1 /*
2  * Copyright (C) 2009 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package com.android.certinstaller;
18 
19 import android.app.admin.DevicePolicyManager;
20 import android.content.Context;
21 import android.content.Intent;
22 import android.content.pm.PackageManager;
23 import android.os.Bundle;
24 import android.os.RemoteException;
25 import android.os.UserHandle;
26 import android.security.Credentials;
27 import android.security.KeyChain;
28 import android.security.IKeyChainService;
29 import android.text.Html;
30 import android.text.TextUtils;
31 import android.util.Log;
32 import com.android.org.bouncycastle.asn1.ASN1InputStream;
33 import com.android.org.bouncycastle.asn1.ASN1Sequence;
34 import com.android.org.bouncycastle.asn1.DEROctetString;
35 import com.android.org.bouncycastle.asn1.x509.BasicConstraints;
36 import com.android.org.conscrypt.TrustedCertificateStore;
37 
38 import java.io.ByteArrayInputStream;
39 import java.io.IOException;
40 import java.security.KeyFactory;
41 import java.security.KeyStore.PasswordProtection;
42 import java.security.KeyStore.PrivateKeyEntry;
43 import java.security.KeyStore;
44 import java.security.NoSuchAlgorithmException;
45 import java.security.PrivateKey;
46 import java.security.cert.Certificate;
47 import java.security.cert.CertificateEncodingException;
48 import java.security.cert.CertificateException;
49 import java.security.cert.CertificateFactory;
50 import java.security.cert.X509Certificate;
51 import java.security.spec.InvalidKeySpecException;
52 import java.security.spec.PKCS8EncodedKeySpec;
53 import java.util.ArrayList;
54 import java.util.Enumeration;
55 import java.util.HashMap;
56 import java.util.List;
57 
58 /**
59  * A helper class for accessing the raw data in the intent extra and handling
60  * certificates.
61  */
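class CredentialHelper {
    private static final String DATA_KEY = "data";
    private static final String CERTS_KEY = "crts";

    private static final String TAG = "CredentialHelper";

    // Raw byte[] extras copied from the install intent, keyed by extra name.
    // EXTRA_NAME and EXTRA_INSTALL_AS_UID are parsed into mName / mUid instead
    // and are never stored here.
    private HashMap<String, byte[]> mBundle = new HashMap<String, byte[]>();

    // Credential name: "" until supplied by the intent, restored state, a
    // setName() call, or the alias of an extracted PKCS#12 key entry.
    private String mName = "";
    // Target UID for the install; -1 means "not set" (see isInstallAsUidSet()).
    private int mUid = -1;
    // Parsed credential parts, filled in by parseCert(), setPrivateKey(),
    // installFrom() and onRestoreStates().
    private PrivateKey mUserKey;
    private X509Certificate mUserCert;
    private List<X509Certificate> mCaCerts = new ArrayList<X509Certificate>();

    /** Creates an empty helper, to be filled in via onRestoreStates() or the setters. */
    CredentialHelper() {
    }

    /**
     * Builds a helper from the extras of an install intent.
     *
     * EXTRA_NAME and EXTRA_INSTALL_AS_UID are consumed into mName and mUid; every
     * remaining extra is read as a byte[] and kept in mBundle, and the
     * EXTRA_CERTIFICATE bytes (if present) are parsed into the user / CA cert
     * slots. An intent without extras leaves the helper at its defaults.
     *
     * @param intent the install intent; must not be null
     */
    CredentialHelper(Intent intent) {
        Bundle bundle = intent.getExtras();
        if (bundle == null) {
            return;
        }

        String name = bundle.getString(KeyChain.EXTRA_NAME);
        bundle.remove(KeyChain.EXTRA_NAME);
        if (name != null) {
            mName = name;
        }

        mUid = bundle.getInt(Credentials.EXTRA_INSTALL_AS_UID, -1);
        bundle.remove(Credentials.EXTRA_INSTALL_AS_UID);

        // Only key names and byte lengths are logged, never the extra contents.
        Log.d(TAG, "# extras: " + bundle.size());
        for (String key : bundle.keySet()) {
            byte[] bytes = bundle.getByteArray(key);
            Log.d(TAG, "   " + key + ": " + ((bytes == null) ? -1 : bytes.length));
            mBundle.put(key, bytes);
        }
        parseCert(getData(KeyChain.EXTRA_CERTIFICATE));
    }

    /**
     * Serializes the current state into {@code outStates} so onRestoreStates() can
     * rebuild it: the raw extras map, the name, the UID, the private key in its
     * getEncoded() form (read back as PKCS#8), and the DER encodings of the user
     * certificate followed by the CA certificates.
     *
     * NOTE(review): the private key bytes are written to the saved-state bundle
     * unencrypted; confirm this bundle cannot be observed outside the app process.
     *
     * @param outStates bundle to write into
     * @throws AssertionError if a held certificate cannot be DER-encoded
     */
    synchronized void onSaveStates(Bundle outStates) {
        try {
            outStates.putSerializable(DATA_KEY, mBundle);
            outStates.putString(KeyChain.EXTRA_NAME, mName);
            outStates.putInt(Credentials.EXTRA_INSTALL_AS_UID, mUid);
            if (mUserKey != null) {
                outStates.putByteArray(Credentials.USER_PRIVATE_KEY,
                        mUserKey.getEncoded());
            }
            ArrayList<byte[]> certs = new ArrayList<byte[]>(mCaCerts.size() + 1);
            if (mUserCert != null) {
                certs.add(mUserCert.getEncoded());
            }
            for (X509Certificate cert : mCaCerts) {
                certs.add(cert.getEncoded());
            }
            outStates.putByteArray(CERTS_KEY, Util.toBytes(certs));
        } catch (CertificateEncodingException e) {
            throw new AssertionError(e);
        }
    }

    /**
     * Restores the state written by onSaveStates().
     *
     * A missing extras map or name falls back to the constructor defaults so the
     * has*() / getData() accessors never see null. Restored certificates are fed
     * through parseCert(), which appends CA certificates to mCaCerts rather than
     * replacing them.
     *
     * @param savedStates bundle previously filled by onSaveStates()
     */
    void onRestoreStates(Bundle savedStates) {
        @SuppressWarnings("unchecked") // written by onSaveStates() as HashMap<String, byte[]>
        HashMap<String, byte[]> savedBundle =
                (HashMap<String, byte[]>) savedStates.getSerializable(DATA_KEY);
        mBundle = (savedBundle != null) ? savedBundle : new HashMap<String, byte[]>();

        String name = savedStates.getString(KeyChain.EXTRA_NAME);
        mName = (name != null) ? name : "";

        mUid = savedStates.getInt(Credentials.EXTRA_INSTALL_AS_UID, -1);
        byte[] bytes = savedStates.getByteArray(Credentials.USER_PRIVATE_KEY);
        if (bytes != null) {
            setPrivateKey(bytes);
        }

        ArrayList<byte[]> certs = Util.fromBytes(savedStates.getByteArray(CERTS_KEY));
        if (certs != null) {
            for (byte[] cert : certs) {
                parseCert(cert);
            }
        }
    }

    /** Returns the parsed user (non-CA) certificate, or null if none was seen. */
    X509Certificate getUserCertificate() {
        return mUserCert;
    }

    /**
     * Parses one DER/PEM-encoded X.509 certificate and files it as a CA cert
     * (appended to mCaCerts) or as the user cert (replacing mUserCert), based on
     * isCa(). Null input is ignored; a certificate that fails to parse is logged
     * and dropped.
     *
     * @param bytes encoded certificate, possibly null
     */
    private void parseCert(byte[] bytes) {
        if (bytes == null) {
            return;
        }

        try {
            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate)
                    certFactory.generateCertificate(
                            new ByteArrayInputStream(bytes));
            if (isCa(cert)) {
                Log.d(TAG, "got a CA cert");
                mCaCerts.add(cert);
            } else {
                Log.d(TAG, "got a user cert");
                mUserCert = cert;
            }
        } catch (CertificateException e) {
            Log.w(TAG, "parseCert(): " + e);
        }
    }

    /**
     * Returns whether {@code cert} asserts cA=TRUE in its BasicConstraints
     * extension.
     *
     * Uses the standard X509Certificate API, which reports -1 when the extension
     * is absent or cA is false. The previous hand-rolled ASN.1 decode cast the
     * extension value to DEROctetString / ASN1Sequence without checking, so a
     * malformed extension in externally supplied certificate bytes could escape as
     * a ClassCastException that parseCert() (which only catches
     * CertificateException) would not handle.
     *
     * @param cert parsed certificate, must not be null
     */
    private boolean isCa(X509Certificate cert) {
        // TODO: add a test about this
        return cert.getBasicConstraints() != -1;
    }

    /** Returns whether the raw extras contain a PKCS#12 blob under EXTRA_PKCS12. */
    boolean hasPkcs12KeyStore() {
        return mBundle.containsKey(KeyChain.EXTRA_PKCS12);
    }

    /** Returns whether the raw extras contain both a public and a private key entry. */
    boolean hasKeyPair() {
        return mBundle.containsKey(Credentials.EXTRA_PUBLIC_KEY)
                && mBundle.containsKey(Credentials.EXTRA_PRIVATE_KEY);
    }

    /** Returns whether a user (non-CA) certificate has been parsed or extracted. */
    boolean hasUserCertificate() {
        return (mUserCert != null);
    }

    /** Returns whether at least one CA certificate has been parsed or extracted. */
    boolean hasCaCerts() {
        return !mCaCerts.isEmpty();
    }

    /** Returns whether any of private key, user cert or CA certs is available to install. */
    boolean hasAnyForSystemInstall() {
        return (mUserKey != null) || hasUserCertificate() || hasCaCerts();
    }

    /**
     * Decodes a PKCS#8-encoded private key into mUserKey.
     *
     * The caller does not pass the key algorithm, so RSA (the only algorithm
     * accepted previously) is tried first and EC second; an encoding neither
     * factory accepts is treated as a programming error, as before.
     *
     * @param bytes PKCS#8 encoding of the private key
     * @throws AssertionError if no supported KeyFactory accepts the encoding, or
     *         if the platform lacks the RSA or EC KeyFactory
     */
    void setPrivateKey(byte[] bytes) {
        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(bytes);
        InvalidKeySpecException lastFailure = null;
        for (String algorithm : new String[] {"RSA", "EC"}) {
            try {
                mUserKey = KeyFactory.getInstance(algorithm).generatePrivate(keySpec);
                return;
            } catch (NoSuchAlgorithmException e) {
                throw new AssertionError(e);
            } catch (InvalidKeySpecException e) {
                // Not this algorithm's encoding; try the next one.
                lastFailure = e;
            }
        }
        throw new AssertionError(lastFailure);
    }

    /** Returns whether any raw extra was captured from the intent. */
    boolean containsAnyRawData() {
        return !mBundle.isEmpty();
    }

    /**
     * Returns the raw bytes stored for an intent extra.
     *
     * @param key extra name
     * @return the bytes, or null if the key is absent or its extra was not a byte[]
     */
    byte[] getData(String key) {
        return mBundle.get(key);
    }

    /** Stores (or replaces) the PKCS#12 blob under EXTRA_PKCS12. */
    void putPkcs12Data(byte[] data) {
        mBundle.put(KeyChain.EXTRA_PKCS12, data);
    }

    /**
     * Builds a short HTML-rendered summary of what this credential holds: one line
     * each for a private key and a user certificate, then a CA-certificate count.
     *
     * @param context used to look up the string resources
     * @return the summary as styled text
     */
    CharSequence getDescription(Context context) {
        // TODO: create more descriptive string
        StringBuilder sb = new StringBuilder();
        String newline = "<br>";
        if (mUserKey != null) {
            sb.append(context.getString(R.string.one_userkey)).append(newline);
        }
        if (mUserCert != null) {
            sb.append(context.getString(R.string.one_usercrt)).append(newline);
        }
        int n = mCaCerts.size();
        if (n > 0) {
            if (n == 1) {
                sb.append(context.getString(R.string.one_cacrt));
            } else {
                sb.append(context.getString(R.string.n_cacrts, n));
            }
        }
        return Html.fromHtml(sb.toString());
    }

    /** Sets the credential name used as the alias suffix when installing. */
    void setName(String name) {
        mName = name;
    }

    /** Returns the credential name ("" if none was ever supplied). */
    String getName() {
        return mName;
    }

    /** Sets the UID the credential should be installed for. */
    void setInstallAsUid(int uid) {
        mUid = uid;
    }

    /** Returns whether an install UID other than the -1 default has been set. */
    boolean isInstallAsUidSet() {
        return mUid != -1;
    }

    /** Returns the install UID, or -1 if unset. */
    int getInstallAsUid() {
        return mUid;
    }

    /**
     * Creates the explicit intent that hands the credential to the system
     * CredentialStorage activity (Settings, or the Wear settings package on a
     * watch). Extras carry the install UID plus, when present, the private key
     * (encoded), the user certificate (PEM) and the CA certificates (PEM), each
     * paired with an alias built from the type prefix and mName.
     *
     * @param context used to detect the Wear feature
     * @return the populated intent
     * @throws AssertionError if PEM conversion fails, which is not expected for
     *         certificates that already parsed
     */
    Intent createSystemInstallIntent(final Context context) {
        Intent intent = new Intent("com.android.credentials.INSTALL");
        // To prevent the private key from being sniffed, we explicitly spell
        // out the intent receiver class.
        if (!isWear(context)) {
            intent.setClassName(Util.SETTINGS_PACKAGE, "com.android.settings.CredentialStorage");
        } else {
            intent.setClassName("com.google.android.apps.wearable.settings",
                    "com.google.android.clockwork.settings.CredentialStorage");
        }
        intent.putExtra(Credentials.EXTRA_INSTALL_AS_UID, mUid);
        try {
            if (mUserKey != null) {
                intent.putExtra(Credentials.EXTRA_USER_PRIVATE_KEY_NAME,
                        Credentials.USER_PRIVATE_KEY + mName);
                intent.putExtra(Credentials.EXTRA_USER_PRIVATE_KEY_DATA,
                        mUserKey.getEncoded());
            }
            if (mUserCert != null) {
                intent.putExtra(Credentials.EXTRA_USER_CERTIFICATE_NAME,
                        Credentials.USER_CERTIFICATE + mName);
                intent.putExtra(Credentials.EXTRA_USER_CERTIFICATE_DATA,
                        Credentials.convertToPem(mUserCert));
            }
            if (!mCaCerts.isEmpty()) {
                intent.putExtra(Credentials.EXTRA_CA_CERTIFICATES_NAME,
                        Credentials.CA_CERTIFICATE + mName);
                X509Certificate[] caCerts
                        = mCaCerts.toArray(new X509Certificate[mCaCerts.size()]);
                intent.putExtra(Credentials.EXTRA_CA_CERTIFICATES_DATA,
                        Credentials.convertToPem(caCerts));
            }
            return intent;
        } catch (IOException e) {
            throw new AssertionError(e);
        } catch (CertificateEncodingException e) {
            throw new AssertionError(e);
        }
    }

    /**
     * Installs every held CA certificate as a user trust anchor through the
     * KeyChain service and marks it approved for the current user via
     * DevicePolicyManager.
     *
     * Stops at the first failure: a RemoteException from the service, or a
     * certificate that cannot be found in the trusted store afterwards (null
     * alias). Certificates installed before the failure stay installed.
     *
     * @param context used to obtain DevicePolicyManager
     * @param keyChainService bound KeyChain service
     * @return true if all CA certificates were installed and approved
     * @throws AssertionError if a held certificate cannot be DER-encoded
     */
    boolean installVpnAndAppsTrustAnchors(Context context, IKeyChainService keyChainService) {
        final TrustedCertificateStore trustedCertificateStore = new TrustedCertificateStore();
        final DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
        for (X509Certificate caCert : mCaCerts) {
            byte[] bytes = null;
            try {
                bytes = caCert.getEncoded();
            } catch (CertificateEncodingException e) {
                throw new AssertionError(e);
            }
            if (bytes != null) {
                try {
                    keyChainService.installCaCertificate(bytes);
                } catch (RemoteException e) {
                    Log.w(TAG, "installCaCertsToKeyChain(): " + e);
                    return false;
                }

                String alias = trustedCertificateStore.getCertificateAlias(caCert);
                if (alias == null) {
                    Log.e(TAG, "alias is null");
                    return false;
                }

                // Since the cert is installed by real user, the cert is approved by the user
                dpm.approveCaCert(alias, UserHandle.myUserId(), true);
            }
        }
        return true;
    }

    /**
     * Returns whether the stored PKCS#12 blob needs a non-empty password.
     *
     * Probes by loading the blob with an empty password: success means no
     * password is needed (loadPkcs12Internal() never returns null, so the
     * comparison below is false in that case); any exception is taken to mean a
     * password is required. False when no PKCS#12 blob is present at all.
     */
    boolean hasPassword() {
        if (!hasPkcs12KeyStore()) {
            return false;
        }
        try {
            return loadPkcs12Internal(new PasswordProtection(new char[] {})) == null;
        } catch (Exception e) {
            return true;
        }
    }

    /**
     * Opens the stored PKCS#12 blob with {@code password} and pulls the first
     * private-key entry into this helper.
     *
     * @param password PKCS#12 password; a null password is reported as a failure
     *        via the catch below rather than thrown
     * @return the result of extractPkcs12Internal(), or false on any exception
     */
    boolean extractPkcs12(String password) {
        try {
            return extractPkcs12Internal(new PasswordProtection(password.toCharArray()));
        } catch (Exception e) {
            Log.w(TAG, "extractPkcs12(): " + e, e);
            return false;
        }
    }

    /**
     * Walks the aliases of the loaded PKCS#12 keystore and installs the first
     * PrivateKeyEntry via installFrom(), using its alias as mName if no name is
     * set yet.
     *
     * @return false if the keystore has no aliases; the installFrom() result for
     *         the first PrivateKeyEntry; otherwise true after scanning every
     *         alias - note this last case installs nothing
     * @throws Exception any keystore loading or entry access failure
     */
    private boolean extractPkcs12Internal(PasswordProtection password)
            throws Exception {
        // TODO: add test about this
        java.security.KeyStore keystore = loadPkcs12Internal(password);

        Enumeration<String> aliases = keystore.aliases();
        if (!aliases.hasMoreElements()) {
            return false;
        }

        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (keystore.isKeyEntry(alias)) {
                KeyStore.Entry entry = keystore.getEntry(alias, password);
                Log.d(TAG, "extracted alias = " + alias + ", entry=" + entry.getClass());

                if (entry instanceof PrivateKeyEntry) {
                    if (TextUtils.isEmpty(mName)) {
                        mName = alias;
                    }
                    return installFrom((PrivateKeyEntry) entry);
                }
            } else {
                // KeyStore.getEntry with non-null ProtectionParameter can only be invoked on
                // PrivateKeyEntry or SecretKeyEntry.
                // See https://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html
                Log.d(TAG, "Skip non-key entry, alias = " + alias);
            }
        }
        return true;
    }

    /**
     * Loads the EXTRA_PKCS12 bytes as a PKCS12 keystore with the given password.
     *
     * @return the loaded keystore (never null)
     * @throws Exception if the blob cannot be loaded, e.g. wrong password
     */
    private java.security.KeyStore loadPkcs12Internal(PasswordProtection password)
            throws Exception {
        java.security.KeyStore keystore = java.security.KeyStore.getInstance("PKCS12");
        keystore.load(new ByteArrayInputStream(getData(KeyChain.EXTRA_PKCS12)),
                      password.getPassword());
        return keystore;
    }

    /**
     * Takes the private key and leaf certificate from a PKCS#12 key entry and
     * rebuilds mCaCerts from the chain members for which isCa() holds. Any
     * previously held CA certificates are discarded.
     *
     * @return always true
     */
    private synchronized boolean installFrom(PrivateKeyEntry entry) {
        mUserKey = entry.getPrivateKey();
        mUserCert = (X509Certificate) entry.getCertificate();

        Certificate[] certs = entry.getCertificateChain();
        Log.d(TAG, "# certs extracted = " + certs.length);
        mCaCerts = new ArrayList<X509Certificate>(certs.length);
        for (Certificate c : certs) {
            X509Certificate cert = (X509Certificate) c;
            if (isCa(cert)) {
                mCaCerts.add(cert);
            }
        }
        Log.d(TAG, "# ca certs extracted = " + mCaCerts.size());

        return true;
    }

    /** Returns whether the device declares the watch system feature. */
    private static boolean isWear(final Context context) {
        return context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH);
    }

    /**
     * Returns whether this credential contains CA certificates to be used as trust anchors
     * for VPN and apps.
     */
    public boolean includesVpnAndAppsTrustAnchors() {
        if (!hasCaCerts()) {
            return false;
        }
        if (getInstallAsUid() != android.security.KeyStore.UID_SELF) {
            // VPN and Apps trust anchors can only be installed under UID_SELF
            return false;
        }

        if (mUserKey != null) {
            // We are installing a key pair for client authentication, its CA
            // should have nothing to do with VPN and apps trust anchors.
            return false;
        } else {
            return true;
        }
    }
}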