1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
|
/*
* Copyright (C) 2011 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.SdkConstant;
import android.annotation.WorkerThread;
import android.annotation.SdkConstant.SdkConstantType;
import android.app.Activity;
import android.app.PendingIntent;
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.net.Uri;
import android.os.Binder;
import android.os.Build;
import android.os.IBinder;
import android.os.Looper;
import android.os.Process;
import android.os.RemoteException;
import android.os.UserHandle;
import android.security.keystore.AndroidKeyStoreProvider;
import android.security.keystore.KeyProperties;
import java.io.ByteArrayInputStream;
import java.io.Closeable;
import java.security.KeyPair;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;
import com.android.org.conscrypt.TrustedCertificateStore;
/**
* The {@code KeyChain} class provides access to private keys and
* their corresponding certificate chains in credential storage.
*
* <p>Applications accessing the {@code KeyChain} normally go through
* these steps:
*
* <ol>
*
* <li>Receive a callback from an {@link javax.net.ssl.X509KeyManager
* X509KeyManager} that a private key is requested.
*
* <li>Call {@link #choosePrivateKeyAlias
* choosePrivateKeyAlias} to allow the user to select from a
* list of currently available private keys and corresponding
* certificate chains. The chosen alias will be returned by the
* callback {@link KeyChainAliasCallback#alias}, or null if no private
* key is available or the user cancels the request.
*
* <li>Call {@link #getPrivateKey} and {@link #getCertificateChain} to
* retrieve the credentials to return to the corresponding {@link
* javax.net.ssl.X509KeyManager} callbacks.
*
* </ol>
*
* <p>An application may remember the value of a selected alias to
* avoid prompting the user with {@link #choosePrivateKeyAlias
* choosePrivateKeyAlias} on subsequent connections. If the alias is
* no longer valid, null will be returned on lookups using that value
*
* <p>An application can request the installation of private keys and
* certificates via the {@code Intent} provided by {@link
* #createInstallIntent}. Private keys installed via this {@code
* Intent} will be accessible via {@link #choosePrivateKeyAlias} while
* Certificate Authority (CA) certificates will be trusted by all
* applications through the default {@code X509TrustManager}.
*/
// TODO reference intent for credential installation when public
public final class KeyChain {
/**
* @hide Also used by KeyChainService implementation
*/
public static final String ACCOUNT_TYPE = "com.android.keychain";
/**
* Package name for KeyChain chooser.
*/
private static final String KEYCHAIN_PACKAGE = "com.android.keychain";
/**
* Action to bring up the KeyChainActivity
*/
private static final String ACTION_CHOOSER = "com.android.keychain.CHOOSER";
/**
* Package name for the Certificate Installer.
*/
private static final String CERT_INSTALLER_PACKAGE = "com.android.certinstaller";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_RESPONSE = "response";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_URI = "uri";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_ALIAS = "alias";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_SENDER = "sender";
/**
* Action to bring up the CertInstaller.
*/
private static final String ACTION_INSTALL = "android.credentials.INSTALL";
/**
* Optional extra to specify a {@code String} credential name on
* the {@code Intent} returned by {@link #createInstallIntent}.
*/
// Compatible with old com.android.certinstaller.CredentialHelper.CERT_NAME_KEY
public static final String EXTRA_NAME = "name";
/**
* Optional extra to specify an X.509 certificate to install on
* the {@code Intent} returned by {@link #createInstallIntent}.
* The extra value should be a PEM or ASN.1 DER encoded {@code
* byte[]}. An {@link X509Certificate} can be converted to DER
* encoded bytes with {@link X509Certificate#getEncoded}.
*
* <p>{@link #EXTRA_NAME} may be used to provide a default alias
* name for the installed certificate.
*/
// Compatible with old android.security.Credentials.CERTIFICATE
public static final String EXTRA_CERTIFICATE = "CERT";
/**
* Optional extra for use with the {@code Intent} returned by
* {@link #createInstallIntent} to specify a PKCS#12 key store to
* install. The extra value should be a {@code byte[]}. The bytes
* may come from an external source or be generated with {@link
* java.security.KeyStore#store} on a "PKCS12" instance.
