blob: 7c80f70593df51d0366bcc7100861502bebc604a [file] [log] [blame]
/*
* Copyright (C) 2011 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security;
import static android.security.Credentials.ACTION_MANAGE_CREDENTIALS;
import android.Manifest;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.RequiresPermission;
import android.annotation.SdkConstant;
import android.annotation.SdkConstant.SdkConstantType;
import android.annotation.SystemApi;
import android.annotation.TestApi;
import android.annotation.WorkerThread;
import android.app.Activity;
import android.app.PendingIntent;
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.net.Uri;
import android.os.Binder;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Process;
import android.os.RemoteException;
import android.os.UserHandle;
import android.os.UserManager;
import android.security.keystore.AndroidKeyStoreProvider;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.system.keystore2.Domain;
import android.system.keystore2.KeyDescriptor;
import android.util.Log;
import com.android.org.conscrypt.TrustedCertificateStore;
import java.io.ByteArrayInputStream;
import java.io.Closeable;
import java.io.Serializable;
import java.security.KeyPair;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.x500.X500Principal;
/**
* The {@code KeyChain} class provides access to private keys and
* their corresponding certificate chains in credential storage.
*
* <p>Applications accessing the {@code KeyChain} normally go through
* these steps:
*
* <ol>
*
* <li>Receive a callback from an {@link javax.net.ssl.X509KeyManager
* X509KeyManager} that a private key is requested.
*
* <li>Call {@link #choosePrivateKeyAlias
* choosePrivateKeyAlias} to allow the user to select from a
* list of currently available private keys and corresponding
* certificate chains. The chosen alias will be returned by the
* callback {@link KeyChainAliasCallback#alias}, or null if no private
* key is available or the user cancels the request.
*
* <li>Call {@link #getPrivateKey} and {@link #getCertificateChain} to
* retrieve the credentials to return to the corresponding {@link
* javax.net.ssl.X509KeyManager} callbacks.
*
* </ol>
*
* <p>An application may remember the value of a selected alias to
* avoid prompting the user with {@link #choosePrivateKeyAlias
* choosePrivateKeyAlias} on subsequent connections. If the alias is
* no longer valid, null will be returned on lookups using that value
*
* <p>An application can request the installation of private keys and
* certificates via the {@code Intent} provided by {@link
* #createInstallIntent}. Private keys installed via this {@code
* Intent} will be accessible via {@link #choosePrivateKeyAlias} while
* Certificate Authority (CA) certificates will be trusted by all
* applications through the default {@code X509TrustManager}.
*/
// TODO reference intent for credential installation when public
public final class KeyChain {
/**
* @hide
*/
public static final String LOG = "KeyChain";
/**
* @hide Also used by KeyChainService implementation
*/
public static final String ACCOUNT_TYPE = "com.android.keychain";
/**
* Package name for KeyChain chooser.
*/
private static final String KEYCHAIN_PACKAGE = "com.android.keychain";
/**
* Action to bring up the KeyChainActivity
*/
private static final String ACTION_CHOOSER = "com.android.keychain.CHOOSER";
/**
* Package name for the Certificate Installer.
*/
private static final String CERT_INSTALLER_PACKAGE = "com.android.certinstaller";
/**
* Package name for Settings.
*/
private static final String SETTINGS_PACKAGE = "com.android.settings";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_RESPONSE = "response";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_URI = "uri";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_ALIAS = "alias";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_SENDER = "sender";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_KEY_TYPES = "key_types";
/**
* Extra for use with {@link #ACTION_CHOOSER}
* @hide Also used by KeyChainActivity implementation
*/
public static final String EXTRA_ISSUERS = "issuers";
/**
* Action to bring up the CertInstaller.
*/
private static final String ACTION_INSTALL = "android.credentials.INSTALL";
/**
* Optional extra to specify a {@code String} credential name on
* the {@code Intent} returned by {@link #createInstallIntent}.
*/
// Compatible with old com.android.certinstaller.CredentialHelper.CERT_NAME_KEY
public static final String EXTRA_NAME = "name";
/**
* Optional extra to specify an X.509 certificate to install on
* the {@code Intent} returned by {@link #createInstallIntent}.
* The extra value should be a PEM or ASN.1 DER encoded {@code
* byte[]}. An {@link X509Certificate} can be converted to DER
* encoded bytes with {@link X509Certificate#getEncoded}.
*
* <p>{@link #EXTRA_NAME} may be used to provide a default alias
* name for the installed certificate.
*/
// Compatible with old android.security.Credentials.CERTIFICATE
public static final String EXTRA_CERTIFICATE = "CERT";
/**
* Optional extra for use with the {@code Intent} returned by
* {@link #createInstallIntent} to specify a PKCS#12 key store to
* install. The extra value should be a {@code byte[]}. The bytes
* may come from an external source or be generated with {@link
* java.security.KeyStore#store} on a "PKCS12" instance.
