TrustedRootCertificates.java revision 93d002ca5f94facfec75359999c910f914d7b7c4 
1/*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.security.keystore.recovery;
18
19import static android.security.keystore.recovery.X509CertificateParsingUtils.decodeBase64Cert;
20
21import android.util.ArrayMap;
22
23import java.security.cert.CertificateException;
24import java.security.cert.X509Certificate;
25import java.util.Map;
26
27/**
28 * Trusted root certificates for use by the
29 * {@link android.security.keystore.recovery.RecoveryController}. These certificates are used to
30 * verify the public keys of remote secure hardware modules. This is to prevent AOSP backing up keys
31 * to untrusted devices.
32 *
33 * @hide
34 */
35public final class TrustedRootCertificates {
36
37    public static final String GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS =
38            "GoogleCloudKeyVaultServiceV1";
39
40    private static final String GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_BASE64 = ""
41            + "MIIFJjCCAw6gAwIBAgIJAIobXsJlzhNdMA0GCSqGSIb3DQEBDQUAMCAxHjAcBgNV"
42            + "BAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDAeFw0xODAyMDIxOTM5MTRaFw0zODAx"
43            + "MjgxOTM5MTRaMCAxHjAcBgNVBAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDCCAiIw"
44            + "DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2OT5i40/H7LINg/lq/0G0hR65P"
45            + "Q4Mud3OnuVt6UIYV2T18+v6qW1yJd5FcnND/ZKPau4aUAYklqJuSVjOXQD0BjgS2"
46            + "98Xa4dSn8Ci1rUR+5tdmrxqbYUdT2ZvJIUMMR6fRoqi+LlAbKECrV+zYQTyLU68w"
47            + "V66hQpAButjJKiZzkXjmKLfJ5IWrNEn17XM988rk6qAQn/BYCCQGf3rQuJeksGmA"
48            + "N1lJOwNYxmWUyouVwqwZthNEWqTuEyBFMkAT+99PXW7oVDc7oU5cevuihxQWNTYq"
49            + "viGB8cck6RW3cmqrDSaJF/E+N0cXFKyYC7FDcggt6k3UrxNKTuySdDEa8+2RTQqU"
50            + "Y9npxBlQE+x9Ig56OI1BG3bSBsGdPgjpyHadZeh2tgk+oqlGsSsum24YxaxuSysT"
51            + "Qfcu/XhyfUXavfmGrBOXerTzIl5oBh/F5aHTV85M2tYEG0qsPPvSpZAWtdJ/2rca"
52            + "OxvhwOL+leZKr8McjXVR00lBsRuKXX4nTUMwya09CO3QHFPFZtZvqjy2HaMOnVLQ"
53            + "I6b6dHEfmsHybzVOe3yPEoFQSU9UhUdmi71kwwoanPD3j9fJHmXTx4PzYYBRf1ZE"
54            + "o+uPgMPk7CDKQFZLjnR40z1uzu3O8aZ3AKZzP+j7T4XQKJLQLmllKtPgLgNdJyib"
55            + "2Glg7QhXH/jBTL6hAgMBAAGjYzBhMB0GA1UdDgQWBBSbZfrqOYH54EJpkdKMZjMc"
56            + "z/Hp+DAfBgNVHSMEGDAWgBSbZfrqOYH54EJpkdKMZjMcz/Hp+DAPBgNVHRMBAf8E"
57            + "BTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCAgEAKh9nm/vW"
58            + "glMWp3vcCwWwJW286ecREDlI+CjGh5h+f2N4QRrXd/tKE3qQJWCqGx8sFfIUjmI7"
59            + "KYdsC2gyQ2cA2zl0w7pB2QkuqE6zVbnh1D17Hwl19IMyAakFaM9ad4/EoH7oQmqX"
60            + "nF/f5QXGZw4kf1HcgKgoCHWXjqR8MqHOcXR8n6WFqxjzJf1jxzi6Yo2dZ7PJbnE6"
61            + "+kHIJuiCpiHL75v5g1HM41gT3ddFFSrn88ThNPWItT5Z8WpFjryVzank2Yt02LLl"
62            + "WqZg9IC375QULc5B58NMnaiVJIDJQ8zoNgj1yaxqtUMnJX570lotO2OXe4ec9aCQ"
63            + "DIJ84YLM/qStFdeZ9416E80dchskbDG04GuVJKlzWjxAQNMRFhyaPUSBTLLg+kwP"
64            + "t9+AMmc+A7xjtFQLZ9fBYHOBsndJOmeSQeYeckl+z/1WQf7DdwXn/yijon7mxz4z"
65            + "cCczfKwTJTwBh3wR5SQr2vQm7qaXM87qxF8PCAZrdZaw5I80QwkgTj0WTZ2/GdSw"
66            + "d3o5SyzzBAjpwtG+4bO/BD9h9wlTsHpT6yWOZs4OYAKU5ykQrncI8OyavMggArh3"
67            + "/oM58v0orUWINtIc2hBlka36PhATYQiLf+AiWKnwhCaaHExoYKfQlMtXBodNvOK8"
68            + "xqx69x05q/qbHKEcTHrsss630vxrp1niXvA=";
69
70    /**
71     * The X509 certificate of the trusted root CA cert for the recoverable key store service.
72     *
73     * TODO: Change it to the production certificate root CA before the final launch.
74     */
75    private static final X509Certificate GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_CERTIFICATE =
76            parseGoogleCloudKeyVaultServiceV1Certificate();
77
78    private static final int NUMBER_OF_ROOT_CERTIFICATES = 1;
79
80    private static final ArrayMap<String, X509Certificate> ALL_ROOT_CERTIFICATES =
81            constructRootCertificateMap();
82
83    /**
84     * Returns all available root certificates, keyed by alias.
85     */
86    public static Map<String, X509Certificate> getRootCertificates() {
87        return new ArrayMap(ALL_ROOT_CERTIFICATES);
88    }
89
90    /**
91     * Gets a root certificate referenced by the given {@code alias}.
92     *
93     * @param alias the alias of the certificate
94     * @return the certificate referenced by the alias, or null if such a certificate doesn't exist.
95     */
96    public static X509Certificate getRootCertificate(String alias) {
97        return ALL_ROOT_CERTIFICATES.get(alias);
98    }
99
100    private static ArrayMap<String, X509Certificate> constructRootCertificateMap() {
101        ArrayMap<String, X509Certificate> certificates =
102                new ArrayMap<>(NUMBER_OF_ROOT_CERTIFICATES);
103        certificates.put(
104                GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS,
105                GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_CERTIFICATE);
106        return certificates;
107    }
108
109    private static X509Certificate parseGoogleCloudKeyVaultServiceV1Certificate() {
110        try {
111            return decodeBase64Cert(GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_BASE64);
112        } catch (CertificateException e) {
113            // Should not happen
114            throw new RuntimeException(e);
115        }
116    }
117
118    // Statics only
119    private TrustedRootCertificates() {}
120}
121