diff options
| author | Chung-yih Wang <cywang@google.com> | 2009-07-02 00:22:04 +0800 |
|---|---|---|
| committer | Chung-yih Wang <cywang@google.com> | 2009-07-02 18:56:12 +0800 |
| commit | eec11827a6c06b029030f43c8d54fd871cc3347d (patch) | |
| tree | 6ed138af9f9d632cc6e74dbb517626adb802ac96 | |
| parent | d45dcbec856710f9478ffc5689e7cdf95d757ab8 (diff) | |
| download | frameworks_base-eec11827a6c06b029030f43c8d54fd871cc3347d.zip frameworks_base-eec11827a6c06b029030f43c8d54fd871cc3347d.tar.gz frameworks_base-eec11827a6c06b029030f43c8d54fd871cc3347d.tar.bz2 | |
Add CertTool for handling the keygen and certificate download.
1. Have the new Keystore for mini-keystore impelemntation.
2. Add CertTool library and jni dll for handling keygen and certificates.
3. Make Reply hidden.
4. Revert some 'incorrect' change and correct the description.
| -rw-r--r-- | keystore/java/android/security/CertTool.java | 143 | ||||
| -rw-r--r-- | keystore/java/android/security/Keystore.java | 198 | ||||
| -rw-r--r-- | keystore/java/android/security/Reply.java | 26 | ||||
| -rw-r--r-- | keystore/java/android/security/ServiceCommand.java | 88 | ||||
| -rw-r--r-- | keystore/jni/Android.mk | 31 | ||||
| -rw-r--r-- | keystore/jni/cert.c | 249 | ||||
| -rw-r--r-- | keystore/jni/cert.h | 59 | ||||
| -rw-r--r-- | keystore/jni/certtool.c | 176 |
8 files changed, 829 insertions, 141 deletions
diff --git a/keystore/java/android/security/CertTool.java b/keystore/java/android/security/CertTool.java new file mode 100644 index 0000000..285def2 --- /dev/null +++ b/keystore/java/android/security/CertTool.java @@ -0,0 +1,143 @@ +/* + * Copyright (C) 2009 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security; + +import android.content.Context; +import android.content.Intent; +import android.security.Keystore; +import android.text.TextUtils; + + +/** + * The CertTool class provides the functions to list the certs/keys, + * generate the certificate request(csr) and store the certificate into + * keystore. + * + * {@hide} + */ +public class CertTool { + public static final String ACTION_ADD_CREDENTIAL = + "android.security.ADD_CREDENTIAL"; + public static final String KEY_TYPE_NAME = "typeName"; + public static final String KEY_ITEM = "item"; + public static final String KEY_NAMESPACE = "namespace"; + public static final String KEY_DESCRIPTION = "description"; + + private static final String TAG = "CertTool"; + + private static final String TITLE_CA_CERT = "CA Certificate"; + private static final String TITLE_USER_CERT = "User Certificate"; + private static final String TITLE_PKCS12_KEYSTORE = "PKCS12 Keystore"; + private static final String TITLE_PRIVATE_KEY = "Private Key"; + private static final String UNKNOWN = "Unknown"; + private static final String ISSUER_NAME = "Issuer Name:"; + private static final String DISTINCT_NAME = "Distinct Name:"; + + private static final String CA_CERTIFICATE = "CACERT"; + private static final String USER_CERTIFICATE = "USRCERT"; + private static final String USER_KEY = "USRKEY"; + + private static final String KEYNAME_DELIMITER = " "; + private static final Keystore keystore = Keystore.getInstance(); + + private native String generateCertificateRequest(int bits, String subject); + private native boolean isPkcs12Keystore(byte[] data); + private native int generateX509Certificate(byte[] data); + private native boolean isCaCertificate(int handle); + private native String getIssuerDN(int handle); + private native String getCertificateDN(int handle); + private native String getPrivateKeyPEM(int handle); + private native void freeX509Certificate(int handle); + + public String getUserPrivateKey(String key) { + return USER_KEY + KEYNAME_DELIMITER + key; + } + + public String getUserCertificate(String key) { + return USER_CERTIFICATE + KEYNAME_DELIMITER + key; + } + + public String getCaCertificate(String key) { + return CA_CERTIFICATE + KEYNAME_DELIMITER + key; + } + + public String[] getAllUserCertificateKeys() { + return keystore.listKeys(USER_KEY); + } + + public