1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
|
/*
* Copyright (C) 2011 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security;
import static android.security.Credentials.ACTION_MANAGE_CREDENTIALS;
import android.Manifest;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.RequiresPermission;
import android.annotation.SdkConstant;
import android.annotation.SdkConstant.SdkConstantType;
import android.annotation.SystemApi;
import android.annotation.TestApi;
import android.annotation.WorkerThread;
import android.app.Activity;
import android.app.PendingIntent;
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.net.Uri;
import android.os.Binder;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Process;
import android.os.RemoteException;
import android.os.UserHandle;
import android.os.UserManager;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.system.keystore2.Domain;
import android.system.keystore2.KeyDescriptor;
import android.util.Log;
import com.android.org.conscrypt.TrustedCertificateStore;
import java.io.ByteArrayInputStream;
import java.io.Closeable;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.x500.X500Principal;
/**
* The {@code KeyChain} class provides access to private keys and
* their corresponding certificate chains in credential storage.
*
* <p>Applications accessing the {@code KeyChain} normally go through
* these steps:
*
* <ol>
*
* <li>Receive a callback from an {@link javax.net.ssl.X509KeyManager
* X509KeyManager} that a private key is requested.
*
* <li>Call {@link #choosePrivateKeyAlias
* choosePrivateKeyAlias} to allow the user to select from a
* list of currently available private keys and corresponding
* certificate chains. The chosen alias will be returned by the
* callback {@link KeyChainAliasCallback#alias}, or null if no private
* key is available or the user cancels the request.
*
* <li>Call {@link #getPrivateKey} and {@link #getCertificateChain} to
* retrieve the credentials to return to the corresponding {@link
* javax.net.ssl.X509KeyManager} callbacks.
*
* </ol>
*
* <p>An application may remember the value of a selected alias to
* avoid prompting the user with {@link #choosePrivateKeyAlias
* choosePrivateKeyAlias} on subsequent connections. If the alias is
* no longer valid, null will be returned on lookups using that value
*
* <p>An application can request the installation of private keys and
* certificates via the {@code Intent} provided by {@link
* #createInstallIntent}. Private keys installed via this {@code
* Intent} will be accessible via {@link #choosePrivateKeyAlias} while
* Certificate Authority (CA) certificates will be trusted by all
* applications through the default {@code X509TrustManager}.
*/
// TODO reference intent for credential installation when public
public final class KeyChain {
/**
* @hide
*/
public static final String LOG = "KeyChain";
/**
* @hide Also used by KeyChainService implementation
*/
public static final String ACCOUNT_TYPE = "com.android.keychain";
/**
* Package name for KeyChain chooser.
*/
private static final String KEYCHAIN_PACKAGE = "com.android.keychain";
/**
* Action to bring up the KeyChainActivity
*/
private static final String ACTION_CHOOSER = "com.android.keychain.CHOOSER";
/**
* Package name for the Certificate Installer.
*/
private static final String CERT_INSTALLER_PACKAGE = "com.android.certinstaller";
/**
* Package name for Settings.
*/
private static final String SETTINGS_PACKAGE = "com.android.settings";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_RESPONSE = "response";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_URI = "uri";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_ALIAS = "alias";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_SENDER = "sender";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_KEY_TYPES = "key_types";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_ISSUERS = "issuers";
/**
* Action to bring up the CertInstaller.
*/
private static final String ACTION_INSTALL = "android.credentials.INSTALL";
/**
* Optional extra to specify a {@code String} credential name on
* the {@code Intent} returned by {@link #createInstallIntent}.
*/
// Compatible with old com.android.certinstaller.CredentialHelper.CERT_NAME_KEY
public static final String EXTRA_NAME = "name";
/**
* Optional extra to specify an X.509 certificate to install on
* the {@code Intent} returned by {@link #createInstallIntent}.
* The extra value should be a PEM or ASN.1 DER encoded {@code
* byte[]}. An {@link X509Certificate} can be converted to DER
* encoded bytes with {@link X509Certificate#getEncoded}.
*
* <p>{@link #EXTRA_NAME} may be used to provide a default alias
* name for the installed certificate.
*/
// Compatible with old android.security.Credentials.CERTIFICATE
public static final String EXTRA_CERTIFICATE = "CERT";
/**
* Optional extra for use with the {@code Intent} returned by
* {@link #createInstallIntent} to specify a PKCS#12 key store to
* install. The extra value should be a {@code byte[]}. The bytes
* may come from an external source or be generated with {@link
* java.security.KeyStore#store} on a "PKCS12" instance.
*
* <p>The user will be prompted for the password to load the key store.
*
* <p>The key store will be scanned for {@link
* java.security.KeyStore.PrivateKeyEntry} entries and both the
* private key and associated certificate chain will be installed.