*
* <p>The user will be prompted for the password to load the key store.
*
* <p>The key store will be scanned for {@link
* java.security.KeyStore.PrivateKeyEntry} entries and both the
* private key and associated certificate chain will be installed.
*
* <p>{@link #EXTRA_NAME} may be used to provide a default alias
* name for the installed credentials.
*/
// Compatible with old android.security.Credentials.PKCS12
public static final String EXTRA_PKCS12 = "PKCS12";
/**
* Broadcast Action: Indicates the trusted storage has changed. Sent when
* one of this happens:
*
* <ul>
* <li>a new CA is added,
* <li>an existing CA is removed or disabled,
* <li>a disabled CA is enabled,
* <li>trusted storage is reset (all user certs are cleared),
* <li>when permission to access a private key is changed.
* </ul>
*
* @deprecated Use {@link #ACTION_KEYCHAIN_CHANGED}, {@link #ACTION_TRUST_STORE_CHANGED} or
* {@link #ACTION_KEY_ACCESS_CHANGED}. Apps that target a version higher than
* {@link Build.VERSION_CODES#N_MR1} will only receive this broadcast if they register for it
* at runtime.
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_STORAGE_CHANGED = "android.security.STORAGE_CHANGED";
/**
* Broadcast Action: Indicates the contents of the keychain has changed. Sent when a KeyChain
* entry is added, modified or removed.
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_KEYCHAIN_CHANGED = "android.security.action.KEYCHAIN_CHANGED";
/**
* Broadcast Action: Indicates the contents of the trusted certificate store has changed. Sent
* when one the following occurs:
*
* <ul>
* <li>A pre-installed CA is disabled or re-enabled</li>
* <li>A CA is added or removed from the trust store</li>
* </ul>
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_TRUST_STORE_CHANGED =
"android.security.action.TRUST_STORE_CHANGED";
/**
* Broadcast Action: Indicates that the access permissions for a private key have changed.
*
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_KEY_ACCESS_CHANGED =
"android.security.action.KEY_ACCESS_CHANGED";
/**
* Used as a String extra field in {@link #ACTION_KEY_ACCESS_CHANGED} to supply the alias of
* the key.
*/
public static final String EXTRA_KEY_ALIAS = "android.security.extra.KEY_ALIAS";
/**
* Used as a boolean extra field in {@link #ACTION_KEY_ACCESS_CHANGED} to supply if the key is
* accessible to the application.
*/
public static final String EXTRA_KEY_ACCESSIBLE = "android.security.extra.KEY_ACCESSIBLE";
/**
* Indicates that a call to {@link #generateKeyPair} was successful.
* @hide
*/
public static final int KEY_GEN_SUCCESS = 0;
/**
* An alias was missing from the key specifications when calling {@link #generateKeyPair}.
* @hide
*/
public static final int KEY_GEN_MISSING_ALIAS = 1;
/**
* A key attestation challenge was provided to {@link #generateKeyPair}, but it shouldn't
* have been provided.
* @hide
*/
public static final int KEY_GEN_SUPERFLUOUS_ATTESTATION_CHALLENGE = 2;
/**
* Algorithm not supported by {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_NO_SUCH_ALGORITHM = 3;
/**
* Invalid algorithm parameters when calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_INVALID_ALGORITHM_PARAMETERS = 4;
/**
* Keystore is not available when calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_NO_KEYSTORE_PROVIDER = 5;
/**
* General failure while calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_FAILURE = 6;
/**
* Successful call to {@link #attestKey}
* @hide
*/
public static final int KEY_ATTESTATION_SUCCESS = 0;
/**
* Attestation challenge missing when calling {@link #attestKey}
* @hide
*/
public static final int KEY_ATTESTATION_MISSING_CHALLENGE = 1;
/**
* The caller requested Device ID attestation when calling {@link #attestKey}, but has no
* permissions to get device identifiers.
