Index: net/android/java/src/org/chromium/net/AndroidKeyStore.java |
diff --git a/net/android/java/src/org/chromium/net/AndroidKeyStore.java b/net/android/java/src/org/chromium/net/AndroidKeyStore.java |
index 1396bf1807e215ed38e4d2c61b8f220bf8a32111..bb44530da54a0f8ca9e625ceb86f0f152c493284 100644 |
--- a/net/android/java/src/org/chromium/net/AndroidKeyStore.java |
+++ b/net/android/java/src/org/chromium/net/AndroidKeyStore.java |
@@ -1,108 +1,61 @@ |
-// Copyright 2013 The Chromium Authors. All rights reserved. |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
// Use of this source code is governed by a BSD-style license that can be |
// found in the LICENSE file. |
package org.chromium.net; |
-import android.util.Log; |
- |
import org.chromium.base.CalledByNative; |
import org.chromium.base.JNINamespace; |
-import java.lang.reflect.Method; |
-import java.security.NoSuchAlgorithmException; |
-import java.security.PrivateKey; |
-import java.security.Signature; |
-import java.security.interfaces.DSAKey; |
-import java.security.interfaces.DSAParams; |
-import java.security.interfaces.DSAPrivateKey; |
-import java.security.interfaces.ECKey; |
-import java.security.interfaces.ECPrivateKey; |
-import java.security.interfaces.RSAKey; |
-import java.security.interfaces.RSAPrivateKey; |
-import java.security.spec.ECParameterSpec; |
- |
+/** |
+ * Specifies all the dependencies from the native OpenSSL engine on an Android KeyStore. |
+ */ |
@JNINamespace("net::android") |
-public class AndroidKeyStore { |
- |
- private static final String TAG = "AndroidKeyStore"; |
- |
- //////////////////////////////////////////////////////////////////// |
- // |
- // Message signing support. |
+public interface AndroidKeyStore { |
/** |
- * Returns the public modulus of a given RSA private key as a byte |
- * buffer. |
- * This can be used by native code to convert the modulus into |
- * an OpenSSL BIGNUM object. Required to craft a custom native RSA |
- * object where RSA_size() works as expected. |
+ * Return the system EVP_PKEY handle corresponding to a given PrivateKey |
+ * object. |
* |
- * @param key A PrivateKey instance, must implement RSAKey. |
- * @return A byte buffer corresponding to the modulus. This is |
- * big-endian representation of a BigInteger. |
- */ |
- @CalledByNative |
- public static byte[] getRSAKeyModulus(PrivateKey key) { |
- if (key instanceof RSAKey) { |
- return ((RSAKey) key).getModulus().toByteArray(); |
- } else { |
- Log.w(TAG, "Not a RSAKey instance!"); |
- return null; |
- } |
- } |
- |
- /** |
- * Returns the 'Q' parameter of a given DSA private key as a byte |
- * buffer. |
- * This can be used by native code to convert it into an OpenSSL BIGNUM |
- * object where DSA_size() works as expected. |
+ * This shall only be used when the "NONEwithRSA" signature is not |
+ * available, as described in rawSignDigestWithPrivateKey(). I.e. |
+ * never use this on Android 4.2 or higher. |
* |
- * @param key A PrivateKey instance. Must implement DSAKey. |
- * @return A byte buffer corresponding to the Q parameter. This is |
- * a big-endian representation of a BigInteger. |
- */ |
- @CalledByNative |
- public static byte[] getDSAKeyParamQ(PrivateKey key) { |
- if (key instanceof DSAKey) { |
- DSAParams params = ((DSAKey) key).getParams(); |
- return params.getQ().toByteArray(); |
- } else { |
- Log.w(TAG, "Not a DSAKey instance!"); |
- return null; |
- } |
- } |
- |
- /** |
- * Returns the 'order' parameter of a given ECDSA private key as a |
- * a byte buffer. |
- * @param key A PrivateKey instance. Must implement ECKey. |
- * @return A byte buffer corresponding to the 'order' parameter. |
- * This is a big-endian representation of a BigInteger. |
+ * This can only work in Android 4.0.4 and higher, for older versions |
+ * of the platform (e.g. 4.0.3), there is no system OpenSSL EVP_PKEY, |
