1 /* 2 * Copyright (C) 2009 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.security; 18 19 import android.content.ActivityNotFoundException; 20 import android.content.Context; 21 import android.content.Intent; 22 import android.util.Log; 23 import com.android.org.bouncycastle.util.io.pem.PemObject; 24 import com.android.org.bouncycastle.util.io.pem.PemReader; 25 import com.android.org.bouncycastle.util.io.pem.PemWriter; 26 import java.io.ByteArrayInputStream; 27 import java.io.ByteArrayOutputStream; 28 import java.io.IOException; 29 import java.io.InputStreamReader; 30 import java.io.ObjectOutputStream; 31 import java.io.OutputStreamWriter; 32 import java.io.Reader; 33 import java.io.Writer; 34 import java.nio.charset.Charsets; 35 import java.security.KeyPair; 36 import java.security.cert.Certificate; 37 import java.security.cert.CertificateEncodingException; 38 import java.security.cert.CertificateException; 39 import java.security.cert.CertificateFactory; 40 import java.security.cert.X509Certificate; 41 import java.util.ArrayList; 42 import java.util.List; 43 44 /** 45 * {@hide} 46 */ 47 public class Credentials { 48 private static final String LOGTAG = "Credentials"; 49 50 public static final String INSTALL_ACTION = "android.credentials.INSTALL"; 51 52 public static final String INSTALL_AS_USER_ACTION = "android.credentials.INSTALL_AS_USER"; 53 54 public static final String UNLOCK_ACTION = "com.android.credentials.UNLOCK"; 55 56 /** Key prefix for CA certificates. */ 57 public static final String CA_CERTIFICATE = "CACERT_"; 58 59 /** Key prefix for user certificates. */ 60 public static final String USER_CERTIFICATE = "USRCERT_"; 61 62 /** Key prefix for user private keys. */ 63 public static final String USER_PRIVATE_KEY = "USRPKEY_"; 64 65 /** Key prefix for VPN. */ 66 public static final String VPN = "VPN_"; 67 68 /** Key prefix for WIFI. */ 69 public static final String WIFI = "WIFI_"; 70 71 /** Key containing suffix of lockdown VPN profile. */ 72 public static final String LOCKDOWN_VPN = "LOCKDOWN_VPN"; 73 74 /** Data type for public keys. */ 75 public static final String EXTRA_PUBLIC_KEY = "KEY"; 76 77 /** Data type for private keys. */ 78 public static final String EXTRA_PRIVATE_KEY = "PKEY"; 79 80 // historically used by Android 81 public static final String EXTENSION_CRT = ".crt"; 82 public static final String EXTENSION_P12 = ".p12"; 83 // commonly used on Windows 84 public static final String EXTENSION_CER = ".cer"; 85 public static final String EXTENSION_PFX = ".pfx"; 86 87 /** 88 * Intent extra: install the certificate bundle as this UID instead of 89 * system. 90 */ 91 public static final String EXTRA_INSTALL_AS_UID = "install_as_uid"; 92 93 /** 94 * Intent extra: name for the user's private key. 95 */ 96 public static final String EXTRA_USER_PRIVATE_KEY_NAME = "user_private_key_name"; 97 98 /** 99 * Intent extra: data for the user's private key in PEM-encoded PKCS#8. 100 */ 101 public static final String EXTRA_USER_PRIVATE_KEY_DATA = "user_private_key_data"; 102 103 /** 104 * Intent extra: name for the user's certificate. 105 */ 106 public static final String EXTRA_USER_CERTIFICATE_NAME = "user_certificate_name"; 107 108 /** 109 * Intent extra: data for the user's certificate in PEM-encoded X.509. 110 */ 111 public static final String EXTRA_USER_CERTIFICATE_DATA = "user_certificate_data"; 112 113 /** 114 * Intent extra: name for CA certificate chain 115 */ 116 public static final String EXTRA_CA_CERTIFICATES_NAME = "ca_certificates_name"; 117 118 /** 119 * Intent extra: data for CA certificate chain in PEM-encoded X.509. 120 */ 121 public static final String EXTRA_CA_CERTIFICATES_DATA = "ca_certificates_data"; 122 123 /** 124 * Convert objects to a PEM format which is used for 125 * CA_CERTIFICATE and USER_CERTIFICATE entries. 