1 /* 2 * Copyright (C) 2018 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.server.locksettings.recoverablekeystore; 18 19 import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE; 20 21 import com.android.internal.widget.LockPatternUtils; 22 import android.annotation.NonNull; 23 import android.annotation.Nullable; 24 import android.os.RemoteException; 25 import android.os.ServiceSpecificException; 26 import android.security.keystore.recovery.TrustedRootCertificates; 27 import android.util.Log; 28 29 import java.util.HashMap; 30 import java.security.cert.X509Certificate; 31 import java.util.Map; 32 import javax.crypto.SecretKey; 33 34 /** 35 * The class provides helper methods to support end-to-end test with insecure certificate. 36 */ 37 public class TestOnlyInsecureCertificateHelper { 38 private static final String TAG = "TestCertHelper"; 39 40 /** 41 * Constructor for the helper class. 42 */ 43 public TestOnlyInsecureCertificateHelper() { 44 } 45 46 /** 47 * Returns a root certificate installed in the system for given alias. 48 * Returns default secure certificate if alias is empty or null. 49 * Can return insecure certificate for its alias. 50 */ 51 public @NonNull X509Certificate 52 getRootCertificate(String rootCertificateAlias) throws RemoteException { 53 rootCertificateAlias = getDefaultCertificateAliasIfEmpty(rootCertificateAlias); 54 if (isTestOnlyCertificateAlias(rootCertificateAlias)) { 55 return TrustedRootCertificates.getTestOnlyInsecureCertificate(); 56 } 57 58 X509Certificate rootCertificate = 59 TrustedRootCertificates.getRootCertificate(rootCertificateAlias); 60 if (rootCertificate == null) { 61 throw new ServiceSpecificException( 62 ERROR_INVALID_CERTIFICATE, "The provided root certificate alias is invalid"); 63 } 64 return rootCertificate; 65 } 66 67 public @NonNull String getDefaultCertificateAliasIfEmpty( 68 @Nullable String rootCertificateAlias) { 69 if (rootCertificateAlias == null || rootCertificateAlias.isEmpty()) { 70 Log.e(TAG, "rootCertificateAlias is null or empty - use secure default value"); 71 // Use the default Google Key Vault Service CA certificate if the alias is not provided 72 rootCertificateAlias = TrustedRootCertificates.GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS; 73 } 74 return rootCertificateAlias; 75 } 76 77 public boolean isTestOnlyCertificateAlias(String rootCertificateAlias) { 78 return TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS 79 .equals(rootCertificateAlias); 80 } 81 82 public boolean isValidRootCertificateAlias(String rootCertificateAlias) { 83 return TrustedRootCertificates.getRootCertificates().containsKey(rootCertificateAlias) 84 || isTestOnlyCertificateAlias(rootCertificateAlias); 85 } 86 87 public boolean doesCredentialSupportInsecureMode(int credentialType, String credential) { 88 return (credentialType == LockPatternUtils.CREDENTIAL_TYPE_PASSWORD) 89 && (credential != null) 90 && credential.startsWith(TrustedRootCertificates.INSECURE_PASSWORD_PREFIX); 91 } 92 93 public Map<String, SecretKey> keepOnlyWhitelistedInsecureKeys(Map<String, SecretKey> rawKeys) { 94 if (rawKeys == null) { 95 return null; 96 } 97 Map<String, SecretKey> filteredKeys = new HashMap<>(); 98 for (Map.Entry<String, SecretKey> entry : rawKeys.entrySet()) { 99 String alias = entry.getKey(); 100 if (alias != null 101 && alias.startsWith(TrustedRootCertificates.INSECURE_KEY_ALIAS_PREFIX)) { 102 filteredKeys.put(entry.getKey(), entry.getValue()); 103 Log.d(TAG, "adding key with insecure alias " + alias + " to the recovery snapshot"); 104 } 105 } 106 return filteredKeys; 107 } 108 } 109