Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b9a07c18e678da35b4c2a618b315fa174a21e818
frameworks_base/keystore/java/android/security/KeyChain.java
Brian Carlstrom b9a07c18e6 Adding KeyChain API and IKeyChainService 
Change-Id: Id3eaa2d1315481f199777b50e875811e3532988a
2011-04-20 13:35:31 -07:00

373 lines
13 KiB
Java
Raw Blame History

/*
* Copyright (C) 2011 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security;
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerFuture;
import android.accounts.AuthenticatorException;
import android.accounts.OperationCanceledException;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.Bundle;
import android.os.IBinder;
import android.os.Looper;
import android.os.RemoteException;
import android.util.Log;
import dalvik.system.CloseGuard;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import org.apache.harmony.xnet.provider.jsse.IndexedPKIXParameters;
import org.apache.harmony.xnet.provider.jsse.SSLParametersImpl;
/**
* @hide
*/
public final class KeyChain {
private static final String TAG = "KeyChain";
/**
* @hide Also used by KeyChainService implementation
*/
public static final String ACCOUNT_TYPE = "com.android.keychain";
/**
* @hide Also used by KeyChainService implementation
*/
// TODO This non-localized CA string to be removed when CAs moved out of keystore
public static final String CA_SUFFIX = " CA";
public static final String KEY_INTENT = "intent";
/**
* Intentionally not public to leave open the future possibility
* of hardware based keys. Callers should use {@link #toPrivateKey
* toPrivateKey} in order to convert a bundle to a {@code
* PrivateKey}
*/
private static final String KEY_PKCS8 = "pkcs8";
/**
* Intentionally not public to leave open the future possibility
* of hardware based certs. Callers should use {@link
* #toCertificate toCertificate} in order to convert a bundle to a
* {@code PrivateKey}
*/
private static final String KEY_X509 = "x509";
/**
* Returns an {@code Intent} for use with {@link
* android.app.Activity#startActivityForResult
* startActivityForResult}. The result will be returned via {@link
* android.app.Activity#onActivityResult onActivityResult} with
* {@link android.app.Activity#RESULT_OK RESULT_OK} and the alias
* in the returned {@code Intent}'s extra data with key {@link
* android.content.Intent#EXTRA_TEXT Intent.EXTRA_TEXT}.
*/
public static Intent chooseAlias() {
return new Intent("com.android.keychain.CHOOSER");
}
/**
* Returns a new {@code KeyChain} instance. When the caller is
* done using the {@code KeyChain}, it must be closed with {@link
* #close()} or resource leaks will occur.
*/
public static KeyChain getInstance(Context context) throws InterruptedException {
return new KeyChain(context);
}
private final AccountManager mAccountManager;
private final Object mServiceLock = new Object();
private IKeyChainService mService;
private boolean mIsBound;
private Account mAccount;
private ServiceConnection mServiceConnection = new ServiceConnection() {
@Override public void onServiceConnected(ComponentName name, IBinder service) {
synchronized (mServiceLock) {
mService = IKeyChainService.Stub.asInterface(service);
mServiceLock.notifyAll();
// Account is created if necessary during binding of the IKeyChainService
mAccount = mAccountManager.getAccountsByType(ACCOUNT_TYPE)[0];
}
}
@Override public void onServiceDisconnected(ComponentName name) {
synchronized (mServiceLock) {
mService = null;
}
}
};
private final Context mContext;
private final CloseGuard mGuard = CloseGuard.get();
private KeyChain(Context context) throws InterruptedException {
if (context == null) {
throw new NullPointerException("context == null");
}
mContext = context;
ensureNotOnMainThread();
mAccountManager = AccountManager.get(mContext);
mIsBound = mContext.bindService(new Intent(IKeyChainService.class.getName()),
mServiceConnection,
Context.BIND_AUTO_CREATE);
if (!mIsBound) {
throw new AssertionError();
}
synchronized (mServiceLock) {
// there is a race between binding on this thread and the
// callback on the main thread. wait until binding is done
// to be sure we have the mAccount initialized.
if (mService == null) {
mServiceLock.wait();
}
}
mGuard.open("close");
}
/**
* {@code Bundle} will contain {@link #KEY_INTENT} if user needs
* to confirm application access to requested key. In the alias
* does not exist or there is an error, null is
* returned. Otherwise the {@code Bundle} contains information
* representing the private key which can be interpreted with
* {@link #toPrivateKey toPrivateKey}.