*
* <p>The user will be prompted for the password to load the key store.
*
* <p>The key store will be scanned for {@link
* java.security.KeyStore.PrivateKeyEntry} entries and both the
* private key and associated certificate chain will be installed.
*
* <p>{@link #EXTRA_NAME} may be used to provide a default alias
* name for the installed credentials.
*/
// Compatible with old android.security.Credentials.PKCS12
public static final String EXTRA_PKCS12 = "PKCS12";
/**
* Extra used by {@link #createManageCredentialsIntent(AppUriAuthenticationPolicy)} to specify
* the authentication policy of the credential management app.
*
* <p>The authentication policy declares which alias for a private key and certificate pair
* should be used for authentication, given a list of apps and URIs.
*
* <p>The extra value should be a {@link AppUriAuthenticationPolicy}.
*
* @hide
*/
public static final String EXTRA_AUTHENTICATION_POLICY =
"android.security.extra.AUTHENTICATION_POLICY";
/**
* Broadcast Action: Indicates the trusted storage has changed. Sent when
* one of this happens:
*
* <ul>
* <li>a new CA is added,
* <li>an existing CA is removed or disabled,
* <li>a disabled CA is enabled,
* <li>trusted storage is reset (all user certs are cleared),
* <li>when permission to access a private key is changed.
* </ul>
*
* @deprecated Use {@link #ACTION_KEYCHAIN_CHANGED}, {@link #ACTION_TRUST_STORE_CHANGED} or
* {@link #ACTION_KEY_ACCESS_CHANGED}. Apps that target a version higher than
* {@link android.os.Build.VERSION_CODES#N_MR1} will only receive this broadcast if they
* register for it at runtime.
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_STORAGE_CHANGED = "android.security.STORAGE_CHANGED";
/**
* Broadcast Action: Indicates the contents of the keychain has changed. Sent when a KeyChain
* entry is added, modified or removed.
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_KEYCHAIN_CHANGED = "android.security.action.KEYCHAIN_CHANGED";
/**
* Broadcast Action: Indicates the contents of the trusted certificate store has changed. Sent
* when one the following occurs:
*
* <ul>
* <li>A pre-installed CA is disabled or re-enabled</li>
* <li>A CA is added or removed from the trust store</li>
* </ul>
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_TRUST_STORE_CHANGED =
"android.security.action.TRUST_STORE_CHANGED";
/**
* Broadcast Action: Indicates that the access permissions for a private key have changed.
*
*/
@SdkConstant(SdkConstantType.BROADCAST_INTENT_ACTION)
public static final String ACTION_KEY_ACCESS_CHANGED =
"android.security.action.KEY_ACCESS_CHANGED";
/**
* Used as a String extra field in {@link #ACTION_KEY_ACCESS_CHANGED} to supply the alias of
* the key.
*/
public static final String EXTRA_KEY_ALIAS = "android.security.extra.KEY_ALIAS";
/**
* Used as a boolean extra field in {@link #ACTION_KEY_ACCESS_CHANGED} to supply if the key is
* accessible to the application.
*/
public static final String EXTRA_KEY_ACCESSIBLE = "android.security.extra.KEY_ACCESSIBLE";
/**
* Indicates that a call to {@link #generateKeyPair} was successful.
* @hide
*/
public static final int KEY_GEN_SUCCESS = 0;
/**
* An alias was missing from the key specifications when calling {@link #generateKeyPair}.
* @hide
*/
public static final int KEY_GEN_MISSING_ALIAS = 1;
/**
* A key attestation challenge was provided to {@link #generateKeyPair}, but it shouldn't
* have been provided.
* @hide
*/
public static final int KEY_GEN_SUPERFLUOUS_ATTESTATION_CHALLENGE = 2;
/**
* Algorithm not supported by {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_NO_SUCH_ALGORITHM = 3;
/**
* Invalid algorithm parameters when calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_INVALID_ALGORITHM_PARAMETERS = 4;
/**
* Keystore is not available when calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_NO_KEYSTORE_PROVIDER = 5;
/**
* StrongBox unavailable when calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_STRONGBOX_UNAVAILABLE = 6;
/**
* General failure while calling {@link #generateKeyPair}
* @hide
*/
public static final int KEY_GEN_FAILURE = 7;
/**
* Successful call to {@link #attestKey}
* @hide
*/
public static final int KEY_ATTESTATION_SUCCESS = 0;
/**
* Attestation challenge missing when calling {@link #attestKey}
* @hide
*/
public static final int KEY_ATTESTATION_MISSING_CHALLENGE = 1;
/**
* The caller requested Device ID attestation when calling {@link #attestKey}, but has no
* permissions to get device identifiers.