String[] getAllCaCertificateKeys() { + return keystore.listKeys(CA_CERTIFICATE); + } + + public String[] getSupportedKeyStrenghs() { + return new String[] {"High Grade", "Medium Grade"}; + } + + private int getKeyLength(int index) { + if (index == 0) return 2048; + return 1024; + } + + public String generateKeyPair(int keyStrengthIndex, String challenge, + String dirName) { + return generateCertificateRequest(getKeyLength(keyStrengthIndex), + dirName); + } + + private Intent prepareIntent(String title, byte[] data, String namespace, + String issuer, String distinctName) { + Intent intent = new Intent(ACTION_ADD_CREDENTIAL); + intent.putExtra(KEY_TYPE_NAME, title); + intent.putExtra(KEY_ITEM + "0", data); + intent.putExtra(KEY_NAMESPACE + "0", namespace); + intent.putExtra(KEY_DESCRIPTION + "0", ISSUER_NAME + issuer); + intent.putExtra(KEY_DESCRIPTION + "1", DISTINCT_NAME + distinctName); + return intent; + } + + private void addExtraIntentInfo(Intent intent, String namespace, + String data) { + intent.putExtra(KEY_ITEM + "1", data); + intent.putExtra(KEY_NAMESPACE + "1", namespace); + } + + public synchronized void addCertificate(byte[] data, Context context) { + int handle; + Intent intent = null; + + if (isPkcs12Keystore(data)) { + intent = prepareIntent(TITLE_PKCS12_KEYSTORE, data, USER_KEY, + UNKNOWN, UNKNOWN); + } else if ((handle = generateX509Certificate(data)) != 0) { + String issuer = getIssuerDN(handle); + String distinctName = getCertificateDN(handle); + String privateKeyPEM = getPrivateKeyPEM(handle); + if (isCaCertificate(handle)) { + intent = prepareIntent(TITLE_CA_CERT, data, CA_CERTIFICATE, + issuer, distinctName); + } else { + intent = prepareIntent(TITLE_USER_CERT, data, USER_CERTIFICATE, + issuer, distinctName); + if (!TextUtils.isEmpty(privateKeyPEM)) { + addExtraIntentInfo(intent, USER_KEY, privateKeyPEM); + } + } + freeX509Certificate(handle); + } + if (intent != null) context.startActivity(intent); + } +} diff --git a/keystore/java/android/security/Keystore.java b/keystore/java/android/security/Keystore.java index 2a3e6a7..462645a 100644 --- a/keystore/java/android/security/Keystore.java +++ b/keystore/java/android/security/Keystore.java @@ -20,6 +20,7 @@ package android.security; * The Keystore class provides the functions to list the certs/keys in keystore. * {@hide} */ + public abstract class Keystore { private static final String TAG = "Keystore"; private static final String[] NOTFOUND = new String[0]; @@ -30,25 +31,18 @@ public abstract class Keystore { return new FileKeystore(); } - // for compatiblity, start from here - /** - */ - public abstract String getUserkey(String key); - - /** - */ - public abstract String getCertificate(String key); - - /** - */ - public abstract String[] getAllCertificateKeys(); - - /** - */ - public abstract String[] getAllUserkeyKeys(); - - // to here - + public abstract int lock(); + public abstract int unlock(String password); + public abstract int getState(); + public abstract int changePassword(String oldPassword, String newPassword); + public abstract int setPassword(String firstPassword); + public abstract String[] listKeys(String namespace); + public abstract int put(String namespace, String keyname, String value); + public abstract String get(String namespace, String keyname); + public abstract int remove(String namespace, String keyname); + public abstract int reset(); + + // TODO: for migrating to the mini-keystore, clean up from here /** */ public abstract String getCaCertificate(String key); @@ -89,101 +83,41 @@ public abstract class Keystore { int keyStrengthIndex, String challenge, String organizations); public abstract void addCertificate(byte[] cert); + // to here private static class FileKeystore extends Keystore { private static final String SERVICE_NAME = "keystore"; - private static final String LIST_CA_CERTIFICATES = "listcacerts"; - private static final String LIST_USER_CERTIFICATES = "listusercerts"; - private static final String GET_CA_CERTIFICATE = "getcacert"; - private static final String GET_USER_CERTIFICATE = "getusercert"; - private static final String GET_USER_KEY = "getuserkey"; - private static final String ADD_CA_CERTIFICATE = "addcacert"; - private static final String ADD_USER_CERTIFICATE = "addusercert"; - private static final String ADD_USER_KEY = "adduserkey"; - private static final String COMMAND_DELIMITER = "\t"; + private static final String CA_CERTIFICATE = "CaCertificate"; + private static final String USER_CERTIFICATE = "UserCertificate"; + private static final String USER_KEY = "UserPrivateKey"; + private static final String COMMAND_DELIMITER = " "; private static final ServiceCommand mServiceCommand = new ServiceCommand(SERVICE_NAME); - // for compatiblity, start from here - - private static final String LIST_CERTIFICATES = "listcerts"; - private static final String LIST_USERKEYS = "listuserkeys"; - private static final String PATH = "/data/misc/keystore/"; - private static final String USERKEY_PATH = PATH + "userkeys/"; - private static final String CERT_PATH = PATH + "certs/"; - - @Override - public String getUserkey(String key) { - return USERKEY_PATH + key; - } - - @Override - public String getCertificate(String key) { - return CERT_PATH + key; - } - - @Override - public String[] getAllCertificateKeys() { - try { - String result = mServiceCommand.execute(LIST_CERTIFICATES); - if (result != null) return result.split("\\s+"); - return NOTFOUND; - } catch (NumberFormatException ex) { - return NOTFOUND; - } - } - - @Override - public String[] getAllUserkeyKeys() { - try { - String result = mServiceCommand.execute(LIST_USERKEYS); - if (result != null) return result.split("\\s+"); - return NOTFOUND; - } catch (NumberFormatException ex) { - return NOTFOUND; - } - } - - // to here - + // TODO: for migrating to the mini-keystore, start from here @Override public String getUserPrivateKey(String key) { - return mServiceCommand.execute( - GET_USER_KEY + COMMAND_DELIMITER + key); + return ""; } @Override public String getUserCertificate(String key) { - return mServiceCommand.execute( - GET_USER_CERTIFICATE + COMMAND_DELIMITER + key); + return ""; } @Override public String getCaCertificate(String key) { - return mServiceCommand.execute( - GET_CA_CERTIFICATE + COMMAND_DELIMITER + key); + return ""; } @Override public String[] getAllUserCertificateKeys() { - try { - String result = mServiceCommand.execute(LIST_USER_CERTIFICATES); - if (result != null) return result.split("\\s+"); - return NOTFOUND; - } catch (NumberFormatException ex) { - return NOTFOUND; - } + return new String[0]; } @Override public String[] getAllCaCertificateKeys() { - try { - String result = mServiceCommand.execute(LIST_CA_CERTIFICATES); - if (result != null) return result.split("\\s+"); - return NOTFOUND; - } catch (NumberFormatException ex) { - return NOTFOUND; - } + return new String[0]; } @Override @@ -221,25 +155,77 @@ public abstract class Keystore { // TODO: real implementation } - private boolean addUserCertificate(String key, String certificate, - String privateKey) { - if(mServiceCommand.execute(ADD_USER_CERTIFICATE + COMMAND_DELIMITER - + key + COMMAND_DELIMITER + certificate) != null) { - if (mServiceCommand.execute(ADD_USER_KEY + COMMAND_DELIMITER - + key + COMMAND_DELIMITER + privateKey) != null) { - return true; - } - } - return false; + // to here + + @Override + public int lock() { + Reply result = mServiceCommand.execute(ServiceCommand.LOCK, null); + return (result != null) ? result.returnCode : -1; + } + + @Override + public int unlock(String password) { + Reply result = mServiceCommand.execute(ServiceCommand.UNLOCK, + password); + return (result != null) ? result.returnCode : -1; } - private boolean addCaCertificate(String key, String content) { - if (mServiceCommand.execute(ADD_CA_CERTIFICATE + COMMAND_DELIMITER - + key + COMMAND_DELIMITER + content) != null) { - return true; - } - return false; + @Override + public int getState() { + Reply result = mServiceCommand.execute(ServiceCommand.GET_STATE, + null); + return (result != null) ? result.returnCode : -1; + } + + @Override + public int changePassword(String oldPassword, String newPassword) { + Reply result = mServiceCommand.execute(ServiceCommand.PASSWD, + oldPassword + " " + newPassword); + return (result != null) ? result.returnCode : -1; + } + + @Override + public int setPassword(String firstPassword) { + Reply result = mServiceCommand.execute(ServiceCommand.PASSWD, + firstPassword); + return (result != null) ? result.returnCode : -1; } + @Override + public String[] listKeys(String namespace) { + Reply result = mServiceCommand.execute(ServiceCommand.LIST_KEYS, + namespace); + return (result != null) ? ((result.returnCode != 0) ? NOTFOUND : + new String(result.data, 0, result.len).split("\\s+")) + : NOTFOUND; + } + + @Override + public int put(String namespace, String keyname, String value) { + Reply result = mServiceCommand.execute(ServiceCommand.PUT_KEY, + namespace + " " + keyname + " " + value); + return (result != null) ? result.returnCode : -1; + } + + @Override + public String get(String namespace, String keyname) { + Reply result = mServiceCommand.execute(ServiceCommand.GET_KEY, + namespace + " " + keyname); + return (result != null) ? ((result.returnCode != 0) ? null : + new String(result.data, 0, result.len)) : null; + } + + @Override + public int remove(String namespace, String keyname) { + Reply result = mServiceCommand.execute(ServiceCommand.REMOVE_KEY, + namespace + " " + keyname); + return (result != null) ? result.returnCode : -1; + } + + @Override + public int reset() { + Reply result = mServiceCommand.execute(ServiceCommand.RESET, null); + return (result != null) ? result.returnCode : -1; + } } } diff --git a/keystore/java/android/security/Reply.java b/keystore/java/android/security/Reply.java new file mode 100644 index 0000000..15a0dde --- /dev/null +++ b/keystore/java/android/security/Reply.java @@ -0,0 +1,26 @@ +/* + * Copyright (C) 2009 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security; + +/* + * {@hide} + */ +public class Reply { + public int len; + public int returnCode; + public byte[] data = new byte[ServiceCommand.BUFFER_LENGTH]; +} diff --git a/keystore/java/android/security/ServiceCommand.java b/keystore/java/android/security/ServiceCommand.java index f1d4302..2f335be 100644 --- a/keystore/java/android/security/ServiceCommand.java +++ b/keystore/java/android/security/ServiceCommand.java @@ -35,15 +35,25 @@ public class ServiceCommand { public static final String SUCCESS = "0"; public static final String FAILED = "-1"; + // Opcodes for keystore commands. + public static final int LOCK = 0; + public static final int UNLOCK = 1; + public static final int PASSWD = 2; + public static final int GET_STATE = 3; + public static final int LIST_KEYS = 4; + public static final int GET_KEY = 5; + public static final int PUT_KEY = 6; + public static final int REMOVE_KEY = 7; + public static final int RESET = 8; + public static final int MAX_CMD_INDEX = 9; + + public static final int BUFFER_LENGTH = 4096; + private String mServiceName; private String mTag; private InputStream mIn; private OutputStream mOut; private LocalSocket mSocket; - private static final int BUFFER_LENGTH = 1024; - - private byte buf[] = new byte[BUFFER_LENGTH]; - private int buflen = 0; private boolean connect() { if (mSocket != null) { @@ -104,35 +114,47 @@ public class ServiceCommand { return false; } - private boolean readReply() { - int len, ret; - buflen = 0; + private Reply readReply() { + byte buf[] = new byte[4]; + Reply reply = new Reply(); - if (!readBytes(buf, 2)) return false; - ret = (((int) buf[0]) & 0xff) | ((((int) buf[1]) & 0xff) << 8); - if (ret != 0) return false; + if (!readBytes(buf, 4)) return null; + reply.len = (((int) buf[0]) & 0xff) | ((((int) buf[1]) & 0xff) << 8) | + ((((int) buf[2]) & 0xff) << 16) | + ((((int) buf[3]) & 0xff) << 24); - if (!readBytes(buf, 2)) return false; - len = (((int) buf[0]) & 0xff) | ((((int) buf[1]) & 0xff) << 