* @hide
*/
public static final int KEY_ATTESTATION_CANNOT_COLLECT_DATA = 2;
/**
* The underlying hardware does not support Device ID attestation or cannot attest to the
* identifiers that are stored on the device. This indicates permanent inability
* to get attestation records on the device.
* @hide
*/
public static final int KEY_ATTESTATION_CANNOT_ATTEST_IDS = 3;
/**
* General failure when calling {@link #attestKey}
* @hide
*/
public static final int KEY_ATTESTATION_FAILURE = 4;
/**
* Returns an {@code Intent} that can be used for credential
* installation. The intent may be used without any extras, in
* which case the user will be able to install credentials from
* their own source.
*
* <p>Alternatively, {@link #EXTRA_CERTIFICATE} or {@link
* #EXTRA_PKCS12} maybe used to specify the bytes of an X.509
* certificate or a PKCS#12 key store for installation. These
* extras may be combined with {@link #EXTRA_NAME} to provide a
* default alias name for credentials being installed.
*
* <p>When used with {@link Activity#startActivityForResult},
* {@link Activity#RESULT_OK} will be returned if a credential was
* successfully installed, otherwise {@link
* Activity#RESULT_CANCELED} will be returned.
*/
@NonNull
public static Intent createInstallIntent() {
Intent intent = new Intent(ACTION_INSTALL);
intent.setClassName(CERT_INSTALLER_PACKAGE,
"com.android.certinstaller.CertInstallerMain");
return intent;
}
/**
* Launches an {@code Activity} for the user to select the alias
* for a private key and certificate pair for authentication. The
* selected alias or null will be returned via the
* KeyChainAliasCallback callback.
*
* <p>The device or profile owner can intercept this before the activity
* is shown, to pick a specific private key alias.
*
* <p>{@code keyTypes} and {@code issuers} may be used to
* highlight suggested choices to the user, although to cope with
* sometimes erroneous values provided by servers, the user may be
* able to override these suggestions.
*
* <p>{@code host} and {@code port} may be used to give the user
* more context about the server requesting the credentials.
*
* <p>{@code alias} allows the chooser to preselect an existing
* alias which will still be subject to user confirmation.
*
* @param activity The {@link Activity} context to use for
* launching the new sub-Activity to prompt the user to select
* a private key; used only to call startActivity(); must not
* be null.
* @param response Callback to invoke when the request completes;
* must not be null
* @param keyTypes The acceptable types of asymmetric keys such as
* "RSA" or "DSA", or a null array.
* @param issuers The acceptable certificate issuers for the
* certificate matching the private key, or null.
* @param host The host name of the server requesting the
* certificate, or null if unavailable.
* @param port The port number of the server requesting the
* certificate, or -1 if unavailable.
* @param alias The alias to preselect if available, or null if
* unavailable.
*/
public static void choosePrivateKeyAlias(@NonNull Activity activity,
@NonNull KeyChainAliasCallback response,
@KeyProperties.KeyAlgorithmEnum String[] keyTypes, Principal[] issuers,
@Nullable String host, int port, @Nullable String alias) {
Uri uri = null;
if (host != null) {
uri = new Uri.Builder()
.authority(host + (port != -1 ? ":" + port : ""))
.build();
}
choosePrivateKeyAlias(activity, response, keyTypes, issuers, uri, alias);
}
/**
* Launches an {@code Activity} for the user to select the alias
* for a private key and certificate pair for authentication. The
* selected alias or null will be returned via the
* KeyChainAliasCallback callback.
*
* <p>The device or profile owner can intercept this before the activity
* is shown, to pick a specific private key alias.</p>
*
* <p>{@code keyTypes} and {@code issuers} may be used to
* highlight suggested choices to the user, although to cope with
* sometimes erroneous values provided by servers, the user may be
* able to override these suggestions.
*
* <p>{@code host} and {@code port} may be used to give the user
* more context about the server requesting the credentials.
*
* <p>{@code alias} allows the chooser to preselect an existing
* alias which will still be subject to user confirmation.
