diff options
Diffstat (limited to 'keystore/java/android/security')
| -rw-r--r-- | keystore/java/android/security/CertTool.java | 158 | ||||
| -rw-r--r-- | keystore/java/android/security/Keystore.java | 239 | ||||
| -rw-r--r-- | keystore/java/android/security/Reply.java | 26 | ||||
| -rw-r--r-- | keystore/java/android/security/ServiceCommand.java | 196 |
4 files changed, 619 insertions, 0 deletions
diff --git a/keystore/java/android/security/CertTool.java b/keystore/java/android/security/CertTool.java new file mode 100644 index 0000000..26d22ae --- /dev/null +++ b/keystore/java/android/security/CertTool.java @@ -0,0 +1,158 @@ +/* + * Copyright (C) 2009 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security; + +import android.content.Context; +import android.content.Intent; +import android.security.Keystore; +import android.text.TextUtils; + + +/** + * The CertTool class provides the functions to list the certs/keys, + * generate the certificate request(csr) and store the certificate into + * keystore. + * + * {@hide} + */ +public class CertTool { + static { + System.loadLibrary("certtool_jni"); + } + + public static final String ACTION_ADD_CREDENTIAL = + "android.security.ADD_CREDENTIAL"; + public static final String KEY_TYPE_NAME = "typeName"; + public static final String KEY_ITEM = "item"; + public static final String KEY_NAMESPACE = "namespace"; + public static final String KEY_DESCRIPTION = "description"; + + private static final String TAG = "CertTool"; + + private static final String TITLE_CA_CERT = "CA Certificate"; + private static final String TITLE_USER_CERT = "User Certificate"; + private static final String TITLE_PKCS12_KEYSTORE = "PKCS12 Keystore"; + private static final String TITLE_PRIVATE_KEY = "Private Key"; + private static final String UNKNOWN = "Unknown"; + private static final String ISSUER_NAME = "Issuer Name:"; + private static final String DISTINCT_NAME = "Distinct Name:"; + + private static final String CA_CERTIFICATE = "CACERT"; + private static final String USER_CERTIFICATE = "USRCERT"; + private static final String USER_KEY = "USRKEY"; + + private static final String KEYNAME_DELIMITER = "_"; + private static final Keystore sKeystore = Keystore.getInstance(); + + private native String generateCertificateRequest(int bits, String subject); + private native boolean isPkcs12Keystore(byte[] data); + private native int generateX509Certificate(byte[] data); + private native boolean isCaCertificate(int handle); + private native String getIssuerDN(int handle); + private native String getCertificateDN(int handle); + private native String getPrivateKeyPEM(int handle); + private native void freeX509Certificate(int handle); + + private static CertTool singleton = null; + + private CertTool() { } + + public static final CertTool getInstance() { + if (singleton == null) { + singleton = new CertTool(); + } + return singleton; + } + + public String getUserPrivateKey(String key) { + return USER_KEY + KEYNAME_DELIMITER + key; + } + + public String getUserCertificate(String key) { + return USER_CERTIFICATE + KEYNAME_DELIMITER + key; + } + + public String getCaCertificate(String key) { + return CA_CERTIFICATE + KEYNAME_DELIMITER + key; + } + + public String[] getAllUserCertificateKeys() { + return sKeystore.listKeys(USER_KEY); + } + + public String[] getAllCaCertificateKeys() { + return sKeystore.listKeys(CA_CERTIFICATE); + } + + public String[] getSupportedKeyStrenghs() { + return new String[] {"High Grade", "Medium Grade"}; + } + + private int getKeyLength(int index) { + if (index == 0) return 2048; + return 1024; + } + + public String generateKeyPair(int keyStrengthIndex, String challenge, + String dirName) { + return generateCertificateRequest(getKeyLength(keyStrengthIndex), + dirName); + } + + private Intent prepareIntent(String title, byte[] data, String namespace, + String issuer, String distinctName) { + Intent intent = new Intent(ACTION_ADD_CREDENTIAL); + intent.putExtra(KEY_TYPE_NAME, title); + intent.putExtra(KEY_ITEM + "0", data); + intent.putExtra(KEY_NAMESPACE + "0", namespace); + intent.putExtra(KEY_DESCRIPTION + "0", ISSUER_NAME + issuer); + intent.putExtra(KEY_DESCRIPTION + "1", DISTINCT_NAME + distinctName); + return intent; + } + + private void addExtraIntentInfo(Intent intent, String namespace, + String data) { + intent.putExtra(KEY_ITEM + "1", data); + intent.putExtra(KEY_NAMESPACE + "1", namespace); + } + + public synchronized void