KeyChain.java revision b91773bce1126d28a93f73fbef18f3a79245f24e 
1/*
2 * Copyright (C) 2011 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16package android.security;
17
18import android.app.Activity;
19import android.app.PendingIntent;
20import android.content.ComponentName;
21import android.content.Context;
22import android.content.Intent;
23import android.content.ServiceConnection;
24import android.os.IBinder;
25import android.os.Looper;
26import android.os.RemoteException;
27import java.io.ByteArrayInputStream;
28import java.io.Closeable;
29import java.security.InvalidKeyException;
30import java.security.Principal;
31import java.security.PrivateKey;
32import java.security.cert.Certificate;
33import java.security.cert.CertificateException;
34import java.security.cert.CertificateFactory;
35import java.security.cert.X509Certificate;
36import java.util.List;
37import java.util.Locale;
38import java.util.concurrent.BlockingQueue;
39import java.util.concurrent.LinkedBlockingQueue;
40
41import com.android.org.conscrypt.OpenSSLEngine;
42import com.android.org.conscrypt.TrustedCertificateStore;
43
44/**
45 * The {@code KeyChain} class provides access to private keys and
46 * their corresponding certificate chains in credential storage.
47 *
48 * <p>Applications accessing the {@code KeyChain} normally go through
49 * these steps:
50 *
51 * <ol>
52 *
53 * <li>Receive a callback from an {@link javax.net.ssl.X509KeyManager
54 * X509KeyManager} that a private key is requested.
55 *
56 * <li>Call {@link #choosePrivateKeyAlias
57 * choosePrivateKeyAlias} to allow the user to select from a
58 * list of currently available private keys and corresponding
59 * certificate chains. The chosen alias will be returned by the
60 * callback {@link KeyChainAliasCallback#alias}, or null if no private
61 * key is available or the user cancels the request.
62 *
63 * <li>Call {@link #getPrivateKey} and {@link #getCertificateChain} to
64 * retrieve the credentials to return to the corresponding {@link
65 * javax.net.ssl.X509KeyManager} callbacks.
66 *
67 * </ol>
68 *
69 * <p>An application may remember the value of a selected alias to
70 * avoid prompting the user with {@link #choosePrivateKeyAlias
71 * choosePrivateKeyAlias} on subsequent connections. If the alias is
72 * no longer valid, null will be returned on lookups using that value
73 *
74 * <p>An application can request the installation of private keys and
75 * certificates via the {@code Intent} provided by {@link
76 * #createInstallIntent}. Private keys installed via this {@code
77 * Intent} will be accessible via {@link #choosePrivateKeyAlias} while
78 * Certificate Authority (CA) certificates will be trusted by all
79 * applications through the default {@code X509TrustManager}.
80 */
81// TODO reference intent for credential installation when public
82public final class KeyChain {
83
84    private static final String TAG = "KeyChain";
85
86    /**
87     * @hide Also used by KeyChainService implementation
88     */
89    public static final String ACCOUNT_TYPE = "com.android.keychain";
90
91    /**
92     * Action to bring up the KeyChainActivity
93     */
94    private static final String ACTION_CHOOSER = "com.android.keychain.CHOOSER";
95
96    /**
97     * Extra for use with {@link #ACTION_CHOOSER}
98     * @hide Also used by KeyChainActivity implementation
99     */
100    public static final String EXTRA_RESPONSE = "response";
101
102    /**
103     * Extra for use with {@link #ACTION_CHOOSER}
104     * @hide Also used by KeyChainActivity implementation
105     */
106    public static final String EXTRA_HOST = "host";
107
108    /**
109     * Extra for use with {@link #ACTION_CHOOSER}
110     * @hide Also used by KeyChainActivity implementation
111     */
112    public static final String EXTRA_PORT = "port";
113
114    /**
115     * Extra for use with {@link #ACTION_CHOOSER}
116     * @hide Also used by KeyChainActivity implementation
117     */
118    public static final String EXTRA_ALIAS = "alias";
119
120    /**
121     * Extra for use with {@link #ACTION_CHOOSER}
122     * @hide Also used by KeyChainActivity implementation
123     */
124    public static final String EXTRA_SENDER = "sender";
125
126    /**
127     * Action to bring up the CertInstaller.
128     */
129    private static final String ACTION_INSTALL = "android.credentials.INSTALL";
130
131    /**
132     * Optional extra to specify a {@code String} credential name on
133     * the {@code Intent} returned by {@link #createInstallIntent}.
