1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License 15 */ 16 17 package com.android.server.backup.utils; 18 19 import static com.android.server.backup.BackupManagerService.TAG; 20 21 import android.util.Slog; 22 23 import java.security.Key; 24 import java.security.NoSuchAlgorithmException; 25 import java.security.spec.InvalidKeySpecException; 26 import java.security.spec.KeySpec; 27 28 import javax.crypto.SecretKey; 29 import javax.crypto.SecretKeyFactory; 30 import javax.crypto.spec.PBEKeySpec; 31 32 /** 33 * Passwords related utility methods. 34 */ 35 public class PasswordUtils { 36 // Configuration of PBKDF2 that we use for generating pw hashes and intermediate keys 37 public static final int PBKDF2_HASH_ROUNDS = 10000; 38 private static final int PBKDF2_KEY_SIZE = 256; // bits 39 public static final int PBKDF2_SALT_SIZE = 512; // bits 40 public static final String ENCRYPTION_ALGORITHM_NAME = "AES-256"; 41 42 /** 43 * Creates {@link SecretKey} instance from given parameters. 44 * 45 * @param algorithm - key generation algorithm. 46 * @param pw - password. 47 * @param salt - salt. 48 * @param rounds - number of rounds to run in key generation. 49 * @return {@link SecretKey} instance or null in case of an error. 50 */ 51 public static SecretKey buildPasswordKey(String algorithm, String pw, byte[] salt, int rounds) { 52 return buildCharArrayKey(algorithm, pw.toCharArray(), salt, rounds); 53 } 54 55 /** 56 * Generates {@link SecretKey} instance from given parameters and returns it's hex 57 * representation. 58 * 59 * @param algorithm - key generation algorithm. 60 * @param pw - password. 61 * @param salt - salt. 62 * @param rounds - number of rounds to run in key generation. 63 * @return Hex representation of the generated key, or null if generation failed. 64 */ 65 public static String buildPasswordHash(String algorithm, String pw, byte[] salt, int rounds) { 66 SecretKey key = buildPasswordKey(algorithm, pw, salt, rounds); 67 if (key != null) { 68 return byteArrayToHex(key.getEncoded()); 69 } 70 return null; 71 } 72 73 /** 74 * Creates hex string representation of the byte array. 75 */ 76 public static String byteArrayToHex(byte[] data) { 77 StringBuilder buf = new StringBuilder(data.length * 2); 78 for (int i = 0; i < data.length; i++) { 79 buf.append(Byte.toHexString(data[i], true)); 80 } 81 return buf.toString(); 82 } 83 84 /** 85 * Creates byte array from it's hex string representation. 86 */ 87 public static byte[] hexToByteArray(String digits) { 88 final int bytes = digits.length() / 2; 89 if (2 * bytes != digits.length()) { 90 throw new IllegalArgumentException("Hex string must have an even number of digits"); 91 } 92 93 byte[] result = new byte[bytes]; 94 for (int i = 0; i < digits.length(); i += 2) { 95 result[i / 2] = (byte) Integer.parseInt(digits.substring(i, i + 2), 16); 96 } 97 return result; 98 } 99 100 /** 101 * Generates {@link SecretKey} instance from given parameters and returns it's checksum. 102 * 103 * Current implementation returns the key in its primary encoding format. 104 * 105 * @param algorithm - key generation algorithm. 106 * @param pwBytes - password. 107 * @param salt - salt. 108 * @param rounds - number of rounds to run in key generation. 109 * @return Hex representation of the generated key, or null if generation failed. 110 */ 111 public static byte[] makeKeyChecksum(String algorithm, byte[] pwBytes, byte[] salt, 112 int rounds) { 113 char[] mkAsChar = new char[pwBytes.length]; 114 for (int i = 0; i < pwBytes.length; i++) { 115 mkAsChar[i] = (char) pwBytes[i]; 116 } 117 118 Key checksum = buildCharArrayKey(algorithm, mkAsChar, salt, rounds); 119 return checksum.getEncoded(); 120 } 121 122 private static SecretKey buildCharArrayKey(String algorithm, char[] pwArray, byte[] salt, 123 int rounds) { 124 try { 125 SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(algorithm); 126 KeySpec ks = new PBEKeySpec(pwArray, salt, rounds, PBKDF2_KEY_SIZE); 127 return keyFactory.generateSecret(ks); 128 } catch (InvalidKeySpecException e) { 129 Slog.e(TAG, "Invalid key spec for PBKDF2!"); 130 } catch (NoSuchAlgorithmException e) { 131 Slog.e(TAG, "PBKDF2 unavailable!"); 132 } 133 return null; 134 } 135 } 136