Index: net/android/java/src/org/chromium/net/AndroidKeyStore.java |
diff --git a/net/android/java/src/org/chromium/net/AndroidKeyStore.java b/net/android/java/src/org/chromium/net/AndroidKeyStore.java |
index 1396bf1807e215ed38e4d2c61b8f220bf8a32111..96dd6998fc6e5f56636fbebcb6d44dd83866c3c3 100644 |
--- a/net/android/java/src/org/chromium/net/AndroidKeyStore.java |
+++ b/net/android/java/src/org/chromium/net/AndroidKeyStore.java |
@@ -1,306 +1,26 @@ |
-// Copyright 2013 The Chromium Authors. All rights reserved. |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
// Use of this source code is governed by a BSD-style license that can be |
// found in the LICENSE file. |
package org.chromium.net; |
-import android.util.Log; |
+/** |
+ * Abstract key store. It can be implemented either as a local store operating on Java PrivateKeys |
+ * or as a remote store operating on key handles and delegating the calls to another process. |
+ */ |
+public interface AndroidKeyStore { |
+ int getOpenSSLHandleForPrivateKey(AndroidPrivateKey privateKey); |
-import org.chromium.base.CalledByNative; |
-import org.chromium.base.JNINamespace; |
+ int getPrivateKeyType(AndroidPrivateKey privateKey); |
-import java.lang.reflect.Method; |
-import java.security.NoSuchAlgorithmException; |
-import java.security.PrivateKey; |
-import java.security.Signature; |
-import java.security.interfaces.DSAKey; |
-import java.security.interfaces.DSAParams; |
-import java.security.interfaces.DSAPrivateKey; |
-import java.security.interfaces.ECKey; |
-import java.security.interfaces.ECPrivateKey; |
-import java.security.interfaces.RSAKey; |
-import java.security.interfaces.RSAPrivateKey; |
-import java.security.spec.ECParameterSpec; |
+ byte[] rawSignDigestWithPrivateKey(AndroidPrivateKey privateKey, byte[] message); |
-@JNINamespace("net::android") |
-public class AndroidKeyStore { |
+ byte[] getPrivateKeyEncodedBytes(AndroidPrivateKey key); |
- private static final String TAG = "AndroidKeyStore"; |
+ byte[] getECKeyOrder(AndroidPrivateKey key); |
- //////////////////////////////////////////////////////////////////// |
- // |
- // Message signing support. |
+ byte[] getDSAKeyParamQ(AndroidPrivateKey key); |
- /** |
- * Returns the public modulus of a given RSA private key as a byte |
- * buffer. |
- * This can be used by native code to convert the modulus into |
- * an OpenSSL BIGNUM object. Required to craft a custom native RSA |
- * object where RSA_size() works as expected. |
- * |
- * @param key A PrivateKey instance, must implement RSAKey. |
- * @return A byte buffer corresponding to the modulus. This is |
- * big-endian representation of a BigInteger. |
- */ |
- @CalledByNative |
- public static byte[] getRSAKeyModulus(PrivateKey key) { |
- if (key instanceof RSAKey) { |
- return ((RSAKey) key).getModulus().toByteArray(); |
- } else { |
- Log.w(TAG, "Not a RSAKey instance!"); |
- return null; |
- } |
- } |
+ byte[] getRSAKeyModulus(AndroidPrivateKey key); |
- /** |
- * Returns the 'Q' parameter of a given DSA private key as a byte |
- * buffer. |
- * This can be used by native code to convert it into an OpenSSL BIGNUM |
- * object where DSA_size() works as expected. |
- * |
- * @param key A PrivateKey instance. Must implement DSAKey. |
- * @return A byte buffer corresponding to the Q parameter. This is |
- * a big-endian representation of a BigInteger. |
- */ |
- @CalledByNative |
- public static byte[] getDSAKeyParamQ(PrivateKey key) { |
- if (key instanceof DSAKey) { |
- DSAParams params = ((DSAKey) key).getParams(); |
- return params.getQ().toByteArray(); |
- } else { |
- Log.w(TAG, "Not a DSAKey instance!"); |
- return null; |
- } |
- } |
- |
- /** |
- * Returns the 'order' parameter of a given ECDSA private key as a |
- * a byte buffer. |
- * @param key A PrivateKey instance. Must implement ECKey. |
- * @return A byte buffer corresponding to the 'order' parameter. |
- * This is a big-endian representation of a BigInteger. |
- */ |
- @CalledByNative |
- public static byte[] getECKeyOrder(PrivateKey key) { |
- if (key instanceof ECKey) { |
- ECParameterSpec params = ((ECKey) key).getParams(); |
- return params.getOrder().toByteArray(); |
- } else { |
- Log.w(TAG, "Not an ECKey instance!"); |
