KeyChain.java revision 1cedb47e18a3acb322914e1963285882dc77d9ba 
1/*
2 * Copyright (C) 2011 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16package android.security;
17
18import android.app.Activity;
19import android.app.PendingIntent;
20import android.content.ComponentName;
21import android.content.Context;
22import android.content.Intent;
23import android.content.ServiceConnection;
24import android.os.IBinder;
25import android.os.Looper;
26import android.os.RemoteException;
27import java.io.ByteArrayInputStream;
28import java.io.Closeable;
29import java.io.IOException;
30import java.security.KeyPair;
31import java.security.Principal;
32import java.security.PrivateKey;
33import java.security.cert.Certificate;
34import java.security.cert.CertificateException;
35import java.security.cert.CertificateFactory;
36import java.security.cert.X509Certificate;
37import java.util.ArrayList;
38import java.util.List;
39import java.util.concurrent.BlockingQueue;
40import java.util.concurrent.LinkedBlockingQueue;
41import libcore.util.Objects;
42import org.apache.harmony.xnet.provider.jsse.TrustedCertificateStore;
43
44/**
45 * The {@code KeyChain} class provides access to private keys and
46 * their corresponding certificate chains in credential storage.
47 *
48 * <p>Applications accessing the {@code KeyChain} normally go through
49 * these steps:
50 *
51 * <ol>
52 *
53 * <li>Receive a callback from an {@link javax.net.ssl.X509KeyManager
54 * X509KeyManager} that a private key is requested.
55 *
56 * <li>Call {@link #choosePrivateKeyAlias
57 * choosePrivateKeyAlias} to allow the user to select from a
58 * list of currently available private keys and corresponding
59 * certificate chains. The chosen alias will be returned by the
60 * callback {@link KeyChainAliasCallback#alias}, or null if no private
61 * key is available or the user cancels the request.
62 *
63 * <li>Call {@link #getPrivateKey} and {@link #getCertificateChain} to
64 * retrieve the credentials to return to the corresponding {@link
65 * javax.net.ssl.X509KeyManager} callbacks.
66 *
67 * </ol>
68 *
69 * <p>An application may remember the value of a selected alias to
70 * avoid prompting the user with {@link #choosePrivateKeyAlias
71 * choosePrivateKeyAlias} on subsequent connections. If the alias is
72 * no longer valid, null will be returned on lookups using that value
73 *
74 * <p>An application can request the installation of private keys and
75 * certificates via the {@code Intent} provided by {@link
76 * #createInstallIntent}. Private keys installed via this {@code
77 * Intent} will be accessible via {@link #choosePrivateKeyAlias} while
78 * Certificate Authority (CA) certificates will be trusted by all
79 * applications through the default {@code X509TrustManager}.
80 */
81// TODO reference intent for credential installation when public
82public final class KeyChain {
83
84    private static final String TAG = "KeyChain";
85
86    /**
87     * @hide Also used by KeyChainService implementation
88     */
89    public static final String ACCOUNT_TYPE = "com.android.keychain";
90
91    /**
92     * Action to bring up the KeyChainActivity
93     */
94    private static final String ACTION_CHOOSER = "com.android.keychain.CHOOSER";
95
96    /**
97     * Extra for use with {@link #ACTION_CHOOSER}
98     * @hide Also used by KeyChainActivity implementation
99     */
100    public static final String EXTRA_RESPONSE = "response";
101
102    /**
103     * Extra for use with {@link #ACTION_CHOOSER}
104     * @hide Also used by KeyChainActivity implementation
105     */
106    public static final String EXTRA_HOST = "host";
107
108    /**
109     * Extra for use with {@link #ACTION_CHOOSER}
110     * @hide Also used by KeyChainActivity implementation
111     */
112    public static final String EXTRA_PORT = "port";
113
114    /**
115     * Extra for use with {@link #ACTION_CHOOSER}
116     * @hide Also used by KeyChainActivity implementation
117     */
118    public static final String EXTRA_ALIAS = "alias";
119
120    /**
121     * Extra for use with {@link #ACTION_CHOOSER}
122     * @hide Also used by KeyChainActivity implementation
123     */
124    public static final String EXTRA_SENDER = "sender";
125
126    /**
127     * Action to bring up the CertInstaller.