* @hide
*/
public static final int KEY_ATTESTATION_CANNOT_COLLECT_DATA = 2;
/**
* The underlying hardware does not support Device ID attestation or cannot attest to the
* identifiers that are stored on the device. This indicates permanent inability
* to get attestation records on the device.
* @hide
*/
public static final int KEY_ATTESTATION_CANNOT_ATTEST_IDS = 3;
/**
* General failure when calling {@link #attestKey}
* @hide
*/
public static final int KEY_ATTESTATION_FAILURE = 4;
/**
* Used by DPC or delegated app in
* {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias} or
* {@link android.app.admin.DelegatedAdminReceiver#onChoosePrivateKeyAlias} to identify that
* the requesting app is not granted access to any key, and nor will the user be able to grant
* access manually.
*/
public static final String KEY_ALIAS_SELECTION_DENIED =
"android:alias-selection-denied";
/**
* Returns an {@code Intent} that can be used for credential
* installation. The intent may be used without any extras, in
* which case the user will be able to install credentials from
* their own source.
*
* <p>Alternatively, {@link #EXTRA_CERTIFICATE} or {@link
* #EXTRA_PKCS12} maybe used to specify the bytes of an X.509
* certificate or a PKCS#12 key store for installation. These
* extras may be combined with {@link #EXTRA_NAME} to provide a
* default alias name for credentials being installed.
*
* <p>When used with {@link Activity#startActivityForResult},
* {@link Activity#RESULT_OK} will be returned if a credential was
* successfully installed, otherwise {@link
* Activity#RESULT_CANCELED} will be returned.
*
* <p>Starting from {@link android.os.Build.VERSION_CODES#R}, the intent returned by this
* method cannot be used for installing CA certificates. Since CA certificates can only be
* installed via Settings, the app should provide the user with a file containing the
* CA certificate. One way to do this would be to use the {@link android.provider.MediaStore}
* API to write the certificate to the {@link android.provider.MediaStore.Downloads}
* collection.
*/
@NonNull
public static Intent createInstallIntent() {
Intent intent = new Intent(ACTION_INSTALL);
intent.setClassName(CERT_INSTALLER_PACKAGE,
"com.android.certinstaller.CertInstallerMain");
return intent;
}
/**
* Returns an {@code Intent} that should be used by an app to request to manage the user's
* credentials. This is limited to unmanaged devices. The authentication policy must be
* provided to be able to make this request successfully.
*
* <p> This intent should be started using {@link Activity#startActivityForResult(Intent, int)}
* to verify whether the request was successful and whether the user accepted or denied the
* request. If the user successfully receives and accepts the request, the result code will be
* {@link Activity#RESULT_OK}, otherwise the result code will be
* {@link Activity#RESULT_CANCELED}.
*
* <p> {@link KeyChain#isCredentialManagementApp(Context)} should be used to determine whether
* an app is already the credential management app.
*
* @param policy The authentication policy determines which alias for a private key and
* certificate pair should be used for authentication.
*/
@NonNull
public static Intent createManageCredentialsIntent(@NonNull AppUriAuthenticationPolicy policy) {
Intent intent = new Intent(ACTION_MANAGE_CREDENTIALS);
intent.setComponent(ComponentName.createRelative(SETTINGS_PACKAGE,
".security.RequestManageCredentials"));
intent.putExtra(EXTRA_AUTHENTICATION_POLICY, policy);
return intent;
}
/**
* Launches an {@code Activity} for the user to select the alias
* for a private key and certificate pair for authentication. The
* selected alias or null will be returned via the
* KeyChainAliasCallback callback.
*
* <p>A device policy controller (as a device or profile owner) can
* intercept the request before the activity is shown, to pick a
* specific private key alias by implementing
* {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias
* onChoosePrivateKeyAlias}.
*
* <p>{@code keyTypes} and {@code issuers} may be used to
* narrow down suggested choices to the user. If either {@code keyTypes}
* or {@code issuers} is specified and non-empty, and there are no
* matching certificates in the KeyChain, then the certificate
* selection prompt would be suppressed entirely.
*
* <p>{@code host} and {@code port} may be used to give the user
* more context about the server requesting the credentials.
*
* <p>{@code alias} allows the caller to preselect an existing
* alias which will still be subject to user confirmation.
*
* @param activity The {@link Activity} context to use for
* launching the new sub-Activity to prompt the user to select
* a private key; used only to call startActivity(); must not
* be null.
* @param response Callback to invoke when the request completes;
* must not be null.
* @param keyTypes The acceptable types of asymmetric keys such as
* "RSA", "EC" or null.
* @param issuers The acceptable certificate issuers for the
* certificate matching the private key, or null.
* @param host The host name of the server requesting the
* certificate, or null if unavailable.
* @param port The port number of the server requesting the
* certificate, or -1 if unavailable.
* @param alias The alias to preselect if available, or null if
* unavailable.