*
* <p>{@link #EXTRA_NAME} may be used to provide a default alias
* name for the installed credentials.
*/
// Compatible with old android.security.Credentials.PKCS12
public static final String EXTRA_PKCS12 = "PKCS12";
/**
* Extra used by {@link #createManageCredentialsIntent(AppUriAuthenticationPolicy)} to specify
* the authentication policy of the credential management app.
*
* <p>The authentication policy declares which alias for a private key and certificate pair
* should be used for authentication, given a list of apps and URIs.
*
* <p>The extra value should be a {@link AppUriAuthenticationPolicy}.
*
* @hide
*/
public static final String EXTRA_AUTHENTICATION_POLICY =
"android.security.extra.AUTHENTICATION_POLICY";
/**
* Broadcast Action: Indicates the trusted storage has changed. Sent when
* one of this happens:
*
* <ul>
* <li>a new CA is added,
* <li>an existing CA is removed or disabled,
* <li>a disabled CA is enabled,
* <li>trusted storage is reset (all user certs are cleared),
* <li>when permission to access a private key is changed.
* </ul>
*
* @deprecated Use {@link #ACTION_KEYCHAIN_CHANGED}, {@link #ACTION_TRUST_STORE_CHANGED} or
* {@link #ACTION_KEY_ACCESS_CHANGED}. Apps that target a version higher than
* {@link android.os.Build.VERSION_CODES#N_MR1} will only receive this broadcast if they
* register for it at runtime.
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_STORAGE_CHANGED = "android.security.STORAGE_CHANGED";
/**
* Broadcast Action: Indicates the contents of the keychain has changed. Sent when a KeyChain
* entry is added, modified or removed.
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_KEYCHAIN_CHANGED = "android.security.action.KEYCHAIN_CHANGED";
/**
* Broadcast Action: Indicates the contents of the trusted certificate store has changed. Sent
* when one the following occurs:
*
* <ul>
* <li>A pre-installed CA is disabled or re-enabled</li>
* <li>A CA is added or removed from the trust store</li>
* </ul>
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_TRUST_STORE_CHANGED =
"android.security.action.TRUST_STORE_CHANGED";
/**
* Broadcast Action: Indicates that the access permissions for a private key have changed.
*
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_KEY_ACCESS_CHANGED =
"android.security.action.KEY_ACCESS_CHANGED";
/**
* Used as a String extra field in {@link #ACTION_KEY_ACCESS_CHANGED} to supply the alias of
* the key.
*/
public static final String EXTRA_KEY_ALIAS = "android.security.extra.KEY_ALIAS";
/**
* Used as a boolean extra field in {@link #ACTION_KEY_ACCESS_CHANGED} to supply if the key is
* accessible to the application.
*/
public static final String EXTRA_KEY_ACCESSIBLE = "android.security.extra.KEY_ACCESSIBLE";
/**
* Indicates that a call to {@link #generateKeyPair} was successful.
* @hide
*/
public static final int KEY_GEN_SUCCESS = 0;
/**
* An alias was missing from the key specifications when calling {@link #generateKeyPair}.
* @hide
*/
public static final int KEY_GEN_MISSING_ALIAS = 1;
/**
* A key attestation challenge was provided to {@link #generateKeyPair}, but it shouldn't
* have been provided.
* @hide
*/
public static final int KEY_GEN_SUPERFLUOUS_ATTESTATION_CHALLENGE = 2;
/**
* Algorithm not supported by {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_NO_SUCH_ALGORITHM = 3;
/**
* Invalid algorithm parameters when calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_INVALID_ALGORITHM_PARAMETERS = 4;
/**
* Keystore is not available when calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_NO_KEYSTORE_PROVIDER = 5;
/**
* StrongBox unavailable when calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_STRONGBOX_UNAVAILABLE = 6;
/**
* General failure while calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_FAILURE = 7;
/**
* Successful call to {@link #attestKey}
* @hide
*/
public static final int KEY_ATTESTATION_SUCCESS = 0;
/**
* Attestation challenge missing when calling {@link #attestKey}
* @hide
*/
public static final int KEY_ATTESTATION_MISSING_CHALLENGE = 1;
/**
* The caller requested Device ID attestation when calling {@link #attestKey}, but has no
* permissions to get device identifiers.
* @hide
*/
public static final int KEY_ATTESTATION_CANNOT_COLLECT_DATA = 2;
/**
* The underlying hardware does not support Device ID attestation or cannot attest to the
* identifiers that are stored on the device. This indicates permanent inability
* to get attestation records on the device.
