Merge "Accept an XML file containing a list of THM certificates instead of the...

import java.security.PublicKey;

import java.security.SecureRandom;

import java.security.UnrecoverableKeyException;

import java.security.cert.CertPath;

import java.util.ArrayList;

import java.util.List;

import java.util.Map;

            return;

        }

        PublicKey publicKey = mRecoverableKeyStoreDb.getRecoveryServicePublicKey(mUserId,

        PublicKey publicKey;

        CertPath certPath = mRecoverableKeyStoreDb.getRecoveryServiceCertPath(mUserId,

                recoveryAgentUid);

        if (certPath != null) {

            Log.d(TAG, "Using the public key in stored CertPath for syncing");

            publicKey = certPath.getCertificates().get(0).getPublicKey();

        } else {

            Log.d(TAG, "Using the stored raw public key for syncing");

            publicKey = mRecoverableKeyStoreDb.getRecoveryServicePublicKey(mUserId,

                    recoveryAgentUid);

        }

        if (publicKey == null) {

            Log.w(TAG, "Not initialized for KeySync: no public key set. Cancelling task.");

            return;

import static android.security.keystore.RecoveryController.ERROR_SERVICE_INTERNAL_ERROR;

import static android.security.keystore.RecoveryController.ERROR_SESSION_EXPIRED;

import android.Manifest;

import android.annotation.NonNull;

import android.annotation.Nullable;

import android.app.PendingIntent;

import android.content.Context;

import android.Manifest;

import android.os.Binder;

import android.os.RemoteException;

import android.os.ServiceSpecificException;

import android.os.UserHandle;

import android.security.keystore.recovery.KeyChainProtectionParams;

import android.security.keystore.recovery.KeyChainSnapshot;

import android.security.keystore.recovery.RecoveryController;

import com.android.internal.annotations.VisibleForTesting;

import com.android.internal.util.HexDump;

import com.android.server.locksettings.recoverablekeystore.storage.ApplicationKeyStorage;

import com.android.server.locksettings.recoverablekeystore.certificate.CertParsingException;

import com.android.server.locksettings.recoverablekeystore.certificate.CertValidationException;

import com.android.server.locksettings.recoverablekeystore.certificate.CertXml;

import com.android.server.locksettings.recoverablekeystore.certificate.TrustedRootCert;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverySessionStorage;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage;

import java.security.KeyStoreException;

import java.security.NoSuchAlgorithmException;

import java.security.PublicKey;

import java.security.spec.InvalidKeySpecException;

import java.security.UnrecoverableKeyException;

import java.security.cert.CertPath;

import java.security.cert.CertificateEncodingException;

import java.security.spec.InvalidKeySpecException;

import java.security.spec.X509EncodedKeySpec;

import java.util.Arrays;

import java.util.HashMap;

    }

    public void initRecoveryService(

            @NonNull String rootCertificateAlias, @NonNull byte[] signedPublicKeyList)

            @NonNull String rootCertificateAlias, @NonNull byte[] recoveryServiceCertFile)

            throws RemoteException {

        checkRecoverKeyStorePermission();

        int userId = UserHandle.getCallingUserId();

        int uid = Binder.getCallingUid();

        // TODO: open /system/etc/security/... cert file, and check the signature on the public keys

        PublicKey publicKey;

        // TODO: Check the public-key signature on the whole file before parsing it

        CertXml certXml;

        try {

            certXml = CertXml.parse(recoveryServiceCertFile);

        } catch (CertParsingException e) {

            // TODO: Do not use raw key bytes anymore once the other components are updated

            Log.d(TAG, "Failed to parse the cert file", e);

            PublicKey publicKey = parseEcPublicKey(recoveryServiceCertFile);

            if (mDatabase.setRecoveryServicePublicKey(userId, uid, publicKey) > 0) {

                mDatabase.setShouldCreateSnapshot(userId, uid, true);

            }

            return;

        }

        // Check serial number

        long newSerial = certXml.getSerial();

        Long oldSerial = mDatabase.getRecoveryServiceCertSerial(userId, uid);

        if (oldSerial != null && oldSerial >= newSerial) {

            if (oldSerial == newSerial) {

                Log.i(TAG, "The cert file serial number is the same, so skip updating.");

            } else {

                Log.e(TAG, "The cert file serial number is older than the one in database.");

            }

            return;

        }

        Log.i(TAG, "Updating the certificate with the new serial number " + newSerial);

        CertPath certPath;

        try {

            Log.d(TAG, "Getting and validating a random endpoint certificate");

            certPath = certXml.getRandomEndpointCert(TrustedRootCert.TRUSTED_ROOT_CERT);

