| 1 | // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | package org.chromium.net; |
| 6 | |
| 7 | import android.util.Log; |
| 8 | |
| 9 | import java.lang.reflect.InvocationTargetException; |
| 10 | import java.lang.reflect.Method; |
| 11 | import java.math.BigInteger; |
| 12 | import java.security.interfaces.DSAKey; |
| 13 | import java.security.interfaces.DSAPrivateKey; |
| 14 | import java.security.interfaces.DSAParams; |
| 15 | import java.security.interfaces.ECKey; |
| 16 | import java.security.interfaces.ECPrivateKey; |
| 17 | import java.security.interfaces.RSAKey; |
| 18 | import java.security.interfaces.RSAPrivateKey; |
| 19 | import java.security.NoSuchAlgorithmException; |
| 20 | import java.security.PrivateKey; |
| 21 | import java.security.Signature; |
| 22 | import java.security.spec.ECParameterSpec; |
| 23 | |
| 24 | import org.chromium.base.CalledByNative; |
| 25 | import org.chromium.base.JNINamespace; |
| 26 | import org.chromium.net.PrivateKeyType;; |
| 27 | |
| 28 | @JNINamespace("net::android") |
| 29 | public class AndroidKeyStore { |
| 30 | |
| 31 | private static final String TAG = "AndroidKeyStore"; |
| 32 | |
| 33 | //////////////////////////////////////////////////////////////////// |
| 34 | // |
| 35 | // Message signing support. |
| 36 | |
| 37 | /** |
| 38 | * Returns the public modulus of a given RSA private key as a byte |
| 39 | * buffer. |
| 40 | * This can be used by native code to convert the modulus into |
| 41 | * an OpenSSL BIGNUM object. Required to craft a custom native RSA |
| 42 | * object where RSA_size() works as expected. |
| 43 | * |
| 44 | * @param key A PrivateKey instance, must implement RSAKey. |
| 45 | * @return A byte buffer corresponding to the modulus. This is |
| 46 | * big-endian representation of a BigInteger. |
| 47 | */ |
| 48 | @CalledByNative |
| 49 | public static byte[] getRSAKeyModulus(PrivateKey key) { |
| 50 | if (key instanceof RSAKey) { |
| 51 | return ((RSAKey) key).getModulus().toByteArray(); |
| 52 | } else { |
| 53 | Log.w(TAG, "Not a RSAKey instance!"); |
| 54 | return null; |
| 55 | } |
| 56 | } |
| 57 | |
| 58 | /** |
| 59 | * Returns the 'Q' parameter of a given DSA private key as a byte |
| 60 | * buffer. |
| 61 | * This can be used by native code to convert it into an OpenSSL BIGNUM |
| 62 | * object where DSA_size() works as expected. |
| 63 | * |
| 64 | * @param key A PrivateKey instance. Must implement DSAKey. |
| 65 | * @return A byte buffer corresponding to the Q parameter. This is |
| 66 | * a big-endian representation of a BigInteger. |
| 67 | */ |
| 68 | @CalledByNative |
| 69 | public static byte[] getDSAKeyParamQ(PrivateKey key) { |
| 70 | if (key instanceof DSAKey) { |
| 71 | DSAParams params = ((DSAKey) key).getParams(); |
| 72 | return params.getQ().toByteArray(); |
| 73 | } else { |
| 74 | Log.w(TAG, "Not a DSAKey instance!"); |
| 75 | return null; |
| 76 | } |
| 77 | } |
| 78 | |
| 79 | /** |
| 80 | * Returns the 'order' parameter of a given ECDSA private key as a |
| 81 | * a byte buffer. |
| 82 | * @param key A PrivateKey instance. Must implement ECKey. |
| 83 | * @return A byte buffer corresponding to the 'order' parameter. |
| 84 | * This is a big-endian representation of a BigInteger. |
| 85 | */ |
| 86 | @CalledByNative |
| 87 | public static byte[] getECKeyOrder(PrivateKey key) { |
| 88 | if (key instanceof ECKey) { |
| 89 | ECParameterSpec params = ((ECKey) key).getParams(); |
| 90 | return params.getOrder().toByteArray(); |
| 91 | } else { |
| 92 | Log.w(TAG, "Not an ECKey instance!"); |
| 93 | return null; |
| 94 | } |
| 95 | } |
| 96 | |
| 97 | /** |
| 98 | * Returns the encoded data corresponding to a given PrivateKey. |
| 99 | * Note that this will fail for platform keys on Android 4.0.4 |
| 100 | * and higher. It can be used on 4.0.3 and older platforms to |
| 101 | * route around the platform bug described below. |
| 102 | * @param key A PrivateKey instance |
| 103 | * @return encoded key as PKCS#8 byte array, can be null. |
| 104 | */ |
| 105 | @CalledByNative |
| 106 | public static byte[] getPrivateKeyEncodedBytes(PrivateKey key) { |
| 107 | return key.getEncoded(); |
| 108 | } |
| 109 | |
| 110 | /** |
| 111 | * Sign a given message with a given PrivateKey object. This method |
| 112 | * shall only be used to implement signing in the context of SSL |
| 113 | * client certificate support. |
| 114 | * |