- return null; |
- } |
- } |
- |
- /** |
- * Returns the encoded data corresponding to a given PrivateKey. |
- * Note that this will fail for platform keys on Android 4.0.4 |
- * and higher. It can be used on 4.0.3 and older platforms to |
- * route around the platform bug described below. |
- * @param key A PrivateKey instance |
- * @return encoded key as PKCS#8 byte array, can be null. |
- */ |
- @CalledByNative |
- public static byte[] getPrivateKeyEncodedBytes(PrivateKey key) { |
- return key.getEncoded(); |
- } |
- |
- /** |
- * Sign a given message with a given PrivateKey object. This method |
- * shall only be used to implement signing in the context of SSL |
- * client certificate support. |
- * |
- * The message will actually be a hash, computed by OpenSSL itself, |
- * depending on the type of the key. The result should match exactly |
- * what the vanilla implementations of the following OpenSSL function |
- * calls do: |
- * |
- * - For a RSA private key, this should be equivalent to calling |
- * RSA_private_encrypt(..., RSA_PKCS1_PADDING), i.e. it must |
- * generate a raw RSA signature. The message must be either a |
- * combined, 36-byte MD5+SHA1 message digest or a DigestInfo |
- * value wrapping a message digest. |
- * |
- * - For a DSA and ECDSA private keys, this should be equivalent to |
- * calling DSA_sign(0,...) and ECDSA_sign(0,...) respectively. The |
- * message must be a hash and the function shall compute a direct |
- * DSA/ECDSA signature for it. |
- * |
- * @param privateKey The PrivateKey handle. |
- * @param message The message to sign. |
- * @return signature as a byte buffer. |
- * |
- * Important: Due to a platform bug, this function will always fail on |
- * Android < 4.2 for RSA PrivateKey objects. See the |
- * getOpenSSLHandleForPrivateKey() below for work-around. |
- */ |
- @CalledByNative |
- public static byte[] rawSignDigestWithPrivateKey(PrivateKey privateKey, |
- byte[] message) { |
- // Get the Signature for this key. |
- Signature signature = null; |
- // Hint: Algorithm names come from: |
- // http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html |
- try { |
- if (privateKey instanceof RSAPrivateKey) { |
- // IMPORTANT: Due to a platform bug, this will throw NoSuchAlgorithmException |
- // on Android 4.0.x and 4.1.x. Fixed in 4.2 and higher. |
- // See https://android-review.googlesource.com/#/c/40352/ |
- signature = Signature.getInstance("NONEwithRSA"); |
- } else if (privateKey instanceof DSAPrivateKey) { |
- signature = Signature.getInstance("NONEwithDSA"); |
- } else if (privateKey instanceof ECPrivateKey) { |
- signature = Signature.getInstance("NONEwithECDSA"); |
- } |
- } catch (NoSuchAlgorithmException e) { |
- ; |
- } |
- |
- if (signature == null) { |
- Log.e(TAG, "Unsupported private key algorithm: " + privateKey.getAlgorithm()); |
- return null; |
- } |
- |
- // Sign the message. |
- try { |
- signature.initSign(privateKey); |
- signature.update(message); |
- return signature.sign(); |
- } catch (Exception e) { |
- Log.e(TAG, "Exception while signing message with " + privateKey.getAlgorithm() + |
- " private key: " + e); |
- return null; |
- } |
- } |
- |
- /** |
- * Return the type of a given PrivateKey object. This is an integer |
- * that maps to one of the values defined by org.chromium.net.PrivateKeyType, |
- * which is itself auto-generated from net/android/private_key_type_list.h |
- * @param privateKey The PrivateKey handle |
- * @return key type, or PrivateKeyType.INVALID if unknown. |
- */ |
- @CalledByNative |
- public static int getPrivateKeyType(PrivateKey privateKey) { |
- if (privateKey instanceof RSAPrivateKey) |
- return PrivateKeyType.RSA; |
- if (privateKey instanceof DSAPrivateKey) |
- return PrivateKeyType.DSA; |
- if (privateKey instanceof ECPrivateKey) |
- return PrivateKeyType.ECDSA; |
- else |
- return PrivateKeyType.INVALID; |
- } |
- |
- /** |
- * Return the system EVP_PKEY handle corresponding to a given PrivateKey |
- * object, obtained through reflection. |
- * |
- * This shall only be used when the "NONEwithRSA" signature is not |
- * available, as described in rawSignDigestWithPrivateKey(). I.e. |
- * never use this on Android 4.2 or higher. |