8); - if (len > BUFFER_LENGTH) { - Log.e(mTag,"invalid reply length (" + len + ")"); + if (!readBytes(buf, 4)) return null; + reply.returnCode = (((int) buf[0]) & 0xff) | + ((((int) buf[1]) & 0xff) << 8) | + ((((int) buf[2]) & 0xff) << 16) | + ((((int) buf[3]) & 0xff) << 24); + + if (reply.len > BUFFER_LENGTH) { + Log.e(mTag,"invalid reply length (" + reply.len + ")"); disconnect(); - return false; + return null; } - if (!readBytes(buf, len)) return false; - buflen = len; - return true; + if (!readBytes(reply.data, reply.len)) return null; + return reply; } - private boolean writeCommand(String _cmd) { - byte[] cmd = _cmd.getBytes(); - int len = cmd.length; - if ((len < 1) || (len > BUFFER_LENGTH)) return false; + private boolean writeCommand(int cmd, String _data) { + byte buf[] = new byte[8]; + byte[] data = _data.getBytes(); + int len = data.length; + // the length of data buf[0] = (byte) (len & 0xff); buf[1] = (byte) ((len >> 8) & 0xff); + buf[2] = (byte) ((len >> 16) & 0xff); + buf[3] = (byte) ((len >> 24) & 0xff); + // the opcode of the command + buf[4] = (byte) (cmd & 0xff); + buf[5] = (byte) ((cmd >> 8) & 0xff); + buf[6] = (byte) ((cmd >> 16) & 0xff); + buf[7] = (byte) ((cmd >> 24) & 0xff); try { - mOut.write(buf, 0, 2); - mOut.write(cmd, 0, len); + mOut.write(buf, 0, 8); + mOut.write(data, 0, len); } catch (IOException ex) { Log.e(mTag,"write error"); disconnect(); @@ -141,32 +163,28 @@ public class ServiceCommand { return true; } - private String executeCommand(String cmd) { - if (!writeCommand(cmd)) { + private Reply executeCommand(int cmd, String data) { + if (!writeCommand(cmd, data)) { /* If service died and restarted in the background * (unlikely but possible) we'll fail on the next * write (this one). Try to reconnect and write * the command one more time before giving up. */ Log.e(mTag, "write command failed? reconnect!"); - if (!connect() || !writeCommand(cmd)) { + if (!connect() || !writeCommand(cmd, data)) { return null; } } - if (readReply()) { - return new String(buf, 0, buflen); - } else { - return null; - } + return readReply(); } - public synchronized String execute(String cmd) { - String result; + public synchronized Reply execute(int cmd, String data) { + Reply result; if (!connect()) { Log.e(mTag, "connection failed"); return null; } - result = executeCommand(cmd); + result = executeCommand(cmd, data); disconnect(); return result; } diff --git a/keystore/jni/Android.mk b/keystore/jni/Android.mk new file mode 100644 index 0000000..92c2d6d --- /dev/null +++ b/keystore/jni/Android.mk @@ -0,0 +1,31 @@ +LOCAL_PATH:= $(call my-dir) +include $(CLEAR_VARS) + +LOCAL_SRC_FILES:= \ + cert.c certtool.c + +LOCAL_C_INCLUDES += \ + $(JNI_H_INCLUDE) \ + external/openssl/include + +LOCAL_SHARED_LIBRARIES := \ + libcutils \ + libnativehelper \ + libutils \ + libcrypto + +ifeq ($(TARGET_SIMULATOR),true) +ifeq ($(TARGET_OS),linux) +ifeq ($(TARGET_ARCH),x86) +LOCAL_LDLIBS += -lpthread -ldl -lrt -lssl +endif +endif +endif + +ifeq ($(WITH_MALLOC_LEAK_CHECK),true) + LOCAL_CFLAGS += -DMALLOC_LEAK_CHECK +endif + +LOCAL_MODULE:= libcerttool_jni + +include $(BUILD_SHARED_LIBRARY) diff --git a/keystore/jni/cert.c b/keystore/jni/cert.c new file mode 100644 index 0000000..07f0e86 --- /dev/null +++ b/keystore/jni/cert.c @@ -0,0 +1,249 @@ +/* +** +** Copyright 2009, The Android Open Source Project +** +** Licensed under the Apache License, Version 2.0 (the "License"); +** you may not use this file except in compliance with the License. +** You may obtain a copy of the License at +** +** http://www.apache.org/licenses/LICENSE-2.0 +** +** Unless required by applicable law or agreed to in writing, software +** distributed under the License is distributed on an "AS IS" BASIS, +** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +** See the License for the specific language governing permissions and +** limitations under the License. +*/ + +#define LOG_TAG "CertTool" + +#include <stdio.h> +#include <openssl/engine.h> +#include <openssl/pem.h> +#include <openssl/pkcs12.h> +#include <openssl/rsa.h> +#include <openssl/x509v3.h> +#include <cutils/log.h> + +#include "cert.h" + +static PKEY_STORE pkey_store[KEYGEN_STORE_SIZE]; +static int store_index = 0; + +static char emsg[][30] = { + "", + STR(ERR_INVALID_KEY_LENGTH), + STR(ERR_CONSTRUCT_NEW_DATA), + STR(ERR_RSA_KEYGEN), + STR(ERR_X509_PROCESS), + STR(ERR_BIO_READ), +}; + +static void save_in_store(X509_REQ *req, EVP_PKEY *pkey) +{ + EVP_PKEY *newpkey = EVP_PKEY_new(); + RSA *rsa = EVP_PKEY_get1_RSA(pkey); + EVP_PKEY_set1_RSA(newpkey, rsa); + PKEY_STORE_free(pkey_store[store_index]); + pkey_store[store_index].key_len = + i2d_X509_PUBKEY(req->req_info->pubkey, &pkey_store[store_index].public_key); + pkey_store[store_index++].pkey = newpkey; + store_index %= KEYGEN_STORE_SIZE; + RSA_free(rsa); +} + +static EVP_PKEY *get_pkey_from_store(X509 *cert) +{ + int i, key_len; + unsigned char *buf = NULL; + if ((key_len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf)) == 0) { + return NULL; + } + for (i = 0 ; i < KEYGEN_STORE_SIZE ; ++i) { + if ((key_len == pkey_store[i].key_len) && + memcmp(buf, pkey_store[i].public_key, key_len) == 0) { + break; + } + } + free(buf); + return (i == KEYGEN_STORE_SIZE) ? NULL : pkey_store[i].pkey; +} + +int gen_csr(int bits, const char *organizations, char reply[REPLY_MAX]) +{ + int len, ret_code = 0; + BIGNUM *bn = NULL; + BIO *bio = NULL; + EVP_PKEY *pkey = NULL; + RSA *rsa = NULL; + X509_REQ *req = NULL; + X509_NAME *name = NULL; + + if ((bio = BIO_new(BIO_s_mem())) == NULL) goto err; + + if ((bits != KEYLENGTH_MEDIUM) && (bits != KEYLENGTH_MAXIMUM)) { + ret_code = ERR_INVALID_KEY_LENGTH; + goto err; + } + + if (((pkey = EVP_PKEY_new()) == NULL) || + ((req = X509_REQ_new()) == NULL) || + ((rsa = RSA_new()) == NULL) || ((bn = BN_new()) == NULL)) { + ret_code = ERR_CONSTRUCT_NEW_DATA; + goto err; + } + + if (!BN_set_word(bn, RSA_F4) || + !RSA_generate_key_ex(rsa, bits, bn, NULL) || + !EVP_PKEY_assign_RSA(pkey, rsa)) { + ret_code = ERR_RSA_KEYGEN; + goto err; + } + + // rsa will be part of the req, it will be freed in X509_REQ_free(req) + rsa = NULL; + + X509_REQ_set_pubkey(req, pkey); + name = X509_REQ_get_subject_name(req); + + X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, + (const unsigned char *)"US", -1, -1, 0); + X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, + (const unsigned char *) ANDROID_KEYSTORE, + -1, -1, 0); + X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, + (const unsigned char *)organizations, -1, -1, 0); + + if (!X509_REQ_sign(req, pkey, EVP_md5()) || + (PEM_write_bio_X509_REQ(bio, req) <= 0)) { + ret_code = ERR_X509_PROCESS; + goto err; + } + if ((len = BIO_read(bio, reply, REPLY_MAX - 1)) > 0) { + reply[len] = 0; + save_in_store(req, pkey); + } else { + ret_code = ERR_BIO_READ; + } + +err: + if (rsa) RSA_free(rsa); + if (bn) BN_free(bn); + if (req) X509_REQ_free(req); + if (pkey) EVP_PKEY_free(pkey); + if (bio) BIO_free(bio); + if ((ret_code > 0) && (ret_code < ERR_MAXIMUM)) LOGE(emsg[ret_code]); + return ret_code; +} + +int is_pkcs12(const char *buf, int bufLen) +{ + int ret = 0; + BIO *bp = NULL; + PKCS12 *p12 = NULL; + + if (!buf || bufLen < 1) goto err; + + if (buf[0] != 48) goto err; // it is not DER. + + if (!BIO_write(bp, buf, bufLen)) goto err; + + if ((p12 = d2i_PKCS12_bio(bp, NULL)) != NULL) { + PKCS12_free(p12); + ret = 1; + } +err: + if (bp) BIO_free(bp); + return ret; +} + +X509* parse_cert(const char *buf, int bufLen) +{ + X509 *cert = NULL; + BIO *bp = NULL; + + if(!buf || bufLen < 1) + return NULL; + + bp = BIO_new(BIO_s_mem()); + if (!bp) goto err; + + if (!BIO_write(bp, buf, bufLen)) goto err; + + cert = PEM_read_bio_X509(bp, NULL, NULL, NULL); + if (!cert) { + BIO_free(bp); + if((bp = BIO_new(BIO_s_mem())) == NULL) goto err; + + if(!BIO_write(bp, (char *) buf, bufLen)) goto err; + cert = d2i_X509_bio(bp, NULL); + } + +err: + if (bp) BIO_free(bp); + return cert; +} + +static int get_distinct_name(X509_NAME *dname, char *buf, int size) +{ + int