diff options
Diffstat (limited to 'src/java/com/android/internal/net/ipsec/ike/message/IkeCertPayload.java')
-rw-r--r-- | src/java/com/android/internal/net/ipsec/ike/message/IkeCertPayload.java | 175 |
1 files changed, 0 insertions, 175 deletions
diff --git a/src/java/com/android/internal/net/ipsec/ike/message/IkeCertPayload.java b/src/java/com/android/internal/net/ipsec/ike/message/IkeCertPayload.java deleted file mode 100644 index 9227dda9..00000000 --- a/src/java/com/android/internal/net/ipsec/ike/message/IkeCertPayload.java +++ /dev/null @@ -1,175 +0,0 @@ -/* - * Copyright (C) 2018 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.android.internal.net.ipsec.ike.message; - -import android.annotation.IntDef; -import android.annotation.Nullable; -import android.net.ipsec.ike.exceptions.IkeProtocolException; - -import com.android.internal.net.ipsec.ike.exceptions.AuthenticationFailedException; - -import java.io.IOException; -import java.lang.annotation.Retention; -import java.lang.annotation.RetentionPolicy; -import java.nio.ByteBuffer; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.ProviderException; -import java.security.cert.CertificateException; -import java.security.cert.TrustAnchor; -import java.security.cert.X509CRL; -import java.security.cert.X509Certificate; -import java.util.List; -import java.util.Set; - -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.net.ssl.X509TrustManager; - -/** - * IkeCertPayload is an abstract class that represents the common information for all Certificate - * Payload carrying different types of certifciate-related data and static methods related to - * certificate validation. - * - * <p>Certificate Payload is only sent in IKE_AUTH exchange. - * - * @see <a href="https://tools.ietf.org/html/rfc7296#section-3.6">RFC 7296, Internet Key Exchange - * Protocol Version 2 (IKEv2)</a> - */ -public abstract class IkeCertPayload extends IkePayload { - // Length of certificate encoding type field in octets. - private static final int CERT_ENCODING_LEN = 1; - - private static final String KEY_STORE_TYPE_PKCS12 = "PKCS12"; - private static final String CERT_PATH_ALGO_PKIX = "PKIX"; - private static final String CERT_AUTH_TYPE_RSA = "RSA"; - - @Retention(RetentionPolicy.SOURCE) - @IntDef({ - CERTIFICATE_ENCODING_X509_CERT_SIGNATURE, - CERTIFICATE_ENCODING_CRL, - CERTIFICATE_ENCODING_X509_CERT_HASH_URL, - }) - public @interface CertificateEncoding {} - - public static final int CERTIFICATE_ENCODING_X509_CERT_SIGNATURE = 4; - public static final int CERTIFICATE_ENCODING_CRL = 7; - public static final int CERTIFICATE_ENCODING_X509_CERT_HASH_URL = 12; - - @CertificateEncoding public final int certEncodingType; - - protected IkeCertPayload(@CertificateEncoding int encodingType) { - this(false /*critical*/, encodingType); - } - - protected IkeCertPayload(boolean critical, @CertificateEncoding int encodingType) { - super(PAYLOAD_TYPE_CERT, critical); - certEncodingType = encodingType; - } - - protected static IkeCertPayload getIkeCertPayload(boolean critical, byte[] payloadBody) - throws IkeProtocolException { - ByteBuffer inputBuffer = ByteBuffer.wrap(payloadBody); - - int certEncodingType = Byte.toUnsignedInt(inputBuffer.get()); - byte[] certData = new byte[payloadBody.length - CERT_ENCODING_LEN]; - inputBuffer.get(certData); - switch (certEncodingType) { - case CERTIFICATE_ENCODING_X509_CERT_SIGNATURE: - return new IkeCertX509CertPayload(critical, certData); - // TODO: Support decoding CRL and "Hash and URL". - case CERTIFICATE_ENCODING_CRL: - throw new AuthenticationFailedException( - "CERTIFICATE_ENCODING_CRL decoding is unsupported."); - case CERTIFICATE_ENCODING_X509_CERT_HASH_URL: - throw new AuthenticationFailedException( - "CERTIFICATE_ENCODING_X509_CERT_HASH_URL decoding is unsupported"); - default: - throw new AuthenticationFailedException("Unrecognized certificate encoding type."); - } - } - - /** - * Validate an end certificate against the received chain and trust anchors. - * - * <p>Validation is done by checking if there is a valid certificate path from end certificate - * to provided trust anchors. - * - * <p>TrustManager implementation used in this method MUST conforms RFC 4158 and RFC 5280. As - * indicated in RFC 4158, Key Identifiers(KIDs) are not required to match during certification - * path validation and cannot be used to eliminate certificates. - * - * <p>Validation will fail if any certficate in the certificate chain is using RSA public key - * whose RSA modulus is smaller than 1024 bits. - * - * @param endCert the end certificate that will be used to verify AUTH payload - * @param certList all the received certificates (include the end certificate) - * @param crlList the certificate revocation lists - * @param trustAnchorSet the certificate authority set to validate the end certificate - * @throws AuthenticationFailedException if there is no valid certificate path - */ - public static void validateCertificates( - X509Certificate endCert, - List<X509Certificate> certList, - @Nullable List<X509CRL> crlList, - Set<TrustAnchor> trustAnchorSet) - throws AuthenticationFailedException { - try { - // TODO: b/122676944 Support CRL checking - - // Create a new keyStore with all trusted anchors - KeyStore keyStore = - KeyStore.getInstance(KEY_STORE_TYPE_PKCS12, IkeMessage.getSecurityProvider()); - keyStore.load(null); - for (TrustAnchor t : trustAnchorSet) { - X509Certificate trustedCert = t.getTrustedCert(); - String alias = - trustedCert.getSubjectX500Principal().getName() + trustedCert.hashCode(); - keyStore.setCertificateEntry(alias, trustedCert); - } - - // Build X509TrustManager with all keystore - TrustManagerFactory tmFactory = - TrustManagerFactory.getInstance( - CERT_PATH_ALGO_PKIX, IkeMessage.getTrustManagerProvider()); - tmFactory.init(keyStore); - - X509TrustManager trustManager = null; - for (TrustManager tm : tmFactory.getTrustManagers()) { - if (tm instanceof X509TrustManager) { - trustManager = (X509TrustManager) tm; - } - } - if (trustManager == null) { - throw new ProviderException( - "X509TrustManager is not supported by " - + IkeMessage.getTrustManagerProvider().getName()); - } - - // Build and validate certificate path - trustManager.checkServerTrusted( - certList.toArray(new X509Certificate[certList.size()]), CERT_AUTH_TYPE_RSA); - } catch (NoSuchAlgorithmException e) { - throw new ProviderException("Algorithm is not supported by the provider", e); - } catch (IOException | KeyStoreException e) { - throw new IllegalStateException(e); - } catch (CertificateException e) { - throw new AuthenticationFailedException(e); - } - } -} |