*/
public static void choosePrivateKeyAlias(@NonNull Activity activity,
@NonNull KeyChainAliasCallback response,
@Nullable @KeyProperties.KeyAlgorithmEnum String[] keyTypes,
@Nullable Principal[] issuers,
@Nullable String host, int port, @Nullable String alias) {
Uri uri = null;
if (host != null) {
uri = new Uri.Builder()
.authority(host + (port != -1 ? ":" + port : ""))
.build();
}
choosePrivateKeyAlias(activity, response, keyTypes, issuers, uri, alias);
}
/**
* Launches an {@code Activity} for the user to select the alias
* for a private key and certificate pair for authentication. The
* selected alias or null will be returned via the
* KeyChainAliasCallback callback.
*
* <p>A device policy controller (as a device or profile owner) can
* intercept the request before the activity is shown, to pick a
* specific private key alias by implementing
* {@link android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias
* onChoosePrivateKeyAlias}.
*
* <p>{@code keyTypes} and {@code issuers} may be used to
* narrow down suggested choices to the user. If either {@code keyTypes}
* or {@code issuers} is specified and non-empty, and there are no
* matching certificates in the KeyChain, then the certificate
* selection prompt would be suppressed entirely.
*
* <p>{@code uri} may be used to give the user more context about
* the server requesting the credentials.
*
* <p>{@code alias} allows the caller to preselect an existing
* alias which will still be subject to user confirmation.
*
* @param activity The {@link Activity} context to use for
* launching the new sub-Activity to prompt the user to select
* a private key; used only to call startActivity(); must not
* be null.
* @param response Callback to invoke when the request completes;
* must not be null.
* @param keyTypes The acceptable types of asymmetric keys such as
* "RSA", "EC" or null.
* @param issuers The acceptable certificate issuers for the
* certificate matching the private key, or null.
* @param uri The full URI the server is requesting the certificate
* for, or null if unavailable.
* @param alias The alias to preselect if available, or null if
* unavailable.
* @throws IllegalArgumentException if the specified issuers are not
* of type {@code X500Principal}.
*/
public static void choosePrivateKeyAlias(@NonNull Activity activity,
@NonNull KeyChainAliasCallback response,
@Nullable @KeyProperties.KeyAlgorithmEnum String[] keyTypes,
@Nullable Principal[] issuers,
@Nullable Uri uri, @Nullable String alias) {
/*
* Specifying keyTypes excludes certificates with different key types
* from the list of certificates presented to the user.
* In practice today, most servers would require RSA or EC
* certificates.
*
* Specifying issuers narrows down the list by filtering out
* certificates with issuers which are not matching the provided ones.
* This has been reported to Chrome several times (crbug.com/731769).
* There's no concrete description on what to do when the client has no
* certificates that match the provided issuers.
* To be conservative, Android will not present the user with any
* certificates to choose from.
* If the list of issuers is empty then the client may send any
* certificate, see:
* https://tools.ietf.org/html/rfc5246#section-7.4.4
*/
if (activity == null) {
throw new NullPointerException("activity == null");
}
if (response == null) {
throw new NullPointerException("response == null");
}
Intent intent = new Intent(ACTION_CHOOSER);
intent.setPackage(KEYCHAIN_PACKAGE);
intent.putExtra(EXTRA_RESPONSE, new AliasResponse(response));
intent.putExtra(EXTRA_URI, uri);
intent.putExtra(EXTRA_ALIAS, alias);
intent.putExtra(EXTRA_KEY_TYPES, keyTypes);
ArrayList<byte[]> issuersList = new ArrayList();
if (issuers != null) {
for (Principal issuer: issuers) {
// In a TLS client context (like Chrome), issuers would only
// be specified as X500Principals. No other use cases for
// specifying principals have been brought up. Under these
// circumstances, only allow issuers specified as
// X500Principals.
if (!(issuer instanceof X500Principal)) {
throw new IllegalArgumentException(String.format(
"Issuer %s is of type %s, not X500Principal",
issuer.toString(), issuer.getClass()));
}
// Pass the DER-encoded issuer as that's the most accurate
// representation and what is sent over the wire.
issuersList.add(((X500Principal) issuer).getEncoded());
}
}
intent.putExtra(EXTRA_ISSUERS, (Serializable) issuersList);
// the PendingIntent is used to get calling package name
intent.putExtra(EXTRA_SENDER, PendingIntent.getActivity(activity, 0, new Intent(),
PendingIntent.FLAG_IMMUTABLE));
activity.startActivity(intent);
}
/**
* Check whether the caller is the credential management app {@code CredentialManagementApp}.
* The credential management app has the ability to manage the user's KeyChain credentials
* on unmanaged devices.
*
* <p> {@link KeyChain#createManageCredentialsIntent} should be used by an app to request to
* become the credential management app. The user must approve this request before the app can
* manage the user's credentials. There can only be one credential management on the device.