134     */
135    // Compatible with old com.android.certinstaller.CredentialHelper.CERT_NAME_KEY
136    public static final String EXTRA_NAME = "name";
137
138    /**
139     * Optional extra to specify an X.509 certificate to install on
140     * the {@code Intent} returned by {@link #createInstallIntent}.
141     * The extra value should be a PEM or ASN.1 DER encoded {@code
142     * byte[]}. An {@link X509Certificate} can be converted to DER
143     * encoded bytes with {@link X509Certificate#getEncoded}.
144     *
145     * <p>{@link #EXTRA_NAME} may be used to provide a default alias
146     * name for the installed certificate.
147     */
148    // Compatible with old android.security.Credentials.CERTIFICATE
149    public static final String EXTRA_CERTIFICATE = "CERT";
150
151    /**
152     * Optional extra for use with the {@code Intent} returned by
153     * {@link #createInstallIntent} to specify a PKCS#12 key store to
154     * install. The extra value should be a {@code byte[]}. The bytes
155     * may come from an external source or be generated with {@link
156     * java.security.KeyStore#store} on a "PKCS12" instance.
157     *
158     * <p>The user will be prompted for the password to load the key store.
159     *
160     * <p>The key store will be scanned for {@link
161     * java.security.KeyStore.PrivateKeyEntry} entries and both the
162     * private key and associated certificate chain will be installed.
163     *
164     * <p>{@link #EXTRA_NAME} may be used to provide a default alias
165     * name for the installed credentials.
166     */
167    // Compatible with old android.security.Credentials.PKCS12
168    public static final String EXTRA_PKCS12 = "PKCS12";
169
170
171    /**
172     * Broadcast Action: Indicates the trusted storage has changed. Sent when
173     * one of this happens:
174     *
175     * <ul>
176     * <li>a new CA is added,
177     * <li>an existing CA is removed or disabled,
178     * <li>a disabled CA is enabled,
179     * <li>trusted storage is reset (all user certs are cleared),
180     * <li>when permission to access a private key is changed.
181     * </ul>
182     */
183    public static final String ACTION_STORAGE_CHANGED = "android.security.STORAGE_CHANGED";
184
185    /**
186     * Returns an {@code Intent} that can be used for credential
187     * installation. The intent may be used without any extras, in
188     * which case the user will be able to install credentials from
189     * their own source.
190     *
191     * <p>Alternatively, {@link #EXTRA_CERTIFICATE} or {@link
192     * #EXTRA_PKCS12} maybe used to specify the bytes of an X.509
193     * certificate or a PKCS#12 key store for installation. These
194     * extras may be combined with {@link #EXTRA_NAME} to provide a
195     * default alias name for credentials being installed.
196     *
197     * <p>When used with {@link Activity#startActivityForResult},
198     * {@link Activity#RESULT_OK} will be returned if a credential was
199     * successfully installed, otherwise {@link
200     * Activity#RESULT_CANCELED} will be returned.
201     */
202    public static Intent createInstallIntent() {
203        Intent intent = new Intent(ACTION_INSTALL);
204        intent.setClassName("com.android.certinstaller",
205                            "com.android.certinstaller.CertInstallerMain");
206        return intent;
207    }
208
209    /**
210     * Launches an {@code Activity} for the user to select the alias
211     * for a private key and certificate pair for authentication. The
212     * selected alias or null will be returned via the
213     * KeyChainAliasCallback callback.
214     *
215     * <p>{@code keyTypes} and {@code issuers} may be used to
216     * highlight suggested choices to the user, although to cope with
217     * sometimes erroneous values provided by servers, the user may be
218     * able to override these suggestions.
219     *
220     * <p>{@code host} and {@code port} may be used to give the user
221     * more context about the server requesting the credentials.
222     *
223     * <p>{@code alias} allows the chooser to preselect an existing
224     * alias which will still be subject to user confirmation.
225     *
226     * @param activity The {@link Activity} context to use for
227     *     launching the new sub-Activity to prompt the user to select
228     *     a private key; used only to call startActivity(); must not
229     *     be null.
230     * @param response Callback to invoke when the request completes;
231     *     must not be null
232     * @param keyTypes The acceptable types of asymmetric keys such as
233     *     "RSA" or "DSA", or a null array.
234     * @param issuers The acceptable certificate issuers for the
235     *     certificate matching the private key, or null.
236     * @param host The host name of the server requesting the
237     *     certificate, or null if unavailable.
