Home | History | Annotate | Download | only in recoverablekeystore 
      1 /*
      2  * Copyright (C) 2018 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 package com.android.server.locksettings.recoverablekeystore;
     18 
     19 import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE;
     20 
     21 import com.android.internal.widget.LockPatternUtils;
     22 import android.annotation.NonNull;
     23 import android.annotation.Nullable;
     24 import android.os.RemoteException;
     25 import android.os.ServiceSpecificException;
     26 import android.security.keystore.recovery.TrustedRootCertificates;
     27 import android.util.Log;
     28 
     29 import java.util.HashMap;
     30 import java.security.cert.X509Certificate;
     31 import java.util.Map;
     32 import javax.crypto.SecretKey;
     33 
     34 /**
     35  * The class provides helper methods to support end-to-end test with insecure certificate.
     36  */
     37 public class TestOnlyInsecureCertificateHelper {
     38     private static final String TAG = "TestCertHelper";
     39 
     40     /**
     41      * Constructor for the helper class.
     42      */
     43     public TestOnlyInsecureCertificateHelper() {
     44     }
     45 
     46     /**
     47      * Returns a root certificate installed in the system for given alias.
     48      * Returns default secure certificate if alias is empty or null.
     49      * Can return insecure certificate for its alias.
     50      */
     51     public @NonNull X509Certificate
     52             getRootCertificate(String rootCertificateAlias) throws RemoteException {
     53         rootCertificateAlias = getDefaultCertificateAliasIfEmpty(rootCertificateAlias);
     54         if (isTestOnlyCertificateAlias(rootCertificateAlias)) {
     55             return TrustedRootCertificates.getTestOnlyInsecureCertificate();
     56         }
     57 
     58         X509Certificate rootCertificate =
     59                 TrustedRootCertificates.getRootCertificate(rootCertificateAlias);
     60         if (rootCertificate == null) {
     61             throw new ServiceSpecificException(
     62                     ERROR_INVALID_CERTIFICATE, "The provided root certificate alias is invalid");
     63         }
     64         return rootCertificate;
     65     }
     66 
     67     public @NonNull String getDefaultCertificateAliasIfEmpty(
     68             @Nullable String rootCertificateAlias) {
     69         if (rootCertificateAlias == null || rootCertificateAlias.isEmpty()) {
     70             Log.e(TAG, "rootCertificateAlias is null or empty - use secure default value");
     71             // Use the default Google Key Vault Service CA certificate if the alias is not provided
     72             rootCertificateAlias = TrustedRootCertificates.GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS;
     73         }
     74         return rootCertificateAlias;
     75     }
     76 
     77     public boolean isTestOnlyCertificateAlias(String rootCertificateAlias) {
     78         return TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS
     79                 .equals(rootCertificateAlias);
     80     }
     81 
     82     public boolean isValidRootCertificateAlias(String rootCertificateAlias) {
     83         return TrustedRootCertificates.getRootCertificates().containsKey(rootCertificateAlias)
     84                 || isTestOnlyCertificateAlias(rootCertificateAlias);
     85     }
     86 
     87     public boolean doesCredentialSupportInsecureMode(int credentialType, String credential) {
     88         return (credentialType == LockPatternUtils.CREDENTIAL_TYPE_PASSWORD)
     89             && (credential != null)
     90             && credential.startsWith(TrustedRootCertificates.INSECURE_PASSWORD_PREFIX);
     91     }
     92 
     93     public Map<String, SecretKey> keepOnlyWhitelistedInsecureKeys(Map<String, SecretKey> rawKeys) {
     94         if (rawKeys == null) {
     95             return null;
     96         }
     97         Map<String, SecretKey> filteredKeys = new HashMap<>();
     98         for (Map.Entry<String, SecretKey> entry : rawKeys.entrySet()) {
     99             String alias = entry.getKey();
    100             if (alias != null
    101                     && alias.startsWith(TrustedRootCertificates.INSECURE_KEY_ALIAS_PREFIX)) {
    102                 filteredKeys.put(entry.getKey(), entry.getValue());
    103                 Log.d(TAG, "adding key with insecure alias " + alias + " to the recovery snapshot");
    104             }
    105         }
    106         return filteredKeys;
    107     }
    108 }
    109