Examples with TrustedCertificateStore com.android.org.conscrypt.TrustedCertificateStore used on opensource projects

Example 1 with TrustedCertificateStore

use of com.android.org.conscrypt.TrustedCertificateStore in project platform_frameworks_base by android.

the class DevicePolicyManager method getCaCertAlias.

/**
     * @return the alias of a given CA certificate in the certificate store, or {@code null} if it
     * doesn't exist.
     */
private static String getCaCertAlias(byte[] certBuffer) throws CertificateException {
    final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
    final X509Certificate cert = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(certBuffer));
    return new TrustedCertificateStore().getCertificateAlias(cert);
}

Example 2 with TrustedCertificateStore

use of com.android.org.conscrypt.TrustedCertificateStore in project platform_frameworks_base by android.

the class DevicePolicyManager method getInstalledCaCerts.

/**
     * Returns all CA certificates that are currently trusted, excluding system CA certificates.
     * If a user has installed any certificates by other means than device policy these will be
     * included too.
     *
     * @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
     *              {@code null} if calling from a delegated certificate installer.
     * @return a List of byte[] arrays, each encoding one user CA certificate.
     * @throws SecurityException if {@code admin} is not {@code null} and not a device or profile
     *         owner.
     */
public List<byte[]> getInstalledCaCerts(@Nullable ComponentName admin) {
    List<byte[]> certs = new ArrayList<byte[]>();
    throwIfParentInstance("getInstalledCaCerts");
    if (mService != null) {
        try {
            mService.enforceCanManageCaCerts(admin);
            final TrustedCertificateStore certStore = new TrustedCertificateStore();
            for (String alias : certStore.userAliases()) {
                try {
                    certs.add(certStore.getCertificate(alias).getEncoded());
                } catch (CertificateException ce) {
                    Log.w(TAG, "Could not encode certificate: " + alias, ce);
                }
            }
        } catch (RemoteException re) {
            throw re.rethrowFromSystemServer();
        }
    }
    return certs;
}

Example 3 with TrustedCertificateStore

use of com.android.org.conscrypt.TrustedCertificateStore in project android_frameworks_base by ResurrectionRemix.

the class KeyChain method getCertificateChain.

/**
     * Returns the {@code X509Certificate} chain for the requested
     * alias, or null if there is no result.
     * <p>
     * <strong>Note:</strong> If a certificate chain was explicitly specified when the alias was
     * installed, this method will return that chain. If only the client certificate was specified
     * at the installation time, this method will try to build a certificate chain using all
     * available trust anchors (preinstalled and user-added).
     *
     * <p> This method may block while waiting for a connection to another process, and must never
     * be called from the main thread.
     * <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed
     * at any time from the main thread, it is safer to rely on a long-lived context such as one
     * returned from {@link Context#getApplicationContext()}.
     *
     * @param alias The alias of the desired certificate chain, typically
     * returned via {@link KeyChainAliasCallback#alias}.
     * @throws KeyChainException if the alias was valid but there was some problem accessing it.
     * @throws IllegalStateException if called from the main thread.
     */
@Nullable
@WorkerThread
public static X509Certificate[] getCertificateChain(@NonNull Context context, @NonNull String alias) throws KeyChainException, InterruptedException {
    if (alias == null) {
        throw new NullPointerException("alias == null");
    }
    KeyChainConnection keyChainConnection = bind(context.getApplicationContext());
    try {
        IKeyChainService keyChainService = keyChainConnection.getService();
        final byte[] certificateBytes = keyChainService.getCertificate(alias);
        if (certificateBytes == null) {
            return null;
        }
        X509Certificate leafCert = toCertificate(certificateBytes);
        final byte[] certChainBytes = keyChainService.getCaCertificates(alias);
        // DevicePolicyManager.installKeyPair or CertInstaller, return that chain.
        if (certChainBytes != null && certChainBytes.length != 0) {
            Collection<X509Certificate> chain = toCertificates(certChainBytes);
            ArrayList<X509Certificate> fullChain = new ArrayList<>(chain.size() + 1);
            fullChain.add(leafCert);
            fullChain.addAll(chain);
            return fullChain.toArray(new X509Certificate[fullChain.size()]);
        } else {
            // If there isn't a certificate chain, either due to a pre-existing keypair
            // installed before N, or no chain is explicitly installed under the new logic,
            // fall back to old behavior of constructing the chain from trusted credentials.
            //
            // This logic exists to maintain old behaviour for already installed keypair, at
            // the cost of potentially returning extra certificate chain for new clients who
            // explicitly installed only the client certificate without a chain. The latter
            // case is actually no different from pre-N behaviour of getCertificateChain(),
            // in that sense this change introduces no regression. Besides the returned chain
            // is still valid so the consumer of the chain should have no problem verifying it.
            TrustedCertificateStore store = new TrustedCertificateStore();
            List<X509Certificate> chain = store.getCertificateChain(leafCert);
            return chain.toArray(new X509Certificate[chain.size()]);
        }
    } catch (CertificateException e) {
        throw new KeyChainException(e);
    } catch (RemoteException e) {
        throw new KeyChainException(e);
    } catch (RuntimeException e) {
        // only certain RuntimeExceptions can be propagated across the IKeyChainService call
        throw new KeyChainException(e);
    } finally {
        keyChainConnection.close();
    }
}

Example 4 with TrustedCertificateStore

use of com.android.org.conscrypt.TrustedCertificateStore in project android_frameworks_base by DirtyUnicorns.

the class KeyChain method getCertificateChain.