* @hide
*/
public static final int KEY_ATTESTATION_CANNOT_ATTEST_IDS = 3;
/**
* General failure when calling {@link #attestKey}
* @hide
*/
public static final int KEY_ATTESTATION_FAILURE = 4;
/**
* Used by DPC or delegated app in
* {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias} or
* {@link android.app.admin.DelegatedAdminReceiver#onChoosePrivateKeyAlias} to identify that
* the requesting app is not granted access to any key, and nor will the user be able to grant
* access manually.
*/
public static final String KEY_ALIAS_SELECTION_DENIED =
"android:alias-selection-denied";
/**
* Returns an {@code Intent} that can be used for credential
* installation. The intent may be used without any extras, in
* which case the user will be able to install credentials from
* their own source.
*
* <p>Alternatively, {@link #EXTRA_CERTIFICATE} or {@link
* #EXTRA_PKCS12} maybe used to specify the bytes of an X.509
* certificate or a PKCS#12 key store for installation. These
* extras may be combined with {@link #EXTRA_NAME} to provide a
* default alias name for credentials being installed.
*
* <p>When used with {@link Activity#startActivityForResult},
* {@link Activity#RESULT_OK} will be returned if a credential was
* successfully installed, otherwise {@link
* Activity#RESULT_CANCELED} will be returned.
*
* <p>Starting from {@link android.os.Build.VERSION_CODES#R}, the intent returned by this
* method cannot be used for installing CA certificates. Since CA certificates can only be
* installed via Settings, the app should provide the user with a file containing the
* CA certificate. One way to do this would be to use the {@link android.provider.MediaStore}
* API to write the certificate to the {@link android.provider.MediaStore.Downloads}
* collection.
*/
@NonNull
public static Intent createInstallIntent() {
Intent intent = new Intent(ACTION_INSTALL);
intent.setClassName(CERT_INSTALLER_PACKAGE,
"com.android.certinstaller.CertInstallerMain");
return intent;
}
/**
* Returns an {@code Intent} that should be used by an app to request to manage the user's
* credentials. This is limited to unmanaged devices. The authentication policy must be
* provided to be able to make this request successfully.
*
* <p> This intent should be started using {@link Activity#startActivityForResult(Intent, int)}
* to verify whether the request was successful and whether the user accepted or denied the
* request. If the user successfully receives and accepts the request, the result code will be
* {@link Activity#RESULT_OK}, otherwise the result code will be
* {@link Activity#RESULT_CANCELED}.
*
* <p> {@link KeyChain#isCredentialManagementApp(Context)} should be used to determine whether
* an app is already the credential management app.
*
* @param policy The authentication policy determines which alias for a private key and
* certificate pair should be used for authentication.
*/
@NonNull
public static Intent createManageCredentialsIntent(@NonNull AppUriAuthenticationPolicy policy) {
Intent intent = new Intent(ACTION_MANAGE_CREDENTIALS);
intent.setComponent(ComponentName.createRelative(SETTINGS_PACKAGE,
".security.RequestManageCredentials"));
intent.putExtra(EXTRA_AUTHENTICATION_POLICY, policy);
return intent;
}
/**
* Launches an {@code Activity} for the user to select the alias
* for a private key and certificate pair for authentication. The
* selected alias or null will be returned via the
* KeyChainAliasCallback callback.
*
* <p>A device policy controller (as a device or profile owner) can
* intercept the request before the activity is shown, to pick a
* specific private key alias by implementing
* {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias
* onChoosePrivateKeyAlias}.
*
* <p>{@code keyTypes} and {@code issuers} may be used to
* narrow down suggested choices to the user. If either {@code keyTypes}
* or {@code issuers} is specified and non-empty, and there are no
* matching certificates in the KeyChain, then the certificate
* selection prompt would be suppressed entirely.
*
* <p>{@code host} and {@code port} may be used to give the user
* more context about the server requesting the credentials.
*
* <p>{@code alias} allows the caller to preselect an existing
* alias which will still be subject to user confirmation.
*
* @param activity The {@link Activity} context to use for
* launching the new sub-Activity to prompt the user to select
* a private key; used only to call startActivity(); must not
* be null.
* @param response Callback to invoke when the request completes;
* must not be null.
* @param keyTypes The acceptable types of asymmetric keys such as
* "RSA", "EC" or null.
* @param issuers The acceptable certificate issuers for the
* certificate matching the private key, or null.
* @param host The host name of the server requesting the
* certificate, or null if unavailable.
* @param port The port number of the server requesting the
* certificate, or -1 if unavailable.
* @param alias The alias to preselect if available, or null if
* unavailable.
