02 08:27:39 -0700[diff] [blame]24
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]25import com.android.org.bouncycastle.util.io.pem.PemObject;
26import com.android.org.bouncycastle.util.io.pem.PemReader;
27import com.android.org.bouncycastle.util.io.pem.PemWriter;
Shawn Willden8d8c7472016-02-02 08:27:39 -0700[diff] [blame]28
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]29import java.io.ByteArrayInputStream;
30import java.io.ByteArrayOutputStream;
31import java.io.IOException;
32import java.io.InputStreamReader;
33import java.io.OutputStreamWriter;
34import java.io.Reader;
35import java.io.Writer;
Elliott Hughesd396a442013-06-28 16:24:48 -0700[diff] [blame]36import java.nio.charset.StandardCharsets;
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]37import java.security.KeyPair;
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]38import java.security.cert.Certificate;
39import java.security.cert.CertificateEncodingException;
40import java.security.cert.CertificateException;
41import java.security.cert.CertificateFactory;
Kenny Root5423e682011-11-14 08:43:13 -0800[diff] [blame]42import java.security.cert.X509Certificate;
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]43import java.util.ArrayList;
44import java.util.List;
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]45
46/**
47 * {@hide}
48 */
49public class Credentials {
50 private static final String LOGTAG = "Credentials";
Chia-chi Yeh44039172009-09-21 11:53:59 +0800[diff] [blame]51
Chia-chi Yeh44039172009-09-21 11:53:59 +0800[diff] [blame]52 public static final String INSTALL_ACTION = "android.credentials.INSTALL";
53
Kenny Root3e7be432013-03-28 09:25:51 -0700[diff] [blame]54 public static final String INSTALL_AS_USER_ACTION = "android.credentials.INSTALL_AS_USER";
55
Brian Carlstrom4a9e1a22011-04-22 15:45:22 -0700[diff] [blame]56 public static final String UNLOCK_ACTION = "com.android.credentials.UNLOCK";
57
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]58 /** Key prefix for CA certificates. */
59 public static final String CA_CERTIFICATE = "CACERT_";
60
61 /** Key prefix for user certificates. */
62 public static final String USER_CERTIFICATE = "USRCERT_";
63
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]64 /** Key prefix for user private and secret keys. */
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]65 public static final String USER_PRIVATE_KEY = "USRPKEY_";
66
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]67 /** Key prefix for user secret keys.
68 * @deprecated use {@code USER_PRIVATE_KEY} for this category instead.
69 */
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]70 public static final String USER_SECRET_KEY = "USRSKEY_";
71
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]72 /** Key prefix for VPN. */
73 public static final String VPN = "VPN_";
74
75 /** Key prefix for WIFI. */
76 public static final String WIFI = "WIFI_";
77
Jeff Sharkey69ddab42012-08-25 00:05:46 -0700[diff] [blame]78 /** Key containing suffix of lockdown VPN profile. */
79 public static final String LOCKDOWN_VPN = "LOCKDOWN_VPN";
80
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]81 /** Data type for public keys. */
Brian Carlstroma00a2b32011-06-29 10:42:35 -0700[diff] [blame]82 public static final String EXTRA_PUBLIC_KEY = "KEY";
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]83
84 /** Data type for private keys. */
Brian Carlstroma00a2b32011-06-29 10:42:35 -0700[diff] [blame]85 public static final String EXTRA_PRIVATE_KEY = "PKEY";
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]86
Brian Carlstrom67c30df2011-06-24 02:13:23 -0700[diff] [blame]87 // historically used by Android
88 public static final String EXTENSION_CRT = ".crt";
89 public static final String EXTENSION_P12 = ".p12";
90 // commonly used on Windows
91 public static final String EXTENSION_CER = ".cer";
92 public static final String EXTENSION_PFX = ".pfx";
93
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]94 /**
Kenny Root3e7be432013-03-28 09:25:51 -0700[diff] [blame]95 * Intent extra: install the certificate bundle as this UID instead of
96 * system.
97 */
98 public static final String EXTRA_INSTALL_AS_UID = "install_as_uid";
99
100 /**
Kenny Root5423e682011-11-14 08:43:13 -0800[diff] [blame]101 * Intent extra: name for the user's private key.
102 */
103 public static final String EXTRA_USER_PRIVATE_KEY_NAME = "user_private_key_name";
104
105 /**
106 * Intent extra: data for the user's private key in PEM-encoded PKCS#8.
107 */
108 public static final String EXTRA_USER_PRIVATE_KEY_DATA = "user_private_key_data";
109
110 /**
111 * Intent extra: name for the user's certificate.
112 */
113 public static final String EXTRA_USER_CERTIFICATE_NAME = "user_certificate_name";
114
115 /**
116 * Intent extra: data for the user's certificate in PEM-encoded X.509.
117 */
118 public static final String EXTRA_USER_CERTIFICATE_DATA = "user_certificate_data";
119
120 /**
121 * Intent extra: name for CA certificate chain
122 */
123 public static final String EXTRA_CA_CERTIFICATES_NAME = "ca_certificates_name";
124
125 /**
126 * Intent extra: data for CA certificate chain in PEM-encoded X.509.