i, len; + char *p, *name; + + if (X509_NAME_oneline(dname, buf, size) == NULL) { + return -1; + } + name = strstr(buf, "/CN="); + p = name = name ? (name + 4) : buf; + while (*p != 0) { + if (*p == ' ') *p = '_'; + if (*p == '/') { + *p = 0; + break; + } + ++p; + } + return 0; +} + +int get_cert_name(X509 *cert, char *buf, int size) +{ + if (!cert) return -1; + return get_distinct_name(X509_get_subject_name(cert), buf, size); +} + +int get_issuer_name(X509 *cert, char *buf, int size) +{ + if (!cert) return -1; + return get_distinct_name(X509_get_issuer_name(cert), buf, size); +} + +int is_ca_cert(X509 *cert) +{ + int ret = 0; + BASIC_CONSTRAINTS *bs = (BASIC_CONSTRAINTS *) + X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL); + if (bs != NULL) ret = bs->ca; + if (bs) BASIC_CONSTRAINTS_free(bs); + return ret; +} + +int get_private_key_pem(X509 *cert, char *buf, int size) +{ + int len = 0; + BIO *bio = NULL; + EVP_PKEY *pkey = get_pkey_from_store(cert); + + if (pkey == NULL) return -1; + + bio = BIO_new(BIO_s_mem()); + if ((bio = BIO_new(BIO_s_mem())) == NULL) goto err; + if (!PEM_write_bio_PrivateKey(bio, pkey, NULL,NULL,0,NULL, NULL)) { + goto err; + } + if ((len = BIO_read(bio, buf, size - 1)) > 0) { + buf[len] = 0; + } +err: + if (bio) BIO_free(bio); + return (len == 0) ? -1 : 0; +} diff --git a/keystore/jni/cert.h b/keystore/jni/cert.h new file mode 100644 index 0000000..a9807b1 --- /dev/null +++ b/keystore/jni/cert.h @@ -0,0 +1,59 @@ +/* +** +** Copyright 2009, The Android Open Source Project +** +** Licensed under the Apache License, Version 2.0 (the "License"); +** you may not use this file except in compliance with the License. +** You may obtain a copy of the License at +** +** http://www.apache.org/licenses/LICENSE-2.0 +** +** Unless required by applicable law or agreed to in writing, software +** distributed under the License is distributed on an "AS IS" BASIS, +** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +** See the License for the specific language governing permissions and +** limitations under the License. +*/ + +#ifndef __CERT_H__ +#define __CERT_H__ + +#define ANDROID_KEYSTORE "Android Keystore" +#define KEYGEN_STORE_SIZE 5 +#define KEYLENGTH_MEDIUM 1024 +#define KEYLENGTH_MAXIMUM 2048 +#define MAX_CERT_NAME_LEN 128 +#define MAX_PEM_LENGTH 4096 +#define REPLY_MAX MAX_PEM_LENGTH + + +#define STR(token) #token +#define ERR_INVALID_KEY_LENGTH 1 +#define ERR_CONSTRUCT_NEW_DATA 2 +#define ERR_RSA_KEYGEN 3 +#define ERR_X509_PROCESS 4 +#define ERR_BIO_READ 5 +#define ERR_MAXIMUM 6 + +typedef struct { + EVP_PKEY *pkey; + unsigned char *public_key; + int key_len; +} PKEY_STORE; + +#define PKEY_STORE_free(x) { \ + if(x.pkey) EVP_PKEY_free(x.pkey); \ + if(x.public_key) free(x.public_key); \ +} + +#define nelem(x) (sizeof (x) / sizeof *(x)) + +int gen_csr(int bits, const char *organizations, char reply[REPLY_MAX]); +int is_pkcs12(const char *buf, int bufLen); +X509* parse_cert(const char *buf, int bufLen); +int get_cert_name(X509 *cert, char *buf, int size); +int get_issuer_name(X509 *cert, char *buf, int size); +int is_ca_cert(X509 *cert); +int get_private_key_pem(X509 *cert, char *buf, int size); + +#endif diff --git a/keystore/jni/certtool.c b/keystore/jni/certtool.c new file mode 100644 index 0000000..c2a137e --- /dev/null +++ b/keystore/jni/certtool.c @@ -0,0 +1,176 @@ +/* +** +** Copyright 2009, The Android Open Source Project +** +** Licensed under the Apache License, Version 2.0 (the "License"); +** you may not use this file except in compliance with the License. +** You may obtain a copy of the License at +** +** http://www.apache.org/licenses/LICENSE-2.0 +** +** Unless required by applicable law or agreed to in writing, software +** distributed under the License is distributed on an "AS IS" BASIS, +** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +** See the License for the specific language governing permissions and +** limitations under the License. +*/ +#define LOG_TAG "CertTool" + +#include <string.h> +#include <jni.h> +#include <cutils/log.h> +#include <openssl/x509v3.h> + +#include "cert.h" + +jstring +android_security_CertTool_generateCertificateRequest(JNIEnv* env, + jobject thiz, + jint bits, + jstring subject) + +{ + char csr[REPLY_MAX]; + if (gen_csr(bits, subject, csr) == 0) { + return (*env)->NewStringUTF(env, csr); + } + return NULL; +} + +jboolean +android_security_CertTool_isPkcs12Keystore(JNIEnv* env, + jobject thiz, + jbyteArray data) +{ + char buf[REPLY_MAX]; + int len = (*env)->GetArrayLength(env, data); + + if (len > REPLY_MAX) return 0; + (*env)->GetByteArrayRegion(env, data, 0, len, (jbyte*)buf); + return (jboolean) is_pkcs12(buf, len); +} + +jint +android_security_CertTool_generateX509Certificate(JNIEnv* env, + jobject thiz, + jbyteArray data) +{ + char buf[REPLY_MAX]; + int len = (*env)->GetArrayLength(env, data); + + if (len > REPLY_MAX) return 0; + (*env)->GetByteArrayRegion(env, data, 0, len, (jbyte*)buf); + return (jint) parse_cert(buf, len); +} + +jboolean android_security_CertTool_isCaCertificate(JNIEnv* env, + jobject thiz, + jint handle) +{ + return (handle == 0) ? (jboolean)0 : (jboolean) is_ca_cert((X509*)handle); +} + +jstring android_security_CertTool_getIssuerDN(JNIEnv* env, + jobject thiz, + jint handle) +{ + char issuer[MAX_CERT_NAME_LEN]; + + if (handle == 0) return NULL; + if (get_issuer_name((X509*)handle, issuer, MAX_CERT_NAME_LEN)) return NULL; + return (*env)->NewStringUTF(env, issuer); +} + +jstring android_security_CertTool_getCertificateDN(JNIEnv* env, + jobject thiz, + jint handle) +{ + char name[MAX_CERT_NAME_LEN]; + if (handle == 0) return NULL; + if (get_cert_name((X509*)handle, name, MAX_CERT_NAME_LEN)) return NULL; + return (*env)->NewStringUTF(env, name); +} + +jstring android_security_CertTool_getPrivateKeyPEM(JNIEnv* env, + jobject thiz, + jint handle) +{ + char pem[MAX_PEM_LENGTH]; + if (handle == 0) return NULL; + if (get_private_key_pem((X509*)handle, pem, MAX_PEM_LENGTH)) return NULL; + return (*env)->NewStringUTF(env, pem); +} + +void android_security_CertTool_freeX509Certificate(JNIEnv* env, + jobject thiz, + jint handle) +{ + if (handle != 0) X509_free((X509*)handle); +} + +/* + * Table of methods associated with the CertTool class. + */ +static JNINativeMethod gCertToolMethods[] = { + /* name, signature, funcPtr */ + {"generateCertificateRequest", "(ILjava/lang/String;)Ljava/lang/String;", + (void*)android_security_CertTool_generateCertificateRequest}, + {"isPkcs12Keystore", "(B[)I", + (void*)android_security_CertTool_isPkcs12Keystore}, + {"generateX509Certificate", "(B[)I", + (void*)android_security_CertTool_generateX509Certificate}, + {"isCaCertificate", "(I)Z", + (void*)android_security_CertTool_isCaCertificate}, + {"getIssuerDN", "(I)Ljava/lang/String;", + (void*)android_security_CertTool_getIssuerDN}, + {"getCertificateDN", "(I)Ljava/lang/String;", + (void*)android_security_CertTool_getCertificateDN}, + {"getPrivateKeyPEM", "(I)Ljava/lang/String;", + (void*)android_security_CertTool_getPrivateKeyPEM}, + {"freeX509Certificate", "(I)V", + (void*)android_security_CertTool_freeX509Certificate}, +}; + +/* + * Register several native methods for one class. + */ +static int registerNatives(JNIEnv* env, const char* className, + JNINativeMethod* gMethods, int numMethods) +{ + jclass clazz; + + clazz = (*env)->FindClass(env, className); + if (clazz == NULL) { + LOGE("Can not find class %s\n", className); + return JNI_FALSE; + } + + if ((*env)->RegisterNatives(env, clazz, gMethods, numMethods) < 0) { + LOGE("Can not RegisterNatives\n"); + return JNI_FALSE; + } + + return JNI_TRUE; +} + +jint JNI_OnLoad(JavaVM* vm, void* reserved) +{ + JNIEnv* env = NULL; + jint result = -1; + + + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_4) != JNI_OK) { + goto bail; + } + + if (!registerNatives(env, "android/security/CertTool", + gCertToolMethods, nelem(gCertToolMethods))) { + goto bail; + } + + /* success -- return valid version number */ + result = JNI_VERSION_1_4; + +bail: + return result; +} |