*/
public static void choosePrivateKeyAlias(@NonNull Activity activity,
@NonNull KeyChainAliasCallback response,
@Nullable @KeyProperties.KeyAlgorithmEnum String[] keyTypes,
@Nullable Principal[] issuers,
@Nullable String host, int port, @Nullable String alias) {
Uri uri = null;
if (host != null) {
uri = new Uri.Builder()
.authority(host + (port != -1 ? ":" + port : ""))
.build();
}
choosePrivateKeyAlias(activity, response, keyTypes, issuers, uri, alias);
}
/**
* Launches an {@code Activity} for the user to select the alias
* for a private key and certificate pair for authentication. The
* selected alias or null will be returned via the
* KeyChainAliasCallback callback.
*
* <p>A device policy controller (as a device or profile owner) can
* intercept the request before the activity is shown, to pick a
* specific private key alias by implementing
* {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias
* onChoosePrivateKeyAlias}.
*
* <p>{@code keyTypes} and {@code issuers} may be used to
* narrow down suggested choices to the user. If either {@code keyTypes}
* or {@code issuers} is specified and non-empty, and there are no
* matching certificates in the KeyChain, then the certificate
* selection prompt would be suppressed entirely.
*
* <p>{@code uri} may be used to give the user more context about
* the server requesting the credentials.
*
* <p>{@code alias} allows the caller to preselect an existing
* alias which will still be subject to user confirmation.
*
* @param activity The {@link Activity} context to use for
* launching the new sub-Activity to prompt the user to select
* a private key; used only to call startActivity(); must not
* be null.
* @param response Callback to invoke when the request completes;
* must not be null.
* @param keyTypes The acceptable types of asymmetric keys such as
* "RSA", "EC" or null.
* @param issuers The acceptable certificate issuers for the
* certificate matching the private key, or null.
* @param uri The full URI the server is requesting the certificate
* for, or null if unavailable.
* @param alias The alias to preselect if available, or null if
* unavailable.
* @throws IllegalArgumentException if the specified issuers are not
* of type {@code X500Principal}.
*/
public static void choosePrivateKeyAlias(@NonNull Activity activity,
@NonNull KeyChainAliasCallback response,
@Nullable @KeyProperties.KeyAlgorithmEnum String[] keyTypes,
@Nullable Principal[] issuers,
@Nullable Uri uri, @Nullable String alias) {
/*
* Specifying keyTypes excludes certificates with different key types
* from the list of certificates presented to the user.
* In practice today, most servers would require RSA or EC
* certificates.
*
* Specifying issuers narrows down the list by filtering out
* certificates with issuers which are not matching the provided ones.
* This has been reported to Chrome several times (crbug.com/731769).
* There's no concrete description on what to do when the client has no
* certificates that match the provided issuers.
* To be conservative, Android will not present the user with any
* certificates to choose from.
* If the list of issuers is empty then the client may send any
* certificate, see:
* https://tools.ietf.org/html/rfc5246#section-7.4.4
*/
if (activity == null) {
throw new NullPointerException("activity == null");
}
if (response == null) {
throw new NullPointerException("response == null");
}
Intent intent = new Intent(ACTION_CHOOSER);
intent.setPackage(KEYCHAIN_PACKAGE);
intent.putExtra(EXTRA_RESPONSE, new AliasResponse(response));
intent.putExtra(EXTRA_URI, uri);
intent.putExtra(EXTRA_ALIAS, alias);
intent.putExtra(EXTRA_KEY_TYPES, keyTypes);
ArrayList<byte[]> issuersList = new ArrayList();
if (issuers != null) {
for (Principal issuer: issuers) {
// In a TLS client context (like Chrome), issuers would only
// be specified as X500Principals. No other use cases for
// specifying principals have been brought up. Under these
// circumstances, only allow issuers specified as
// X500Principals.
if (!(issuer instanceof X500Principal)) {
throw new IllegalArgumentException(String.format(
"Issuer %s is of type %s, not X500Principal",
issuer.toString(), issuer.getClass()));
}
// Pass the DER-encoded issuer as that's the most accurate
// representation and what is sent over the wire.
issuersList.add(((X500Principal) issuer).getEncoded());
}
}
intent.putExtra(EXTRA_ISSUERS, (Serializable) issuersList);
// the PendingIntent is used to get calling package name
intent.putExtra(EXTRA_SENDER, PendingIntent.getActivity(activity, 0, new Intent(),
PendingIntent.FLAG_IMMUTABLE));
activity.startActivity(intent);
}
/**
* Check whether the caller is the credential management app {@code CredentialManagementApp}.
* The credential management app has the ability to manage the user's KeyChain credentials
* on unmanaged devices.
*
* <p> {@link KeyChain#createManageCredentialsIntent} should be used by an app to request to
* become the credential management app. The user must approve this request before the app can
* manage the user's credentials. There can only be one credential management on the device.