+ * but the private key contents can be retrieved directly with |
+ * the getEncoded() method. |
+ * |
+ * This assumes that the target device uses a vanilla AOSP |
+ * implementation of its java.security classes, which is also |
+ * based on OpenSSL (fortunately, no OEM has apperently changed to |
+ * a different implementation, according to the Android team). |
+ * |
+ * Note that the object returned was created with the platform version |
+ * of OpenSSL, and _not_ the one that comes with Chromium. Whether the |
+ * object can be used safely with the Chromium OpenSSL library depends |
+ * on differences between their actual ABI / implementation details. |
+ * |
+ * To better understand what's going on below, please refer to the |
+ * following source files in the Android 4.0.4 and 4.1 source trees: |
+ * libcore/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLRSAPrivateKey.java |
+ * libcore/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp |
+ * |
+ * @param key The PrivateKey handle. |
+ * @return The EVP_PKEY handle, as a 32-bit integer (0 if not available) |
*/ |
@CalledByNative |
- public static byte[] getECKeyOrder(PrivateKey key) { |
- if (key instanceof ECKey) { |
- ECParameterSpec params = ((ECKey) key).getParams(); |
- return params.getOrder().toByteArray(); |
- } else { |
- Log.w(TAG, "Not an ECKey instance!"); |
- return null; |
- } |
- } |
+ int getOpenSSLHandleForPrivateKey(AndroidPrivateKey key); |
Ryan Sleevi
2014/02/14 20:57:51
Why did you re-order these methods? Makes it much
Yaron
2014/02/14 22:06:59
Not intentional, sorry. Can't honestly say when it
|
/** |
- * Returns the encoded data corresponding to a given PrivateKey. |
- * Note that this will fail for platform keys on Android 4.0.4 |
- * and higher. It can be used on 4.0.3 and older platforms to |
- * route around the platform bug described below. |
- * @param key A PrivateKey instance |
- * @return encoded key as PKCS#8 byte array, can be null. |
+ * Return the type of a given PrivateKey object. This is an integer |
+ * that maps to one of the values defined by org.chromium.net.PrivateKeyType, |
+ * which is itself auto-generated from net/android/private_key_type_list.h |
+ * @param key The PrivateKey handle |
+ * @return key type, or PrivateKeyType.INVALID if unknown. |
*/ |
@CalledByNative |
- public static byte[] getPrivateKeyEncodedBytes(PrivateKey key) { |
- return key.getEncoded(); |
- } |
+ int getPrivateKeyType(AndroidPrivateKey key); |
/** |
* Sign a given message with a given PrivateKey object. This method |
@@ -125,7 +78,7 @@ public class AndroidKeyStore { |
* message must be a hash and the function shall compute a direct |
* DSA/ECDSA signature for it. |
* |
- * @param privateKey The PrivateKey handle. |
+ * @param key The PrivateKey handle. |
* @param message The message to sign. |
* @return signature as a byte buffer. |
* |
@@ -134,173 +87,59 @@ public class AndroidKeyStore { |
* getOpenSSLHandleForPrivateKey() below for work-around. |
*/ |
@CalledByNative |
- public static byte[] rawSignDigestWithPrivateKey(PrivateKey privateKey, |
- byte[] message) { |
- // Get the Signature for this key. |
- Signature signature = null; |
- // Hint: Algorithm names come from: |
- // http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html |
- try { |
- if (privateKey instanceof RSAPrivateKey) { |
- // IMPORTANT: Due to a platform bug, this will throw NoSuchAlgorithmException |
- // on Android 4.0.x and 4.1.x. Fixed in 4.2 and higher. |
- // See https://android-review.googlesource.com/#/c/40352/ |
- signature = Signature.getInstance("NONEwithRSA"); |
- } else if (privateKey instanceof DSAPrivateKey) { |
- signature = Signature.getInstance("NONEwithDSA"); |
- } else if (privateKey instanceof ECPrivateKey) { |
- signature = Signature.getInstance("NONEwithECDSA"); |
- } |