127 */
128 public static final String EXTRA_CA_CERTIFICATES_DATA = "ca_certificates_data";
129
130 /**
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]131 * Convert objects to a PEM format which is used for
132 * CA_CERTIFICATE and USER_CERTIFICATE entries.
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]133 */
Andrei Oneaffeefd32019-02-28 13:44:21 +0000[diff] [blame]134 @UnsupportedAppUsage
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]135 public static byte[] convertToPem(Certificate... objects)
136 throws IOException, CertificateEncodingException {
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]137 ByteArrayOutputStream bao = new ByteArrayOutputStream();
Elliott Hughesd396a442013-06-28 16:24:48 -0700[diff] [blame]138 Writer writer = new OutputStreamWriter(bao, StandardCharsets.US_ASCII);
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]139 PemWriter pw = new PemWriter(writer);
140 for (Certificate o : objects) {
141 pw.writeObject(new PemObject("CERTIFICATE", o.getEncoded()));
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]142 }
143 pw.close();
144 return bao.toByteArray();
145 }
146 /**
147 * Convert objects from PEM format, which is used for
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]148 * CA_CERTIFICATE and USER_CERTIFICATE entries.
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]149 */
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]150 public static List<X509Certificate> convertFromPem(byte[] bytes)
151 throws IOException, CertificateException {
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]152 ByteArrayInputStream bai = new ByteArrayInputStream(bytes);
Elliott Hughesd396a442013-06-28 16:24:48 -0700[diff] [blame]153 Reader reader = new InputStreamReader(bai, StandardCharsets.US_ASCII);
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]154 PemReader pr = new PemReader(reader);
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]155
Shawn Willden8d8c7472016-02-02 08:27:39 -0700[diff] [blame]156 try {
157 CertificateFactory cf = CertificateFactory.getInstance("X509");
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]158
Shawn Willden8d8c7472016-02-02 08:27:39 -0700[diff] [blame]159 List<X509Certificate> result = new ArrayList<X509Certificate>();
160 PemObject o;
161 while ((o = pr.readPemObject()) != null) {
162 if (o.getType().equals("CERTIFICATE")) {
163 Certificate c = cf.generateCertificate(new ByteArrayInputStream(o.getContent()));
164 result.add((X509Certificate) c);
165 } else {
166 throw new IllegalArgumentException("Unknown type " + o.getType());
167 }
Brian Carlstrom0efca172012-09-04 23:01:07 -0700[diff] [blame]168 }
Shawn Willden8d8c7472016-02-02 08:27:39 -0700[diff] [blame]169 return result;
170 } finally {
171 pr.close();
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]172 }
Brian Carlstrom9d7faa92011-06-07 13:45:33 -0700[diff] [blame]173 }
174
Chia-chi Yeh44039172009-09-21 11:53:59 +0800[diff] [blame]175 private static Credentials singleton;
176
Mathew Inwood4dbdcf432018-08-16 18:49:37 +0100[diff] [blame]177 @UnsupportedAppUsage
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]178 public static Credentials getInstance() {
179 if (singleton == null) {
180 singleton = new Credentials();
181 }
182 return singleton;
183 }
184
Mathew Inwood4dbdcf432018-08-16 18:49:37 +0100[diff] [blame]185 @UnsupportedAppUsage
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]186 public void unlock(Context context) {
187 try {
Brian Carlstrom4a9e1a22011-04-22 15:45:22 -0700[diff] [blame]188 Intent intent = new Intent(UNLOCK_ACTION);
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]189 context.startActivity(intent);
190 } catch (ActivityNotFoundException e) {
191 Log.w(LOGTAG, e.toString());
192 }
193 }
194
Brian Carlstrom67c30df2011-06-24 02:13:23 -0700[diff] [blame]195 public void install(Context context) {
196 try {
Brian Carlstroma00a2b32011-06-29 10:42:35 -0700[diff] [blame]197 Intent intent = KeyChain.createInstallIntent();
Brian Carlstrom67c30df2011-06-24 02:13:23 -0700[diff] [blame]198 context.startActivity(intent);
199 } catch (ActivityNotFoundException e) {
200 Log.w(LOGTAG, e.toString());
201 }
202 }
203
Mathew Inwood4dbdcf432018-08-16 18:49:37 +0100[diff] [blame]204 @UnsupportedAppUsage
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]205 public void install(Context context, KeyPair pair) {
206 try {
Brian Carlstroma00a2b32011-06-29 10:42:35 -0700[diff] [blame]207 Intent intent = KeyChain.createInstallIntent();
208 intent.putExtra(EXTRA_PRIVATE_KEY, pair.getPrivate().getEncoded());
209 intent.putExtra(EXTRA_PUBLIC_KEY, pair.getPublic().getEncoded());
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]210 context.startActivity(intent);
211 } catch (ActivityNotFoundException e) {
212 Log.w(LOGTAG, e.toString());
213 }
214 }
215
Mathew Inwood4dbdcf432018-08-16 18:49:37 +0100[diff] [blame]216 @UnsupportedAppUsage
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]217 public void install(Context context, String type, byte[] value) {
218 try {
Brian Carlstroma00a2b32011-06-29 10:42:35 -0700[diff] [blame]219 Intent intent = KeyChain.createInstallIntent();
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]220 intent.putExtra(type, value);
221 context.startActivity(intent);
222 } catch (ActivityNotFoundException e) {
223 Log.w(LOGTAG, e.toString());
224 }
225 }
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]226
227 /**
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]228 * Delete all types (private key, user certificate, CA certificate) for a
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]229 * particular {@code alias}. All three can exist for any given alias.