128     */
129    private static final String ACTION_INSTALL = "android.credentials.INSTALL";
130
131    /**
132     * Optional extra to specify a {@code String} credential name on
133     * the {@code Intent} returned by {@link #createInstallIntent}.
134     */
135    // Compatible with old com.android.certinstaller.CredentialHelper.CERT_NAME_KEY
136    public static final String EXTRA_NAME = "name";
137
138    /**
139     * Optional extra to specify an X.509 certificate to install on
140     * the {@code Intent} returned by {@link #createInstallIntent}.
141     * The extra value should be a PEM or ASN.1 DER encoded {@code
142     * byte[]}. An {@link X509Certificate} can be converted to DER
143     * encoded bytes with {@link X509Certificate#getEncoded}.
144     *
145     * <p>{@link #EXTRA_NAME} may be used to provide a default alias
146     * name for the installed certificate.
147     */
148    // Compatible with old android.security.Credentials.CERTIFICATE
149    public static final String EXTRA_CERTIFICATE = "CERT";
150
151    /**
152     * Optional extra for use with the {@code Intent} returned by
153     * {@link #createInstallIntent} to specify a PKCS#12 key store to
154     * install. The extra value should be a {@code byte[]}. The bytes
155     * may come from an external source or be generated with {@link
156     * java.security.KeyStore#store} on a "PKCS12" instance.
157     *
158     * <p>The user will be prompted for the password to load the key store.
159     *
160     * <p>The key store will be scanned for {@link
161     * java.security.KeyStore.PrivateKeyEntry} entries and both the
162     * private key and associated certificate chain will be installed.
163     *
164     * <p>{@link #EXTRA_NAME} may be used to provide a default alias
165     * name for the installed credentials.
166     */
167    // Compatible with old android.security.Credentials.PKCS12
168    public static final String EXTRA_PKCS12 = "PKCS12";
169
170
171    /**
172     * Broadcast Action: Indicates the trusted storage has changed. Sent when
173     * one of this happens:
174     *
175     * <ul>
176     * <li>a new CA is added,
177     * <li>an existing CA is removed or disabled,
178     * <li>a disabled CA is enabled,
179     * <li>trusted storage is reset (all user certs are cleared),
180     * <li>when permission to access a private key is changed.
181     * </ul>
182     */
183    public static final String ACTION_STORAGE_CHANGED = "android.security.STORAGE_CHANGED";
184
185    /**
186     * Returns an {@code Intent} that can be used for credential
187     * installation. The intent may be used without any extras, in
188     * which case the user will be able to install credentials from
189     * their own source.
190     *
191     * <p>Alternatively, {@link #EXTRA_CERTIFICATE} or {@link
192     * #EXTRA_PKCS12} maybe used to specify the bytes of an X.509
193     * certificate or a PKCS#12 key store for installation. These
194     * extras may be combined with {@link #EXTRA_NAME} to provide a
195     * default alias name for credentials being installed.
196     *
197     * <p>When used with {@link Activity#startActivityForResult},
198     * {@link Activity#RESULT_OK} will be returned if a credential was
199     * successfully installed, otherwise {@link
200     * Activity#RESULT_CANCELED} will be returned.
201     */
202    public static Intent createInstallIntent() {
203        Intent intent = new Intent(ACTION_INSTALL);
204        intent.setClassName("com.android.certinstaller",
205                            "com.android.certinstaller.CertInstallerMain");
206        return intent;
207    }
208
209    /**
210     * Launches an {@code Activity} for the user to select the alias
211     * for a private key and certificate pair for authentication. The
212     * selected alias or null will be returned via the
213     * KeyChainAliasCallback callback.
214     *
215     * <p>{@code keyTypes} and {@code issuers} may be used to
216     * highlight suggested choices to the user, although to cope with
217     * sometimes erroneous values provided by servers, the user may be
218     * able to override these suggestions.
219     *
220     * <p>{@code host} and {@code port} may be used to give the user
221     * more context about the server requesting the credentials.
222     *
223     * <p>{@code alias} allows the chooser to preselect an existing
224     * alias which will still be subject to user confirmation.
225     *
226     * @param activity The {@link Activity} context to use for
227     *     launching the new sub-Activity to prompt the user to select
228     *     a private key; used only to call startActivity(); must not
229     *     be null.