- } catch (NoSuchAlgorithmException e) { |
- ; |
- } |
- |
- if (signature == null) { |
- Log.e(TAG, "Unsupported private key algorithm: " + privateKey.getAlgorithm()); |
- return null; |
- } |
+ byte[] rawSignDigestWithPrivateKey(AndroidPrivateKey key, byte[] message); |
- // Sign the message. |
- try { |
- signature.initSign(privateKey); |
- signature.update(message); |
- return signature.sign(); |
- } catch (Exception e) { |
- Log.e(TAG, "Exception while signing message with " + privateKey.getAlgorithm() + |
- " private key: " + e); |
- return null; |
- } |
- } |
+ /** |
+ * Returns the encoded data corresponding to a given PrivateKey. |
+ * Note that this will fail for platform keys on Android 4.0.4 |
+ * and higher. It can be used on 4.0.3 and older platforms to |
+ * route around the platform bug described below. |
+ * @param key A PrivateKey instance |
+ * @return encoded key as PKCS#8 byte array, can be null. |
+ */ |
+ @CalledByNative |
+ byte[] getPrivateKeyEncodedBytes(AndroidPrivateKey key); |
/** |
- * Return the type of a given PrivateKey object. This is an integer |
- * that maps to one of the values defined by org.chromium.net.PrivateKeyType, |
- * which is itself auto-generated from net/android/private_key_type_list.h |
- * @param privateKey The PrivateKey handle |
- * @return key type, or PrivateKeyType.INVALID if unknown. |
+ * Returns the 'order' parameter of a given ECDSA private key as a |
+ * a byte buffer. |
+ * @param key A PrivateKey instance. Must implement ECKey. |
+ * @return A byte buffer corresponding to the 'order' parameter. |
+ * This is a big-endian representation of a BigInteger. |
*/ |
@CalledByNative |
- public static int getPrivateKeyType(PrivateKey privateKey) { |
- if (privateKey instanceof RSAPrivateKey) |
- return PrivateKeyType.RSA; |
- if (privateKey instanceof DSAPrivateKey) |
- return PrivateKeyType.DSA; |
- if (privateKey instanceof ECPrivateKey) |
- return PrivateKeyType.ECDSA; |
- else |
- return PrivateKeyType.INVALID; |
- } |
+ byte[] getECKeyOrder(AndroidPrivateKey key); |
/** |
- * Return the system EVP_PKEY handle corresponding to a given PrivateKey |
- * object, obtained through reflection. |
- * |
- * This shall only be used when the "NONEwithRSA" signature is not |
- * available, as described in rawSignDigestWithPrivateKey(). I.e. |
- * never use this on Android 4.2 or higher. |
- * |
- * This can only work in Android 4.0.4 and higher, for older versions |
- * of the platform (e.g. 4.0.3), there is no system OpenSSL EVP_PKEY, |
- * but the private key contents can be retrieved directly with |
- * the getEncoded() method. |
- * |
- * This assumes that the target device uses a vanilla AOSP |
- * implementation of its java.security classes, which is also |
- * based on OpenSSL (fortunately, no OEM has apperently changed to |
- * a different implementation, according to the Android team). |
- * |
- * Note that the object returned was created with the platform version |
- * of OpenSSL, and _not_ the one that comes with Chromium. Whether the |
- * object can be used safely with the Chromium OpenSSL library depends |
- * on differences between their actual ABI / implementation details. |
- * |
- * To better understand what's going on below, please refer to the |
- * following source files in the Android 4.0.4 and 4.1 source trees: |
- * libcore/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLRSAPrivateKey.java |
- * libcore/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp |
+ * Returns the 'Q' parameter of a given DSA private key as a byte |
+ * buffer. |
+ * This can be used by native code to convert it into an OpenSSL BIGNUM |
+ * object where DSA_size() works as expected. |
* |
- * @param privateKey The PrivateKey handle. |
- * @return The EVP_PKEY handle, as a 32-bit integer (0 if not available) |
+ * @param key A PrivateKey instance. Must implement DSAKey. |
