Update: Sample app code is straight off available on github.
The of late released Android 4.0 (Ice Cream Sandwich, ICS) introduces a new, unified UI for both tablets too handsets, lots of 'people-centric' communication too sharing features too other convenient improvements such equally a improve photographic television receiver camera app too the much-hyped human face upwards unlock. Since everyone is talking most those, nosotros volition create got a await at some of the less-user visible, but all the same of import security-related improvements.
Android is ofttimes said to hold upwards missing crucial safety features to hold upwards seriously accepted inward the corporate world, which has long been the domain of RIM's BlackBerry. Two of those missing features were the powerfulness to command the system's trusted CA certificates too offering a centralized secure credential storage. Since many companies operate private PKI's, the powerfulness to install trusted certificates system-wide is essential for using corporate services secured yesteryear those PKI's. Until now, the exclusively agency to operate those was to embed the needed CA certificates inward each application too create custom
The
This volition prompt yous for the PKCS#12 password inward gild to extract too parse the key too certificate. If the password is correct, yous volition hold upwards prompted for a 'certificate name' equally shown inward the screenshot below. If the PKCS#12 has a friendly get upwards attribute it volition hold upwards shown equally the default, if non yous volition simply driblet dead a long hexadecimal hash string. The string yous instruct inward hither is the key/certificate alias yous volition operate to access those afterward via the
To operate a private key stored inward the organisation credential storage, yous demand to telephone band
The starting fourth dimension parameter is the electrical flow context, the instant -- the callback to invoke, too the 3rd too forth specify the acceptable keys (RSA, DSA or nil for any) too acceptable certificate issuers for the certificate matching the private key (Edit: it turns out both
In gild to driblet dead a reference to a private key, yous demand to telephone band the
We starting fourth dimension driblet dead the private key too certificate chain using the key alias too and thus create too verify a signature to cheque if the key is truly usable. Since nosotros are using a self-signed certificate the 'chain' consists of a unmarried entry, but for a certificate signed yesteryear a CA yous volition demand to notice the actual terminate entity certificate inward the returned array.
Installing a CA certificate is non really dissimilar from installing a PKCS#12 file: yous charge the certificate inward a byte array too move yesteryear it equally an extra to the install intent.
Android volition parse the certificate, too if it's
After the certificate is imported, it volition demo upwards inward the 'Trusted credentials' screen's 'User' tab (Settings->Security->Trusted credentials). Tapping the certificate entry displays a details dialog, where yous tin (finally!) cheque the subject, issuer, validity period, series number too SHA-1/SHA-256 fingerprints. You tin too take the certificate yesteryear pressing the 'Remove' push (scroll downwards to display it).
While yous tin delete private CA certificates, at that topographic point is no agency to delete private keys too user certificates. You tin delete all yesteryear using the 'Clear credentials' choice inward the Credential storage department of the safety settings. Another matter to banknote is that, equally long equally yous create got keys inward the credential storage, yous cannot take the covert lock, since it is used to protect access to the keystore. In previous Android versions, at that topographic point was a carve upwards 'credential storage password', but it seems inward ICS they decided to simplify things yesteryear using the covert lock password to protect credential storage equally well.
The newly introduced
That wraps the starting fourth dimension business office of our Android keystore introduction. In the next part nosotros volition await into all that is hidden behind the
The of late released Android 4.0 (Ice Cream Sandwich, ICS) introduces a new, unified UI for both tablets too handsets, lots of 'people-centric' communication too sharing features too other convenient improvements such equally a improve photographic television receiver camera app too the much-hyped human face upwards unlock. Since everyone is talking most those, nosotros volition create got a await at some of the less-user visible, but all the same of import security-related improvements.
