use of com.android.org.conscrypt.TrustedCertificateStore in project platform_frameworks_base by android.
the class KeyChain method getCertificateChain.
/**
* Returns the {@code X509Certificate} chain for the requested
* alias, or null if there is no result.
* <p>
* <strong>Note:</strong> If a certificate chain was explicitly specified when the alias was
* installed, this method will return that chain. If only the client certificate was specified
* at the installation time, this method will try to build a certificate chain using all
* available trust anchors (preinstalled and user-added).
*
* <p> This method may block while waiting for a connection to another process, and must never
* be called from the main thread.
* <p> As {@link Activity} and {@link Service} contexts are short-lived and can be destroyed
* at any time from the main thread, it is safer to rely on a long-lived context such as one
* returned from {@link Context#getApplicationContext()}.
*
* @param alias The alias of the desired certificate chain, typically
* returned via {@link KeyChainAliasCallback#alias}.
* @throws KeyChainException if the alias was valid but there was some problem accessing it.
* @throws IllegalStateException if called from the main thread.
*/
@Nullable
@WorkerThread
public static X509Certificate[] getCertificateChain(@NonNull Context context, @NonNull String alias) throws KeyChainException, InterruptedException {
if (alias == null) {
throw new NullPointerException("alias == null");
}
KeyChainConnection keyChainConnection = bind(context.getApplicationContext());
try {
IKeyChainService keyChainService = keyChainConnection.getService();
final byte[] certificateBytes = keyChainService.getCertificate(alias);
if (certificateBytes == null) {
return null;
}
X509Certificate leafCert = toCertificate(certificateBytes);
final byte[] certChainBytes = keyChainService.getCaCertificates(alias);
// DevicePolicyManager.installKeyPair or CertInstaller, return that chain.
if (certChainBytes != null && certChainBytes.length != 0) {
Collection<X509Certificate> chain = toCertificates(certChainBytes);
ArrayList<X509Certificate> fullChain = new ArrayList<>(chain.size() + 1);
fullChain.add(leafCert);
fullChain.addAll(chain);
return fullChain.toArray(new X509Certificate[fullChain.size()]);
} else {
// If there isn't a certificate chain, either due to a pre-existing keypair
// installed before N, or no chain is explicitly installed under the new logic,
// fall back to old behavior of constructing the chain from trusted credentials.
//
// This logic exists to maintain old behaviour for already installed keypair, at
// the cost of potentially returning extra certificate chain for new clients who
// explicitly installed only the client certificate without a chain. The latter
// case is actually no different from pre-N behaviour of getCertificateChain(),
// in that sense this change introduces no regression. Besides the returned chain
// is still valid so the consumer of the chain should have no problem verifying it.
TrustedCertificateStore store = new TrustedCertificateStore();
List<X509Certificate> chain = store.getCertificateChain(leafCert);
return chain.toArray(new X509Certificate[chain.size()]);
}
} catch (CertificateException e) {
throw new KeyChainException(e);
} catch (RemoteException e) {
throw new KeyChainException(e);
} catch (RuntimeException e) {
// only certain RuntimeExceptions can be propagated across the IKeyChainService call
throw new KeyChainException(e);
} finally {
keyChainConnection.close();
}
}
use of com.android.org.conscrypt.TrustedCertificateStore in project android_frameworks_base by DirtyUnicorns.
the class NetworkSecurityConfigTests method testUserAddedCaOptIn.
public void testUserAddedCaOptIn() throws Exception {
TrustedCertificateStore store = new TrustedCertificateStore();
try {
// Install the test CA.
store.installCertificate(TEST_CA_CERT);
NetworkSecurityConfig preNConfig = NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M).build();
NetworkSecurityConfig nConfig = NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N).build();
Set<TrustAnchor> preNAnchors = preNConfig.getTrustAnchors();
Set<TrustAnchor> nAnchors = nConfig.getTrustAnchors();
Set<X509Certificate> preNCerts = new HashSet<X509Certificate>();
for (TrustAnchor anchor : preNAnchors) {
preNCerts.add(anchor.certificate);
}
Set<X509Certificate> nCerts = new HashSet<X509Certificate>();
for (TrustAnchor anchor : nAnchors) {
nCerts.add(anchor.certificate);
}
assertTrue(preNCerts.contains(TEST_CA_CERT));
assertFalse(nCerts.contains(TEST_CA_CERT));
} finally {
// Delete the user added CA. We don't know the alias so just delete them all.
for (String alias : store.aliases()) {
if (store.isUser(alias)) {
try {
store.deleteCertificateEntry(alias);
} catch (Exception ignored) {
}
}
}
}
}
use of com.android.org.conscrypt.TrustedCertificateStore in project android_frameworks_base by DirtyUnicorns.
the class DevicePolicyManager method getCaCertAlias.
/**
* @return the alias of a given CA certificate in the certificate store, or {@code null} if it
* doesn't exist.
*/
private static String getCaCertAlias(byte[] certBuffer) throws CertificateException {
final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
final X509Certificate cert = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(certBuffer));
return new TrustedCertificateStore().getCertificateAlias(cert);
}
use of com.android.org.conscrypt.TrustedCertificateStore in project android_frameworks_base by DirtyUnicorns.
the class DevicePolicyManager method getInstalledCaCerts.
/**
* Returns all CA certificates that are currently trusted, excluding system CA certificates.
* If a user has installed any certificates by other means than device policy these will be
* included too.
*
* @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
* {@code null} if calling from a delegated certificate installer.
* @return a List of byte[] arrays, each encoding one user CA certificate.
* @throws SecurityException if {@code admin} is not {@code null} and not a device or profile
* owner.
*/
public List<byte[]> getInstalledCaCerts(@Nullable ComponentName admin) {
List<byte[]> certs = new ArrayList<byte[]>();
throwIfParentInstance("getInstalledCaCerts");
if (mService != null) {
try {
mService.enforceCanManageCaCerts(admin);
final TrustedCertificateStore certStore = new TrustedCertificateStore();
for (String alias : certStore.userAliases()) {
try {
certs.add(certStore.getCertificate(alias).getEncoded());
} catch (CertificateException ce) {
Log.w(TAG, "Could not encode certificate: " + alias, ce);
}
}
} catch (RemoteException re) {
throw re.rethrowFromSystemServer();
}
}
return certs;
}
use of com.android.org.conscrypt.TrustedCertificateStore in project android_frameworks_base by AOSPA.
the class DevicePolicyManager method getInstalledCaCerts.
/**
* Returns all CA certificates that are currently trusted, excluding system CA certificates.
* If a user has installed any certificates by other means than device policy these will be
* included too.
*
* @param admin Which {@link DeviceAdminReceiver} this request is associated with, or
* {@code null} if calling from a delegated certificate installer.
* @return a List of byte[] arrays, each encoding one user CA certificate.
* @throws SecurityException if {@code admin} is not {@code null} and not a device or profile
* owner.
*/
public List<byte[]> getInstalledCaCerts(@Nullable ComponentName admin) {
List<byte[]> certs = new ArrayList<byte[]>();
throwIfParentInstance("getInstalledCaCerts");
if (mService != null) {
try {
mService.enforceCanManageCaCerts(admin);
final TrustedCertificateStore certStore = new TrustedCertificateStore();
for (String alias : certStore.userAliases()) {
try {
certs.add(certStore.getCertificate(alias).getEncoded());
} catch (CertificateException ce) {
Log.w(TAG, "Could not encode certificate: " + alias, ce);
}
}
} catch (RemoteException re) {
throw re.rethrowFromSystemServer();
}
}
return certs;
}
Aggregations