author | Brian Carlstrom <bdc@google.com> | 2011-05-17 00:40:33 -0700 |
---|---|---|
committer | Brian Carlstrom <bdc@google.com> | 2011-05-17 11:34:12 -0700 |
commit | 5aeadd9be22ea51ea2d638f7090618448ecc8ac7 (patch) | |
tree | 4a03c038f31ebf1647a7bb979d5028ca79ec5163 /src | |
parent | a58db5485e7b47880d9d565b036ae8b894ffdc48 (diff) | |
download | android_packages_apps_KeyChain-5aeadd9be22ea51ea2d638f7090618448ecc8ac7.tar.gz android_packages_apps_KeyChain-5aeadd9be22ea51ea2d638f7090618448ecc8ac7.tar.bz2 android_packages_apps_KeyChain-5aeadd9be22ea51ea2d638f7090618448ecc8ac7.zip |
Simplify KeyChain API by removing now unneeded CA certificate lookup (3 of 3)
frameworks/base
Remove getCaCertificates and findIssuer from IKeyChainService,
these are now done via libcore's TrustedCertificateStore (as part
of the default TrustManager implementation)
keystore/java/android/security/IKeyChainService.aidl
Simplify KeyChain API. Now that the CA certificates are visible
through the default TrustManager, the KeyChain is solely focused on
retrieving PrivateKeys and their associated certificates. The
calling API for KeyChain is simplified to a single KeyChain.get() call
that returns a KeyChainResult, removing the need for a KeyChain
instance that needs to be closed.
keystore/java/android/security/KeyChain.java
keystore/java/android/security/KeyChainResult.java
master/libcore
Remove getDefaultIndexedPKIXParameters and
getIndexedPKIXParameters which was used as part of the prototype
of looking up CAs via the KeyChain but is obsoleted by the new
default TrustManager implementation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
packages/apps/KeyChain
Tracking simplified IKeyChainService, removing now unneeded
implementation, updating tests.
src/com/android/keychain/KeyChainService.java
tests/src/com/android/keychain/tests/KeyChainServiceTest.java
tests/src/com/android/keychain/tests/KeyChainTestActivity.java
Change-Id: Ie2cb950783f897d87d39cc38a126068a9d68680a
Diffstat (limited to 'src')
-rw-r--r-- | src/com/android/keychain/KeyChainService.java | 96 |
1 files changed, 13 insertions, 83 deletions
diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java
index 1190368..3b3d144 100644
--- a/src/com/android/keychain/KeyChainService.java
+++ b/src/com/android/keychain/KeyChainService.java
@@ -64,39 +64,15 @@ public class KeyChainService extends Service {
 private final TrustedCertificateStore mTrustedCertificateStore = new TrustedCertificateStore();
- private boolean isKeyStoreUnlocked() {
- return (mKeyStore.test() == KeyStore.NO_ERROR);
- }
-
- @Override public byte[] getPrivate(String alias, String authToken) {
- if (alias == null) {
- throw new NullPointerException("alias == null");
- }
- if (authToken == null) {
- throw new NullPointerException("authToken == null");
- }
- if (!isKeyStoreUnlocked()) {
- throw new IllegalStateException("keystore locked");
- }
- if (!mAccountManager.peekAuthToken(mAccount, alias).equals(authToken)) {
- throw new IllegalStateException("authtoken mismatch");
- }
- String key = Credentials.USER_PRIVATE_KEY + alias;
- byte[] bytes = mKeyStore.get(key.getBytes(Charsets.UTF_8));
- if (bytes == null) {
- throw new IllegalStateException("keystore value missing");
- }
- return bytes;
+ @Override public byte[] getPrivateKey(String alias, String authToken) {
+ return getKeyStoreEntry(Credentials.USER_PRIVATE_KEY, alias, authToken);
 }
 @Override public byte[] getCertificate(String alias, String authToken) {
- return getCert(Credentials.USER_CERTIFICATE, alias, authToken);
- }
- @Override public byte[] getCaCertificate(String alias, String authToken) {
- return getCert(Credentials.CA_CERTIFICATE, alias, authToken);
+ return getKeyStoreEntry(Credentials.USER_CERTIFICATE, alias, authToken);
 }
- private byte[] getCert(String type, String alias, String authToken) {
+ private byte[] getKeyStoreEntry(String type, String alias, String authToken) {
 if (alias == null) {
 throw new NullPointerException("alias == null");
 }
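Review bot: getKeyStoreEntry is now the only authorization gate in front of both getPrivateKey and getCertificate, but it carries no comment stating that contract. A short Javadoc would help the next maintainer keep the checks intact: it should say that `type` is one of the Credentials prefixes passed by the two binder methods, that `authToken` must match the token AccountManager holds for `alias`, and which exceptions signal a locked keystore, a token mismatch or a missing entry. Something like `/** Returns the keystore value stored under type + alias, only after authToken has been checked against the token granted for alias. */` would do. The helper's body continues past the end of this hunk.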
@@ -106,10 +82,7 @@ public class KeyChainService extends Service {
 if (!isKeyStoreUnlocked()) {
 throw new IllegalStateException("keystore locked");
 }
- String authAlias = (type.equals(Credentials.CA_CERTIFICATE))
- ? (alias + KeyChain.CA_SUFFIX)
- : alias;
- if (!mAccountManager.peekAuthToken(mAccount, authAlias).equals(authToken)) {
+ if (!mAccountManager.peekAuthToken(mAccount, alias).equals(authToken)) {
 throw new IllegalStateException("authtoken mismatch");
 }
 String key = type + alias;
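Review bot: The token check `mAccountManager.peekAuthToken(mAccount, alias).equals(authToken)` dereferences the result of peekAuthToken, which returns null when no token is cached for that alias, so an unknown or never-granted alias surfaces as a NullPointerException instead of the "authtoken mismatch" rejection. Because this comparison guards private key material, it would also be better not to rely on String.equals, which stops at the first differing character. Suggest `String expected = mAccountManager.peekAuthToken(mAccount, alias);` followed by `if (expected == null || !MessageDigest.isEqual(expected.getBytes(Charsets.UTF_8), authToken.getBytes(Charsets.UTF_8))) {`. getKeyStoreEntry begins before this hunk and ends after it.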
@@ -120,57 +93,8 @@ public class KeyChainService extends Service {
 return bytes;
 }
- @Override public String findIssuer(Bundle bundle) {
- if (bundle == null) {
- throw new NullPointerException("bundle == null");
- }
- X509Certificate cert = KeyChain.toCertificate(bundle);
- if (cert == null) {
- throw new IllegalArgumentException("no cert in bundle");
- }
- X500Principal issuer = cert.getIssuerX500Principal();
- if (issuer == null) {
- throw new IllegalStateException();
- }
- byte[] aliasPrefix = Credentials.CA_CERTIFICATE.getBytes(Charsets.UTF_8);
- byte[][] aliasSuffixes = mKeyStore.saw(aliasPrefix);
- if (aliasSuffixes == null) {
- return null;
- }
-
- // TODO if the keystore would notify us of changes, we
- // could cache the certs and perform a lookup by issuer
- for (byte[] aliasSuffix : aliasSuffixes) {
- byte[] alias = concatenate(aliasPrefix, aliasSuffix);
- byte[] bytes = mKeyStore.get(alias);
- try {
- // TODO we could at least cache the byte to cert parsing
- X509Certificate caCert = parseCertificate(bytes);
- if (issuer.equals(caCert.getSubjectX500Principal())) {
- // will throw exception on failure to verify.
- // this can happen if there are two CAs with
- // the same name but with different public
- // keys, which does in fact happen, so we will
- // try to continue and not just fail fast.
- cert.verify(caCert.getPublicKey());
- return new String(aliasSuffix, Charsets.UTF_8);
- }
- } catch (Exception ignored) {
- }
- }
- return null;
- }
-
- private X509Certificate parseCertificate(byte[] bytes) throws CertificateException {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(bytes));
- }
-
- private byte[] concatenate(byte[] a, byte[] b) {
- byte[] result = new byte[a.length + b.length];
- System.arraycopy(a, 0, result, 0, a.length);
- System.arraycopy(b, 0, result, a.length, b.length);
- return result;
+ private boolean isKeyStoreUnlocked() {
+ return (mKeyStore.test() == KeyStore.NO_ERROR);
 }
 @Override public void installCaCertificate(byte[] caCertificate) {
@@ -190,6 +114,12 @@ public class KeyChainService extends Service {
 throw new IllegalStateException(e);
 }
 }
+
+ private X509Certificate parseCertificate(byte[] bytes) throws CertificateException {
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(bytes));
+ }
+
 @Override public boolean reset() {
 // only Settings should be able to reset
 final String expectedPackage = "android.uid.system:1000"; |