238     * @param port The port number of the server requesting the
239     *     certificate, or -1 if unavailable.
240     * @param alias The alias to preselect if available, or null if
241     *     unavailable.
242     */
243    public static void choosePrivateKeyAlias(Activity activity, KeyChainAliasCallback response,
244                                             String[] keyTypes, Principal[] issuers,
245                                             String host, int port,
246                                             String alias) {
247        /*
248         * TODO currently keyTypes, issuers are unused. They are meant
249         * to follow the semantics and purpose of X509KeyManager
250         * method arguments.
251         *
252         * keyTypes would allow the list to be filtered and typically
253         * will be set correctly by the server. In practice today,
254         * most all users will want only RSA, rarely DSA, and usually
255         * only a small number of certs will be available.
256         *
257         * issuers is typically not useful. Some servers historically
258         * will send the entire list of public CAs known to the
259         * server. Others will send none. If this is used, if there
260         * are no matches after applying the constraint, it should be
261         * ignored.
262         */
263        if (activity == null) {
264            throw new NullPointerException("activity == null");
265        }
266        if (response == null) {
267            throw new NullPointerException("response == null");
268        }
269        Intent intent = new Intent(ACTION_CHOOSER);
270        intent.putExtra(EXTRA_RESPONSE, new AliasResponse(response));
271        intent.putExtra(EXTRA_HOST, host);
272        intent.putExtra(EXTRA_PORT, port);
273        intent.putExtra(EXTRA_ALIAS, alias);
274        // the PendingIntent is used to get calling package name
275        intent.putExtra(EXTRA_SENDER, PendingIntent.getActivity(activity, 0, new Intent(), 0));
276        activity.startActivity(intent);
277    }
278
279    private static class AliasResponse extends IKeyChainAliasCallback.Stub {
280        private final KeyChainAliasCallback keyChainAliasResponse;
281        private AliasResponse(KeyChainAliasCallback keyChainAliasResponse) {
282            this.keyChainAliasResponse = keyChainAliasResponse;
283        }
284        @Override public void alias(String alias) {
285            keyChainAliasResponse.alias(alias);
286        }
287    }
288
289    /**
290     * Returns the {@code PrivateKey} for the requested alias, or null
291     * if no there is no result.
292     *
293     * @param alias The alias of the desired private key, typically
294     * returned via {@link KeyChainAliasCallback#alias}.
295     * @throws KeyChainException if the alias was valid but there was some problem accessing it.
296     */
297    public static PrivateKey getPrivateKey(Context context, String alias)
298            throws KeyChainException, InterruptedException {
299        if (alias == null) {
300            throw new NullPointerException("alias == null");
301        }
302        KeyChainConnection keyChainConnection = bind(context);
303        try {
304            final IKeyChainService keyChainService = keyChainConnection.getService();
305            final String keyId = keyChainService.requestPrivateKey(alias);
306            if (keyId == null) {
307                throw new KeyChainException("keystore had a problem");
308            }
309
310            final OpenSSLEngine engine = OpenSSLEngine.getInstance("keystore");
311            return engine.getPrivateKeyById(keyId);
312        } catch (RemoteException e) {
313            throw new KeyChainException(e);
314        } catch (RuntimeException e) {
315            // only certain RuntimeExceptions can be propagated across the IKeyChainService call
316            throw new KeyChainException(e);
317        } catch (InvalidKeyException e) {
318            throw new KeyChainException(e);
319        } finally {
320            keyChainConnection.close();
321        }
322    }
323
324    /**
325     * Returns the {@code X509Certificate} chain for the requested
326     * alias, or null if no there is no result.
327     *
328     * @param alias The alias of the desired certificate chain, typically
329     * returned via {@link KeyChainAliasCallback#alias}.
330     * @throws KeyChainException if the alias was valid but there was some problem accessing it.
