AndroidKeyStore.java revision 2a99a7e74a7f215066514fe81d2bfa6639d9eddd
1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5package org.chromium.net; 6 7import android.util.Log; 8 9import java.lang.reflect.InvocationTargetException; 10import java.lang.reflect.Method; 11import java.math.BigInteger; 12import java.security.interfaces.DSAKey; 13import java.security.interfaces.DSAPrivateKey; 14import java.security.interfaces.DSAParams; 15import java.security.interfaces.ECKey; 16import java.security.interfaces.ECPrivateKey; 17import java.security.interfaces.RSAKey; 18import java.security.interfaces.RSAPrivateKey; 19import java.security.NoSuchAlgorithmException; 20import java.security.PrivateKey; 21import java.security.Signature; 22import java.security.spec.ECParameterSpec; 23 24import org.chromium.base.CalledByNative; 25import org.chromium.base.JNINamespace; 26import org.chromium.net.PrivateKeyType;; 27 28@JNINamespace("net::android") 29public class AndroidKeyStore { 30 31 private static final String TAG = "AndroidKeyStore"; 32 33 //////////////////////////////////////////////////////////////////// 34 // 35 // Message signing support. 36 37 /** 38 * Returns the public modulus of a given RSA private key as a byte 39 * buffer. 40 * This can be used by native code to convert the modulus into 41 * an OpenSSL BIGNUM object. Required to craft a custom native RSA 42 * object where RSA_size() works as expected. 43 * 44 * @param key A PrivateKey instance, must implement RSAKey. 45 * @return A byte buffer corresponding to the modulus. This is 46 * big-endian representation of a BigInteger. 47 */ 48 @CalledByNative 49 public static byte[] getRSAKeyModulus(PrivateKey key) { 50 if (key instanceof RSAKey) { 51 return ((RSAKey) key).getModulus().toByteArray(); 52 } else { 53 Log.w(TAG, "Not a RSAKey instance!"); 54 return null; 55 } 56 } 57 58 /** 59 * Returns the 'Q' parameter of a given DSA private key as a byte 60 * buffer. 61 * This can be used by native code to convert it into an OpenSSL BIGNUM 62 * object where DSA_size() works as expected. 63 * 64 * @param key A PrivateKey instance. Must implement DSAKey. 65 * @return A byte buffer corresponding to the Q parameter. This is 66 * a big-endian representation of a BigInteger. 67 */ 68 @CalledByNative 69 public static byte[] getDSAKeyParamQ(PrivateKey key) { 70 if (key instanceof DSAKey) { 71 DSAParams params = ((DSAKey) key).getParams(); 72 return params.getQ().toByteArray(); 73 } else { 74 Log.w(TAG, "Not a DSAKey instance!"); 75 return null; 76 } 77 } 78 79 /** 80 * Returns the 'order' parameter of a given ECDSA private key as a 81 * a byte buffer. 82 * @param key A PrivateKey instance. Must implement ECKey. 83 * @return A byte buffer corresponding to the 'order' parameter. 84 * This is a big-endian representation of a BigInteger. 85 */ 86 @CalledByNative 87 public static byte[] getECKeyOrder(PrivateKey key) { 88 if (key instanceof ECKey) { 89 ECParameterSpec params = ((ECKey) key).getParams(); 90 return params.getOrder().toByteArray(); 91 } else { 92 Log.w(TAG, "Not an ECKey instance!"); 93 return null; 94 } 95 } 96 97 /** 98 * Returns the encoded data corresponding to a given PrivateKey. 99 * Note that this will fail for platform keys on Android 4.0.4 100 * and higher. It can be used on 4.0.3 and older platforms to 101 * route around the platform bug described below. 102 * @param key A PrivateKey instance 103 * @return encoded key as PKCS#8 byte array, can be null. 104 */ 105 @CalledByNative 106 public static byte[] getPrivateKeyEncodedBytes(PrivateKey key) { 107 return key.getEncoded(); 108 } 109 110 /** 111 * Sign a given message with a given PrivateKey object. This method 112 * shall only be used to implement signing in the context of SSL 113 * client certificate support. 