Android is ofttimes said to hold upwards missing crucial safety features to hold upwards seriously accepted inward the corporate world, which has long been the domain of RIM's BlackBerry. Two of those missing features were the powerfulness to command the system's trusted CA certificates too offering a centralized secure credential storage. Since many companies operate private PKI's, the powerfulness to install trusted certificates system-wide is essential for using corporate services secured yesteryear those PKI's. Until now, the exclusively agency to operate those was to embed the needed CA certificates inward each application too create custom
TrustStores to hold upwards able to connect using SSL. Influenza A virus subtype H5N1 system-wide credential storage has truly been available for a while, but it was exclusively usable yesteryear the built-in VPN too WiFi (EAP) clients. One could install a private key/certificate duet using the Settings app, but at that topographic point was no populace API to access the installed keys from applications. ICS offers SDK API's for both trusted certificate administration too the secure credential storage via the KeyChain class. We volition create got a await at how it is used inward the next sections.The
KeyChain shape is deceptively simple: it offers exclusively 4 populace static methods, but those are sufficient to exercise most certificate-related tasks. Let's starting fourth dimension run into how ane would install a private key/certificate duet too operate those to sign too verify some data. The KeyChain API lets yous install a private key/certificate duet bundled inward a PKCS#12 file. Instead of offering an API to direct install the key too certificate, KeyChain provides a mill method, createInstallIntent() that returns a organisation intent to parse too install keys/certificates (that is truly the same intent offered yesteryear the Settings app inward previous versions). To install a PKCS#12 file, yous create got to read it to a binary array, shop it nether the EXTRA_PKCS12 key inward the intent's extras, too start the associated activity:Intent intent = KeyChain.createInstallIntent(); byte[] p12 = readFile("keystore-test.pfx"); intent.putExtra(KeyChain.EXTRA_PKCS12, p12); startActivity(intent); This volition prompt yous for the PKCS#12 password inward gild to extract too parse the key too certificate. If the password is correct, yous volition hold upwards prompted for a 'certificate name' equally shown inward the screenshot below. If the PKCS#12 has a friendly get upwards attribute it volition hold upwards shown equally the default, if non yous volition simply driblet dead a long hexadecimal hash string. The string yous instruct inward hither is the key/certificate alias yous volition operate to access those afterward via the
KeyChain API. You volition hold upwards prompted to laid a lock covert PIN or password to protect the credential storage if yous haven't already laid one.
To operate a private key stored inward the organisation credential storage, yous demand to telephone band
KeyChain.choosePrivateKeyAlias() too render a callback implementation that receives the selected alias:public shape KeystoreTest extends Activity implements OnClickListener, KeyChainAliasCallback { @Override populace void onClick(View v) { KeyChain.choosePrivateKeyAlias(this, this, novel String[] { "RSA" }, null, null, -1, null); } @Override populace void alias(final String alias) { Log.d(TAG, "Thread: " + Thread.currentThread().getName()); Log.d(TAG, "selected alias: " + alias); } } The starting fourth dimension parameter is the electrical flow context, the instant -- the callback to invoke, too the 3rd too forth specify the acceptable keys (RSA, DSA or nil for any) too acceptable certificate issuers for the certificate matching the private key (Edit: it turns out both
keyTypes too issuers are currently unused, thus simply move yesteryear null). The adjacent ii parameters are the host too port number of the server requesting a certificate, too the finally ane is the alias to preselect. We move out all but the key type equally unspecified (null or -1) hither to hold upwards able to select from all available certificates. One matter to banknote hither is that the alias() callback will not hold upwards called on the top dog thread, thus yous shouldn't endeavor to direct manipulate the UI (it is called on a binder thread). Using the key requires user authorization, thus Android volition display a key choice dialog which too serves to allow access to the selected key.