| 115 | * The message will actually be a hash, computed and padded by OpenSSL, |
| 116 | * itself, depending on the type of the key. The result should match |
| 117 | * exactly what the vanilla implementations of the following OpenSSL |
| 118 | * function calls do: |
| 119 | * |
| 120 | * - For a RSA private key, this should be equivalent to calling |
| 121 | * RSA_sign(NDI_md5_sha1,....), i.e. it must generate a raw RSA |
| 122 | * signature. The message must a combined, 36-byte MD5+SHA1 message |
| 123 | * digest padded to the length of the modulus using PKCS#1 padding. |
| 124 | * |
| 125 | * - For a DSA and ECDSA private keys, this should be equivalent to |
| 126 | * calling DSA_sign(0,...) and ECDSA_sign(0,...) respectively. The |
| 127 | * message must be a 20-byte SHA1 hash and the function shall |
| 128 | * compute a direct DSA/ECDSA signature for it. |
| 129 | * |
| 130 | * @param privateKey The PrivateKey handle. |
| 131 | * @param message The message to sign. |
| 132 | * @return signature as a byte buffer. |
| 133 | * |
| 134 | * Important: Due to a platform bug, this function will always fail on |
| 135 | * Android < 4.2 for RSA PrivateKey objects. See the |
| 136 | * getOpenSSLHandleForPrivateKey() below for work-around. |
| 137 | */ |
| 138 | @CalledByNative |
| 139 | public static byte[] rawSignDigestWithPrivateKey(PrivateKey privateKey, |
| 140 | byte[] message) { |
| 141 | // Get the Signature for this key. |
| 142 | Signature signature = null; |
| 143 | // Hint: Algorithm names come from: |
| 144 | // http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html |
| 145 | try { |
| 146 | if (privateKey instanceof RSAPrivateKey) { |
| 147 | // IMPORTANT: Due to a platform bug, this will throw NoSuchAlgorithmException |
| 148 | // on Android 4.0.x and 4.1.x. Fixed in 4.2 and higher. |
| 149 | // See https://android-review.googlesource.com/#/c/40352/ |
| 150 | signature = Signature.getInstance("NONEwithRSA"); |
| 151 | } else if (privateKey instanceof DSAPrivateKey) { |
| 152 | signature = Signature.getInstance("NONEwithDSA"); |
| 153 | } else if (privateKey instanceof ECPrivateKey) { |
| 154 | signature = Signature.getInstance("NONEwithECDSA"); |
| 155 | } |
| 156 | } catch (NoSuchAlgorithmException e) { |
| 157 | ; |
| 158 | } |
| 159 | |
| 160 | if (signature == null) { |
| 161 | Log.e(TAG, "Unsupported private key algorithm: " + privateKey.getAlgorithm()); |
| 162 | return null; |
| 163 | } |
| 164 | |
| 165 | // Sign the message. |
| 166 | try { |
| 167 | signature.initSign(privateKey); |
| 168 | signature.update(message); |
| 169 | return signature.sign(); |
| 170 | } catch (Exception e) { |
| 171 | Log.e(TAG, "Exception while signing message with " + privateKey.getAlgorithm() + |
| 172 | " private key: " + e); |
| 173 | return null; |
| 174 | } |
| 175 | } |
| 176 | |
| 177 | /** |
| 178 | * Return the type of a given PrivateKey object. This is an integer |
| 179 | * that maps to one of the values defined by org.chromium.net.PrivateKeyType, |
| 180 | * which is itself auto-generated from net/android/private_key_type_list.h |
| 181 | * @param privateKey The PrivateKey handle |
| 182 | * @return key type, or PrivateKeyType.INVALID if unknown. |
| 183 | */ |
| 184 | @CalledByNative |
| 185 | public static int getPrivateKeyType(PrivateKey privateKey) { |
| 186 | if (privateKey instanceof RSAPrivateKey) |
| 187 | return PrivateKeyType.RSA; |
| 188 | if (privateKey instanceof DSAPrivateKey) |
| 189 | return PrivateKeyType.DSA; |
| 190 | if (privateKey instanceof ECPrivateKey) |
| 191 | return PrivateKeyType.ECDSA; |
| 192 | else |
| 193 | return PrivateKeyType.INVALID; |
| 194 | } |
| 195 | |
| 196 | /** |
| 197 | * Return the system EVP_PKEY handle corresponding to a given PrivateKey |
| 198 | * object, obtained through reflection. |
| 199 | * |
| 200 | * This shall only be used when the "NONEwithRSA" signature is not |
| 201 | * available, as described in rawSignDigestWithPrivateKey(). I.e. |
| 202 | * never use this on Android 4.2 or higher. |
| 203 | * |
| 204 | * This can only work in Android 4.0.4 and higher, for older versions |
| 205 | * of the platform (e.g. 4.0.3), there is no system OpenSSL EVP_PKEY, |
| 206 | * but the private key contents can be retrieved directly with |
| 207 | * the getEncoded() method. |
| 208 | * |
| 209 | * This assumes that the target device uses a vanilla AOSP |
| 210 | * implementation of its java.security classes, which is also |