*
* @return {@code true} if the caller is the credential management app.
*/
@WorkerThread
public static boolean isCredentialManagementApp(@NonNull Context context) {
boolean isCredentialManagementApp = false;
try (KeyChainConnection keyChainConnection = KeyChain.bind(context)) {
isCredentialManagementApp = keyChainConnection.getService()
.isCredentialManagementApp(context.getPackageName());
} catch (RemoteException e) {
e.rethrowAsRuntimeException();
} catch (InterruptedException e) {
throw new RuntimeException("Interrupted while checking whether the caller is the "
+ "credential management app.", e);
} catch (SecurityException e) {
isCredentialManagementApp = false;
}
return isCredentialManagementApp;
}
/**
* Called by the credential management app to get the authentication policy
* {@link AppUriAuthenticationPolicy}.
*
* @return the credential management app's authentication policy.
* @throws SecurityException if the caller is not the credential management app.
*/
@WorkerThread
@NonNull
public static AppUriAuthenticationPolicy getCredentialManagementAppPolicy(
@NonNull Context context) throws SecurityException {
AppUriAuthenticationPolicy policy = null;
try (KeyChainConnection keyChainConnection = KeyChain.bind(context)) {
policy = keyChainConnection.getService().getCredentialManagementAppPolicy();
} catch (RemoteException e) {
e.rethrowAsRuntimeException();
} catch (InterruptedException e) {
throw new RuntimeException(
"Interrupted while getting credential management app policy.", e);
}
return policy;
}
/**
* Set a credential management app. The credential management app has the ability to manage
* the user's KeyChain credentials on unmanaged devices.
*
* <p>There can only be one credential management on the device. If another app requests to
* become the credential management app, then the existing credential management app will
* no longer be able to manage credentials.
*
* @param packageName The package name of the credential management app
* @param authenticationPolicy The authentication policy of the credential management app. This
* policy determines which alias for a private key and certificate
* pair should be used for authentication.
* @return {@code true} if the credential management app was successfully added.
* @hide
*/
@TestApi
@WorkerThread
@RequiresPermission(Manifest.permission.MANAGE_CREDENTIAL_MANAGEMENT_APP)
public static boolean setCredentialManagementApp(@NonNull Context context,
@NonNull String packageName, @NonNull AppUriAuthenticationPolicy authenticationPolicy) {
try (KeyChainConnection keyChainConnection = KeyChain.bind(context)) {
keyChainConnection.getService()
.setCredentialManagementApp(packageName, authenticationPolicy);
return true;
} catch (RemoteException | InterruptedException e) {
Log.w(LOG, "Set credential management app failed", e);
Thread.currentThread().interrupt();
return false;
}
}
/**
* Called by the credential management app {@code CredentialManagementApp} to unregister as
* the credential management app and stop managing the user's credentials.
*
* <p> All credentials previously installed by the credential management app will be removed
* from the user's device.
*
* <p> An app holding {@code MANAGE_CREDENTIAL_MANAGEMENT_APP} permission can also call this
* method to remove the current credential management app, even if it's not the current
* credential management app itself.
*
* @return {@code true} if the credential management app was successfully removed.
*/
@WorkerThread
@RequiresPermission(value = Manifest.permission.MANAGE_CREDENTIAL_MANAGEMENT_APP,
conditional = true)
public static boolean removeCredentialManagementApp(@NonNull Context context) {
try (KeyChainConnection keyChainConnection = KeyChain.bind(context)) {
keyChainConnection.getService().removeCredentialManagementApp();
return true;
} catch (RemoteException | InterruptedException e) {
Log.w(LOG, "Remove credential management app failed", e);
Thread.currentThread().interrupt();
return false;
}
}
private static class AliasResponse extends IKeyChainAliasCallback.Stub {
private final KeyChainAliasCallback keyChainAliasResponse;
private AliasResponse(KeyChainAliasCallback keyChainAliasResponse) {
this.keyChainAliasResponse = keyChainAliasResponse;
}
@Override public void alias(String alias) {
keyChainAliasResponse.alias(alias);
}
}
/**
* Returns the {@code PrivateKey} for the requested alias, or null if the alias does not exist
* or the caller has no permission to access it (see note on exceptions below).
*
* <p> This method may block while waiting for a connection to another process, and must never
* be called from the main thread.
* <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed
* at any time from the main thread, it is safer to rely on a long-lived context such as one
* returned from {@link Context#getApplicationContext()}.
*
* <p> If the caller provides a valid alias to which it was not granted access, then the
* caller must invoke {@link #choosePrivateKeyAlias} again to get another valid alias
* or a grant to access the same alias.