331     */
332    public static X509Certificate[] getCertificateChain(Context context, String alias)
333            throws KeyChainException, InterruptedException {
334        if (alias == null) {
335            throw new NullPointerException("alias == null");
336        }
337        KeyChainConnection keyChainConnection = bind(context);
338        try {
339            IKeyChainService keyChainService = keyChainConnection.getService();
340
341            final byte[] certificateBytes = keyChainService.getCertificate(alias);
342            if (certificateBytes == null) {
343                return null;
344            }
345
346            TrustedCertificateStore store = new TrustedCertificateStore();
347            List<X509Certificate> chain = store
348                    .getCertificateChain(toCertificate(certificateBytes));
349            return chain.toArray(new X509Certificate[chain.size()]);
350        } catch (CertificateException e) {
351            throw new KeyChainException(e);
352        } catch (RemoteException e) {
353            throw new KeyChainException(e);
354        } catch (RuntimeException e) {
355            // only certain RuntimeExceptions can be propagated across the IKeyChainService call
356            throw new KeyChainException(e);
357        } finally {
358            keyChainConnection.close();
359        }
360    }
361
362    /**
363     * Returns {@code true} if the current device's {@code KeyChain} supports a
364     * specific {@code PrivateKey} type indicated by {@code algorithm} (e.g.,
365     * "RSA").
366     */
367    public static boolean isKeyAlgorithmSupported(String algorithm) {
368        final String algUpper = algorithm.toUpperCase(Locale.US);
369        return "DSA".equals(algUpper) || "EC".equals(algUpper) || "RSA".equals(algUpper);
370    }
371
372    /**
373     * Returns {@code true} if the current device's {@code KeyChain} binds any
374     * {@code PrivateKey} of the given {@code algorithm} to the device once
375     * imported or generated. This can be used to tell if there is special
376     * hardware support that can be used to bind keys to the device in a way
377     * that makes it non-exportable.
378     */
379    public static boolean isBoundKeyAlgorithm(String algorithm) {
380        if (!isKeyAlgorithmSupported(algorithm)) {
381            return false;
382        }
383
384        return KeyStore.getInstance().isHardwareBacked(algorithm);
385    }
386
387    private static X509Certificate toCertificate(byte[] bytes) {
388        if (bytes == null) {
389            throw new IllegalArgumentException("bytes == null");
390        }
391        try {
392            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
393            Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes));
394            return (X509Certificate) cert;
395        } catch (CertificateException e) {
396            throw new AssertionError(e);
397        }
398    }
399
400    /**
401     * @hide for reuse by CertInstaller and Settings.
402     * @see KeyChain#bind
403     */
404    public final static class KeyChainConnection implements Closeable {
405        private final Context context;
406        private final ServiceConnection serviceConnection;
407        private final IKeyChainService service;
408        private KeyChainConnection(Context context,
409                                   ServiceConnection serviceConnection,
410                                   IKeyChainService service) {
411            this.context = context;
412            this.serviceConnection = serviceConnection;
413            this.service = service;
414        }
415        @Override public void close() {
416            context.unbindService(serviceConnection);
417        }
418        public IKeyChainService getService() {
419            return service;
420        }
421    }
422
423    /**
424     * @hide for reuse by CertInstaller and Settings.
425     *
426     * Caller should call unbindService on the result when finished.
427     */
428    public static KeyChainConnection bind(Context context) throws InterruptedException {
429        if (context == null) {
430            throw new NullPointerException("context == null");
431        }
432        ensureNotOnMainThread(context);
433        final BlockingQueue<IKeyChainService> q = new LinkedBlockingQueue<IKeyChainService>(1);
434        ServiceConnection keyChainServiceConnection = new ServiceConnection() {
435            volatile boolean mConnectedAtLeastOnce = false;
436            @Override public void onServiceConnected(ComponentName name, IBinder service) {
437                if (!mConnectedAtLeastOnce) {
438                    mConnectedAtLeastOnce = true;
439                    try {
440                        q.put(IKeyChainService.Stub.asInterface(service));
441                    } catch (InterruptedException e) {
442                        // will never happen, since the queue starts with one available slot
443                    }
444                }
445            }
446            @Override public void onServiceDisconnected(ComponentName name) {}
447        };
448        Intent intent = new Intent(IKeyChainService.class.getName());
449        ComponentName comp = intent.resolveSystemService(context.getPackageManager(), 0);
450        intent.setComponent(comp);
451        boolean isBound = context.bindService(intent,
452                                              keyChainServiceConnection,
453                                              Context.BIND_AUTO_CREATE);
454        if (!isBound) {
455            throw new AssertionError("could not bind to KeyChainService");
456        }
457        return new KeyChainConnection(context, keyChainServiceConnection, q.take());
458    }
459
460    private static void ensureNotOnMainThread(Context context) {
461        Looper looper = Looper.myLooper();
462        if (looper != null && looper == context.getMainLooper()) {
463            throw new IllegalStateException(
464                    "calling this from your main thread can lead to deadlock");
465        }
466    }
467}
468