*
* @param activity The {@link Activity} context to use for
* launching the new sub-Activity to prompt the user to select
* a private key; used only to call startActivity(); must not
* be null.
* @param response Callback to invoke when the request completes;
* must not be null
* @param keyTypes The acceptable types of asymmetric keys such as
* "EC" or "RSA", or a null array.
* @param issuers The acceptable certificate issuers for the
* certificate matching the private key, or null.
* @param uri The full URI the server is requesting the certificate
* for, or null if unavailable.
* @param alias The alias to preselect if available, or null if
* unavailable.
*/
public static void choosePrivateKeyAlias(@NonNull Activity activity,
@NonNull KeyChainAliasCallback response,
@KeyProperties.KeyAlgorithmEnum String[] keyTypes, Principal[] issuers,
@Nullable Uri uri, @Nullable String alias) {
/*
* TODO currently keyTypes, issuers are unused. They are meant
* to follow the semantics and purpose of X509KeyManager
* method arguments.
*
* keyTypes would allow the list to be filtered and typically
* will be set correctly by the server. In practice today,
* most all users will want only RSA or EC, and usually
* only a small number of certs will be available.
*
* issuers is typically not useful. Some servers historically
* will send the entire list of public CAs known to the
* server. Others will send none. If this is used, if there
* are no matches after applying the constraint, it should be
* ignored.
*/
if (activity == null) {
throw new NullPointerException("activity == null");
}
if (response == null) {
throw new NullPointerException("response == null");
}
Intent intent = new Intent(ACTION_CHOOSER);
intent.setPackage(KEYCHAIN_PACKAGE);
intent.putExtra(EXTRA_RESPONSE, new AliasResponse(response));
intent.putExtra(EXTRA_URI, uri);
intent.putExtra(EXTRA_ALIAS, alias);
// the PendingIntent is used to get calling package name
intent.putExtra(EXTRA_SENDER, PendingIntent.getActivity(activity, 0, new Intent(), 0));
activity.startActivity(intent);
}
private static class AliasResponse extends IKeyChainAliasCallback.Stub {
private final KeyChainAliasCallback keyChainAliasResponse;
private AliasResponse(KeyChainAliasCallback keyChainAliasResponse) {
this.keyChainAliasResponse = keyChainAliasResponse;
}
@Override public void alias(String alias) {
keyChainAliasResponse.alias(alias);
}
}
/**
* Returns the {@code PrivateKey} for the requested alias, or null
* if there is no result.
*
* <p> This method may block while waiting for a connection to another process, and must never
* be called from the main thread.
* <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed
* at any time from the main thread, it is safer to rely on a long-lived context such as one
* returned from {@link Context#getApplicationContext()}.
*
* @param alias The alias of the desired private key, typically returned via
* {@link KeyChainAliasCallback#alias}.
* @throws KeyChainException if the alias was valid but there was some problem accessing it.
* @throws IllegalStateException if called from the main thread.
*/
@Nullable @WorkerThread
public static PrivateKey getPrivateKey(@NonNull Context context, @NonNull String alias)
throws KeyChainException, InterruptedException {
KeyPair keyPair = getKeyPair(context, alias);
if (keyPair != null) {
return keyPair.getPrivate();
}
return null;
}
/** @hide */
@Nullable @WorkerThread
public static KeyPair getKeyPair(@NonNull Context context, @NonNull String alias)
throws KeyChainException, InterruptedException {
if (alias == null) {
throw new NullPointerException("alias == null");
}
if (context == null) {
throw new NullPointerException("context == null");
}
final String keyId;
try (KeyChainConnection keyChainConnection = bind(context.getApplicationContext())) {
keyId = keyChainConnection.getService().requestPrivateKey(alias);
} catch (RemoteException e) {
throw new KeyChainException(e);
} catch (RuntimeException e) {
// only certain RuntimeExceptions can be propagated across the IKeyChainService call
throw new KeyChainException(e);
}
if (keyId == null) {
return null;
} else {
try {
return AndroidKeyStoreProvider.loadAndroidKeyStoreKeyPairFromKeystore(
KeyStore.getInstance(), keyId, KeyStore.UID_SELF);
} catch (RuntimeException | UnrecoverableKeyException e) {
throw new KeyChainException(e);
}
}
}
/**
* Returns the {@code X509Certificate} chain for the requested
* alias, or null if there is no result.
