xref: /frameworks/base/packages/Osu/src/com/android/hotspot2/osu/WiFiKeyManager.java

package com.android.hotspot2.osu;

import android.util.Log;

import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

public class WiFiKeyManager implements X509KeyManager {
    private final KeyStore mKeyStore;
    private final Map<X500Principal, String[]> mAliases = new HashMap<>();

    public WiFiKeyManager(KeyStore keyStore) throws IOException {
        mKeyStore = keyStore;
    }

    public void enableClientAuth(List<String> issuerNames) throws GeneralSecurityException,
            IOException {

        Set<X500Principal> acceptedIssuers = new HashSet<>();
        for (String issuerName : issuerNames) {
            acceptedIssuers.add(new X500Principal(issuerName));
        }

        Enumeration<String> aliases = mKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = mKeyStore.getCertificate(alias);
            if ((cert instanceof X509Certificate) && mKeyStore.getKey(alias, null) != null) {
                X509Certificate x509Certificate = (X509Certificate) cert;
                X500Principal issuer = x509Certificate.getIssuerX500Principal();
                if (acceptedIssuers.contains(issuer)) {
                    mAliases.put(issuer, new String[]{alias, cert.getPublicKey().getAlgorithm()});
                }
            }
        }

        if (mAliases.isEmpty()) {
            throw new IOException("No aliases match requested issuers: " + issuerNames);
        }
    }

    private static class AliasEntry implements Comparable<AliasEntry> {
        private final int mPreference;
        private final String mAlias;

        private AliasEntry(int preference, String alias) {
            mPreference = preference;
            mAlias = alias;
        }

        public int getPreference() {
            return mPreference;
        }

        public String getAlias() {
            return mAlias;
        }

        @Override
        public int compareTo(AliasEntry other) {
            return Integer.compare(getPreference(), other.getPreference());
        }
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {

        Map<String, Integer> keyPrefs = new HashMap<>(keyTypes.length);
        int pref = 0;
        for (String keyType : keyTypes) {
            keyPrefs.put(keyType, pref++);
        }

        List<AliasEntry> aliases = new ArrayList<>();
        if (issuers != null) {
            for (Principal issuer : issuers) {
                if (issuer instanceof X500Principal) {
                    String[] aliasAndKey = mAliases.get((X500Principal) issuer);
                    if (aliasAndKey != null) {
                        Integer preference = keyPrefs.get(aliasAndKey[1]);
                        if (preference != null) {
                            aliases.add(new AliasEntry(preference, aliasAndKey[0]));
                        }
                    }
                }
            }
        } else {
            for (String[] aliasAndKey : mAliases.values()) {
                Integer preference = keyPrefs.get(aliasAndKey[1]);
                if (preference != null) {
                    aliases.add(new AliasEntry(preference, aliasAndKey[0]));
                }
            }
        }
        Collections.sort(aliases);
        return aliases.isEmpty() ? null : aliases.get(0).getAlias();
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        List<String> aliases = new ArrayList<>();
        if (issuers != null) {
            for (Principal issuer : issuers) {
                if (issuer instanceof X500Principal) {
                    String[] aliasAndKey = mAliases.get((X500Principal) issuer);
                    if (aliasAndKey != null) {
                        aliases.add(aliasAndKey[0]);
                    }
                }
            }
        } else {
            for (String[] aliasAndKey : mAliases.values()) {
                aliases.add(aliasAndKey[0]);
            }
        }
        return aliases.isEmpty() ? null : aliases.toArray(new String[aliases.size()]);
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        throw new UnsupportedOperationException();
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        throw new UnsupportedOperationException();
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        try {
            List<X509Certificate> certs = new ArrayList<>();
            for (Certificate certificate : mKeyStore.getCertificateChain(alias)) {
                if (certificate instanceof X509Certificate) {
                    certs.add((X509Certificate) certificate);
                }
            }
            return certs.toArray(new X509Certificate[certs.size()]);
        } catch (KeyStoreException kse) {
            Log.w(OSUManager.TAG, "Failed to retrieve certificates: " + kse);
            return null;
        }
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        try {
            return (PrivateKey) mKeyStore.getKey(alias, null);
        } catch (GeneralSecurityException gse) {
            Log.w(OSUManager.TAG, "Failed to retrieve private key: " + gse);
            return null;
        }
    }
}