1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.googlecode.android_scripting.facade; 18 19 import android.os.Environment; 20 import android.security.Credentials; 21 import android.security.KeyStore; 22 import android.util.Log; 23 24 import com.android.internal.net.VpnProfile; 25 import com.android.org.bouncycastle.asn1.ASN1InputStream; 26 import com.android.org.bouncycastle.asn1.ASN1Sequence; 27 import com.android.org.bouncycastle.asn1.DEROctetString; 28 import com.android.org.bouncycastle.asn1.x509.BasicConstraints; 29 30 import junit.framework.Assert; 31 32 import libcore.io.Streams; 33 34 import java.io.ByteArrayInputStream; 35 import java.io.File; 36 import java.io.FileInputStream; 37 import java.io.IOException; 38 import java.io.InputStream; 39 import java.security.KeyStoreException; 40 import java.security.NoSuchAlgorithmException; 41 import java.security.KeyStore.PasswordProtection; 42 import java.security.KeyStore.PrivateKeyEntry; 43 import java.security.PrivateKey; 44 import java.security.UnrecoverableEntryException; 45 import java.security.cert.Certificate; 46 import java.security.cert.CertificateEncodingException; 47 import java.security.cert.CertificateException; 48 import java.security.cert.X509Certificate; 49 import java.util.ArrayList; 50 import java.util.Collections; 51 import java.util.Enumeration; 52 import java.util.List; 53 54 /** 55 * Certificate installer helper to extract information from a provided file 56 * and install certificates to keystore. 57 */ 58 public class CertInstallerHelper { 59 private static final String TAG = "CertInstallerHelper"; 60 /* Define a password to unlock keystore after it is reset */ 61 private static final String CERT_STORE_PASSWORD = "password"; 62 private final int mUid = KeyStore.UID_SELF; 63 private PrivateKey mUserKey; // private key 64 private X509Certificate mUserCert; // user certificate 65 private List<X509Certificate> mCaCerts = new ArrayList<X509Certificate>(); 66 private KeyStore mKeyStore = KeyStore.getInstance(); 67 68 /** 69 * Unlock keystore and set password 70 */ 71 public CertInstallerHelper() { 72 mKeyStore.reset(); 73 mKeyStore.onUserPasswordChanged(CERT_STORE_PASSWORD); 74 } 75 76 private void extractCertificate(String certFile, String password) { 77 InputStream in = null; 78 final byte[] raw; 79 java.security.KeyStore keystore = null; 80 try { 81 // Read .p12 file from SDCARD and extract with password 82 in = new FileInputStream(new File( 83 Environment.getExternalStorageDirectory(), certFile)); 84 raw = Streams.readFully(in); 85 86 keystore = java.security.KeyStore.getInstance("PKCS12"); 87 PasswordProtection passwordProtection = new PasswordProtection(password.toCharArray()); 88 keystore.load(new ByteArrayInputStream(raw), passwordProtection.getPassword()); 89 90 // Install certificates and private keys 91 Enumeration<String> aliases = keystore.aliases(); 92 if (!aliases.hasMoreElements()) { 93 Assert.fail("key store failed to put in keychain"); 94 } 95 ArrayList<String> aliasesList = Collections.list(aliases); 96 // The keystore is initialized for each test case, there will 97 // be only one alias in the keystore 98 Assert.assertEquals(1, aliasesList.size()); 99 String alias = aliasesList.get(0); 100 java.security.KeyStore.Entry entry = keystore.getEntry(alias, passwordProtection); 101 Log.d(TAG, "extracted alias = " + alias + ", entry=" + entry.getClass()); 102 103 if (entry instanceof PrivateKeyEntry) { 104 Assert.assertTrue(installFrom((PrivateKeyEntry) entry)); 105 } 106 } catch (IOException e) { 107 Assert.fail("Failed to read certficate: " + e); 108 } catch (KeyStoreException e) { 109 Log.e(TAG, "failed to extract certificate" + e); 110 } catch (NoSuchAlgorithmException e) { 111 Log.e(TAG, "failed