- * |
- * This can only work in Android 4.0.4 and higher, for older versions |
- * of the platform (e.g. 4.0.3), there is no system OpenSSL EVP_PKEY, |
- * but the private key contents can be retrieved directly with |
- * the getEncoded() method. |
- * |
- * This assumes that the target device uses a vanilla AOSP |
- * implementation of its java.security classes, which is also |
- * based on OpenSSL (fortunately, no OEM has apperently changed to |
- * a different implementation, according to the Android team). |
- * |
- * Note that the object returned was created with the platform version |
- * of OpenSSL, and _not_ the one that comes with Chromium. Whether the |
- * object can be used safely with the Chromium OpenSSL library depends |
- * on differences between their actual ABI / implementation details. |
- * |
- * To better understand what's going on below, please refer to the |
- * following source files in the Android 4.0.4 and 4.1 source trees: |
- * libcore/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLRSAPrivateKey.java |
- * libcore/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp |
- * |
- * @param privateKey The PrivateKey handle. |
- * @return The EVP_PKEY handle, as a 32-bit integer (0 if not available) |
- */ |
- @CalledByNative |
- public static int getOpenSSLHandleForPrivateKey(PrivateKey privateKey) { |
- // Sanity checks |
- if (privateKey == null) { |
- Log.e(TAG, "privateKey == null"); |
- return 0; |
- } |
- if (!(privateKey instanceof RSAPrivateKey)) { |
- Log.e(TAG, "does not implement RSAPrivateKey"); |
- return 0; |
- } |
- // First, check that this is a proper instance of OpenSSLRSAPrivateKey |
- // or one of its sub-classes. |
- Class<?> superClass; |
- try { |
- superClass = Class.forName( |
- "org.apache.harmony.xnet.provider.jsse.OpenSSLRSAPrivateKey"); |
- } catch (Exception e) { |
- // This may happen if the target device has a completely different |
- // implementation of the java.security APIs, compared to vanilla |
- // Android. Highly unlikely, but still possible. |
- Log.e(TAG, "Cannot find system OpenSSLRSAPrivateKey class: " + e); |
- return 0; |
- } |
- if (!superClass.isInstance(privateKey)) { |
- // This may happen if the PrivateKey was not created by the "AndroidOpenSSL" |
- // provider, which should be the default. That could happen if an OEM decided |
- // to implement a different default provider. Also highly unlikely. |
- Log.e(TAG, "Private key is not an OpenSSLRSAPrivateKey instance, its class name is:" + |
- privateKey.getClass().getCanonicalName()); |
- return 0; |
- } |
- |
- try { |
- // Use reflection to invoke the 'getOpenSSLKey()' method on |
- // the private key. This returns another Java object that wraps |
- // a native EVP_PKEY. Note that the method is final, so calling |
- // the superclass implementation is ok. |
- Method getKey = superClass.getDeclaredMethod("getOpenSSLKey"); |
- getKey.setAccessible(true); |
- Object opensslKey = null; |
- try { |
- opensslKey = getKey.invoke(privateKey); |
- } finally { |
- getKey.setAccessible(false); |
- } |
- if (opensslKey == null) { |
- // Bail when detecting OEM "enhancement". |
- Log.e(TAG, "getOpenSSLKey() returned null"); |
- return 0; |
- } |
- |
- // Use reflection to invoke the 'getPkeyContext' method on the |
- // result of the getOpenSSLKey(). This is an 32-bit integer |
- // which is the address of an EVP_PKEY object. |
- Method getPkeyContext; |
- try { |
- getPkeyContext = opensslKey.getClass().getDeclaredMethod("getPkeyContext"); |
- } catch (Exception e) { |
- // Bail here too, something really not working as expected. |
- Log.e(TAG, "No getPkeyContext() method on OpenSSLKey member:" + e); |
- return 0; |
- } |
- getPkeyContext.setAccessible(true); |
- int evp_pkey = 0; |
- try { |
- evp_pkey = (Integer) getPkeyContext.invoke(opensslKey); |
- } finally { |
- getPkeyContext.setAccessible(false); |
- } |
- if (evp_pkey == 0) { |
- // The PrivateKey is probably rotten for some reason. |
- Log.e(TAG, "getPkeyContext() returned null"); |
- } |
- return evp_pkey; |
- |
- } catch (Exception e) { |
- Log.e(TAG, "Exception while trying to retrieve system EVP_PKEY handle: " + e); |
- return 0; |
- } |
- } |
} |