TrustedRootCertificates.java revision fd4ae0b2ddd58f6acbb19632f20e40024e3d85b1
1/* 2 * Copyright (C) 2018 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package android.security.keystore.recovery; 18 19import static android.security.keystore.recovery.X509CertificateParsingUtils.decodeBase64Cert; 20 21import android.annotation.NonNull; 22import android.util.ArrayMap; 23 24import java.security.cert.CertificateException; 25import java.security.cert.X509Certificate; 26import java.util.Map; 27 28/** 29 * Trusted root certificates for use by the 30 * {@link android.security.keystore.recovery.RecoveryController}. These certificates are used to 31 * verify the public keys of remote secure hardware modules. This is to prevent AOSP backing up keys 32 * to untrusted devices. 33 * 34 * @hide 35 */ 36public final class TrustedRootCertificates { 37 38 public static final String GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS = 39 "GoogleCloudKeyVaultServiceV1"; 40 41 private static final String GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_BASE64 = "" 42 + "MIIFJjCCAw6gAwIBAgIJAIobXsJlzhNdMA0GCSqGSIb3DQEBDQUAMCAxHjAcBgNV" 43 + "BAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDAeFw0xODAyMDIxOTM5MTRaFw0zODAx" 44 + "MjgxOTM5MTRaMCAxHjAcBgNVBAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDCCAiIw" 45 + "DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2OT5i40/H7LINg/lq/0G0hR65P" 46 + "Q4Mud3OnuVt6UIYV2T18+v6qW1yJd5FcnND/ZKPau4aUAYklqJuSVjOXQD0BjgS2" 47 + "98Xa4dSn8Ci1rUR+5tdmrxqbYUdT2ZvJIUMMR6fRoqi+LlAbKECrV+zYQTyLU68w" 48 + "V66hQpAButjJKiZzkXjmKLfJ5IWrNEn17XM988rk6qAQn/BYCCQGf3rQuJeksGmA" 49 + "N1lJOwNYxmWUyouVwqwZthNEWqTuEyBFMkAT+99PXW7oVDc7oU5cevuihxQWNTYq" 50 + "viGB8cck6RW3cmqrDSaJF/E+N0cXFKyYC7FDcggt6k3UrxNKTuySdDEa8+2RTQqU" 51 + "Y9npxBlQE+x9Ig56OI1BG3bSBsGdPgjpyHadZeh2tgk+oqlGsSsum24YxaxuSysT" 52 + "Qfcu/XhyfUXavfmGrBOXerTzIl5oBh/F5aHTV85M2tYEG0qsPPvSpZAWtdJ/2rca" 53 + "OxvhwOL+leZKr8McjXVR00lBsRuKXX4nTUMwya09CO3QHFPFZtZvqjy2HaMOnVLQ" 54 + "I6b6dHEfmsHybzVOe3yPEoFQSU9UhUdmi71kwwoanPD3j9fJHmXTx4PzYYBRf1ZE" 55 + "o+uPgMPk7CDKQFZLjnR40z1uzu3O8aZ3AKZzP+j7T4XQKJLQLmllKtPgLgNdJyib" 56 + "2Glg7QhXH/jBTL6hAgMBAAGjYzBhMB0GA1UdDgQWBBSbZfrqOYH54EJpkdKMZjMc" 57 + "z/Hp+DAfBgNVHSMEGDAWgBSbZfrqOYH54EJpkdKMZjMcz/Hp+DAPBgNVHRMBAf8E" 58 + "BTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCAgEAKh9nm/vW" 59 + "glMWp3vcCwWwJW286ecREDlI+CjGh5h+f2N4QRrXd/tKE3qQJWCqGx8sFfIUjmI7" 60 + "KYdsC2gyQ2cA2zl0w7pB2QkuqE6zVbnh1D17Hwl19IMyAakFaM9ad4/EoH7oQmqX" 61 + "nF/f5QXGZw4kf1HcgKgoCHWXjqR8MqHOcXR8n6WFqxjzJf1jxzi6Yo2dZ7PJbnE6" 62 + "+kHIJuiCpiHL75v5g1HM41gT3ddFFSrn88ThNPWItT5Z8WpFjryVzank2Yt02LLl" 63 + "WqZg9IC375QULc5B58NMnaiVJIDJQ8zoNgj1yaxqtUMnJX570lotO2OXe4ec9aCQ" 64 + "DIJ84YLM/qStFdeZ9416E80dchskbDG04GuVJKlzWjxAQNMRFhyaPUSBTLLg+kwP" 65 + "t9+AMmc+A7xjtFQLZ9fBYHOBsndJOmeSQeYeckl+z/1WQf7DdwXn/yijon7mxz4z" 66 + "cCczfKwTJTwBh3wR5SQr2vQm7qaXM87qxF8PCAZrdZaw5I80QwkgTj0WTZ2/GdSw" 67 + "d3o5SyzzBAjpwtG+4bO/BD9h9wlTsHpT6yWOZs4OYAKU5ykQrncI8OyavMggArh3" 68 + "/oM58v0orUWINtIc2hBlka36PhATYQiLf+AiWKnwhCaaHExoYKfQlMtXBodNvOK8" 69 + "xqx69x05q/qbHKEcTHrsss630vxrp1niXvA="; 70 71 /** 72 * The X509 certificate of the trusted root CA cert for the recoverable key store service. 73 * 74 * TODO: Change it to the production certificate root CA before the final launch. 75 */ 76 private static final X509Certificate GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_CERTIFICATE = 77 parseGoogleCloudKeyVaultServiceV1Certificate(); 78 79 private static final int NUMBER_OF_ROOT_CERTIFICATES = 1; 80 81 private static final ArrayMap<String, X509Certificate> ALL_ROOT_CERTIFICATES = 82 constructRootCertificateMap(); 83 84 /** 85 * Returns all available root certificates, keyed by alias. 86 */ 87 public static @NonNull Map<String, X509Certificate> getRootCertificates() { 88 return new ArrayMap(ALL_ROOT_CERTIFICATES); 89 } 90 91 /** 92 * Gets a root certificate referenced by the given {@code alias}. 93 * 94 * @param alias the alias of the certificate 95 * @return the certificate referenced by the alias, or null if such a certificate doesn't exist. 96 */ 97 public static @NonNull X509Certificate getRootCertificate(String alias) { 98 return ALL_ROOT_CERTIFICATES.get(alias); 99 } 100 101 private static ArrayMap<String, X509Certificate> constructRootCertificateMap() { 102 ArrayMap<String, X509Certificate> certificates = 103 new ArrayMap<>(NUMBER_OF_ROOT_CERTIFICATES); 104 certificates.put( 105 GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS, 106 GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_CERTIFICATE); 107 return certificates; 108 } 109 110 private static X509Certificate parseGoogleCloudKeyVaultServiceV1Certificate() { 111 try { 112 return decodeBase64Cert(GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_BASE64); 113 } catch (CertificateException e) { 114 // Should not happen 115 throw new RuntimeException(e); 116 } 117 } 118 119 // Statics only 120 private TrustedRootCertificates() {} 121} 122