addCertificate(byte[] data, Context context) { + int handle; + Intent intent = null; + + if (isPkcs12Keystore(data)) { + intent = prepareIntent(TITLE_PKCS12_KEYSTORE, data, USER_KEY, + UNKNOWN, UNKNOWN); + } else if ((handle = generateX509Certificate(data)) != 0) { + String issuer = getIssuerDN(handle); + String distinctName = getCertificateDN(handle); + String privateKeyPEM = getPrivateKeyPEM(handle); + if (isCaCertificate(handle)) { + intent = prepareIntent(TITLE_CA_CERT, data, CA_CERTIFICATE, + issuer, distinctName); + } else { + intent = prepareIntent(TITLE_USER_CERT, data, USER_CERTIFICATE, + issuer, distinctName); + if (!TextUtils.isEmpty(privateKeyPEM)) { + addExtraIntentInfo(intent, USER_KEY, privateKeyPEM); + } + } + freeX509Certificate(handle); + } + if (intent != null) context.startActivity(intent); + } +} diff --git a/keystore/java/android/security/Keystore.java b/keystore/java/android/security/Keystore.java new file mode 100644 index 0000000..1f14da7 --- /dev/null +++ b/keystore/java/android/security/Keystore.java @@ -0,0 +1,239 @@ +/* + * Copyright (C) 2009 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security; + +/** + * The Keystore class provides the functions to list the certs/keys in keystore. + * {@hide} + */ + +public abstract class Keystore { + private static final String TAG = "Keystore"; + private static final String[] NOTFOUND = new String[0]; + + // Keystore States + public static final int BOOTUP = 0; + public static final int UNINITIALIZED = 1; + public static final int LOCKED = 2; + public static final int UNLOCKED = 3; + + /** + */ + public static Keystore getInstance() { + return new FileKeystore(); + } + + public abstract int lock(); + public abstract int unlock(String password); + public abstract int getState(); + public abstract int changePassword(String oldPassword, String newPassword); + public abstract int setPassword(String firstPassword); + public abstract String[] listKeys(String namespace); + public abstract int put(String namespace, String keyname, String value); + public abstract String get(String namespace, String keyname); + public abstract int remove(String namespace, String keyname); + public abstract int reset(); + + // TODO: for migrating to the mini-keystore, clean up from here + /** + */ + public abstract String getCaCertificate(String key); + + /** + */ + public abstract String getUserCertificate(String key); + + /** + */ + public abstract String getUserPrivateKey(String key); + + /** + * Returns the array of the certificate keynames in keystore if successful. + * Or return an empty array if error. + * + * @return array of the certificate keynames + */ + public abstract String[] getAllUserCertificateKeys(); + + /** + */ + public abstract String[] getAllCaCertificateKeys(); + + /** + */ + public abstract String[] getSupportedKeyStrenghs(); + + /** + * Generates a key pair and returns the certificate request. + * @param keyStrengthIndex index to the array of supported key strengths + * @param challenge the challenge message in the keygen tag + * @param organizations the organization string, e.g., + * "/C=US/ST={state}/L={city}/O={company}/OU={app}/CN={hostname}" + * @return the certificate request + */ + public abstract String generateKeyPair( + int keyStrengthIndex, String challenge, String organizations); + + public abstract void addCertificate(byte[] cert); + // to here + + private static class FileKeystore extends Keystore { + private static final String SERVICE_NAME = "keystore"; + private static final String CA_CERTIFICATE = "CaCertificate"; + private static final String USER_CERTIFICATE = "UserCertificate"; + private static final String USER_KEY = "UserPrivateKey"; + private static final String COMMAND_DELIMITER = " "; + private static final ServiceCommand mServiceCommand = + new ServiceCommand(SERVICE_NAME); + + // TODO: for migrating to the mini-keystore, start from here + @Override + public String getUserPrivateKey(String key) { + return ""; + } + + @Override + public String getUserCertificate(String key) { + return ""; + } + + @Override + public String getCaCertificate(String key) { + return ""; + } + + @Override + public String[] getAllUserCertificateKeys() { + return new String[0]; + } + + @Override + public String[] getAllCaCertificateKeys() { + return new String[0]; + } + + @Override + public String[] getSupportedKeyStrenghs() { + // TODO: real implementation + return new String[] {"High Grade", "Medium Grade"}; + } + + @Override + public String generateKeyPair(int keyStrengthIndex, String challenge, + String organizations) { + // TODO: real implementation + return "-----BEGIN CERTIFICATE REQUEST-----" + + "\nMIICzjCCAbYCAQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh" + + "\nMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYw" + + "\nFAYDVQQLEw1SZW1vdGUgQWNjZXNzMRAwDgYDVQQLEwdHbGFwdG9wMQ0wCwYDVQQD" + + "\nEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAznwy7a16O35u" + + "\nODLQOw6yHAxozrrX1J+c0reiIh8GYohwKrBedFnQ/FnTls6bxY4fNHD+SZvFFgvU" + + "\nECBFOfRmRm7AFo51qT0t2a8qgvDLM6L1qGkmy94W28Q3OlcpF2QianHYdjyGT+Ac" + + "\nYDek1Zi/E/mdPzuVM/K8tkB7n8ktC0PTm1ZtdMRauE5R0WrEhWuF6In/2gy1Q/Zh" + + "\noy7/zQqpbPl2ouulvkx1Y3OXHM6XPNFLoHS1gH0HyAuBUokO0QmetRn6ngJSvz7e" + + "\nVD7QYRppGp+g4BxqaV9XSxhaaKrMs4PAld9enV51X9qjvjCRBve2QxtuJgMfGJdU" + + "\njGr/JweZoQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBADtxOtEseoLOVYh6sh4b" + + "\nWCdngK87uHn2bdGipFwKdNTxQDdxNQLAKdoGYIfbVsC1cDgFiufeNwVukxxymdnm" + + "\nk0GGK+0O0tZKENv8ysgfbgEsHpJH9FoR5Y5XEq1etejkcgCp59dyhrSk0DLyVm0D" + + "\nIfTC/nsK95H7AAGOkbbDFo2otyLNNrthYncQ9diAG0UzzLacA+86JXZmD3HyC48u" + + "\nI9hsivVnTTfl9afcfVAhfxbQ6HgkhZZjbjFjfABSd4v8wKlAAqK58VxCajNVOVcV" + + "\ncCzOWf6NpE7xEHCf32i8bWDP6hi0WgQcdpQwnZNKhhTLGNb23Uty6HYlJhbxexC7" + + "\nUoM=" + + "\n-----END CERTIFICATE REQUEST-----"; + } + + @Override + public void addCertificate(byte[] cert) { + // TODO: real implementation + } + + // to here + + @Override + public int lock() { + Reply result = mServiceCommand.execute(ServiceCommand.LOCK, null); + return (result != null) ? result.returnCode : -1; + } + + @Override + public int unlock(String password) { + Reply result = mServiceCommand.execute(ServiceCommand.UNLOCK, + password); + return (result != null) ? result.returnCode : -1; + } + + @Override + public int getState() { + Reply result = mServiceCommand.execute(ServiceCommand.GET_STATE, + null); + return (result != null) ? result.returnCode : -1; + } + + @Override + public int changePassword(String oldPassword, String newPassword) { + Reply result = mServiceCommand.execute(ServiceCommand.PASSWD, + oldPassword + " " + newPassword); + return (result != null) ? result.returnCode : -1; + } + + @Override + public int setPassword(String firstPassword) { + Reply result = mServiceCommand.execute(ServiceCommand.PASSWD, + firstPassword); + return (result != null) ? result.returnCode : -1; + } + + @Override + public String[] listKeys(String namespace) { + Reply result = mServiceCommand.execute(ServiceCommand.LIST_KEYS, + namespace); + if ((result == null) || (result.returnCode != 0) || + (result.len == 0)) { + return NOTFOUND; + } + return new String(result.data, 0, result.len).split("\\s+"); + } + + @Override + public int put(String namespace, String keyname, String value) { + Reply result = mServiceCommand.execute(ServiceCommand.PUT_KEY, + namespace + " " + keyname + " " + value); + return (result != null) ? result.returnCode : -1; + } + + @Override + public String get(String namespace, String keyname) { + Reply result = mServiceCommand.execute(ServiceCommand.GET_KEY, + namespace + " " + keyname); + return (result != null) ? ((result.returnCode != 0) ? null : + new String(result.data, 0, result.len)) : null; + } + + @Override + public int remove(String namespace, String keyname) { + Reply result = mServiceCommand.execute(ServiceCommand.REMOVE_KEY, + namespace + " " + keyname); + return (result != null) ? result.returnCode : -1; + } + + @Override + public int reset() { + Reply result = mServiceCommand.execute(ServiceCommand.RESET, null); + return (result != null) ? result.returnCode : -1; + } + } +} diff --git a/keystore/java/android/security/Reply.java b/keystore/java/android/security/Reply.java new file mode 100644 index 0000000..15a0dde --- /dev/null +++ b/keystore/java/android/security/Reply.java @@ -0,0 +1,26 @@ +/* + * Copyright (C) 2009 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security; + +/* + * {@hide} + */ +public class Reply { + public int len; + public int returnCode; + public byte[] data = new byte[ServiceCommand.BUFFER_LENGTH]; +} diff --git a/keystore/java/android/security/ServiceCommand.java b/keystore/java/android/security/ServiceCommand.java new file mode 100644 index 0000000..6178d59 --- /dev/null +++ b/keystore/java/android/security/ServiceCommand.java @@ -0,0 +1,196 @@ +/* + * Copyright (C) 2009 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security; + +import