* <p>On Android versions prior to Q, when a key associated with the specified alias is
* unavailable, the method will throw a {@code KeyChainException} rather than return null.
* If the exception's cause (as obtained by calling {@code KeyChainException.getCause()})
* is a throwable of type {@code IllegalStateException} then the caller lacks a grant
* to access the key and certificates associated with this alias.
*
* @param alias The alias of the desired private key, typically returned via
* {@link KeyChainAliasCallback#alias}.
* @throws KeyChainException if the alias was valid but there was some problem accessing it.
* @throws IllegalStateException if called from the main thread.
*/
@Nullable @WorkerThread
public static PrivateKey getPrivateKey(@NonNull Context context, @NonNull String alias)
throws KeyChainException, InterruptedException {
KeyPair keyPair = getKeyPair(context, alias);
if (keyPair != null) {
return keyPair.getPrivate();
}
return null;
}
/**
* This prefix is used to disambiguate grant aliase strings from normal key alias strings.
* Technically, a key alias string can use the same prefix. However, a collision does not
* lead to privilege escalation, because grants are access controlled in the Keystore daemon.
* @hide
*/
public static final String GRANT_ALIAS_PREFIX = "ks2_keychain_grant_id:";
private static KeyDescriptor getGrantDescriptor(String keyid) {
KeyDescriptor result = new KeyDescriptor();
result.domain = Domain.GRANT;
result.blob = null;
result.alias = null;
try {
result.nspace = Long.parseUnsignedLong(
keyid.substring(GRANT_ALIAS_PREFIX.length()), 16 /* radix */);
} catch (NumberFormatException e) {
return null;
}
return result;
}
/** @hide */
public static String getGrantString(KeyDescriptor key) {
return String.format(GRANT_ALIAS_PREFIX + "%016X", key.nspace);
}
/** @hide */
@Nullable @WorkerThread
public static KeyPair getKeyPair(@NonNull Context context, @NonNull String alias)
throws KeyChainException, InterruptedException {
if (alias == null) {
throw new NullPointerException("alias == null");
}
if (context == null) {
throw new NullPointerException("context == null");
}
final String keyId;
try (KeyChainConnection keyChainConnection = bind(context.getApplicationContext())) {
keyId = keyChainConnection.getService().requestPrivateKey(alias);
} catch (RemoteException e) {
throw new KeyChainException(e);
} catch (RuntimeException e) {
// only certain RuntimeExceptions can be propagated across the IKeyChainService call
throw new KeyChainException(e);
}
if (keyId == null) {
return null;
}
try {
return android.security.keystore2.AndroidKeyStoreProvider
.loadAndroidKeyStoreKeyPairFromKeystore(
KeyStore2.getInstance(),
getGrantDescriptor(keyId));
} catch (UnrecoverableKeyException | KeyPermanentlyInvalidatedException e) {
throw new KeyChainException(e);
}
}
/**
* Returns the {@code X509Certificate} chain for the requested alias, or null if the alias
* does not exist or the caller has no permission to access it (see note on exceptions
* in {@link #getPrivateKey}).
*
* <p>
* <strong>Note:</strong> If a certificate chain was explicitly specified when the alias was
* installed, this method will return that chain. If only the client certificate was specified
* at the installation time, this method will try to build a certificate chain using all
* available trust anchors (preinstalled and user-added).
*
* <p> This method may block while waiting for a connection to another process, and must never
* be called from the main thread.
* <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed
* at any time from the main thread, it is safer to rely on a long-lived context such as one
* returned from {@link Context#getApplicationContext()}.
* <p> In case the caller specifies an alias for which it lacks a grant, it must call
* {@link #choosePrivateKeyAlias} again. See {@link #getPrivateKey} for more details on
* coping with this scenario.
*
* @param alias The alias of the desired certificate chain, typically
* returned via {@link KeyChainAliasCallback#alias}.
* @throws KeyChainException if the alias was valid but there was some problem accessing it.
* @throws IllegalStateException if called from the main thread.
*/
@Nullable @WorkerThread
public static X509Certificate[] getCertificateChain(@NonNull Context context,
@NonNull String alias) throws KeyChainException, InterruptedException {
if (alias == null) {
throw new NullPointerException("alias == null");
}
final byte[] certificateBytes;
final byte[] certChainBytes;
try (KeyChainConnection keyChainConnection = bind(context.getApplicationContext())) {
IKeyChainService keyChainService = keyChainConnection.getService();
certificateBytes = keyChainService.getCertificate(alias);
if (certificateBytes == null) {
return null;
}
certChainBytes = keyChainService.getCaCertificates(alias);
} catch (RemoteException e) {
throw new KeyChainException(e);
} catch (RuntimeException e) {
// only certain RuntimeExceptions can be propagated across the IKeyChainService call
throw new KeyChainException(e);
}
try {
X509Certificate leafCert = toCertificate(certificateBytes);
// If the keypair is installed with a certificate chain by either
// DevicePolicyManager.installKeyPair or CertInstaller, return that chain.