+ * @return A byte buffer corresponding to the Q parameter. This is |
+ * a big-endian representation of a BigInteger. |
*/ |
@CalledByNative |
- public static int getOpenSSLHandleForPrivateKey(PrivateKey privateKey) { |
- // Sanity checks |
- if (privateKey == null) { |
- Log.e(TAG, "privateKey == null"); |
- return 0; |
- } |
- if (!(privateKey instanceof RSAPrivateKey)) { |
- Log.e(TAG, "does not implement RSAPrivateKey"); |
- return 0; |
- } |
- // First, check that this is a proper instance of OpenSSLRSAPrivateKey |
- // or one of its sub-classes. |
- Class<?> superClass; |
- try { |
- superClass = Class.forName( |
- "org.apache.harmony.xnet.provider.jsse.OpenSSLRSAPrivateKey"); |
- } catch (Exception e) { |
- // This may happen if the target device has a completely different |
- // implementation of the java.security APIs, compared to vanilla |
- // Android. Highly unlikely, but still possible. |
- Log.e(TAG, "Cannot find system OpenSSLRSAPrivateKey class: " + e); |
- return 0; |
- } |
- if (!superClass.isInstance(privateKey)) { |
- // This may happen if the PrivateKey was not created by the "AndroidOpenSSL" |
- // provider, which should be the default. That could happen if an OEM decided |
- // to implement a different default provider. Also highly unlikely. |
- Log.e(TAG, "Private key is not an OpenSSLRSAPrivateKey instance, its class name is:" + |
- privateKey.getClass().getCanonicalName()); |
- return 0; |
- } |
+ byte[] getDSAKeyParamQ(AndroidPrivateKey key); |
- try { |
- // Use reflection to invoke the 'getOpenSSLKey()' method on |
- // the private key. This returns another Java object that wraps |
- // a native EVP_PKEY. Note that the method is final, so calling |
- // the superclass implementation is ok. |
- Method getKey = superClass.getDeclaredMethod("getOpenSSLKey"); |
- getKey.setAccessible(true); |
- Object opensslKey = null; |
- try { |
- opensslKey = getKey.invoke(privateKey); |
- } finally { |
- getKey.setAccessible(false); |
- } |
- if (opensslKey == null) { |
- // Bail when detecting OEM "enhancement". |
- Log.e(TAG, "getOpenSSLKey() returned null"); |
- return 0; |
- } |
- |
- // Use reflection to invoke the 'getPkeyContext' method on the |
- // result of the getOpenSSLKey(). This is an 32-bit integer |
- // which is the address of an EVP_PKEY object. |
- Method getPkeyContext; |
- try { |
- getPkeyContext = opensslKey.getClass().getDeclaredMethod("getPkeyContext"); |
- } catch (Exception e) { |
- // Bail here too, something really not working as expected. |
- Log.e(TAG, "No getPkeyContext() method on OpenSSLKey member:" + e); |
- return 0; |
- } |
- getPkeyContext.setAccessible(true); |
- int evp_pkey = 0; |
- try { |
- evp_pkey = (Integer) getPkeyContext.invoke(opensslKey); |
- } finally { |
- getPkeyContext.setAccessible(false); |
- } |
- if (evp_pkey == 0) { |
- // The PrivateKey is probably rotten for some reason. |
- Log.e(TAG, "getPkeyContext() returned null"); |
- } |
- return evp_pkey; |
+ /** |
+ * Returns the public modulus of a given RSA private key as a byte |
+ * buffer. |
+ * This can be used by native code to convert the modulus into |
+ * an OpenSSL BIGNUM object. Required to craft a custom native RSA |
+ * object where RSA_size() works as expected. |
+ * |
+ * @param key A PrivateKey instance, must implement RSAKey. |
+ * @return A byte buffer corresponding to the modulus. This is |
+ * big-endian representation of a BigInteger. |
+ */ |
+ @CalledByNative |
+ byte[] getRSAKeyModulus(AndroidPrivateKey key); |
- } catch (Exception e) { |
- Log.e(TAG, "Exception while trying to retrieve system EVP_PKEY handle: " + e); |
- return 0; |
- } |
- } |
+ /** |
+ * Called when the native OpenSSL engine no longer needs access to the underlying key. |
+ */ |
+ @CalledByNative |
+ void releaseKey(AndroidPrivateKey key); |
} |