*
* @return {@code true} if the caller is the credential management app.
*/
@WorkerThread
public static boolean isCredentialManagementApp(@NonNull Context context) {
boolean isCredentialManagementApp = false;
try (KeyChainConnection keyChainConnection = KeyChain.bind(context)) {
isCredentialManagementApp = keyChainConnection.getService()
.isCredentialManagementApp(context.getPackageName());
} catch (RemoteException e) {
e.rethrowAsRuntimeException();
} catch (InterruptedException e) {
throw new RuntimeException("Interrupted while checking whether the caller is the "
+ "credential management app.", e);
} catch (SecurityException e) {
isCredentialManagementApp = false;
}
return isCredentialManagementApp;
}
/**
* Called by the credential management app to get the authentication policy
* {@link AppUriAuthenticationPolicy}.
*
* @return the credential management app's authentication policy.
* @throws SecurityException if the caller is not the credential management app.
*/
@WorkerThread
@NonNull
public static AppUriAuthenticationPolicy getCredentialManagementAppPolicy(
@NonNull Context context) throws SecurityException {
AppUriAuthenticationPolicy policy = null;
try (KeyChainConnection keyChainConnection = KeyChain.bind(context)) {
policy = keyChainConnection.getService().getCredentialManagementAppPolicy();
} catch (RemoteException e) {
e.rethrowAsRuntimeException();
} catch (InterruptedException e) {
throw new RuntimeException(
"Interrupted while getting credential management app policy.", e);
}
return policy;
}
/**
* Set a credential management app. The credential management app has the ability to manage
* the user's KeyChain credentials on unmanaged devices.
*
* <p>There can only be one credential management on the device. If another app requests to
* become the credential management app, then the existing credential management app will
* no longer be able to manage credentials.
*
* @param packageName The package name of the credential management app
* @param authenticationPolicy The authentication policy of the credential management app. This
* policy determines which alias for a private key and certificate
* pair should be used for authentication.
* @return {@code true} if the credential management app was successfully added.
* @hide
*/
@TestApi
@WorkerThread
@RequiresPermission(Manifest.permission.MANAGE_CREDENTIAL_MANAGEMENT_APP)
public static boolean setCredentialManagementApp(@NonNull Context context,
@NonNull String packageName, @NonNull AppUriAuthenticationPolicy authenticationPolicy) {
try (KeyChainConnection keyChainConnection = KeyChain.bind(context)) {
keyChainConnection.getService()
.setCredentialManagementApp(packageName, authenticationPolicy);
return true;
} catch (RemoteException | InterruptedException e) {
Log.w(LOG, "Set credential management app failed", e);
Thread.currentThread().interrupt();
return false;
}
}
/**
* Called by the credential management app {@code CredentialManagementApp} to unregister as
* the credential management app and stop managing the user's credentials.
*
* <p> All credentials previously installed by the credential management app will be removed
* from the user's device.
*
* <p> An app holding {@code MANAGE_CREDENTIAL_MANAGEMENT_APP} permission can also call this
* method to remove the current credential management app, even if it's not the current
* credential management app itself.
*
* @return {@code true} if the credential management app was successfully removed.
*/
@WorkerThread
@RequiresPermission(value = Manifest.permission.MANAGE_CREDENTIAL_MANAGEMENT_APP,
conditional = true)
public static boolean removeCredentialManagementApp(@NonNull Context context) {
try (KeyChainConnection keyChainConnection = KeyChain.bind(context)) {
keyChainConnection.getService().removeCredentialManagementApp();
return true;
} catch (RemoteException | InterruptedException e) {
Log.w(LOG, "Remove credential management app failed", e);
Thread.currentThread().interrupt();
return false;
}
}
private static class AliasResponse extends IKeyChainAliasCallback.Stub {
private final KeyChainAliasCallback keyChainAliasResponse;
private AliasResponse(KeyChainAliasCallback keyChainAliasResponse) {
this.keyChainAliasResponse = keyChainAliasResponse;
}
@Override public void alias(String alias) {
keyChainAliasResponse.alias(alias);
}
}
/**
* Returns the {@code PrivateKey} for the requested alias, or null if the alias does not exist
* or the caller has no permission to access it (see note on exceptions below).
*
* <p> This method may block while waiting for a connection to another process, and must never
* be called from the main thread.
* <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed
* at any time from the main thread, it is safer to rely on a long-lived context such as one
* returned from {@link Context#getApplicationContext()}.
*
* <p> If the caller provides a valid alias to which it was not granted access, then the
* caller must invoke {@link #choosePrivateKeyAlias} again to get another valid alias
* or a grant to access the same alias.
* <p>On Android versions prior to Q, when a key associated with the specified alias is
* unavailable, the method will throw a {@code KeyChainException} rather than return null.
