TrustedRootCertificates.java revision b31ab6740d66b21a74ffa77b753ea3364288254e
1/* 2 * Copyright (C) 2018 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package android.security.keystore.recovery; 18 19import static android.security.keystore.recovery.X509CertificateParsingUtils.decodeBase64Cert; 20 21import android.util.ArrayMap; 22 23import java.security.cert.CertificateException; 24import java.security.cert.X509Certificate; 25import java.util.Map; 26 27/** 28 * Trusted root certificates for use by the 29 * {@link android.security.keystore.recovery.RecoveryController}. These certificates are used to 30 * verify the public keys of remote secure hardware modules. This is to prevent AOSP backing up keys 31 * to untrusted devices. 32 * 33 * @hide 34 */ 35public class TrustedRootCertificates { 36 37 public static final String GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS = 38 "GoogleCloudKeyVaultServiceV1"; 39 40 private static final String GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_BASE64 = "" 41 + "MIIFJjCCAw6gAwIBAgIJAIobXsJlzhNdMA0GCSqGSIb3DQEBDQUAMCAxHjAcBgNV" 42 + "BAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDAeFw0xODAyMDIxOTM5MTRaFw0zODAx" 43 + "MjgxOTM5MTRaMCAxHjAcBgNVBAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDCCAiIw" 44 + "DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2OT5i40/H7LINg/lq/0G0hR65P" 45 + "Q4Mud3OnuVt6UIYV2T18+v6qW1yJd5FcnND/ZKPau4aUAYklqJuSVjOXQD0BjgS2" 46 + "98Xa4dSn8Ci1rUR+5tdmrxqbYUdT2ZvJIUMMR6fRoqi+LlAbKECrV+zYQTyLU68w" 47 + "V66hQpAButjJKiZzkXjmKLfJ5IWrNEn17XM988rk6qAQn/BYCCQGf3rQuJeksGmA" 48 + "N1lJOwNYxmWUyouVwqwZthNEWqTuEyBFMkAT+99PXW7oVDc7oU5cevuihxQWNTYq" 49 + "viGB8cck6RW3cmqrDSaJF/E+N0cXFKyYC7FDcggt6k3UrxNKTuySdDEa8+2RTQqU" 50 + "Y9npxBlQE+x9Ig56OI1BG3bSBsGdPgjpyHadZeh2tgk+oqlGsSsum24YxaxuSysT" 51 + "Qfcu/XhyfUXavfmGrBOXerTzIl5oBh/F5aHTV85M2tYEG0qsPPvSpZAWtdJ/2rca" 52 + "OxvhwOL+leZKr8McjXVR00lBsRuKXX4nTUMwya09CO3QHFPFZtZvqjy2HaMOnVLQ" 53 + "I6b6dHEfmsHybzVOe3yPEoFQSU9UhUdmi71kwwoanPD3j9fJHmXTx4PzYYBRf1ZE" 54 + "o+uPgMPk7CDKQFZLjnR40z1uzu3O8aZ3AKZzP+j7T4XQKJLQLmllKtPgLgNdJyib" 55 + "2Glg7QhXH/jBTL6hAgMBAAGjYzBhMB0GA1UdDgQWBBSbZfrqOYH54EJpkdKMZjMc" 56 + "z/Hp+DAfBgNVHSMEGDAWgBSbZfrqOYH54EJpkdKMZjMcz/Hp+DAPBgNVHRMBAf8E" 57 + "BTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCAgEAKh9nm/vW" 58 + "glMWp3vcCwWwJW286ecREDlI+CjGh5h+f2N4QRrXd/tKE3qQJWCqGx8sFfIUjmI7" 59 + "KYdsC2gyQ2cA2zl0w7pB2QkuqE6zVbnh1D17Hwl19IMyAakFaM9ad4/EoH7oQmqX" 60 + "nF/f5QXGZw4kf1HcgKgoCHWXjqR8MqHOcXR8n6WFqxjzJf1jxzi6Yo2dZ7PJbnE6" 61 + "+kHIJuiCpiHL75v5g1HM41gT3ddFFSrn88ThNPWItT5Z8WpFjryVzank2Yt02LLl" 62 + "WqZg9IC375QULc5B58NMnaiVJIDJQ8zoNgj1yaxqtUMnJX570lotO2OXe4ec9aCQ" 63 + "DIJ84YLM/qStFdeZ9416E80dchskbDG04GuVJKlzWjxAQNMRFhyaPUSBTLLg+kwP" 64 + "t9+AMmc+A7xjtFQLZ9fBYHOBsndJOmeSQeYeckl+z/1WQf7DdwXn/yijon7mxz4z" 65 + "cCczfKwTJTwBh3wR5SQr2vQm7qaXM87qxF8PCAZrdZaw5I80QwkgTj0WTZ2/GdSw" 66 + "d3o5SyzzBAjpwtG+4bO/BD9h9wlTsHpT6yWOZs4OYAKU5ykQrncI8OyavMggArh3" 67 + "/oM58v0orUWINtIc2hBlka36PhATYQiLf+AiWKnwhCaaHExoYKfQlMtXBodNvOK8" 68 + "xqx69x05q/qbHKEcTHrsss630vxrp1niXvA="; 69 70 /** 71 * The X509 certificate of the trusted root CA cert for the recoverable key store service. 72 * 73 * TODO: Change it to the production certificate root CA before the final launch. 74 */ 75 private static final X509Certificate GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_CERTIFICATE = 76 parseGoogleCloudKeyVaultServiceV1Certificate(); 77 78 private static final int NUMBER_OF_ROOT_CERTIFICATES = 1; 79 80 private static final ArrayMap<String, X509Certificate> ALL_ROOT_CERTIFICATES = 81 constructRootCertificateMap(); 82 83 /** 84 * Returns all available root certificates, keyed by alias. 85 */ 86 public static Map<String, X509Certificate> listRootCertificates() { 87 return new ArrayMap(ALL_ROOT_CERTIFICATES); 88 } 89 90 /** 91 * Gets a root certificate referenced by the given {@code alias}. 92 * 93 * @param alias the alias of the certificate 94 * @return the certificate referenced by the alias, or null if such a certificate doesn't exist. 95 */ 96 public static X509Certificate getRootCertificate(String alias) { 97 return ALL_ROOT_CERTIFICATES.get(alias); 98 } 99 100 private static ArrayMap<String, X509Certificate> constructRootCertificateMap() { 101 ArrayMap<String, X509Certificate> certificates = 102 new ArrayMap<>(NUMBER_OF_ROOT_CERTIFICATES); 103 certificates.put( 104 GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS, 105 GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_CERTIFICATE); 106 return certificates; 107 } 108 109 private static X509Certificate parseGoogleCloudKeyVaultServiceV1Certificate() { 110 try { 111 return decodeBase64Cert(GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_BASE64); 112 } catch (CertificateException e) { 113 // Should not happen 114 throw new RuntimeException(e); 115 } 116 } 117} 118