public final class TrustedCertificateStore extends Object
TrustedCertificateKeyStoreSpi wrapper to allow a traditional KeyStore interface for use with javax.net.ssl.TrustManagerFactory.init.
The CAs are accessed via KeyStore style aliases. Aliases are made up of a prefix identifying the source ("system:" vs "user:") and a suffix based on the OpenSSL X509_NAME_hash_old function of the CA's subject name. For example, the system CA for "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" could be represented as "system:7651b327.0". By using the subject hash, operations such as getCertificateAlias can be implemented efficiently without scanning the entire store.
In addition to supporting the TrustedCertificateKeyStoreSpi implementation, TrustedCertificateStore also provides the additional public methods isTrustAnchor(java.security.cert.X509Certificate) and findIssuer(java.security.cert.X509Certificate) to allow efficient lookup operations for CAs, again based on the file naming convention.
The KeyChainService uses installCertificate and deleteCertificateEntry(java.lang.String) to install user CAs and to delete both those user CAs and system CAs. The deletion of system CAs is performed by placing an exact copy of that CA in the deleted directory. Such deletions are intended to persist across upgrades but are not intended to mask a CA that has a matching name or public key but is otherwise reissued in a system update. Reinstalling a deleted system certificate simply removes the copy from the deleted directory, re-enabling the original in the system directory.
Note that the default mutable directory is created by init via configuration in the system/core/rootdir/init.rc file. The directive "mkdir /data/misc/keychain 0775 system system" ensures that its owner and group are the system uid and system gid and that it is world readable but only writable by the system user.
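
The alias naming and the deleted-directory masking described above, modelled as an added example (not this class's own implementation). It assumes X509_NAME_hash_old is MD5 over the DER-encoded name with the first four bytes read little-endian, that the numeric suffix is probed upward from 0 until a file is missing, and it uses constructed byte strings and temporary directories as stand-ins for certificate files; AliasModel and its method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;

public class AliasModel {
    // OpenSSL X509_NAME_hash_old: MD5 of the DER name, first 4 bytes little-endian.
    // For a real certificate, pass cert.getSubjectX500Principal() so the original encoding is hashed.
    static String subjectHash(X500Principal subject) throws Exception {
        byte[] md = MessageDigest.getInstance("MD5").digest(subject.getEncoded());
        int h = (md[0] & 0xff) | ((md[1] & 0xff) << 8)
                | ((md[2] & 0xff) << 16) | ((md[3] & 0xff) << 24);
        return String.format("%08x", h);
    }

    // Probe <hash>.0, <hash>.1, ... in one directory (assumed convention);
    // only files sharing the subject hash are read, never the whole store.
    static File find(File dir, String hash, byte[] encoded) throws IOException {
        for (int i = 0; ; i++) {
            File f = new File(dir, hash + "." + i);
            if (!f.isFile()) return null;
            if (Arrays.equals(Files.readAllBytes(f.toPath()), encoded)) return f;
        }
    }

    // A system CA is masked only by a byte-for-byte copy in the deleted directory.
    static String systemAlias(File systemDir, File deletedDir, String hash, byte[] encoded)
            throws IOException {
        File f = find(systemDir, hash, encoded);
        if (f == null || find(deletedDir, hash, encoded) != null) return null;
        return "system:" + f.getName();
    }

    public static void main(String[] args) throws Exception {
        File sys = Files.createTempDirectory("system").toFile();
        File del = Files.createTempDirectory("deleted").toFile();
        // Constructed subject name and stand-in "certificate" contents.
        String hash = subjectHash(new X500Principal("CN=Example Root CA, O=Example, C=US"));
        byte[] original = "constructed stand-in: original CA encoding".getBytes("UTF-8");
        byte[] reissued = "constructed stand-in: reissued CA encoding".getBytes("UTF-8");

        Files.write(new File(sys, hash + ".0").toPath(), original);
        Files.write(new File(del, hash + ".0").toPath(), original); // user deletes the system CA
        System.out.println(systemAlias(sys, del, hash, original));  // masked by the exact copy

        Files.write(new File(sys, hash + ".0").toPath(), reissued); // system update reissues the CA
        System.out.println(systemAlias(sys, del, hash, reissued));  // visible again under the same alias
    }
}
```

When auditing a device, the second case is the one to watch: a CA the user removed can reappear after an update if the system image ships a reissued certificate under the same subject name.
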
Constructor and Description |
---|
TrustedCertificateStore() |
TrustedCertificateStore(File systemDir, File addedDir, File deletedDir) |
Modifier and Type | Method and Description |
---|---|
Set<String> | aliases() |
Set<String> | allSystemAliases() |
boolean | containsAlias(String alias) |
void | deleteCertificateEntry(String alias) This could be considered the implementation of TrustedCertificateKeyStoreSpi.engineDeleteEntry but we consider TrustedCertificateKeyStoreSpi to be read only. |
X509Certificate | findIssuer(X509Certificate c) This non-KeyStoreSpi public interface is used by TrustManagerImpl to locate the CA certificate that signed the provided X509Certificate. |
Certificate | getCertificate(String alias) |
Certificate | getCertificate(String alias, boolean includeDeletedSystem) |
String | getCertificateAlias(Certificate c) |
List<X509Certificate> | getCertificateChain(X509Certificate leaf) Attempt to build a certificate chain from the supplied leaf argument through the chain of issuers as high up as known. |
Date | getCreationDate(String alias) |
void | installCertificate(X509Certificate cert) This non-KeyStoreSpi public interface is used by the KeyChainService to install new CA certificates. |
static boolean | isSystem(String alias) |
boolean | isTrustAnchor(X509Certificate c) This non-KeyStoreSpi public interface is used by TrustManagerImpl to locate a CA certificate with the same name and public key as the provided X509Certificate. |
static boolean | isUser(String alias) |
boolean | isUserAddedCertificate(X509Certificate cert) Returns true to indicate that the certificate was added by the user, false otherwise. |
Set<String> | userAliases() |
public static final boolean isSystem(String alias)
public static final boolean isUser(String alias)
public Certificate getCertificate(String alias)
public Certificate getCertificate(String alias, boolean includeDeletedSystem)
public boolean containsAlias(String alias)
public String getCertificateAlias(Certificate c)
public boolean isUserAddedCertificate(X509Certificate cert)
public boolean isTrustAnchor(X509Certificate c)
This non-KeyStoreSpi public interface is used by TrustManagerImpl to locate a CA certificate with the same name and public key as the provided X509Certificate. We match on the name and public key and not the entire certificate since a CA may be reissued with the same name and PublicKey but with other differences (for example when switching signature from md2WithRSAEncryption to SHA1withRSA).
public X509Certificate findIssuer(X509Certificate c)
This non-KeyStoreSpi public interface is used by TrustManagerImpl to locate the CA certificate that signed the provided X509Certificate.
public List<X509Certificate> getCertificateChain(X509Certificate leaf)
Attempt to build a certificate chain from the supplied leaf argument through the chain of issuers as high up as known. If the chain can't be completed, the most complete chain available will be returned. This means that a list with only the leaf certificate is returned if no issuer certificates could be found.
public void installCertificate(X509Certificate cert) throws IOException, CertificateException
This non-KeyStoreSpi public interface is used by the KeyChainService to install new CA certificates. It silently ignores the certificate if it already exists in the store.
Throws: IOException, CertificateException
public void deleteCertificateEntry(String alias) throws IOException, CertificateException
This could be considered the implementation of TrustedCertificateKeyStoreSpi.engineDeleteEntry but we consider TrustedCertificateKeyStoreSpi to be read only. Instead, this is used by the KeyChainService to delete CA certificates.
Throws: IOException, CertificateException