* If the exception's cause (as obtained by calling {@code KeyChainException.getCause()})
* is a throwable of type {@code IllegalStateException} then the caller lacks a grant
* to access the key and certificates associated with this alias.
*
* @param alias The alias of the desired private key, typically returned via
* {@link KeyChainAliasCallback#alias}.
* @throws KeyChainException if the alias was valid but there was some problem accessing it.
* @throws IllegalStateException if called from the main thread.
*/
@Nullable @WorkerThread
public static PrivateKey getPrivateKey(@NonNull Context context, @NonNull String alias)
throws KeyChainException, InterruptedException {
KeyPair keyPair = getKeyPair(context, alias);
if (keyPair != null) {
return keyPair.getPrivate();
}
return null;
}
/**
* This prefix is used to disambiguate grant aliase strings from normal key alias strings.
* Technically, a key alias string can use the same prefix. However, a collision does not
* lead to privilege escalation, because grants are access controlled in the Keystore daemon.
* @hide
*/
public static final String GRANT_ALIAS_PREFIX = "ks2_keychain_grant_id:";
private static KeyDescriptor getGrantDescriptor(String keyid) {
KeyDescriptor result = new KeyDescriptor();
result.domain = Domain.GRANT;
result.blob = null;
result.alias = null;
try {
result.nspace = Long.parseUnsignedLong(
keyid.substring(GRANT_ALIAS_PREFIX.length()), 16 /* radix */);
} catch (NumberFormatException e) {
return null;
}
return result;
}
/** @hide */
public static String getGrantString(KeyDescriptor key) {
return String.format(GRANT_ALIAS_PREFIX + "%016X", key.nspace);
}
/** @hide */
@Nullable @WorkerThread
public static KeyPair getKeyPair(@NonNull Context context, @NonNull String alias)
throws KeyChainException, InterruptedException {
if (alias == null) {
throw new NullPointerException("alias == null");
}
if (context == null) {
throw new NullPointerException("context == null");
}
final String keyId;
try (KeyChainConnection keyChainConnection = bind(context.getApplicationContext())) {
keyId = keyChainConnection.getService().requestPrivateKey(alias);
} catch (RemoteException e) {
throw new KeyChainException(e);
} catch (RuntimeException e) {
// only certain RuntimeExceptions can be propagated across the IKeyChainService call
throw new KeyChainException(e);
}
if (keyId == null) {
return null;
}
if (AndroidKeyStoreProvider.isKeystore2Enabled()) {
try {
return android.security.keystore2.AndroidKeyStoreProvider
.loadAndroidKeyStoreKeyPairFromKeystore(
KeyStore2.getInstance(),
getGrantDescriptor(keyId));
} catch (UnrecoverableKeyException | KeyPermanentlyInvalidatedException e) {
throw new KeyChainException(e);
}
} else {
try {
return AndroidKeyStoreProvider.loadAndroidKeyStoreKeyPairFromKeystore(
KeyStore.getInstance(), keyId, KeyStore.UID_SELF);
} catch (RuntimeException | UnrecoverableKeyException
| KeyPermanentlyInvalidatedException e) {
throw new KeyChainException(e);
}
}
}
/**
* Returns the {@code X509Certificate} chain for the requested alias, or null if the alias
* does not exist or the caller has no permission to access it (see note on exceptions
* in {@link #getPrivateKey}).
*
* <p>
* <strong>Note:</strong> If a certificate chain was explicitly specified when the alias was
* installed, this method will return that chain. If only the client certificate was specified
* at the installation time, this method will try to build a certificate chain using all
* available trust anchors (preinstalled and user-added).
*
* <p> This method may block while waiting for a connection to another process, and must never
* be called from the main thread.
* <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed
* at any time from the main thread, it is safer to rely on a long-lived context such as one
* returned from {@link Context#getApplicationContext()}.
* <p> In case the caller specifies an alias for which it lacks a grant, it must call
* {@link #choosePrivateKeyAlias} again. See {@link #getPrivateKey} for more details on
* coping with this scenario.
*
* @param alias The alias of the desired certificate chain, typically
* returned via {@link KeyChainAliasCallback#alias}.
* @throws KeyChainException if the alias was valid but there was some problem accessing it.
* @throws IllegalStateException if called from the main thread.