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]230 * Returns {@code true} if the alias no longer contains any types.
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]231 */
Alex Klyubindcdaf872015-05-13 15:57:09 -0700[diff] [blame]232 public static boolean deleteAllTypesForAlias(KeyStore keystore, String alias) {
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]233 return deleteAllTypesForAlias(keystore, alias, KeyStore.UID_SELF);
234 }
235
236 /**
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]237 * Delete all types (private key, user certificate, CA certificate) for a
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]238 * particular {@code alias}. All three can exist for any given alias.
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]239 * Returns {@code true} if the alias no longer contains any types.
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]240 */
241 public static boolean deleteAllTypesForAlias(KeyStore keystore, String alias, int uid) {
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]242 /*
243 * Make sure every type is deleted. There can be all three types, so
244 * don't use a conditional here.
245 */
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]246 return deleteUserKeyTypeForAlias(keystore, alias, uid)
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]247 & deleteCertificateTypesForAlias(keystore, alias, uid);
Kenny Root802768d2012-08-21 15:23:35 -0700[diff] [blame]248 }
249
250 /**
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]251 * Delete certificate types (user certificate, CA certificate) for a
252 * particular {@code alias}. Both can exist for any given alias.
253 * Returns {@code true} if the alias no longer contains either type.
Kenny Root802768d2012-08-21 15:23:35 -0700[diff] [blame]254 */
Alex Klyubindcdaf872015-05-13 15:57:09 -0700[diff] [blame]255 public static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias) {
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]256 return deleteCertificateTypesForAlias(keystore, alias, KeyStore.UID_SELF);
257 }
258
259 /**
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]260 * Delete certificate types (user certificate, CA certificate) for a
261 * particular {@code alias}. Both can exist for any given alias.
262 * Returns {@code true} if the alias no longer contains either type.
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]263 */
264 public static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias, int uid) {
Kenny Root802768d2012-08-21 15:23:35 -0700[diff] [blame]265 /*
266 * Make sure every certificate type is deleted. There can be two types,
267 * so don't use a conditional here.
268 */
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]269 return keystore.delete(Credentials.USER_CERTIFICATE + alias, uid)
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]270 & keystore.delete(Credentials.CA_CERTIFICATE + alias, uid);
Kenny Rootdb026712012-08-20 10:48:46 -0700[diff] [blame]271 }
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]272
273 /**
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]274 * Delete user key for a particular {@code alias}.
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]275 * Returns {@code true} if the entry no longer exists.
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]276 */
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]277 public static boolean deleteUserKeyTypeForAlias(KeyStore keystore, String alias) {
278 return deleteUserKeyTypeForAlias(keystore, alias, KeyStore.UID_SELF);
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]279 }
280
281 /**
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]282 * Delete user key for a particular {@code alias}.
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]283 * Returns {@code true} if the entry no longer exists.
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]284 */
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]285 public static boolean deleteUserKeyTypeForAlias(KeyStore keystore, String alias, int uid) {
Janis Danisevskis906147c2018-11-06 14:14:05 -0800[diff] [blame]286 int ret = keystore.delete2(Credentials.USER_PRIVATE_KEY + alias, uid);
287 if (ret == KeyStore.KEY_NOT_FOUND) {
288 return keystore.delete(Credentials.USER_SECRET_KEY + alias, uid);
289 }
290 return ret == KeyStore.NO_ERROR;
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]291 }
292
293 /**
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]294 * Delete legacy prefixed entry for a particular {@code alias}
Robin Leee4487ea2016-02-29 17:43:54 +0000[diff] [blame]295 * Returns {@code true} if the entry no longer exists.
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]296 */
Janis Danisevskis64338c02017-04-19 09:17:17 -0700[diff] [blame]297 public static boolean deleteLegacyKeyForAlias(KeyStore keystore, String alias, int uid) {
Alex Klyubin3876b1b2015-09-09 14:55:03 -0700[diff] [blame]298 return keystore.delete(Credentials.USER_SECRET_KEY + alias, uid);
Alex Klyubinbaf28382015-03-26 14:46:55 -0700[diff] [blame]299 }
Chia-chi Yeh9b7a3f12009-09-18 12:00:12 +0800[diff] [blame]300}