230     * @param response Callback to invoke when the request completes;
231     *     must not be null
232     * @param keyTypes The acceptable types of asymmetric keys such as
233     *     "RSA" or "DSA", or a null array.
234     * @param issuers The acceptable certificate issuers for the
235     *     certificate matching the private key, or null.
236     * @param host The host name of the server requesting the
237     *     certificate, or null if unavailable.
238     * @param port The port number of the server requesting the
239     *     certificate, or -1 if unavailable.
240     * @param alias The alias to preselect if available, or null if
241     *     unavailable.
242     */
243    public static void choosePrivateKeyAlias(Activity activity, KeyChainAliasCallback response,
244                                             String[] keyTypes, Principal[] issuers,
245                                             String host, int port,
246                                             String alias) {
247        /*
248         * TODO currently keyTypes, issuers are unused. They are meant
249         * to follow the semantics and purpose of X509KeyManager
250         * method arguments.
251         *
252         * keyTypes would allow the list to be filtered and typically
253         * will be set correctly by the server. In practice today,
254         * most all users will want only RSA, rarely DSA, and usually
255         * only a small number of certs will be available.
256         *
257         * issuers is typically not useful. Some servers historically
258         * will send the entire list of public CAs known to the
259         * server. Others will send none. If this is used, if there
260         * are no matches after applying the constraint, it should be
261         * ignored.
262         */
263        if (activity == null) {
264            throw new NullPointerException("activity == null");
265        }
266        if (response == null) {
267            throw new NullPointerException("response == null");
268        }
269        Intent intent = new Intent(ACTION_CHOOSER);
270        intent.putExtra(EXTRA_RESPONSE, new AliasResponse(response));
271        intent.putExtra(EXTRA_HOST, host);
272        intent.putExtra(EXTRA_PORT, port);
273        intent.putExtra(EXTRA_ALIAS, alias);
274        // the PendingIntent is used to get calling package name
275        intent.putExtra(EXTRA_SENDER, PendingIntent.getActivity(activity, 0, new Intent(), 0));
276        activity.startActivity(intent);
277    }
278
279    private static class AliasResponse extends IKeyChainAliasCallback.Stub {
280        private final KeyChainAliasCallback keyChainAliasResponse;
281        private AliasResponse(KeyChainAliasCallback keyChainAliasResponse) {
282            this.keyChainAliasResponse = keyChainAliasResponse;
283        }
284        @Override public void alias(String alias) {
285            keyChainAliasResponse.alias(alias);
286        }
287    }
288
289    /**
290     * Returns the {@code PrivateKey} for the requested alias, or null
291     * if no there is no result.
292     *
293     * @param alias The alias of the desired private key, typically
294     * returned via {@link KeyChainAliasCallback#alias}.
295     * @throws KeyChainException if the alias was valid but there was some problem accessing it.
296     */
297    public static PrivateKey getPrivateKey(Context context, String alias)
298            throws KeyChainException, InterruptedException {
299        if (alias == null) {
300            throw new NullPointerException("alias == null");
301        }
302        KeyChainConnection keyChainConnection = bind(context);
303        try {
304            IKeyChainService keyChainService = keyChainConnection.getService();
305            byte[] privateKeyBytes = keyChainService.getPrivateKey(alias);
306            return toPrivateKey(privateKeyBytes);
307        } catch (RemoteException e) {
308            throw new KeyChainException(e);
309        } catch (RuntimeException e) {
310            // only certain RuntimeExceptions can be propagated across the IKeyChainService call
311            throw new KeyChainException(e);
312        } finally {
313            keyChainConnection.close();
314        }
315    }
316
317    /**
318     * Returns the {@code X509Certificate} chain for the requested
319     * alias, or null if no there is no result.
320     *
321     * @param alias The alias of the desired certificate chain, typically
322     * returned via {@link KeyChainAliasCallback#alias}.
323     * @throws KeyChainException if the alias was valid but there was some problem accessing it.