*/
@Nullable @WorkerThread
public static X509Certificate[] getCertificateChain(@NonNull Context context,
@NonNull String alias) throws KeyChainException, InterruptedException {
if (alias == null) {
throw new NullPointerException("alias == null");
}
final byte[] certificateBytes;
final byte[] certChainBytes;
try (KeyChainConnection keyChainConnection = bind(context.getApplicationContext())) {
IKeyChainService keyChainService = keyChainConnection.getService();
certificateBytes = keyChainService.getCertificate(alias);
if (certificateBytes == null) {
return null;
}
certChainBytes = keyChainService.getCaCertificates(alias);
} catch (RemoteException e) {
throw new KeyChainException(e);
} catch (RuntimeException e) {
// only certain RuntimeExceptions can be propagated across the IKeyChainService call
throw new KeyChainException(e);
}
try {
X509Certificate leafCert = toCertificate(certificateBytes);
// If the keypair is installed with a certificate chain by either
// DevicePolicyManager.installKeyPair or CertInstaller, return that chain.
if (certChainBytes != null && certChainBytes.length != 0) {
Collection<X509Certificate> chain = toCertificates(certChainBytes);
ArrayList<X509Certificate> fullChain = new ArrayList<>(chain.size() + 1);
fullChain.add(leafCert);
fullChain.addAll(chain);
return fullChain.toArray(new X509Certificate[fullChain.size()]);
} else {
// If there isn't a certificate chain, either due to a pre-existing keypair
// installed before N, or no chain is explicitly installed under the new logic,
// fall back to old behavior of constructing the chain from trusted credentials.
//
// This logic exists to maintain old behaviour for already installed keypair, at
// the cost of potentially returning extra certificate chain for new clients who
// explicitly installed only the client certificate without a chain. The latter
// case is actually no different from pre-N behaviour of getCertificateChain(),
// in that sense this change introduces no regression. Besides the returned chain
// is still valid so the consumer of the chain should have no problem verifying it.
TrustedCertificateStore store = new TrustedCertificateStore();
List<X509Certificate> chain = store.getCertificateChain(leafCert);
return chain.toArray(new X509Certificate[chain.size()]);
}
} catch (CertificateException | RuntimeException e) {
throw new KeyChainException(e);
}
}
/**
* Returns {@code true} if the current device's {@code KeyChain} supports a
* specific {@code PrivateKey} type indicated by {@code algorithm} (e.g.,
* "RSA").
*/
public static boolean isKeyAlgorithmSupported(
@NonNull @KeyProperties.KeyAlgorithmEnum String algorithm) {
final String algUpper = algorithm.toUpperCase(Locale.US);
return KeyProperties.KEY_ALGORITHM_EC.equals(algUpper)
|| KeyProperties.KEY_ALGORITHM_RSA.equals(algUpper);
}
/**
* Returns {@code true} if the current device's {@code KeyChain} binds any
* {@code PrivateKey} of the given {@code algorithm} to the device once
* imported or generated. This can be used to tell if there is special
* hardware support that can be used to bind keys to the device in a way
* that makes it non-exportable.
*
* @deprecated Whether the key is bound to the secure hardware is known only
* once the key has been imported. To find out, use:
* <pre>{@code
* PrivateKey key = ...; // private key from KeyChain
*
* KeyFactory keyFactory =
* KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
* KeyInfo keyInfo = keyFactory.getKeySpec(key, KeyInfo.class);
* if (keyInfo.isInsideSecureHardware()) {
* // The key is bound to the secure hardware of this Android
* }}</pre>
*/
@Deprecated
public static boolean isBoundKeyAlgorithm(
@NonNull @KeyProperties.KeyAlgorithmEnum String algorithm) {
// All supported algorithms are hardware backed. Individual keys may not be.
return true;
}
/** @hide */
@NonNull
public static X509Certificate toCertificate(@NonNull byte[] bytes) {
if (bytes == null) {
throw new IllegalArgumentException("bytes == null");
}
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes));
return (X509Certificate) cert;
} catch (CertificateException e) {
throw new AssertionError(e);
}
}
/** @hide */
@NonNull
public static Collection<X509Certificate> toCertificates(@NonNull byte[] bytes) {
if (bytes == null) {
throw new IllegalArgumentException("bytes == null");
}
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
return (Collection<X509Certificate>) certFactory.generateCertificates(
new ByteArrayInputStream(bytes));
} catch (CertificateException e) {
throw new AssertionError(e);
}
}
/**
* @hide for reuse by CertInstaller and Settings.
* @see KeyChain#bind
*/
public static class KeyChainConnection implements Closeable {
private final Context mContext;
private final ServiceConnection mServiceConnection;
private final IKeyChainService mService;
protected KeyChainConnection(Context context,
ServiceConnection serviceConnection,
IKeyChainService service) {
this.mContext = context;
this.mServiceConnection = serviceConnection;
this.mService = service;
}
@Override public void close() {
mContext.unbindService(mServiceConnection);
}
/** returns the service binder. */
public IKeyChainService getService() {
return mService;
}
}
/**
* Bind to KeyChainService in the current user.
* Caller should call unbindService on the result when finished.
*
*@throws InterruptedException if interrupted during binding.
*@throws AssertionError if unable to bind to KeyChainService.
* @hide for reuse by CertInstaller and Settings.