/**
     * Returns the {@code X509Certificate} chain for the requested
     * alias, or null if there is no result.
     * <p>
     * <strong>Note:</strong> If a certificate chain was explicitly specified when the alias was
     * installed, this method will return that chain. If only the client certificate was specified
     * at the installation time, this method will try to build a certificate chain using all
     * available trust anchors (preinstalled and user-added).
     *
     * <p> This method may block while waiting for a connection to another process, and must never
     * be called from the main thread.
     * <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed
     * at any time from the main thread, it is safer to rely on a long-lived context such as one
     * returned from {@link Context#getApplicationContext()}.
     *
     * @param alias The alias of the desired certificate chain, typically
     * returned via {@link KeyChainAliasCallback#alias}.
     * @throws KeyChainException if the alias was valid but there was some problem accessing it.
     * @throws IllegalStateException if called from the main thread.
     */
@Nullable
@WorkerThread
public static X509Certificate[] getCertificateChain(@NonNull Context context, @NonNull String alias) throws KeyChainException, InterruptedException {
    if (alias == null) {
        throw new NullPointerException("alias == null");
    }
    KeyChainConnection keyChainConnection = bind(context.getApplicationContext());
    try {
        IKeyChainService keyChainService = keyChainConnection.getService();
        final byte[] certificateBytes = keyChainService.getCertificate(alias);
        if (certificateBytes == null) {
            return null;
        }
        X509Certificate leafCert = toCertificate(certificateBytes);
        final byte[] certChainBytes = keyChainService.getCaCertificates(alias);
        // DevicePolicyManager.installKeyPair or CertInstaller, return that chain.
        if (certChainBytes != null && certChainBytes.length != 0) {
            Collection<X509Certificate> chain = toCertificates(certChainBytes);
            ArrayList<X509Certificate> fullChain = new ArrayList<>(chain.size() + 1);
            fullChain.add(leafCert);
            fullChain.addAll(chain);
            return fullChain.toArray(new X509Certificate[fullChain.size()]);
        } else {
            // If there isn't a certificate chain, either due to a pre-existing keypair
            // installed before N, or no chain is explicitly installed under the new logic,
            // fall back to old behavior of constructing the chain from trusted credentials.
            //
            // This logic exists to maintain old behaviour for already installed keypair, at
            // the cost of potentially returning extra certificate chain for new clients who
            // explicitly installed only the client certificate without a chain. The latter
            // case is actually no different from pre-N behaviour of getCertificateChain(),
            // in that sense this change introduces no regression. Besides the returned chain
            // is still valid so the consumer of the chain should have no problem verifying it.
            TrustedCertificateStore store = new TrustedCertificateStore();
            List<X509Certificate> chain = store.getCertificateChain(leafCert);
            return chain.toArray(new X509Certificate[chain.size()]);
        }
    } catch (CertificateException e) {
        throw new KeyChainException(e);
    } catch (RemoteException e) {
        throw new KeyChainException(e);
    } catch (RuntimeException e) {
        // only certain RuntimeExceptions can be propagated across the IKeyChainService call
        throw new KeyChainException(e);
    } finally {
        keyChainConnection.close();
    }
}

Example 5 with TrustedCertificateStore

use of com.android.org.conscrypt.TrustedCertificateStore in project android_frameworks_base by crdroidandroid.

the class NetworkSecurityConfigTests method testUserAddedCaOptIn.

public void testUserAddedCaOptIn() throws Exception {
    TrustedCertificateStore store = new TrustedCertificateStore();
    try {
        // Install the test CA.
        store.installCertificate(TEST_CA_CERT);
        NetworkSecurityConfig preNConfig = NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M).build();
        NetworkSecurityConfig nConfig = NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N).build();
        Set<TrustAnchor> preNAnchors = preNConfig.getTrustAnchors();
        Set<TrustAnchor> nAnchors = nConfig.getTrustAnchors();
        Set<X509Certificate> preNCerts = new HashSet<X509Certificate>();
        for (TrustAnchor anchor : preNAnchors) {
            preNCerts.add(anchor.certificate);
        }
        Set<X509Certificate> nCerts = new HashSet<X509Certificate>();
        for (TrustAnchor anchor : nAnchors) {
            nCerts.add(anchor.certificate);
        }
        assertTrue(preNCerts.contains(TEST_CA_CERT));
        assertFalse(nCerts.contains(TEST_CA_CERT));
    } finally {
        // Delete the user added CA. We don't know the alias so just delete them all.
        for (String alias : store.aliases()) {
            if (store.isUser(alias)) {
                try {
                    store.deleteCertificateEntry(alias);
                } catch (Exception ignored) {
                }
            }
        }
    }
}