        } catch (CertValidationException e) {

            Log.e(TAG, "Invalid endpoint cert", e);

            throw new ServiceSpecificException(

                    ERROR_BAD_CERTIFICATE_FORMAT, "Failed to validate certificate.");

        }

        try {

            Log.d(TAG, "Saving the randomly chosen endpoint certificate to database");

            if (mDatabase.setRecoveryServiceCertPath(userId, uid, certPath) > 0) {

                mDatabase.setRecoveryServiceCertSerial(userId, uid, newSerial);

                mDatabase.setShouldCreateSnapshot(userId, uid, true);

            }

        } catch (CertificateEncodingException e) {

            Log.e(TAG, "Failed to encode CertPath", e);

            throw new ServiceSpecificException(

                    ERROR_BAD_CERTIFICATE_FORMAT, "Failed to encode CertPath.");

        }

    }

    private PublicKey parseEcPublicKey(@NonNull byte[] bytes) throws ServiceSpecificException {

        try {

            KeyFactory kf = KeyFactory.getInstance("EC");

            // TODO: Randomly choose a key from the list -- right now we just use the whole input

            X509EncodedKeySpec pkSpec = new X509EncodedKeySpec(signedPublicKeyList);

            publicKey = kf.generatePublic(pkSpec);

            X509EncodedKeySpec pkSpec = new X509EncodedKeySpec(bytes);

            return kf.generatePublic(pkSpec);

        } catch (NoSuchAlgorithmException e) {

            Log.wtf(TAG, "EC algorithm not available. AOSP must support this.", e);

            throw new ServiceSpecificException(ERROR_SERVICE_INTERNAL_ERROR, e.getMessage());

            throw new ServiceSpecificException(

                    ERROR_BAD_CERTIFICATE_FORMAT, "Not a valid X509 certificate.");

        }

        long updatedRows = mDatabase.setRecoveryServicePublicKey(userId, uid, publicKey);

        if (updatedRows > 0) {

            mDatabase.setShouldCreateSnapshot(userId, uid, true);

        }

    }

    /**

import org.xml.sax.SAXException;

/** Utility functions related to parsing and validating public-key certificates. */

final class CertUtils {

public final class CertUtils {

    private static final String CERT_FORMAT = "X.509";

    private static final String CERT_PATH_ALG = "PKIX";

     * @return the decoding decoding result

     * @throws CertParsingException if the input string is not a properly base64-encoded string

     */

    static byte[] decodeBase64(String str) throws CertParsingException {

    public static byte[] decodeBase64(String str) throws CertParsingException {

        try {

            return Base64.getDecoder().decode(str);

        } catch (IllegalArgumentException e) {

/*

 * Copyright (C) 2017 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.android.server.locksettings.recoverablekeystore.certificate;

import java.security.cert.X509Certificate;

/**

 * Holds the X509 certificate of the trusted root CA cert for the recoverable key store service.

 *

 * TODO: Read the certificate from a PEM file directly and remove this class.

 */

public final class TrustedRootCert {

    private  static final String TRUSTED_ROOT_CERT_BASE64 = ""

            + "MIIFJjCCAw6gAwIBAgIJAIobXsJlzhNdMA0GCSqGSIb3DQEBDQUAMCAxHjAcBgNV"

            + "BAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDAeFw0xODAyMDIxOTM5MTRaFw0zODAx"

            + "MjgxOTM5MTRaMCAxHjAcBgNVBAMMFUdvb2dsZSBDcnlwdEF1dGhWYXVsdDCCAiIw"

            + "DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2OT5i40/H7LINg/lq/0G0hR65P"

            + "Q4Mud3OnuVt6UIYV2T18+v6qW1yJd5FcnND/ZKPau4aUAYklqJuSVjOXQD0BjgS2"

            + "98Xa4dSn8Ci1rUR+5tdmrxqbYUdT2ZvJIUMMR6fRoqi+LlAbKECrV+zYQTyLU68w"

            + "V66hQpAButjJKiZzkXjmKLfJ5IWrNEn17XM988rk6qAQn/BYCCQGf3rQuJeksGmA"

            + "N1lJOwNYxmWUyouVwqwZthNEWqTuEyBFMkAT+99PXW7oVDc7oU5cevuihxQWNTYq"

            + "viGB8cck6RW3cmqrDSaJF/E+N0cXFKyYC7FDcggt6k3UrxNKTuySdDEa8+2RTQqU"

            + "Y9npxBlQE+x9Ig56OI1BG3bSBsGdPgjpyHadZeh2tgk+oqlGsSsum24YxaxuSysT"