* <p>
* <strong>Note:</strong> If a certificate chain was explicitly specified when the alias was
* installed, this method will return that chain. If only the client certificate was specified
* at the installation time, this method will try to build a certificate chain using all
* available trust anchors (preinstalled and user-added).
*
* <p> This method may block while waiting for a connection to another process, and must never
* be called from the main thread.
* <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed
* at any time from the main thread, it is safer to rely on a long-lived context such as one
* returned from {@link Context#getApplicationContext()}.
*
* @param alias The alias of the desired certificate chain, typically
* returned via {@link KeyChainAliasCallback#alias}.
* @throws KeyChainException if the alias was valid but there was some problem accessing it.
* @throws IllegalStateException if called from the main thread.
*/
@Nullable @WorkerThread
public static X509Certificate[] getCertificateChain(@NonNull Context context,
@NonNull String alias) throws KeyChainException, InterruptedException {
if (alias == null) {
throw new NullPointerException("alias == null");
}
final byte[] certificateBytes;
final byte[] certChainBytes;
try (KeyChainConnection keyChainConnection = bind(context.getApplicationContext())) {
IKeyChainService keyChainService = keyChainConnection.getService();
certificateBytes = keyChainService.getCertificate(alias);
if (certificateBytes == null) {
return null;
}
certChainBytes = keyChainService.getCaCertificates(alias);
} catch (RemoteException e) {
throw new KeyChainException(e);
} catch (RuntimeException e) {
// only certain RuntimeExceptions can be propagated across the IKeyChainService call
throw new KeyChainException(e);
}
try {
X509Certificate leafCert = toCertificate(certificateBytes);
// If the keypair is installed with a certificate chain by either
// DevicePolicyManager.installKeyPair or CertInstaller, return that chain.
if (certChainBytes != null && certChainBytes.length != 0) {
Collection<X509Certificate> chain = toCertificates(certChainBytes);
ArrayList<X509Certificate> fullChain = new ArrayList<>(chain.size() + 1);
fullChain.add(leafCert);
fullChain.addAll(chain);
return fullChain.toArray(new X509Certificate[fullChain.size()]);
} else {
// If there isn't a certificate chain, either due to a pre-existing keypair
// installed before N, or no chain is explicitly installed under the new logic,
// fall back to old behavior of constructing the chain from trusted credentials.
//
// This logic exists to maintain old behaviour for already installed keypair, at
// the cost of potentially returning extra certificate chain for new clients who
// explicitly installed only the client certificate without a chain. The latter
// case is actually no different from pre-N behaviour of getCertificateChain(),
// in that sense this change introduces no regression. Besides the returned chain
// is still valid so the consumer of the chain should have no problem verifying it.
TrustedCertificateStore store = new TrustedCertificateStore();
List<X509Certificate> chain = store.getCertificateChain(leafCert);
return chain.toArray(new X509Certificate[chain.size()]);
}
} catch (CertificateException | RuntimeException e) {
throw new KeyChainException(e);
}
}
/**
* Returns {@code true} if the current device's {@code KeyChain} supports a
* specific {@code PrivateKey} type indicated by {@code algorithm} (e.g.,
* "RSA").
*/
public static boolean isKeyAlgorithmSupported(
@NonNull @KeyProperties.KeyAlgorithmEnum String algorithm) {
final String algUpper = algorithm.toUpperCase(Locale.US);
return KeyProperties.KEY_ALGORITHM_EC.equals(algUpper)
|| KeyProperties.KEY_ALGORITHM_RSA.equals(algUpper);
}
/**
* Returns {@code true} if the current device's {@code KeyChain} binds any
* {@code PrivateKey} of the given {@code algorithm} to the device once
* imported or generated. This can be used to tell if there is special
* hardware support that can be used to bind keys to the device in a way
* that makes it non-exportable.