| 211 | * based on OpenSSL (fortunately, no OEM has apperently changed to |
| 212 | * a different implementation, according to the Android team). |
| 213 | * |
| 214 | * Note that the object returned was created with the platform version |
| 215 | * of OpenSSL, and _not_ the one that comes with Chromium. Whether the |
| 216 | * object can be used safely with the Chromium OpenSSL library depends |
| 217 | * on differences between their actual ABI / implementation details. |
| 218 | * |
| 219 | * To better understand what's going on below, please refer to the |
| 220 | * following source files in the Android 4.0.4 and 4.1 source trees: |
| 221 | * libcore/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLRSAPrivateKey.java |
| 222 | * libcore/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp |
| 223 | * |
| 224 | * @param privateKey The PrivateKey handle. |
| 225 | * @return The EVP_PKEY handle, as a 32-bit integer (0 if not available) |
| 226 | */ |
| 227 | @CalledByNative |
| 228 | public static int getOpenSSLHandleForPrivateKey(PrivateKey privateKey) { |
| 229 | // Sanity checks |
| 230 | if (privateKey == null) { |
| 231 | Log.e(TAG, "privateKey == null"); |
| 232 | return 0; |
| 233 | } |
| 234 | if (!(privateKey instanceof RSAPrivateKey)) { |
| 235 | Log.e(TAG, "does not implement RSAPrivateKey"); |
| 236 | return 0; |
| 237 | } |
| 238 | // First, check that this is a proper instance of OpenSSLRSAPrivateKey |
| 239 | // or one of its sub-classes. |
| 240 | Class<?> superClass; |
| 241 | try { |
| 242 | superClass = Class.forName( |
| 243 | "org.apache.harmony.xnet.provider.jsse.OpenSSLRSAPrivateKey"); |
| 244 | } catch (Exception e) { |
| 245 | // This may happen if the target device has a completely different |
| 246 | // implementation of the java.security APIs, compared to vanilla |
| 247 | // Android. Highly unlikely, but still possible. |
| 248 | Log.e(TAG, "Cannot find system OpenSSLRSAPrivateKey class: " + e); |
| 249 | return 0; |
| 250 | } |
| 251 | if (!superClass.isInstance(privateKey)) { |
| 252 | // This may happen if the PrivateKey was not created by the "AndroidOpenSSL" |
| 253 | // provider, which should be the default. That could happen if an OEM decided |
| 254 | // to implement a different default provider. Also highly unlikely. |
| 255 | Log.e(TAG, "Private key is not an OpenSSLRSAPrivateKey instance, its class name is:" + |
| 256 | privateKey.getClass().getCanonicalName()); |
| 257 | return 0; |
| 258 | } |
| 259 | |
| 260 | try { |
| 261 | // Use reflection to invoke the 'getOpenSSLKey()' method on |
| 262 | // the private key. This returns another Java object that wraps |
| 263 | // a native EVP_PKEY. Note that the method is final, so calling |
| 264 | // the superclass implementation is ok. |
| 265 | Method getKey = superClass.getDeclaredMethod("getOpenSSLKey"); |
| 266 | getKey.setAccessible(true); |
| 267 | Object opensslKey = null; |
| 268 | try { |
| 269 | opensslKey = getKey.invoke(privateKey); |
| 270 | } finally { |
| 271 | getKey.setAccessible(false); |
| 272 | } |
| 273 | if (opensslKey == null) { |
| 274 | // Bail when detecting OEM "enhancement". |
| 275 | Log.e(TAG, "getOpenSSLKey() returned null"); |
| 276 | return 0; |
| 277 | } |
| 278 | |
| 279 | // Use reflection to invoke the 'getPkeyContext' method on the |
| 280 | // result of the getOpenSSLKey(). This is an 32-bit integer |
| 281 | // which is the address of an EVP_PKEY object. |
| 282 | Method getPkeyContext; |
| 283 | try { |
| 284 | getPkeyContext = opensslKey.getClass().getDeclaredMethod("getPkeyContext"); |
| 285 | } catch (Exception e) { |
| 286 | // Bail here too, something really not working as expected. |
| 287 | Log.e(TAG, "No getPkeyContext() method on OpenSSLKey member:" + e); |
| 288 | return 0; |
| 289 | } |
| 290 | getPkeyContext.setAccessible(true); |
| 291 | int evp_pkey = 0; |
| 292 | try { |
| 293 | evp_pkey = (Integer) getPkeyContext.invoke(opensslKey); |
| 294 | } finally { |
| 295 | getPkeyContext.setAccessible(false); |
| 296 | } |
| 297 | if (evp_pkey == 0) { |
| 298 | // The PrivateKey is probably rotten for some reason. |
| 299 | Log.e(TAG, "getPkeyContext() returned null"); |
| 300 | } |
| 301 | return evp_pkey; |
| 302 | |
| 303 | } catch (Exception e) { |
| 304 | Log.e(TAG, "Exception while trying to retrieve system EVP_PKEY handle: " + e); |
| 305 | return 0; |
| 306 | } |
| 307 | } |
| 308 | } |