            + "Qfcu/XhyfUXavfmGrBOXerTzIl5oBh/F5aHTV85M2tYEG0qsPPvSpZAWtdJ/2rca"

            + "OxvhwOL+leZKr8McjXVR00lBsRuKXX4nTUMwya09CO3QHFPFZtZvqjy2HaMOnVLQ"

            + "I6b6dHEfmsHybzVOe3yPEoFQSU9UhUdmi71kwwoanPD3j9fJHmXTx4PzYYBRf1ZE"

            + "o+uPgMPk7CDKQFZLjnR40z1uzu3O8aZ3AKZzP+j7T4XQKJLQLmllKtPgLgNdJyib"

            + "2Glg7QhXH/jBTL6hAgMBAAGjYzBhMB0GA1UdDgQWBBSbZfrqOYH54EJpkdKMZjMc"

            + "z/Hp+DAfBgNVHSMEGDAWgBSbZfrqOYH54EJpkdKMZjMcz/Hp+DAPBgNVHRMBAf8E"

            + "BTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCAgEAKh9nm/vW"

            + "glMWp3vcCwWwJW286ecREDlI+CjGh5h+f2N4QRrXd/tKE3qQJWCqGx8sFfIUjmI7"

            + "KYdsC2gyQ2cA2zl0w7pB2QkuqE6zVbnh1D17Hwl19IMyAakFaM9ad4/EoH7oQmqX"

            + "nF/f5QXGZw4kf1HcgKgoCHWXjqR8MqHOcXR8n6WFqxjzJf1jxzi6Yo2dZ7PJbnE6"

            + "+kHIJuiCpiHL75v5g1HM41gT3ddFFSrn88ThNPWItT5Z8WpFjryVzank2Yt02LLl"

            + "WqZg9IC375QULc5B58NMnaiVJIDJQ8zoNgj1yaxqtUMnJX570lotO2OXe4ec9aCQ"

            + "DIJ84YLM/qStFdeZ9416E80dchskbDG04GuVJKlzWjxAQNMRFhyaPUSBTLLg+kwP"

            + "t9+AMmc+A7xjtFQLZ9fBYHOBsndJOmeSQeYeckl+z/1WQf7DdwXn/yijon7mxz4z"

            + "cCczfKwTJTwBh3wR5SQr2vQm7qaXM87qxF8PCAZrdZaw5I80QwkgTj0WTZ2/GdSw"

            + "d3o5SyzzBAjpwtG+4bO/BD9h9wlTsHpT6yWOZs4OYAKU5ykQrncI8OyavMggArh3"

            + "/oM58v0orUWINtIc2hBlka36PhATYQiLf+AiWKnwhCaaHExoYKfQlMtXBodNvOK8"

            + "xqx69x05q/qbHKEcTHrsss630vxrp1niXvA=";

    /**

     * The X509 certificate of the trusted root CA cert for the recoverable key store service.

     *

     * TODO: Change it to the production certificate root CA before the final launch.

     */

    public static final X509Certificate TRUSTED_ROOT_CERT;

    static {

        try {

            TRUSTED_ROOT_CERT = CertUtils.decodeCert(

                    CertUtils.decodeBase64(TRUSTED_ROOT_CERT_BASE64));

        } catch (CertParsingException e) {

            // Should not happen

            throw new RuntimeException(e);

        }

    }

}

import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDbContract.RecoveryServiceMetadataEntry;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDbContract.UserMetadataEntry;

import java.io.ByteArrayInputStream;

import java.security.KeyFactory;

import java.security.NoSuchAlgorithmException;

import java.security.PublicKey;

import java.security.cert.CertPath;

import java.security.cert.CertificateEncodingException;

import java.security.cert.CertificateException;

import java.security.cert.CertificateFactory;

import java.security.spec.InvalidKeySpecException;

import java.security.spec.X509EncodedKeySpec;

import java.util.ArrayList;

    private static final String TAG = "RecoverableKeyStoreDb";

    private static final int IDLE_TIMEOUT_SECONDS = 30;

    private static final int LAST_SYNCED_AT_UNSYNCED = -1;

    private static final String CERT_PATH_ENCODING = "PkiPath";

    private final RecoverableKeyStoreDbHelper mKeyStoreDbHelper;

                publicKey.getEncoded());

    }

    /**

     * Returns the serial number of the XML file containing certificates of the recovery service.

     *

     * @param userId The userId of the profile the application is running under.

     * @param uid The uid of the application who initializes the local recovery components.

     * @return The value that were previously set, or null if there's none.