*
* @deprecated Whether the key is bound to the secure hardware is known only
* once the key has been imported. To find out, use:
* <pre>{@code
* PrivateKey key = ...; // private key from KeyChain
*
* KeyFactory keyFactory =
* KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
* KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class);
* if (keyInfo.isInsideSecureHardware()) {
* // The key is bound to the secure hardware of this Android
* }}</pre>
*/
@Deprecated
public static boolean isBoundKeyAlgorithm(
@NonNull @KeyProperties.KeyAlgorithmEnum String algorithm) {
if (!isKeyAlgorithmSupported(algorithm)) {
return false;
}
return KeyStore.getInstance().isHardwareBacked(algorithm);
}
/** @hide */
@NonNull
public static X509Certificate toCertificate(@NonNull byte[] bytes) {
if (bytes == null) {
throw new IllegalArgumentException("bytes == null");
}
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes));
return (X509Certificate) cert;
} catch (CertificateException e) {
throw new AssertionError(e);
}
}
/** @hide */
@NonNull
public static Collection<X509Certificate> toCertificates(@NonNull byte[] bytes) {
if (bytes == null) {
throw new IllegalArgumentException("bytes == null");
}
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
return (Collection<X509Certificate>) certFactory.generateCertificates(
new ByteArrayInputStream(bytes));
} catch (CertificateException e) {
throw new AssertionError(e);
}
}
/**
* @hide for reuse by CertInstaller and Settings.
* @see KeyChain#bind
*/
public static class KeyChainConnection implements Closeable {
private final Context context;
private final ServiceConnection serviceConnection;
private final IKeyChainService service;
protected KeyChainConnection(Context context,
ServiceConnection serviceConnection,
IKeyChainService service) {
this.context = context;
this.serviceConnection = serviceConnection;
this.service = service;
}
@Override public void close() {
context.unbindService(serviceConnection);
}
public IKeyChainService getService() {
return service;
}
}
/**
* @hide for reuse by CertInstaller and Settings.
*
* Caller should call unbindService on the result when finished.
*/
@WorkerThread
public static KeyChainConnection bind(@NonNull Context context) throws InterruptedException {
return bindAsUser(context, Process.myUserHandle());
}
/**
* @hide
*/
@WorkerThread
public static KeyChainConnection bindAsUser(@NonNull Context context, UserHandle user)
throws InterruptedException {
if (context == null) {
throw new NullPointerException("context == null");
}
ensureNotOnMainThread(context);
final BlockingQueue<IKeyChainService> q = new LinkedBlockingQueue<IKeyChainService>(1);
ServiceConnection keyChainServiceConnection = new ServiceConnection() {
volatile boolean mConnectedAtLeastOnce = false;
@Override public void onServiceConnected(ComponentName name, IBinder service) {
if (!mConnectedAtLeastOnce) {
mConnectedAtLeastOnce = true;
try {
q.put(IKeyChainService.Stub.asInterface(Binder.allowBlocking(service)));
} catch (InterruptedException e) {
// will never happen, since the queue starts with one available slot
}
}
}
@Override public void onServiceDisconnected(ComponentName name) {}
};
Intent intent = new Intent(IKeyChainService.class.getName());
ComponentName comp = intent.resolveSystemService(context.getPackageManager(), 0);
intent.setComponent(comp);
if (comp == null || !context.bindServiceAsUser(
intent, keyChainServiceConnection, Context.BIND_AUTO_CREATE, user)) {
throw new AssertionError("could not bind to KeyChainService");
}
return new KeyChainConnection(context, keyChainServiceConnection, q.take());
}
private static void ensureNotOnMainThread(@NonNull Context context) {
Looper looper = Looper.myLooper();
if (looper != null && looper == context.getMainLooper()) {
throw new IllegalStateException(
"calling this from your main thread can lead to deadlock");
}
}
}
|
