/* * Copyright (C) 2013 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.settings.vpn2; import android.os.Environment; import android.security.Credentials; import android.security.KeyStore; import android.util.Log; import com.android.internal.net.VpnProfile; import com.android.org.bouncycastle.asn1.ASN1InputStream; import com.android.org.bouncycastle.asn1.ASN1Sequence; import com.android.org.bouncycastle.asn1.DEROctetString; import com.android.org.bouncycastle.asn1.x509.BasicConstraints; import junit.framework.Assert; import libcore.io.Streams; import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.nio.charset.StandardCharsets; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.KeyStore.PasswordProtection; import java.security.KeyStore.PrivateKeyEntry; import java.security.PrivateKey; import java.security.UnrecoverableEntryException; import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collections; import java.util.Enumeration; import java.util.List; /** * Certificate installer helper to extract information from a provided file * and install certificates to keystore. */ public class CertInstallerHelper { private static final String TAG = "CertInstallerHelper"; /* Define a password to unlock keystore after it is reset */ private static final String CERT_STORE_PASSWORD = "password"; private final int mUid = KeyStore.UID_SELF; private PrivateKey mUserKey; // private key private X509Certificate mUserCert; // user certificate private List mCaCerts = new ArrayList(); private KeyStore mKeyStore = KeyStore.getInstance(); /** * Unlock keystore and set password */ public CertInstallerHelper() { mKeyStore.reset(); mKeyStore.onUserPasswordChanged(CERT_STORE_PASSWORD); } private void extractCertificate(String certFile, String password) { InputStream in = null; final byte[] raw; java.security.KeyStore keystore = null; try { // Read .p12 file from SDCARD and extract with password in = new FileInputStream(new File( Environment.getExternalStorageDirectory(), certFile)); raw = Streams.readFully(in); keystore = java.security.KeyStore.getInstance("PKCS12"); PasswordProtection passwordProtection = new PasswordProtection(password.toCharArray()); keystore.load(new ByteArrayInputStream(raw), passwordProtection.getPassword()); // Install certificates and private keys Enumeration aliases = keystore.aliases(); if (!aliases.hasMoreElements()) { Assert.fail("key store failed to put in keychain"); } ArrayList aliasesList = Collections.list(aliases); // The keystore is initialized for each test case, there will // be only one alias in the keystore Assert.assertEquals(1, aliasesList.size()); String alias = aliasesList.get(0); java.security.KeyStore.Entry entry = keystore.getEntry(alias, passwordProtection); Log.d(TAG, "extracted alias = " + alias + ", entry=" + entry.getClass()); if (entry instanceof PrivateKeyEntry) { Assert.assertTrue(installFrom((PrivateKeyEntry) entry)); } } catch (IOException e) { Assert.fail("Failed to read certficate: " + e); } catch (KeyStoreException e) { Log.e(TAG, "failed to extract certificate" + e); } catch (NoSuchAlgorithmException e) { Log.e(TAG, "failed to extract certificate" + e); } catch (CertificateException e) { Log.e(TAG, "failed to extract certificate" + e); } catch (UnrecoverableEntryException e) { Log.e(TAG, "failed to extract certificate" + e); } finally { if (in != null) { try { in.close(); } catch (IOException e) { Log.e(TAG, "close FileInputStream error: " + e); } } } } /** * Extract private keys, user certificates and ca certificates */ private synchronized boolean installFrom(PrivateKeyEntry entry) { mUserKey = entry.getPrivateKey(); mUserCert = (X509Certificate) entry.getCertificate(); Certificate[] certs = entry.getCertificateChain(); Log.d(TAG, "# certs extracted = " + certs.length); mCaCerts = new ArrayList(certs.length); for (Certificate c : certs) { X509Certificate cert = (X509Certificate) c; if (isCa(cert)) { mCaCerts.add(cert); } } Log.d(TAG, "# ca certs extracted = " + mCaCerts.size()); return true; } private boolean isCa(X509Certificate cert) { try { byte[] asn1EncodedBytes = cert.getExtensionValue("2.5.29.19"); if (asn1EncodedBytes == null) { return false; } DEROctetString derOctetString = (DEROctetString) new ASN1InputStream(asn1EncodedBytes).readObject(); byte[] octets = derOctetString.getOctets(); ASN1Sequence sequence = (ASN1Sequence) new ASN1InputStream(octets).readObject(); return BasicConstraints.getInstance(sequence).isCA(); } catch (IOException e) { return false; } } /** * Extract certificate from the given file, and install it to keystore * @param name certificate name * @param certFile .p12 file which includes certificates * @param password password to extract the .p12 file */ public void installCertificate(VpnProfile profile, String certFile, String password) { // extract private keys, certificates from the provided file extractCertificate(certFile, password); // install certificate to the keystore int flags = KeyStore.FLAG_ENCRYPTED; try { if (mUserKey != null) { Log.v(TAG, "has private key"); String key = Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert; byte[] value = mUserKey.getEncoded(); if (!mKeyStore.importKey(key, value, mUid, flags)) { Log.e(TAG, "Failed to install " + key + " as user " + mUid); return; } Log.v(TAG, "install " + key + " as user " + mUid + " is successful"); } if (mUserCert != null) { String certName = Credentials.USER_CERTIFICATE + profile.ipsecUserCert; byte[] certData = Credentials.convertToPem(mUserCert); if (!mKeyStore.put(certName, certData, mUid, flags)) { Log.e(TAG, "Failed to install " + certName + " as user " + mUid); return; } Log.v(TAG, "install " + certName + " as user" + mUid + " is successful."); } if (!mCaCerts.isEmpty()) { String caListName = Credentials.CA_CERTIFICATE + profile.ipsecCaCert; X509Certificate[] caCerts = mCaCerts.toArray(new X509Certificate[mCaCerts.size()]); byte[] caListData = Credentials.convertToPem(caCerts); if (!mKeyStore.put(caListName, caListData, mUid, flags)) { Log.e(TAG, "Failed to install " + caListName + " as user " + mUid); return; } Log.v(TAG, " install " + caListName + " as user " + mUid + " is successful"); } } catch (CertificateEncodingException e) { Log.e(TAG, "Exception while convert certificates to pem " + e); throw new AssertionError(e); } catch (IOException e) { Log.e(TAG, "IOException while convert to pem: " + e); } } public int getUid() { return mUid; } }