to extract certificate" + e); 112 } catch (CertificateException e) { 113 Log.e(TAG, "failed to extract certificate" + e); 114 } catch (UnrecoverableEntryException e) { 115 Log.e(TAG, "failed to extract certificate" + e); 116 } 117 finally { 118 if (in != null) { 119 try { 120 in.close(); 121 } catch (IOException e) { 122 Log.e(TAG, "close FileInputStream error: " + e); 123 } 124 } 125 } 126 } 127 128 /** 129 * Extract private keys, user certificates and ca certificates 130 */ 131 private synchronized boolean installFrom(PrivateKeyEntry entry) { 132 mUserKey = entry.getPrivateKey(); 133 mUserCert = (X509Certificate) entry.getCertificate(); 134 135 Certificate[] certs = entry.getCertificateChain(); 136 Log.d(TAG, "# certs extracted = " + certs.length); 137 mCaCerts = new ArrayList<X509Certificate>(certs.length); 138 for (Certificate c : certs) { 139 X509Certificate cert = (X509Certificate) c; 140 if (isCa(cert)) { 141 mCaCerts.add(cert); 142 } 143 } 144 Log.d(TAG, "# ca certs extracted = " + mCaCerts.size()); 145 return true; 146 } 147 148 private boolean isCa(X509Certificate cert) { 149 try { 150 byte[] asn1EncodedBytes = cert.getExtensionValue("2.5.29.19"); 151 if (asn1EncodedBytes == null) { 152 return false; 153 } 154 DEROctetString derOctetString = (DEROctetString) 155 new ASN1InputStream(asn1EncodedBytes).readObject(); 156 byte[] octets = derOctetString.getOctets(); 157 ASN1Sequence sequence = (ASN1Sequence) 158 new ASN1InputStream(octets).readObject(); 159 return BasicConstraints.getInstance(sequence).isCA(); 160 } catch (IOException e) { 161 return false; 162 } 163 } 164 165 /** 166 * Extract certificate from the given file, and install it to keystore 167 * @param name certificate name 168 * @param certFile .p12 file which includes certificates 169 * @param password password to extract the .p12 file 170 */ 171 public void installCertificate(VpnProfile profile, String certFile, String password) { 172 // extract private keys, certificates from the provided file 173 extractCertificate(certFile, password); 174 // install certificate to the keystore 175 int flags = KeyStore.FLAG_ENCRYPTED; 176 try { 177 if (mUserKey != null) { 178 Log.v(TAG, "has private key"); 179 String key = Credentials.USER_PRIVATE_KEY + profile.ipsecUserCert; 180 byte[] value = mUserKey.getEncoded(); 181 182 if (!mKeyStore.importKey(key, value, mUid, flags)) { 183 Log.e(TAG, "Failed to install " + key + " as user " + mUid); 184 return; 185 } 186 Log.v(TAG, "install " + key + " as user " + mUid + " is successful"); 187 } 188 189 if (mUserCert != null) { 190 String certName = Credentials.USER_CERTIFICATE + profile.ipsecUserCert; 191 byte[] certData = Credentials.convertToPem(mUserCert); 192 193 if (!mKeyStore.put(certName, certData, mUid, flags)) { 194 Log.e(TAG, "Failed to install " + certName + " as user " + mUid); 195 return; 196 } 197 Log.v(TAG, "install " + certName + " as user" + mUid + " is successful."); 198 } 199 200 if (!mCaCerts.isEmpty()) { 201 String caListName = Credentials.CA_CERTIFICATE + profile.ipsecCaCert; 202 X509Certificate[] caCerts = mCaCerts.toArray(new X509Certificate[mCaCerts.size()]); 203 byte[] caListData = Credentials.convertToPem(caCerts); 204 205 if (!mKeyStore.put(caListName, caListData, mUid, flags)) { 206 Log.e(TAG, "Failed to install " + caListName + " as user " + mUid); 207 return; 208 } 209 Log.v(TAG, " install " + caListName + " as user " + mUid + " is successful"); 210 } 211 } catch (CertificateEncodingException e) { 212 Log.e(TAG, "Exception while convert certificates to pem " + e); 213 throw new AssertionError(e); 214 } catch (IOException e) { 215 Log.e(TAG, "IOException while convert to pem: " + e); 216 } 217 } 218 219 public int getUid() { 220 return mUid; 221 } 222 } 223