In gild to driblet dead a reference to a private key, yous demand to telephone band the
KeyChain.getPrivateKey() method passing the key alias get upwards received inward the previous step. This doesn't seem to hold upwards documented but if yous endeavor to telephone band this method on the top dog thread yous volition driblet dead an exception maxim that this may 'lead to a deadlock'. Here nosotros telephone band it on a background thread using AsyncTask (which is almost ever the right matter to exercise when dealing alongside potentially time-consuming I/O operations).new AsyncTask<Void, Void, Boolean>() { private Exception error; @Override protected Boolean doInBackground(Void... arg) { endeavor { PrivateKey pk = KeyChain.getPrivateKey(ctx, alias); X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias); byte[] information = "foobar".getBytes("ASCII"); Signature sig = Signature.getInstance("SHA1withRSA"); sig.initSign(pk); sig.update(data); byte[] signed = sig.sign(); PublicKey pubk = chain[0].getPublicKey(); sig.initVerify(pubk); sig.update(data); boolean valid = sig.verify(signed); Log.d(TAG, "signature is valid: " + valid); render valid; } take grip of (Exception e) { e.printStackTrace(); fault = e; render null; } } @Override protected void onPostExecute(Boolean valid) { if (error != null) { Toast.makeText(ctx, "Error: " + error.getMessage(), Toast.LENGTH_LONG).show(); return; } Toast.makeText(ctx, "Signature is valid: " + valid, Toast.LENGTH_SHORT).show(); } }.execute(); We starting fourth dimension driblet dead the private key too certificate chain using the key alias too and thus create too verify a signature to cheque if the key is truly usable. Since nosotros are using a self-signed certificate the 'chain' consists of a unmarried entry, but for a certificate signed yesteryear a CA yous volition demand to notice the actual terminate entity certificate inward the returned array.
Installing a CA certificate is non really dissimilar from installing a PKCS#12 file: yous charge the certificate inward a byte array too move yesteryear it equally an extra to the install intent.
Intent intent = KeyChain.createInstallIntent(); intent.putExtra(KeyChain.EXTRA_CERTIFICATE, cert); startActivity(intent); Android volition parse the certificate, too if it's
Basic Constraints extension is laid to CA:TRUE it volition consider it a CA certificate too import it into the user trust store. You volition demand to authenticate to import the certificate, but the funny matter is that the import dialog does non demo neither the certificate DN, nor its hash value. The user has no agency of knowing what they are importing, until it's done. Very few people volition bother to truly check, thus this could hold upwards a potential safety threat: malicious applications powerfulness fox people into installing rogue certificates. Here's how the import dialog looks:
After the certificate is imported, it volition demo upwards inward the 'Trusted credentials' screen's 'User' tab (Settings->Security->Trusted credentials). Tapping the certificate entry displays a details dialog, where yous tin (finally!) cheque the subject, issuer, validity period, series number too SHA-1/SHA-256 fingerprints. You tin too take the certificate yesteryear pressing the 'Remove' push (scroll downwards to display it).
While yous tin delete private CA certificates, at that topographic point is no agency to delete private keys too user certificates. You tin delete all yesteryear using the 'Clear credentials' choice inward the Credential storage department of the safety settings. Another matter to banknote is that, equally long equally yous create got keys inward the credential storage, yous cannot take the covert lock, since it is used to protect access to the keystore. In previous Android versions, at that topographic point was a carve upwards 'credential storage password', but it seems inward ICS they decided to simplify things yesteryear using the covert lock password to protect credential storage equally well.
The newly introduced
KeyChain API lets yous install too access private keys inward a centralized too secure credential storage, equally good equally add together system-wide trusted certificates. It doesn't render low-level access to the underlying keystore, utilizing the Android intent dispatching machinery instead to telephone band a organisation activeness that does the actual work. The CA certificate install dialog is missing a crucial characteristic (displaying details most the certificate), but all inward all, providing the access to the organisation keystore service is a pace inward the right direction.That wraps the starting fourth dimension business office of our Android keystore introduction. In the next part nosotros volition await into all that is hidden behind the
KeyChain facade, too endeavor to give some details most the underlying implementation.
Tag :
android security
0 Komentar untuk "Droidcedas : Using The Ics Keychain Api"