114 * 115 * The message will actually be a hash, computed and padded by OpenSSL, 116 * itself, depending on the type of the key. The result should match 117 * exactly what the vanilla implementations of the following OpenSSL 118 * function calls do: 119 * 120 * - For a RSA private key, this should be equivalent to calling 121 * RSA_sign(NDI_md5_sha1,....), i.e. it must generate a raw RSA 122 * signature. The message must a combined, 36-byte MD5+SHA1 message 123 * digest padded to the length of the modulus using PKCS#1 padding. 124 * 125 * - For a DSA and ECDSA private keys, this should be equivalent to 126 * calling DSA_sign(0,...) and ECDSA_sign(0,...) respectively. The 127 * message must be a 20-byte SHA1 hash and the function shall 128 * compute a direct DSA/ECDSA signature for it. 129 * 130 * @param privateKey The PrivateKey handle. 131 * @param message The message to sign. 132 * @return signature as a byte buffer. 133 * 134 * Important: Due to a platform bug, this function will always fail on 135 * Android < 4.2 for RSA PrivateKey objects. See the 136 * getOpenSSLHandleForPrivateKey() below for work-around. 137 */ 138 @CalledByNative 139 public static byte[] rawSignDigestWithPrivateKey(PrivateKey privateKey, 140 byte[] message) { 141 // Get the Signature for this key. 142 Signature signature = null; 143 // Hint: Algorithm names come from: 144 // http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html 145 try { 146 if (privateKey instanceof RSAPrivateKey) { 147 // IMPORTANT: Due to a platform bug, this will throw NoSuchAlgorithmException 148 // on Android 4.0.x and 4.1.x. Fixed in 4.2 and higher. 149 // See https://android-review.googlesource.com/#/c/40352/ 150 signature = Signature.getInstance("NONEwithRSA"); 151 } else if (privateKey instanceof DSAPrivateKey) { 152 signature = Signature.getInstance("NONEwithDSA"); 153 } else if (privateKey instanceof ECPrivateKey) { 154 signature = Signature.getInstance("NONEwithECDSA"); 155 } 156 } catch (NoSuchAlgorithmException e) { 157 ; 158 } 159 160 if (signature == null) { 161 Log.e(TAG, "Unsupported private key algorithm: " + privateKey.getAlgorithm()); 162 return null; 163 } 164 165 // Sign the message. 166 try { 167 signature.initSign(privateKey); 168 signature.update(message); 169 return signature.sign(); 170 } catch (Exception e) { 171 Log.e(TAG, "Exception while signing message with " + privateKey.getAlgorithm() + 172 " private key: " + e); 173 return null; 174 } 175 } 176 177 /** 178 * Return the type of a given PrivateKey object. This is an integer 179 * that maps to one of the values defined by org.chromium.net.PrivateKeyType, 180 * which is itself auto-generated from net/android/private_key_type_list.h 181 * @param privateKey The PrivateKey handle 182 * @return key type, or PrivateKeyType.INVALID if unknown. 183 */ 184 @CalledByNative 185 public static int getPrivateKeyType(PrivateKey privateKey) { 186 if (privateKey instanceof RSAPrivateKey) 187 return PrivateKeyType.RSA; 188 if (privateKey instanceof DSAPrivateKey) 189 return PrivateKeyType.DSA; 190 if (privateKey instanceof ECPrivateKey) 191 return PrivateKeyType.ECDSA; 192 else 193 return PrivateKeyType.INVALID; 194 } 195 196 /** 197 * Return the system EVP_PKEY handle corresponding to a given PrivateKey 198 * object, obtained through reflection. 199 * 200 * This shall only be used when the "NONEwithRSA" signature is not 201 * available, as described in rawSignDigestWithPrivateKey(). I.e. 202 * never use this on Android 4.2 or higher. 203 * 204 * This can only work in Android 4.0.4 and higher, for older versions 205 * of the platform (e.g. 4.0.3), there is no system OpenSSL EVP_PKEY, 206 * but the private key contents can be retrieved directly with 207 * the getEncoded() method. 