if (certChainBytes != null && certChainBytes.length != 0) {
Collection<X509Certificate> chain = toCertificates(certChainBytes);
ArrayList<X509Certificate> fullChain = new ArrayList<>(chain.size() + 1);
fullChain.add(leafCert);
fullChain.addAll(chain);
return fullChain.toArray(new X509Certificate[fullChain.size()]);
} else {
// If there isn't a certificate chain, either due to a pre-existing keypair
// installed before N, or no chain is explicitly installed under the new logic,
// fall back to old behavior of constructing the chain from trusted credentials.
//
// This logic exists to maintain old behaviour for already installed keypair, at
// the cost of potentially returning extra certificate chain for new clients who
// explicitly installed only the client certificate without a chain. The latter
// case is actually no different from pre-N behaviour of getCertificateChain(),
// in that sense this change introduces no regression. Besides the returned chain
// is still valid so the consumer of the chain should have no problem verifying it.
TrustedCertificateStore store = new TrustedCertificateStore();
List<X509Certificate> chain = store.getCertificateChain(leafCert);
return chain.toArray(new X509Certificate[chain.size()]);
}
} catch (CertificateException | RuntimeException e) {
throw new KeyChainException(e);
}
}
/**
* Returns {@code true} if the current device's {@code KeyChain} supports a
* specific {@code PrivateKey} type indicated by {@code algorithm} (e.g.,
* "RSA").
*/
public static boolean isKeyAlgorithmSupported(
@NonNull @KeyProperties.KeyAlgorithmEnum String algorithm) {
final String algUpper = algorithm.toUpperCase(Locale.US);
return KeyProperties.KEY_ALGORITHM_EC.equals(algUpper)
|| KeyProperties.KEY_ALGORITHM_RSA.equals(algUpper);
}
/**
* Returns {@code true} if the current device's {@code KeyChain} binds any
* {@code PrivateKey} of the given {@code algorithm} to the device once
* imported or generated. This can be used to tell if there is special
* hardware support that can be used to bind keys to the device in a way
* that makes it non-exportable.
*
* @deprecated Whether the key is bound to the secure hardware is known only
* once the key has been imported. To find out, use:
* <pre>{@code
* PrivateKey key = ...; // private key from KeyChain
*
* KeyFactory keyFactory =
* KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
* KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class);
* if (keyInfo.isInsideSecureHardware()) {
* // The key is bound to the secure hardware of this Android
* }}</pre>
*/
@Deprecated
public static boolean isBoundKeyAlgorithm(
@NonNull @KeyProperties.KeyAlgorithmEnum String algorithm) {
// All supported algorithms are hardware backed. Individual keys may not be.
return true;
}
/** @hide */
@NonNull
public static X509Certificate toCertificate(@NonNull byte[] bytes) {
if (bytes == null) {
throw new IllegalArgumentException("bytes == null");
}
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes));
return (X509Certificate) cert;
} catch (CertificateException e) {
throw new AssertionError(e);
}
}
/** @hide */
@NonNull
public static Collection<X509Certificate> toCertificates(@NonNull byte[] bytes) {
if (bytes == null) {
throw new IllegalArgumentException("bytes == null");
}
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
return (Collection<X509Certificate>) certFactory.generateCertificates(
new ByteArrayInputStream(bytes));
} catch (CertificateException e) {
throw new AssertionError(e);
}
}
/**
* @hide for reuse by CertInstaller and Settings.
* @see KeyChain#bind
*/
public static class KeyChainConnection implements Closeable {
private final Context mContext;
private final ServiceConnection mServiceConnection;
private final IKeyChainService mService;
protected KeyChainConnection(Context context,
ServiceConnection serviceConnection,
IKeyChainService service) {
this.mContext = context;
this.mServiceConnection = serviceConnection;
this.mService = service;
}
@Override public void close() {
mContext.unbindService(mServiceConnection);
}
/** returns the service binder. */
public IKeyChainService getService() {
return mService;
}
}
/**
* Bind to KeyChainService in the current user.
* Caller should call unbindService on the result when finished.
*
*@throws InterruptedException if interrupted during binding.
*@throws AssertionError if unable to bind to KeyChainService.
* @hide for reuse by CertInstaller and Settings.
*/
@WorkerThread
public static KeyChainConnection bind(@NonNull Context context) throws InterruptedException {
return bindAsUser(context, Process.myUserHandle());
}
/**
* Bind to KeyChainService in the target user.