*/
@WorkerThread
public static KeyChainConnection bind(@NonNull Context context) throws InterruptedException {
return bindAsUser(context, Process.myUserHandle());
}
/**
* Bind to KeyChainService in the target user.
* Caller should call unbindService on the result when finished.
*
* @throws InterruptedException if interrupted during binding.
* @throws AssertionError if unable to bind to KeyChainService.
* @hide
*/
@WorkerThread
public static KeyChainConnection bindAsUser(@NonNull Context context, UserHandle user)
throws InterruptedException {
return bindAsUser(context, null, user);
}
/**
* Returns a persistable grant string that allows WiFi stack to access the key using Keystore
* SSL engine.
*
* @return grant string or null if key is not granted or doesn't exist.
*
* The key should be granted to Process.WIFI_UID.
* @hide
*/
@SystemApi
@Nullable
@WorkerThread
public static String getWifiKeyGrantAsUser(
@NonNull Context context, @NonNull UserHandle user, @NonNull String alias) {
try (KeyChainConnection keyChainConnection =
bindAsUser(context.getApplicationContext(), user)) {
return keyChainConnection.getService().getWifiKeyGrantAsUser(alias);
} catch (RemoteException | RuntimeException e) {
Log.i(LOG, "Couldn't get grant for wifi", e);
return null;
} catch (InterruptedException e) {
Thread.currentThread().interrupt();
Log.i(LOG, "Interrupted while getting grant for wifi", e);
return null;
}
}
/**
* Returns whether the key is granted to WiFi stack.
* @hide
*/
@SystemApi
@WorkerThread
public static boolean hasWifiKeyGrantAsUser(
@NonNull Context context, @NonNull UserHandle user, @NonNull String alias) {
try (KeyChainConnection keyChainConnection =
bindAsUser(context.getApplicationContext(), user)) {
return keyChainConnection.getService().hasGrant(Process.WIFI_UID, alias);
} catch (RemoteException | RuntimeException e) {
Log.i(LOG, "Couldn't query grant for wifi", e);
return false;
} catch (InterruptedException e) {
Thread.currentThread().interrupt();
Log.i(LOG, "Interrupted while querying grant for wifi", e);
return false;
}
}
/**
* Bind to KeyChainService in the target user.
* Caller should call unbindService on the result when finished.
*
* @throws InterruptedException if interrupted during binding.
* @throws AssertionError if unable to bind to KeyChainService.
* @hide
*/
public static KeyChainConnection bindAsUser(@NonNull Context context, @Nullable Handler handler,
UserHandle user) throws InterruptedException {
if (context == null) {
throw new NullPointerException("context == null");
}
if (handler == null) {
ensureNotOnMainThread(context);
}
if (!UserManager.get(context).isUserUnlocked(user)) {
throw new IllegalStateException("User must be unlocked");
}
final CountDownLatch countDownLatch = new CountDownLatch(1);
final AtomicReference<IKeyChainService> keyChainService = new AtomicReference<>();
ServiceConnection keyChainServiceConnection = new ServiceConnection() {
volatile boolean mConnectedAtLeastOnce = false;
@Override public void onServiceConnected(ComponentName name, IBinder service) {
if (!mConnectedAtLeastOnce) {
mConnectedAtLeastOnce = true;
keyChainService.set(
IKeyChainService.Stub.asInterface(Binder.allowBlocking(service)));
countDownLatch.countDown();
}
}
@Override public void onBindingDied(ComponentName name) {
if (!mConnectedAtLeastOnce) {
mConnectedAtLeastOnce = true;
countDownLatch.countDown();
}
}
@Override public void onServiceDisconnected(ComponentName name) {}
};
Intent intent = new Intent(IKeyChainService.class.getName());
ComponentName comp = intent.resolveSystemService(context.getPackageManager(), 0);
if (comp == null) {
throw new AssertionError("could not resolve KeyChainService");
}
intent.setComponent(comp);
final boolean bindSucceed;
if (handler != null) {
bindSucceed = context.bindServiceAsUser(
intent, keyChainServiceConnection, Context.BIND_AUTO_CREATE, handler, user);
} else {
bindSucceed = context.bindServiceAsUser(
intent, keyChainServiceConnection, Context.BIND_AUTO_CREATE, user);
}
if (!bindSucceed) {
throw new AssertionError("could not bind to KeyChainService");
}
countDownLatch.await();
IKeyChainService service = keyChainService.get();
if (service != null) {
return new KeyChainConnection(context, keyChainServiceConnection, service);
} else {
context.unbindService(keyChainServiceConnection);
throw new AssertionError("KeyChainService died while binding");
}
}
private static void ensureNotOnMainThread(@NonNull Context context) {
Looper looper = Looper.myLooper();
if (looper != null && looper == context.getMainLooper()) {
throw new IllegalStateException(
"calling this from your main thread can lead to deadlock");
}
}
}