324     */
325    public static X509Certificate[] getCertificateChain(Context context, String alias)
326            throws KeyChainException, InterruptedException {
327        if (alias == null) {
328            throw new NullPointerException("alias == null");
329        }
330        KeyChainConnection keyChainConnection = bind(context);
331        try {
332            IKeyChainService keyChainService = keyChainConnection.getService();
333            byte[] certificateBytes = keyChainService.getCertificate(alias);
334            List<X509Certificate> chain = new ArrayList<X509Certificate>();
335            chain.add(toCertificate(certificateBytes));
336            TrustedCertificateStore store = new TrustedCertificateStore();
337            for (int i = 0; true; i++) {
338                X509Certificate cert = chain.get(i);
339                if (Objects.equal(cert.getSubjectX500Principal(), cert.getIssuerX500Principal())) {
340                    break;
341                }
342                X509Certificate issuer = store.findIssuer(cert);
343                if (issuer == null) {
344                    break;
345                }
346                chain.add(issuer);
347            }
348            return chain.toArray(new X509Certificate[chain.size()]);
349        } catch (RemoteException e) {
350            throw new KeyChainException(e);
351        } catch (RuntimeException e) {
352            // only certain RuntimeExceptions can be propagated across the IKeyChainService call
353            throw new KeyChainException(e);
354        } finally {
355            keyChainConnection.close();
356        }
357    }
358
359    private static PrivateKey toPrivateKey(byte[] bytes) {
360        if (bytes == null) {
361            throw new IllegalArgumentException("bytes == null");
362        }
363        try {
364            KeyPair keyPair = (KeyPair) Credentials.convertFromPem(bytes).get(0);
365            return keyPair.getPrivate();
366        } catch (IOException e) {
367            throw new AssertionError(e);
368        }
369    }
370
371    private static X509Certificate toCertificate(byte[] bytes) {
372        if (bytes == null) {
373            throw new IllegalArgumentException("bytes == null");
374        }
375        try {
376            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
377            Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes));
378            return (X509Certificate) cert;
379        } catch (CertificateException e) {
380            throw new AssertionError(e);
381        }
382    }
383
384    /**
385     * @hide for reuse by CertInstaller and Settings.
386     * @see KeyChain#bind
387     */
388    public final static class KeyChainConnection implements Closeable {
389        private final Context context;
390        private final ServiceConnection serviceConnection;
391        private final IKeyChainService service;
392        private KeyChainConnection(Context context,
393                                   ServiceConnection serviceConnection,
394                                   IKeyChainService service) {
395            this.context = context;
396            this.serviceConnection = serviceConnection;
397            this.service = service;
398        }
399        @Override public void close() {
400            context.unbindService(serviceConnection);
401        }
402        public IKeyChainService getService() {
403            return service;
404        }
405    }
406
407    /**
408     * @hide for reuse by CertInstaller and Settings.
409     *
410     * Caller should call unbindService on the result when finished.
411     */
412    public static KeyChainConnection bind(Context context) throws InterruptedException {
413        if (context == null) {
414            throw new NullPointerException("context == null");
415        }
416        ensureNotOnMainThread(context);
417        final BlockingQueue<IKeyChainService> q = new LinkedBlockingQueue<IKeyChainService>(1);
418        ServiceConnection keyChainServiceConnection = new ServiceConnection() {
419            volatile boolean mConnectedAtLeastOnce = false;
420            @Override public void onServiceConnected(ComponentName name, IBinder service) {
421                if (!mConnectedAtLeastOnce) {
422                    mConnectedAtLeastOnce = true;
423                    try {
424                        q.put(IKeyChainService.Stub.asInterface(service));
425                    } catch (InterruptedException e) {
426                        // will never happen, since the queue starts with one available slot
427                    }
428                }
429            }
430            @Override public void onServiceDisconnected(ComponentName name) {}
431        };
432        boolean isBound = context.bindService(new Intent(IKeyChainService.class.getName()),
433                                              keyChainServiceConnection,
434                                              Context.BIND_AUTO_CREATE);
435        if (!isBound) {
436            throw new AssertionError("could not bind to KeyChainService");
437        }
438        return new KeyChainConnection(context, keyChainServiceConnection, q.take());
439    }
440
441    private static void ensureNotOnMainThread(Context context) {
442        Looper looper = Looper.myLooper();
443        if (looper != null && looper == context.getMainLooper()) {
444            throw new IllegalStateException(
445                    "calling this from your main thread can lead to deadlock");
446        }
447    }
448}
449