android.net.LocalSocketAddress; +import android.net.LocalSocket; +import android.util.Config; +import android.util.Log; + +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.net.Socket; + +/* + * ServiceCommand is used to connect to a service throught the local socket, + * and send out the command, return the result to the caller. + * {@hide} + */ +public class ServiceCommand { + public static final String SUCCESS = "0"; + public static final String FAILED = "-1"; + + // Opcodes for keystore commands. + public static final int LOCK = 0; + public static final int UNLOCK = 1; + public static final int PASSWD = 2; + public static final int GET_STATE = 3; + public static final int LIST_KEYS = 4; + public static final int GET_KEY = 5; + public static final int PUT_KEY = 6; + public static final int REMOVE_KEY = 7; + public static final int RESET = 8; + public static final int MAX_CMD_INDEX = 9; + + public static final int BUFFER_LENGTH = 4096; + + private String mServiceName; + private String mTag; + private InputStream mIn; + private OutputStream mOut; + private LocalSocket mSocket; + + private boolean connect() { + if (mSocket != null) { + return true; + } + Log.i(mTag, "connecting..."); + try { + mSocket = new LocalSocket(); + + LocalSocketAddress address = new LocalSocketAddress( + mServiceName, LocalSocketAddress.Namespace.RESERVED); + + mSocket.connect(address); + + mIn = mSocket.getInputStream(); + mOut = mSocket.getOutputStream(); + } catch (IOException ex) { + disconnect(); + return false; + } + return true; + } + + private void disconnect() { + Log.i(mTag,"disconnecting..."); + try { + if (mSocket != null) mSocket.close(); + } catch (IOException ex) { } + try { + if (mIn != null) mIn.close(); + } catch (IOException ex) { } + try { + if (mOut != null) mOut.close(); + } catch (IOException ex) { } + mSocket = null; + mIn = null; + mOut = null; + } + + private boolean readBytes(byte buffer[], int len) { + int off = 0, count; + if (len < 0) return false; + while (off != len) { + try { + count = mIn.read(buffer, off, len - off); + if (count <= 0) { + Log.e(mTag, "read error " + count); + break; + } + off += count; + } catch (IOException ex) { + Log.e(mTag,"read exception"); + break; + } + } + if (off == len) return true; + disconnect(); + return false; + } + + private Reply readReply() { + byte buf[] = new byte[4]; + Reply reply = new Reply(); + + if (!readBytes(buf, 4)) return null; + reply.len = (((int) buf[0]) & 0xff) | ((((int) buf[1]) & 0xff) << 8) | + ((((int) buf[2]) & 0xff) << 16) | + ((((int) buf[3]) & 0xff) << 24); + + if (!readBytes(buf, 4)) return null; + reply.returnCode = (((int) buf[0]) & 0xff) | + ((((int) buf[1]) & 0xff) << 8) | + ((((int) buf[2]) & 0xff) << 16) | + ((((int) buf[3]) & 0xff) << 24); + + if (reply.len > BUFFER_LENGTH) { + Log.e(mTag,"invalid reply length (" + reply.len + ")"); + disconnect(); + return null; + } + if (!readBytes(reply.data, reply.len)) return null; + return reply; + } + + private boolean writeCommand(int cmd, String _data) { + byte buf[] = new byte[8]; + byte[] data = (_data == null) ? new byte[0] : _data.getBytes(); + int len = data.length; + // the length of data + buf[0] = (byte) (len & 0xff); + buf[1] = (byte) ((len >> 8) & 0xff); + buf[2] = (byte) ((len >> 16) & 0xff); + buf[3] = (byte) ((len >> 24) & 0xff); + // the opcode of the command + buf[4] = (byte) (cmd & 0xff); + buf[5] = (byte) ((cmd >> 8) & 0xff); + buf[6] = (byte) ((cmd >> 16) & 0xff); + buf[7] = (byte) ((cmd >> 24) & 0xff); + try { + mOut.write(buf, 0, 8); + mOut.write(data, 0, len); + } catch (IOException ex) { + Log.e(mTag,"write error"); + disconnect(); + return false; + } + return true; + } + + private Reply executeCommand(int cmd, String data) { + if (!writeCommand(cmd, data)) { + /* If service died and restarted in the background + * (unlikely but possible) we'll fail on the next + * write (this one). Try to reconnect and write + * the command one more time before giving up. + */ + Log.e(mTag, "write command failed? reconnect!"); + if (!connect() || !writeCommand(cmd, data)) { + return null; + } + } + return readReply(); + } + + public synchronized Reply execute(int cmd, String data) { + Reply result; + if (!connect()) { + Log.e(mTag, "connection failed"); + return null; + } + result = executeCommand(cmd, data); + disconnect(); + return result; + } + + public ServiceCommand(String service) { + mServiceName = service; + mTag = service; + } +} |