1 /*
2  * Copyright (C) 2009 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security;
18 
19 import android.content.ActivityNotFoundException;
20 import android.content.Context;
21 import android.content.Intent;
22 import android.util.Log;
23 import com.android.org.bouncycastle.util.io.pem.PemObject;
24 import com.android.org.bouncycastle.util.io.pem.PemReader;
25 import com.android.org.bouncycastle.util.io.pem.PemWriter;
26 import java.io.ByteArrayInputStream;
27 import java.io.ByteArrayOutputStream;
28 import java.io.IOException;
29 import java.io.InputStreamReader;
30 import java.io.OutputStreamWriter;
31 import java.io.Reader;
32 import java.io.Writer;
33 import java.nio.charset.StandardCharsets;
34 import java.security.KeyPair;
35 import java.security.cert.Certificate;
36 import java.security.cert.CertificateEncodingException;
37 import java.security.cert.CertificateException;
38 import java.security.cert.CertificateFactory;
39 import java.security.cert.X509Certificate;
40 import java.util.ArrayList;
41 import java.util.List;
42 
43 /**
44  * {@hide}
45  */
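public class Credentials {
    // Constants and helpers for installing, unlocking and deleting keystore
    // credentials. The delete helpers address entries by "<prefix><alias>",
    // built from the key prefixes declared below.

    private static final String LOGTAG = "Credentials";

    public static final String INSTALL_ACTION = "android.credentials.INSTALL";

    public static final String INSTALL_AS_USER_ACTION = "android.credentials.INSTALL_AS_USER";

    /** Action of the intent started by {@link #unlock(Context)}. */
    public static final String UNLOCK_ACTION = "com.android.credentials.UNLOCK";

    /** Key prefix for CA certificates. */
    public static final String CA_CERTIFICATE = "CACERT_";

    /** Key prefix for user certificates. */
    public static final String USER_CERTIFICATE = "USRCERT_";

    /** Key prefix for user private keys. */
    public static final String USER_PRIVATE_KEY = "USRPKEY_";

    /** Key prefix for user secret keys. */
    public static final String USER_SECRET_KEY = "USRSKEY_";

    /** Key prefix for VPN. */
    public static final String VPN = "VPN_";

    /** Key prefix for WIFI. */
    public static final String WIFI = "WIFI_";

    /** Key containing suffix of lockdown VPN profile. */
    public static final String LOCKDOWN_VPN = "LOCKDOWN_VPN";

    /** Data type for public keys; also the extra name used by {@link #install(Context, KeyPair)}. */
    public static final String EXTRA_PUBLIC_KEY = "KEY";

    /** Data type for private keys; also the extra name used by {@link #install(Context, KeyPair)}. */
    public static final String EXTRA_PRIVATE_KEY = "PKEY";

    // historically used by Android
    public static final String EXTENSION_CRT = ".crt";
    public static final String EXTENSION_P12 = ".p12";
    // commonly used on Windows
    public static final String EXTENSION_CER = ".cer";
    public static final String EXTENSION_PFX = ".pfx";

    /**
     * Intent extra: install the certificate bundle as this UID instead of
     * system.
     */
    public static final String EXTRA_INSTALL_AS_UID = "install_as_uid";

    /**
     * Intent extra: name for the user's private key.
     */
    public static final String EXTRA_USER_PRIVATE_KEY_NAME = "user_private_key_name";

    /**
     * Intent extra: data for the user's private key in PEM-encoded PKCS#8.
     */
    public static final String EXTRA_USER_PRIVATE_KEY_DATA = "user_private_key_data";

    /**
     * Intent extra: name for the user's certificate.
     */
    public static final String EXTRA_USER_CERTIFICATE_NAME = "user_certificate_name";

    /**
     * Intent extra: data for the user's certificate in PEM-encoded X.509.
     */
    public static final String EXTRA_USER_CERTIFICATE_DATA = "user_certificate_data";

    /**
     * Intent extra: name for CA certificate chain.
     */
    public static final String EXTRA_CA_CERTIFICATES_NAME = "ca_certificates_name";

    /**
     * Intent extra: data for CA certificate chain in PEM-encoded X.509.
     */
    public static final String EXTRA_CA_CERTIFICATES_DATA = "ca_certificates_data";

    /**
     * Encodes certificates as PEM, the format used for
     * CA_CERTIFICATE and USER_CERTIFICATE entries.
     *
     * @param objects certificates to encode; each becomes one "CERTIFICATE"
     *        PEM block, written in argument order
     * @return the PEM text as US-ASCII bytes
     * @throws IOException if writing the PEM output fails
     * @throws CertificateEncodingException if a certificate cannot be encoded
     */
    public static byte[] convertToPem(Certificate... objects)
            throws IOException, CertificateEncodingException {
        ByteArrayOutputStream bao = new ByteArrayOutputStream();
        // try-with-resources closes the writer even when getEncoded() throws
        // part-way through the list; close() also flushes into bao.
        try (PemWriter pw = new PemWriter(
                new OutputStreamWriter(bao, StandardCharsets.US_ASCII))) {
            for (Certificate o : objects) {
                pw.writeObject(new PemObject("CERTIFICATE", o.getEncoded()));
            }
        }
        return bao.toByteArray();
    }

    /**
     * Decodes certificates from PEM, the format used for
     * CA_CERTIFICATE and USER_CERTIFICATE entries.
     *
     * <p>This only parses. Nothing here checks a signature, a validity period
     * or a trust chain, so the returned certificates are not thereby trusted;
     * validation is left to the caller.
     *
     * @param bytes PEM text as US-ASCII bytes
     * @return the decoded certificates, in the order they appear in the input
     * @throws IOException if reading the PEM input fails
     * @throws CertificateException if a block cannot be parsed as a certificate
     * @throws IllegalArgumentException if a PEM block is not of type "CERTIFICATE"
     */
    public static List<X509Certificate> convertFromPem(byte[] bytes)
            throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        List<X509Certificate> result = new ArrayList<>();

        // The reader is closed on every exit path, including the rejection below.
        try (PemReader pr = new PemReader(new InputStreamReader(
                new ByteArrayInputStream(bytes), StandardCharsets.US_ASCII))) {
            PemObject o;
            while ((o = pr.readPemObject()) != null) {
                // Fail on any non-certificate block instead of skipping it, so a
                // bundle holding other material is refused as a whole.
                if (!"CERTIFICATE".equals(o.getType())) {
                    throw new IllegalArgumentException("Unknown type " + o.getType());
                }
                Certificate c = cf.generateCertificate(new ByteArrayInputStream(o.getContent()));
                result.add((X509Certificate) c);
            }
        }
        return result;
    }

    // Created during class initialization, which removes the unsynchronized
    // check-then-create that lazy initialization needed in getInstance().
    private static final Credentials singleton = new Credentials();

    /**
     * Returns the shared {@code Credentials} instance.
     */
    public static Credentials getInstance() {
        return singleton;
    }

    /**
     * Starts the activity registered for {@link #UNLOCK_ACTION}.
     *
     * <p>The intent is implicit: it names an action only and sets no component
     * or package, so the handler is chosen by the platform's intent resolution.
     * A missing handler is logged as a warning and otherwise ignored.
     *
     * @param context context used to start the activity
     */
    public void unlock(Context context) {
        startActivityOrWarn(context, new Intent(UNLOCK_ACTION));
    }

    /**
     * Starts the install activity with no extras.
     *
     * @param context context used to start the activity
     */
    public void install(Context context) {
        startActivityOrWarn(context, KeyChain.createInstallIntent());
    }

    /**
     * Starts the install activity for a key pair.
     *
     * <p>Security note: the encoded private key is placed in the intent as the
     * {@link #EXTRA_PRIVATE_KEY} extra and leaves this process with it. Its
     * confidentiality depends on the intent returned by
     * {@code KeyChain.createInstallIntent()} being delivered only to the
     * intended installer. That method is not visible in this file, so confirm
     * that it targets an explicit component.
     *
     * @param context context used to start the activity
     * @param pair key pair whose encoded private and public keys are attached
     */
    public void install(Context context, KeyPair pair) {
        Intent intent = KeyChain.createInstallIntent();
        // Key.getEncoded() may return null for keys that do not support
        // encoding; the extras are attached as returned, without a check.
        intent.putExtra(EXTRA_PRIVATE_KEY, pair.getPrivate().getEncoded());
        intent.putExtra(EXTRA_PUBLIC_KEY, pair.getPublic().getEncoded());
        startActivityOrWarn(context, intent);
    }

    /**
     * Starts the install activity with a single caller-supplied extra.
     *
     * <p>{@code type} is used verbatim as the extra name and {@code value} as
     * its payload; neither is validated here, so what the bytes are and whether
     * they may be trusted is for the caller and the receiving installer to decide.
     *
     * @param context context used to start the activity
     * @param type name of the intent extra
     * @param value bytes stored under {@code type}
     */
    public void install(Context context, String type, byte[] value) {
        Intent intent = KeyChain.createInstallIntent();
        intent.putExtra(type, value);
        startActivityOrWarn(context, intent);
    }

    /** Starts {@code intent}; logs a warning instead of throwing when no activity handles it. */
    private static void startActivityOrWarn(Context context, Intent intent) {
        try {
            context.startActivity(intent);
        } catch (ActivityNotFoundException e) {
            // Best effort by design: the public methods return void, so the
            // failure is visible only in the log.
            Log.w(LOGTAG, e.toString());
        }
    }

    /**
     * Delete all types (private key, secret key, user certificate, CA
     * certificate) for a particular {@code alias}. Any of them can exist for
     * a given alias.
     * Returns {@code true} if at least one delete call returned {@code true}.
     */
    public static boolean deleteAllTypesForAlias(KeyStore keystore, String alias) {
        /*
         * Make sure every type is deleted. The non-short-circuit '|' is
         * deliberate: '||' would stop after the first successful delete and
         * leave the remaining entries for this alias in the keystore.
         */
        return keystore.delete(Credentials.USER_PRIVATE_KEY + alias)
                | keystore.delete(Credentials.USER_SECRET_KEY + alias)
                | deleteCertificateTypesForAlias(keystore, alias);
    }

    /**
     * Delete both certificate types (user certificate, CA certificate) for a
     * particular {@code alias}. Key entries are not touched.
     * Returns {@code true} if at least one delete call returned {@code true}.
     */
    public static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias) {
        /*
         * Make sure every certificate type is deleted. There can be two types,
         * so the non-short-circuit '|' is used to always attempt both.
         */
        return keystore.delete(Credentials.USER_CERTIFICATE + alias)
                | keystore.delete(Credentials.CA_CERTIFICATE + alias);
    }

    /**
     * Delete private key for a particular {@code alias}.
     * Returns {@code true} if an entry was deleted.
     */
    static boolean deletePrivateKeyTypeForAlias(KeyStore keystore, String alias) {
        return keystore.delete(Credentials.USER_PRIVATE_KEY + alias);
    }

    /**
     * Delete secret key for a particular {@code alias}.
     * Returns {@code true} if an entry was deleted.
     */
    public static boolean deleteSecretKeyTypeForAlias(KeyStore keystore, String alias) {
        return keystore.delete(Credentials.USER_SECRET_KEY + alias);
    }
}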