208 * 209 * This assumes that the target device uses a vanilla AOSP 210 * implementation of its java.security classes, which is also 211 * based on OpenSSL (fortunately, no OEM has apperently changed to 212 * a different implementation, according to the Android team). 213 * 214 * Note that the object returned was created with the platform version 215 * of OpenSSL, and _not_ the one that comes with Chromium. Whether the 216 * object can be used safely with the Chromium OpenSSL library depends 217 * on differences between their actual ABI / implementation details. 218 * 219 * To better understand what's going on below, please refer to the 220 * following source files in the Android 4.0.4 and 4.1 source trees: 221 * libcore/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLRSAPrivateKey.java 222 * libcore/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp 223 * 224 * @param privateKey The PrivateKey handle. 225 * @return The EVP_PKEY handle, as a 32-bit integer (0 if not available) 226 */ 227 @CalledByNative 228 public static int getOpenSSLHandleForPrivateKey(PrivateKey privateKey) { 229 // Sanity checks 230 if (privateKey == null) { 231 Log.e(TAG, "privateKey == null"); 232 return 0; 233 } 234 if (!(privateKey instanceof RSAPrivateKey)) { 235 Log.e(TAG, "does not implement RSAPrivateKey"); 236 return 0; 237 } 238 // First, check that this is a proper instance of OpenSSLRSAPrivateKey 239 // or one of its sub-classes. 240 Class<?> superClass; 241 try { 242 superClass = Class.forName( 243 "org.apache.harmony.xnet.provider.jsse.OpenSSLRSAPrivateKey"); 244 } catch (Exception e) { 245 // This may happen if the target device has a completely different 246 // implementation of the java.security APIs, compared to vanilla 247 // Android. Highly unlikely, but still possible. 248 Log.e(TAG, "Cannot find system OpenSSLRSAPrivateKey class: " + e); 249 return 0; 250 } 251 if (!superClass.isInstance(privateKey)) { 252 // This may happen if the PrivateKey was not created by the "AndroidOpenSSL" 253 // provider, which should be the default. That could happen if an OEM decided 254 // to implement a different default provider. Also highly unlikely. 255 Log.e(TAG, "Private key is not an OpenSSLRSAPrivateKey instance, its class name is:" + 256 privateKey.getClass().getCanonicalName()); 257 return 0; 258 } 259 260 try { 261 // Use reflection to invoke the 'getOpenSSLKey()' method on 262 // the private key. This returns another Java object that wraps 263 // a native EVP_PKEY. Note that the method is final, so calling 264 // the superclass implementation is ok. 265 Method getKey = superClass.getDeclaredMethod("getOpenSSLKey"); 266 getKey.setAccessible(true); 267 Object opensslKey = null; 268 try { 269 opensslKey = getKey.invoke(privateKey); 270 } finally { 271 getKey.setAccessible(false); 272 } 273 if (opensslKey == null) { 274 // Bail when detecting OEM "enhancement". 275 Log.e(TAG, "getOpenSSLKey() returned null"); 276 return 0; 277 } 278 279 // Use reflection to invoke the 'getPkeyContext' method on the 280 // result of the getOpenSSLKey(). This is an 32-bit integer 281 // which is the address of an EVP_PKEY object. 282 Method getPkeyContext; 283 try { 284 getPkeyContext = opensslKey.getClass().getDeclaredMethod("getPkeyContext"); 285 } catch (Exception e) { 286 // Bail here too, something really not working as expected. 287 Log.e(TAG, "No getPkeyContext() method on OpenSSLKey member:" + e); 288 return 0; 289 } 290 getPkeyContext.setAccessible(true); 291 int evp_pkey = 0; 292 try { 293 evp_pkey = (Integer) getPkeyContext.invoke(opensslKey); 294 } finally { 295 getPkeyContext.setAccessible(false); 296 } 297 if (evp_pkey == 0) { 298 // The PrivateKey is probably rotten for some reason. 299 Log.e(TAG, "getPkeyContext() returned null"); 300 } 301 return evp_pkey; 302 303 } catch (Exception e) { 304 Log.e(TAG, "Exception while trying to retrieve system EVP_PKEY handle: " + e); 305 return 0; 306 } 307 } 308} 309