* Caller should call unbindService on the result when finished.
*
* @throws InterruptedException if interrupted during binding.
* @throws AssertionError if unable to bind to KeyChainService.
* @hide
*/
@WorkerThread
public static KeyChainConnection bindAsUser(@NonNull Context context, UserHandle user)
throws InterruptedException {
return bindAsUser(context, null, user);
}
/**
* Returns a persistable grant string that allows WiFi stack to access the key using Keystore
* SSL engine.
*
* @return grant string or null if key is not granted or doesn't exist.
*
* The key should be granted to Process.WIFI_UID.
* @hide
*/
@SystemApi
@Nullable
@WorkerThread
public static String getWifiKeyGrantAsUser(
@NonNull Context context, @NonNull UserHandle user, @NonNull String alias) {
try (KeyChainConnection keyChainConnection =
bindAsUser(context.getApplicationContext(), user)) {
return keyChainConnection.getService().getWifiKeyGrantAsUser(alias);
} catch (RemoteException | RuntimeException e) {
Log.i(LOG, "Couldn't get grant for wifi", e);
return null;
} catch (InterruptedException e) {
Thread.currentThread().interrupt();
Log.i(LOG, "Interrupted while getting grant for wifi", e);
return null;
}
}
/**
* Returns whether the key is granted to WiFi stack.
* @hide
*/
@SystemApi
@WorkerThread
public static boolean hasWifiKeyGrantAsUser(
@NonNull Context context, @NonNull UserHandle user, @NonNull String alias) {
try (KeyChainConnection keyChainConnection =
bindAsUser(context.getApplicationContext(), user)) {
return keyChainConnection.getService().hasGrant(Process.WIFI_UID, alias);
} catch (RemoteException | RuntimeException e) {
Log.i(LOG, "Couldn't query grant for wifi", e);
return false;
} catch (InterruptedException e) {
Thread.currentThread().interrupt();
Log.i(LOG, "Interrupted while querying grant for wifi", e);
return false;
}
}
/**
* Bind to KeyChainService in the target user.
* Caller should call unbindService on the result when finished.
*
* @throws InterruptedException if interrupted during binding.
* @throws AssertionError if unable to bind to KeyChainService.
* @hide
*/
public static KeyChainConnection bindAsUser(@NonNull Context context, @Nullable Handler handler,
UserHandle user) throws InterruptedException {
if (context == null) {
throw new NullPointerException("context == null");
}
if (handler == null) {
ensureNotOnMainThread(context);
}
if (!UserManager.get(context).isUserUnlocked(user)) {
throw new IllegalStateException("User must be unlocked");
}
final CountDownLatch countDownLatch = new CountDownLatch(1);
final AtomicReference<IKeyChainService> keyChainService = new AtomicReference<>();
ServiceConnection keyChainServiceConnection = new ServiceConnection() {
volatile boolean mConnectedAtLeastOnce = false;
@Override public void onServiceConnected(ComponentName name, IBinder service) {
if (!mConnectedAtLeastOnce) {
mConnectedAtLeastOnce = true;
keyChainService.set(
IKeyChainService.Stub.asInterface(Binder.allowBlocking(service)));
countDownLatch.countDown();
}
}
@Override public void onBindingDied(ComponentName name) {
if (!mConnectedAtLeastOnce) {
mConnectedAtLeastOnce = true;
countDownLatch.countDown();
}
}
@Override public void onServiceDisconnected(ComponentName name) {}
};
Intent intent = new Intent(IKeyChainService.class.getName());
ComponentName comp = intent.resolveSystemService(context.getPackageManager(), 0);
if (comp == null) {
throw new AssertionError("could not resolve KeyChainService");
}
intent.setComponent(comp);
final boolean bindSucceed;
if (handler != null) {
bindSucceed = context.bindServiceAsUser(
intent, keyChainServiceConnection, Context.BIND_AUTO_CREATE, handler, user);
} else {
bindSucceed = context.bindServiceAsUser(
intent, keyChainServiceConnection, Context.BIND_AUTO_CREATE, user);
}
if (!bindSucceed) {
context.unbindService(keyChainServiceConnection);
throw new AssertionError("could not bind to KeyChainService");
}
countDownLatch.await();
IKeyChainService service = keyChainService.get();
if (service != null) {
return new KeyChainConnection(context, keyChainServiceConnection, service);
} else {
context.unbindService(keyChainServiceConnection);
throw new AssertionError("KeyChainService died while binding");
}
}
private static void ensureNotOnMainThread(@NonNull Context context) {
Looper looper = Looper.myLooper();
if (looper != null && looper == context.getMainLooper()) {
throw new IllegalStateException(
"calling this from your main thread can lead to deadlock");
}
}
}
|