     *

     * @hide

     */

    @Nullable

    public Long getRecoveryServiceCertSerial(int userId, int uid) {

        return getLong(userId, uid, RecoveryServiceMetadataEntry.COLUMN_NAME_CERT_SERIAL);

    }

    /**

     * Records the serial number of the XML file containing certificates of the recovery service.

     *

     * @param userId The userId of the profile the application is running under.

     * @param uid The uid of the application who initializes the local recovery components.

     * @param serial The serial number contained in the XML file for recovery service certificates.

     * @return The primary key of the inserted row, or -1 if failed.

     *

     * @hide

     */

    public long setRecoveryServiceCertSerial(int userId, int uid, long serial) {

        return setLong(userId, uid, RecoveryServiceMetadataEntry.COLUMN_NAME_CERT_SERIAL, serial);

    }

    /**

     * Returns the {@code CertPath} of the recovery service.

     *

     * @param userId The userId of the profile the application is running under.

     * @param uid The uid of the application who initializes the local recovery components.

     * @return The value that were previously set, or null if there's none.

     *

     * @hide

     */

    @Nullable

    public CertPath getRecoveryServiceCertPath(int userId, int uid) {

        byte[] bytes = getBytes(userId, uid, RecoveryServiceMetadataEntry.COLUMN_NAME_CERT_PATH);

        if (bytes == null) {

            return null;

        }

        try {

            return decodeCertPath(bytes);

        } catch (CertificateException e) {

            Log.wtf(TAG,

                    String.format(Locale.US,

                            "Recovery service CertPath entry cannot be decoded for "

                                    + "userId=%d uid=%d.",

                            userId, uid), e);

            return null;

        }

    }

    /**

     * Sets the {@code CertPath} of the recovery service.

     *

     * @param userId The userId of the profile the application is running under.

     * @param uid The uid of the application who initializes the local recovery components.

     * @param certPath The certificate path of the recovery service.

     * @return The primary key of the inserted row, or -1 if failed.

     * @hide

     */

    public long setRecoveryServiceCertPath(int userId, int uid, CertPath certPath) throws

            CertificateEncodingException {

        if (certPath.getCertificates().size() == 0) {

            throw new CertificateEncodingException("No certificate contained in the cert path.");

        }

        return setBytes(userId, uid, RecoveryServiceMetadataEntry.COLUMN_NAME_CERT_PATH,

                certPath.getEncoded(CERT_PATH_ENCODING));

    }

    /**

     * Returns the list of recovery agents initialized for given {@code userId}

     * @param userId The userId of the profile the application is running under.

        }

    }

    /**

     * Returns the first (and only?) public key for {@code userId}.

     *

     * @param userId The userId of the profile whose keys are to be synced.

     * @return The public key, or null if none exists.

     */

    @Nullable

    public PublicKey getRecoveryServicePublicKey(int userId) {

        SQLiteDatabase db = mKeyStoreDbHelper.getReadableDatabase();

        String[] projection = { RecoveryServiceMetadataEntry.COLUMN_NAME_PUBLIC_KEY };

        String selection =

                RecoveryServiceMetadataEntry.COLUMN_NAME_USER_ID + " = ?";

        String[] selectionArguments = { Integer.toString(userId) };

        try (

            Cursor cursor = db.query(

                    RecoveryServiceMetadataEntry.TABLE_NAME,

                    projection,

                    selection,

                    selectionArguments,

                    /*groupBy=*/ null,

                    /*having=*/ null,

                    /*orderBy=*/ null)

        ) {

            if (cursor.getCount() < 1) {

                return null;

            }

            cursor.moveToFirst();

            byte[] keyBytes = cursor.getBlob(cursor.getColumnIndexOrThrow(

                    RecoveryServiceMetadataEntry.COLUMN_NAME_PUBLIC_KEY));

            try {

                return decodeX509Key(keyBytes);

            } catch (InvalidKeySpecException e) {

                Log.wtf(TAG, "Could not decode public key for " + userId);

                return null;

            }

        }

    }

    /**

     * Updates the counterId

     *

        return getLong(userId, uid, RecoveryServiceMetadataEntry.COLUMN_NAME_COUNTER_ID);

    }

    /**

     * Updates the server parameters given by the application initializing the local recovery

     * components.

            throw new RuntimeException(e);

        }

    }

    @Nullable

    private static CertPath decodeCertPath(byte[] bytes) throws CertificateException {

        CertificateFactory certFactory;

        try {

            certFactory = CertificateFactory.getInstance("X.509");

        } catch (CertificateException e) {

            // Should not happen, as X.509 is mandatory for all providers.

            throw new RuntimeException(e);

        }

        return certFactory.generateCertPath(new ByteArrayInputStream(bytes), CERT_PATH_ENCODING);

    }

}