*
* non-null alias
*/
public Bundle getPrivate(String alias) {
return get(alias, Credentials.USER_PRIVATE_KEY);
}
public Bundle getCertificate(String alias) {
return get(alias, Credentials.USER_CERTIFICATE);
}
public Bundle getCaCertificate(String alias) {
return get(alias, Credentials.CA_CERTIFICATE);
}
private Bundle get(String alias, String type) {
if (alias == null) {
throw new NullPointerException("alias == null");
}
ensureNotOnMainThread();
String authAlias = (type.equals(Credentials.CA_CERTIFICATE)) ? (alias + CA_SUFFIX) : alias;
AccountManagerFuture<Bundle> future = mAccountManager.getAuthToken(mAccount,
authAlias,
false,
null,
null);
Bundle bundle;
try {
bundle = future.getResult();
} catch (OperationCanceledException e) {
throw new AssertionError(e);
} catch (IOException e) {
throw new AssertionError(e);
} catch (AuthenticatorException e) {
throw new AssertionError(e);
}
Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
if (intent != null) {
Bundle result = new Bundle();
// we don't want this Eclair compatability flag,
// it will prevent onActivityResult from being called
intent.setFlags(intent.getFlags() & ~Intent.FLAG_ACTIVITY_NEW_TASK);
result.putParcelable(KEY_INTENT, intent);
return result;
}
String authToken = bundle.getString(AccountManager.KEY_AUTHTOKEN);
if (authToken == null) {
throw new AssertionError("Invalid authtoken");
}
byte[] bytes;
try {
if (type.equals(Credentials.USER_PRIVATE_KEY)) {
bytes = mService.getPrivate(alias, authToken);
} else if (type.equals(Credentials.USER_CERTIFICATE)) {
bytes = mService.getCertificate(alias, authToken);
} else if (type.equals(Credentials.CA_CERTIFICATE)) {
bytes = mService.getCaCertificate(alias, authToken);
} else {
throw new AssertionError();
}
} catch (RemoteException e) {
throw new AssertionError(e);
}
if (bytes == null) {
throw new AssertionError();
}
Bundle result = new Bundle();
if (type.equals(Credentials.USER_PRIVATE_KEY)) {
result.putByteArray(KEY_PKCS8, bytes);
} else if (type.equals(Credentials.USER_CERTIFICATE)) {
result.putByteArray(KEY_X509, bytes);
} else if (type.equals(Credentials.CA_CERTIFICATE)) {
result.putByteArray(KEY_X509, bytes);
} else {
throw new AssertionError();
}
return result;
}
public static PrivateKey toPrivateKey(Bundle bundle) {
byte[] bytes = bundle.getByteArray(KEY_PKCS8);
if (bytes == null) {
throw new IllegalArgumentException("not a private key bundle");
}
try {
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(bytes));
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e);
} catch (InvalidKeySpecException e) {
throw new AssertionError(e);
}
}
public static Bundle fromPrivateKey(PrivateKey privateKey) {
Bundle bundle = new Bundle();
String format = privateKey.getFormat();
if (!format.equals("PKCS#8")) {
throw new IllegalArgumentException("Unsupported private key format " + format);
}
bundle.putByteArray(KEY_PKCS8, privateKey.getEncoded());
return bundle;
}
public static X509Certificate toCertificate(Bundle bundle) {
byte[] bytes = bundle.getByteArray(KEY_X509);
if (bytes == null) {
throw new IllegalArgumentException("not a certificate bundle");
}
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes));
return (X509Certificate) cert;
} catch (CertificateException e) {
throw new AssertionError(e);
}
}
public static Bundle fromCertificate(Certificate cert) {
Bundle bundle = new Bundle();
String type = cert.getType();
if (!type.equals("X.509")) {
throw new IllegalArgumentException("Unsupported certificate type " + type);
}
try {
bundle.putByteArray(KEY_X509, cert.getEncoded());
} catch (CertificateEncodingException e) {
throw new AssertionError(e);
}
return bundle;
}
private void ensureNotOnMainThread() {
Looper looper = Looper.myLooper();
if (looper != null && looper == mContext.getMainLooper()) {
throw new IllegalStateException(
"calling this from your main thread can lead to deadlock");
}
}
public Bundle findIssuer(X509Certificate cert) {
if (cert == null) {
throw new NullPointerException("cert == null");
}
ensureNotOnMainThread();
// check and see if the issuer is already known to the default IndexedPKIXParameters
IndexedPKIXParameters index = SSLParametersImpl.getDefaultIndexedPKIXParameters();
try {
TrustAnchor anchor = index.findTrustAnchor(cert);
if (anchor != null && anchor.getTrustedCert() != null) {
X509Certificate ca = anchor.getTrustedCert();
return fromCertificate(ca);
}
} catch (CertPathValidatorException ignored) {
}
// otherwise, it might be a user installed CA in the keystore
String alias;
try {
alias = mService.findIssuer(fromCertificate(cert));
} catch (RemoteException e) {
throw new AssertionError(e);
}
if (alias == null) {
Log.w(TAG, "Lookup failed for issuer");
return null;
}
Bundle bundle = get(alias, Credentials.CA_CERTIFICATE);
Intent intent = bundle.getParcelable(KEY_INTENT);
if (intent != null) {
// permission still required
return bundle;
}
// add the found CA to the index for next time
X509Certificate ca = toCertificate(bundle);
index.index(new TrustAnchor(ca, null));
return bundle;
}
public void close() {
if (mIsBound) {
mContext.unbindService(mServiceConnection);
mIsBound = false;
mGuard.close();
}
}
protected void finalize() throws Throwable {
// note we don't close, we just warn.
// shouldn't be doing I/O in a finalizer,
// which the unbind would cause.
try {
if (mGuard != null) {
mGuard.warnIfOpen();
}
} finally {
super.finalize();
}
}
}
Reference in New Issue View Git Blame Copy Permalink