1/*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.android.server.locksettings.recoverablekeystore;
18
19import static android.security.keystore.recovery.RecoveryController.ERROR_INVALID_CERTIFICATE;
20
21import com.android.internal.widget.LockPatternUtils;
22import android.annotation.NonNull;
23import android.annotation.Nullable;
24import android.os.RemoteException;
25import android.os.ServiceSpecificException;
26import android.security.keystore.recovery.TrustedRootCertificates;
27import android.util.Log;
28
29import java.util.HashMap;
30import java.security.cert.X509Certificate;
31import java.util.Map;
32import javax.crypto.SecretKey;
33
34/**
35 * The class provides helper methods to support end-to-end test with insecure certificate.
36 */
37public class TestOnlyInsecureCertificateHelper {
38    private static final String TAG = "TestCertHelper";
39
40    /**
41     * Constructor for the helper class.
42     */
43    public TestOnlyInsecureCertificateHelper() {
44    }
45
46    /**
47     * Returns a root certificate installed in the system for given alias.
48     * Returns default secure certificate if alias is empty or null.
49     * Can return insecure certificate for its alias.
50     */
51    public @NonNull X509Certificate
52            getRootCertificate(String rootCertificateAlias) throws RemoteException {
53        rootCertificateAlias = getDefaultCertificateAliasIfEmpty(rootCertificateAlias);
54        if (isTestOnlyCertificateAlias(rootCertificateAlias)) {
55            return TrustedRootCertificates.getTestOnlyInsecureCertificate();
56        }
57
58        X509Certificate rootCertificate =
59                TrustedRootCertificates.getRootCertificate(rootCertificateAlias);
60        if (rootCertificate == null) {
61            throw new ServiceSpecificException(
62                    ERROR_INVALID_CERTIFICATE, "The provided root certificate alias is invalid");
63        }
64        return rootCertificate;
65    }
66
67    public @NonNull String getDefaultCertificateAliasIfEmpty(
68            @Nullable String rootCertificateAlias) {
69        if (rootCertificateAlias == null || rootCertificateAlias.isEmpty()) {
70            Log.e(TAG, "rootCertificateAlias is null or empty - use secure default value");
71            // Use the default Google Key Vault Service CA certificate if the alias is not provided
72            rootCertificateAlias = TrustedRootCertificates.GOOGLE_CLOUD_KEY_VAULT_SERVICE_V1_ALIAS;
73        }
74        return rootCertificateAlias;
75    }
76
77    public boolean isTestOnlyCertificateAlias(String rootCertificateAlias) {
78        return TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS
79                .equals(rootCertificateAlias);
80    }
81
82    public boolean isValidRootCertificateAlias(String rootCertificateAlias) {
83        return TrustedRootCertificates.getRootCertificates().containsKey(rootCertificateAlias)
84                || isTestOnlyCertificateAlias(rootCertificateAlias);
85    }
86
87    public boolean doesCredentialSupportInsecureMode(int credentialType, String credential) {
88        return (credentialType == LockPatternUtils.CREDENTIAL_TYPE_PASSWORD)
89            && (credential != null)
90            && credential.startsWith(TrustedRootCertificates.INSECURE_PASSWORD_PREFIX);
91    }
92
93    public Map<String, SecretKey> keepOnlyWhitelistedInsecureKeys(Map<String, SecretKey> rawKeys) {
94        if (rawKeys == null) {
95            return null;
96        }
97        Map<String, SecretKey> filteredKeys = new HashMap<>();
98        for (Map.Entry<String, SecretKey> entry : rawKeys.entrySet()) {
99            String alias = entry.getKey();
100            if (alias != null
101                    && alias.startsWith(TrustedRootCertificates.INSECURE_KEY_ALIAS_PREFIX)) {
102                filteredKeys.put(entry.getKey(), entry.getValue());
103                Log.d(TAG, "adding key with insecure alias " + alias + " to the recovery snapshot");
104            }
105        }
106        return filteredKeys;
107    }
108}
109