126 */ 127 public static byte[] convertToPem(Certificate... objects) 128 throws IOException, CertificateEncodingException { 129 ByteArrayOutputStream bao = new ByteArrayOutputStream(); 130 Writer writer = new OutputStreamWriter(bao, Charsets.US_ASCII); 131 PemWriter pw = new PemWriter(writer); 132 for (Certificate o : objects) { 133 pw.writeObject(new PemObject("CERTIFICATE", o.getEncoded())); 134 } 135 pw.close(); 136 return bao.toByteArray(); 137 } 138 /** 139 * Convert objects from PEM format, which is used for 140 * CA_CERTIFICATE and USER_CERTIFICATE entries. 141 */ 142 public static List<X509Certificate> convertFromPem(byte[] bytes) 143 throws IOException, CertificateException { 144 ByteArrayInputStream bai = new ByteArrayInputStream(bytes); 145 Reader reader = new InputStreamReader(bai, Charsets.US_ASCII); 146 PemReader pr = new PemReader(reader); 147 148 CertificateFactory cf = CertificateFactory.getInstance("X509"); 149 150 List<X509Certificate> result = new ArrayList<X509Certificate>(); 151 PemObject o; 152 while ((o = pr.readPemObject()) != null) { 153 if (o.getType().equals("CERTIFICATE")) { 154 Certificate c = cf.generateCertificate(new ByteArrayInputStream(o.getContent())); 155 result.add((X509Certificate) c); 156 } else { 157 throw new IllegalArgumentException("Unknown type " + o.getType()); 158 } 159 } 160 pr.close(); 161 return result; 162 } 163 164 private static Credentials singleton; 165 166 public static Credentials getInstance() { 167 if (singleton == null) { 168 singleton = new Credentials(); 169 } 170 return singleton; 171 } 172 173 public void unlock(Context context) { 174 try { 175 Intent intent = new Intent(UNLOCK_ACTION); 176 context.startActivity(intent); 177 } catch (ActivityNotFoundException e) { 178 Log.w(LOGTAG, e.toString()); 179 } 180 } 181 182 public void install(Context context) { 183 try { 184 Intent intent = KeyChain.createInstallIntent(); 185 context.startActivity(intent); 186 } catch (ActivityNotFoundException e) { 187 Log.w(LOGTAG, e.toString()); 188 } 189 } 190 191 public void install(Context context, KeyPair pair) { 192 try { 193 Intent intent = KeyChain.createInstallIntent(); 194 intent.putExtra(EXTRA_PRIVATE_KEY, pair.getPrivate().getEncoded()); 195 intent.putExtra(EXTRA_PUBLIC_KEY, pair.getPublic().getEncoded()); 196 context.startActivity(intent); 197 } catch (ActivityNotFoundException e) { 198 Log.w(LOGTAG, e.toString()); 199 } 200 } 201 202 public void install(Context context, String type, byte[] value) { 203 try { 204 Intent intent = KeyChain.createInstallIntent(); 205 intent.putExtra(type, value); 206 context.startActivity(intent); 207 } catch (ActivityNotFoundException e) { 208 Log.w(LOGTAG, e.toString()); 209 } 210 } 211 212 /** 213 * Delete all types (private key, certificate, CA certificate) for a 214 * particular {@code alias}. All three can exist for any given alias. 215 * Returns {@code true} if there was at least one of those types. 216 */ 217 static boolean deleteAllTypesForAlias(KeyStore keystore, String alias) { 218 /* 219 * Make sure every type is deleted. There can be all three types, so 220 * don't use a conditional here. 221 */ 222 return keystore.delKey(Credentials.USER_PRIVATE_KEY + alias) 223 | deleteCertificateTypesForAlias(keystore, alias); 224 } 225 226 /** 227 * Delete all types (private key, certificate, CA certificate) for a 228 * particular {@code alias}. All three can exist for any given alias. 229 * Returns {@code true} if there was at least one of those types. 230 */ 231 static boolean deleteCertificateTypesForAlias(KeyStore keystore, String alias) { 232 /* 233 * Make sure every certificate type is deleted. There can be two types, 234 * so don't use a conditional here. 235 */ 236 return keystore.delete(Credentials.USER_CERTIFICATE + alias) 237 | keystore.delete(Credentials.CA_CERTIFICATE + alias); 238 } 239 } 240