TrustedRootCertificates.java revision fd4ae0b2ddd58f6acbb19632f20e40024e3d85b1
1/*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.security.keystore.recovery;
18
19import static android.security.keystore.recovery.X509CertificateParsingUtils.decodeBase64Cert;
20
21import android.annotation.NonNull;
22import android.util.ArrayMap;
23
24import java.security.cert.CertificateException;
25import java.security.cert.X509Certificate;
26import java.util.Map;
27
28/**
29 * Trusted root certificates for use by the
30 * {@link android.security.keystore.recovery.RecoveryController}. These certificates are used to
31 * verify the public keys of remote secure hardware modules. This is to prevent AOSP backing up keys
32 * to untrusted devices.
33 *
34 * @hide
35 */
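public final class TrustedRootCertificates {

    /** Alias under which the Google Cloud Key Vault Service V1 root certificate is registered. */
    public static final String GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS =
            "GoogleCloudKeyVaultServiceV1";

    // Base64 of the DER-encoded root certificate. It is pinned in code rather than loaded from
    // storage, so any edit to this constant changes the trust anchor and should be reviewed
    // against an independently obtained fingerprint.
    // NOTE(review): read from the encoded bytes, subject and issuer both appear to be
    // CN "Google CryptAuthVault" (self-signed) with validity 2018-02-02 to 2038-01-28; confirm
    // with a certificate parser before relying on these values.
    private static final String GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_BASE64 = ""
            + "MIIFJjCCAw6gAwIBAgIJAIobXsJlzhNdMA0GCSqGSIb3DQEBDQUAMCAxHjAcBgNV"
            + "BAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDAeFw0xODAyMDIxOTM5MTRaFw0zODAx"
            + "MjgxOTM5MTRaMCAxHjAcBgNVBAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDCCAiIw"
            + "DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2OT5i40/H7LINg/lq/0G0hR65P"
            + "Q4Mud3OnuVt6UIYV2T18+v6qW1yJd5FcnND/ZKPau4aUAYklqJuSVjOXQD0BjgS2"
            + "98Xa4dSn8Ci1rUR+5tdmrxqbYUdT2ZvJIUMMR6fRoqi+LlAbKECrV+zYQTyLU68w"
            + "V66hQpAButjJKiZzkXjmKLfJ5IWrNEn17XM988rk6qAQn/BYCCQGf3rQuJeksGmA"
            + "N1lJOwNYxmWUyouVwqwZthNEWqTuEyBFMkAT+99PXW7oVDc7oU5cevuihxQWNTYq"
            + "viGB8cck6RW3cmqrDSaJF/E+N0cXFKyYC7FDcggt6k3UrxNKTuySdDEa8+2RTQqU"
            + "Y9npxBlQE+x9Ig56OI1BG3bSBsGdPgjpyHadZeh2tgk+oqlGsSsum24YxaxuSysT"
            + "Qfcu/XhyfUXavfmGrBOXerTzIl5oBh/F5aHTV85M2tYEG0qsPPvSpZAWtdJ/2rca"
            + "OxvhwOL+leZKr8McjXVR00lBsRuKXX4nTUMwya09CO3QHFPFZtZvqjy2HaMOnVLQ"
            + "I6b6dHEfmsHybzVOe3yPEoFQSU9UhUdmi71kwwoanPD3j9fJHmXTx4PzYYBRf1ZE"
            + "o+uPgMPk7CDKQFZLjnR40z1uzu3O8aZ3AKZzP+j7T4XQKJLQLmllKtPgLgNdJyib"
            + "2Glg7QhXH/jBTL6hAgMBAAGjYzBhMB0GA1UdDgQWBBSbZfrqOYH54EJpkdKMZjMc"
            + "z/Hp+DAfBgNVHSMEGDAWgBSbZfrqOYH54EJpkdKMZjMcz/Hp+DAPBgNVHRMBAf8E"
            + "BTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCAgEAKh9nm/vW"
            + "glMWp3vcCwWwJW286ecREDlI+CjGh5h+f2N4QRrXd/tKE3qQJWCqGx8sFfIUjmI7"
            + "KYdsC2gyQ2cA2zl0w7pB2QkuqE6zVbnh1D17Hwl19IMyAakFaM9ad4/EoH7oQmqX"
            + "nF/f5QXGZw4kf1HcgKgoCHWXjqR8MqHOcXR8n6WFqxjzJf1jxzi6Yo2dZ7PJbnE6"
            + "+kHIJuiCpiHL75v5g1HM41gT3ddFFSrn88ThNPWItT5Z8WpFjryVzank2Yt02LLl"
            + "WqZg9IC375QULc5B58NMnaiVJIDJQ8zoNgj1yaxqtUMnJX570lotO2OXe4ec9aCQ"
            + "DIJ84YLM/qStFdeZ9416E80dchskbDG04GuVJKlzWjxAQNMRFhyaPUSBTLLg+kwP"
            + "t9+AMmc+A7xjtFQLZ9fBYHOBsndJOmeSQeYeckl+z/1WQf7DdwXn/yijon7mxz4z"
            + "cCczfKwTJTwBh3wR5SQr2vQm7qaXM87qxF8PCAZrdZaw5I80QwkgTj0WTZ2/GdSw"
            + "d3o5SyzzBAjpwtG+4bO/BD9h9wlTsHpT6yWOZs4OYAKU5ykQrncI8OyavMggArh3"
            + "/oM58v0orUWINtIc2hBlka36PhATYQiLf+AiWKnwhCaaHExoYKfQlMtXBodNvOK8"
            + "xqx69x05q/qbHKEcTHrsss630vxrp1niXvA=";

    /**
     * The X509 certificate of the trusted root CA cert for the recoverable key store service.
     *
     * TODO: Change it to the production certificate root CA before the final launch.
     *
     * <p>Until that TODO is resolved, this is the only anchor registered in this class, so
     * whether it is a production root should be confirmed before shipping.
     */
    // Must be declared before ALL_ROOT_CERTIFICATES: static initializers run in textual order
    // and the map builder reads this field.
    private static final X509Certificate GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_CERTIFICATE =
            parseGoogleCloudKeyVaultServiceV1Certificate();

    // Initial capacity hint for the alias map; keep in sync with the entries added in
    // constructRootCertificateMap().
    private static final int NUMBER_OF_ROOT_CERTIFICATES = 1;

    // Internal alias -> certificate table. Never handed out directly; see getRootCertificates().
    private static final ArrayMap<String, X509Certificate> ALL_ROOT_CERTIFICATES =
            constructRootCertificateMap();

    /**
     * Returns all available root certificates, keyed by alias.
     *
     * <p>The result is a fresh copy on every call, so a caller adding or removing entries
     * cannot alter the built-in set of trust anchors held by this class.
     *
     * @return a new map from alias to root certificate
     */
    public static @NonNull Map<String, X509Certificate> getRootCertificates() {
        // Diamond instead of the raw ArrayMap type keeps the copy type-checked.
        return new ArrayMap<>(ALL_ROOT_CERTIFICATES);
    }

    /**
     * Gets a root certificate referenced by the given {@code alias}.
     *
     * <p>NOTE(review): the method is annotated {@code @NonNull}, yet the lookup returns
     * {@code null} for an unknown alias. Callers should null-check the result and treat a
     * missing anchor as a verification failure; the annotation should be reconciled with this
     * contract.
     *
     * @param alias the alias of the certificate
     * @return the certificate referenced by the alias, or null if such a certificate doesn't exist.
     */
    public static @NonNull X509Certificate getRootCertificate(String alias) {
        return ALL_ROOT_CERTIFICATES.get(alias);
    }

    /**
     * Builds the alias-to-certificate table from the certificates embedded in this class.
     *
     * @return a map holding one entry per built-in root certificate
     */
    private static ArrayMap<String, X509Certificate> constructRootCertificateMap() {
        ArrayMap<String, X509Certificate> certificates =
                new ArrayMap<>(NUMBER_OF_ROOT_CERTIFICATES);
        certificates.put(
                GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS,
                GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_CERTIFICATE);
        return certificates;
    }

    /**
     * Decodes the embedded Base64 constant into an {@link X509Certificate}.
     *
     * @return the parsed root certificate
     * @throws IllegalStateException if the embedded constant cannot be parsed, which aborts
     *     class initialization instead of continuing without a trust anchor
     */
    private static X509Certificate parseGoogleCloudKeyVaultServiceV1Certificate() {
        try {
            return decodeBase64Cert(GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_BASE64);
        } catch (CertificateException e) {
            // Should not happen: the input is a compile-time constant. Fail loudly and name the
            // affected alias, keeping the original exception as the cause.
            throw new IllegalStateException(
                    "Failed to parse built-in root certificate "
                            + GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS,
                    e);
        }
    }

    // Statics only
    private TrustedRootCertificates() {}
}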
122