diff options
author | yfriedman@chromium.org <yfriedman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-02-12 04:16:08 +0000 |
---|---|---|
committer | yfriedman@chromium.org <yfriedman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-02-12 04:16:08 +0000 |
commit | 0a5ae474904e84abda6296fe096826e6ba0f22ee (patch) | |
tree | 556b5bf764b4009555912cc3e7be84b631814aef | |
parent | 3331f0f7d30ecd221079408825b4e3ea204e6df8 (diff) | |
download | chromium_src-0a5ae474904e84abda6296fe096826e6ba0f22ee.zip chromium_src-0a5ae474904e84abda6296fe096826e6ba0f22ee.tar.gz chromium_src-0a5ae474904e84abda6296fe096826e6ba0f22ee.tar.bz2 |
Merge 250624 "Implement client certificate support via SmartCard."
> Implement client certificate support via SmartCard.
>
> Updates SSLClientCertificateRequest such that certificate can retrieved
> from Android store or external PKCS11 KeyStore
>
> NOTRY=true
> COLLABORATOR=ppi@chromium.org
> BUG=341500
>
> Review URL: https://codereview.chromium.org/147573005
TBR=yfriedman@chromium.org
Review URL: https://codereview.chromium.org/159933007
git-svn-id: svn://svn.chromium.org/chrome/branches/1750_77/src@250626 0039d316-1c4b-4281-b951-d872f2087c98
7 files changed, 398 insertions, 86 deletions
diff --git a/chrome/android/java/src/org/chromium/chrome/browser/ChromiumApplication.java b/chrome/android/java/src/org/chromium/chrome/browser/ChromiumApplication.java index d8a594b..c586f2c 100644 --- a/chrome/android/java/src/org/chromium/chrome/browser/ChromiumApplication.java +++ b/chrome/android/java/src/org/chromium/chrome/browser/ChromiumApplication.java @@ -30,4 +30,8 @@ public abstract class ChromiumApplication extends ContentApplication { */ @CalledByNative protected abstract boolean areParentalControlsEnabled(); + + // TODO(yfriedman): This is too widely available. Plumb this through ChromeNetworkDelegate + // instead. + protected abstract PKCS11AuthenticationManager getPKCS11AuthenticationManager(); } diff --git a/chrome/android/java/src/org/chromium/chrome/browser/KeyStoreSelectionDialog.java b/chrome/android/java/src/org/chromium/chrome/browser/KeyStoreSelectionDialog.java new file mode 100644 index 0000000..63820e9 --- /dev/null +++ b/chrome/android/java/src/org/chromium/chrome/browser/KeyStoreSelectionDialog.java @@ -0,0 +1,86 @@ +// Copyright 2014 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +package org.chromium.chrome.browser; + +import android.app.AlertDialog; +import android.app.Dialog; +import android.app.DialogFragment; +import android.content.DialogInterface; +import android.os.Bundle; + +import org.chromium.chrome.R; + +/** + * Client certificate KeyStore selection dialog. When smart card (CAC) support is enabled, this + * dialog allows choosing between (the default) system certificate store and the smart card for + * client authentication. + */ +class KeyStoreSelectionDialog extends DialogFragment { + private static final CharSequence SYSTEM_STORE = "Android"; + + private final Runnable mSystemCallback; + private final Runnable mSmartCardCallback; + private final Runnable mCancelCallback; + + private Runnable mSelectedChoice; + + /** + * Constructor for KeyStore selection dialog. + * + * @param systemCallback Runnable that's invoked when the user selects to use the Android + * system store for authentication + * @param smartCardCallback Runnable that's invoked when the user selects to use the SmartCard + * store for authentication + * @param cancelCallback Runnable that's invoked when the user cancels or closes the dialog. + */ + public KeyStoreSelectionDialog(Runnable systemCallback, Runnable smartCardCallback, + Runnable cancelCallback) { + mSystemCallback = systemCallback; + mSmartCardCallback = smartCardCallback; + mCancelCallback = cancelCallback; + + // Default to SmartCard + mSelectedChoice = mSmartCardCallback; + } + + @Override + public Dialog onCreateDialog(Bundle savedInstanceState) { + final CharSequence[] choices = { + getString(R.string.smartcard_certificate_option), + SYSTEM_STORE + }; + AlertDialog.Builder builder = new AlertDialog.Builder(getActivity()) + .setTitle(R.string.smartcard_dialog_title) + .setSingleChoiceItems(choices, 0, new DialogInterface.OnClickListener() { + @Override + public void onClick(DialogInterface dialog, int id) { + if (choices[id] == SYSTEM_STORE) { + mSelectedChoice = mSystemCallback; + } else { + mSelectedChoice = mSmartCardCallback; + } + } + }) + .setPositiveButton(android.R.string.ok, new DialogInterface.OnClickListener() { + @Override + public void onClick(DialogInterface dialog, int id) { + mSelectedChoice.run(); + } + }) + .setNegativeButton(R.string.cancel, new DialogInterface.OnClickListener() { + @Override + public void onClick(DialogInterface dialog, int id) { + mCancelCallback.run(); + } + }); + + return builder.create(); + } + + @Override + public void onDismiss(DialogInterface dialog) { + super.onDismiss(dialog); + } +} diff --git a/chrome/android/java/src/org/chromium/chrome/browser/PKCS11AuthenticationManager.java b/chrome/android/java/src/org/chromium/chrome/browser/PKCS11AuthenticationManager.java new file mode 100644 index 0000000..e3fd436 --- /dev/null +++ b/chrome/android/java/src/org/chromium/chrome/browser/PKCS11AuthenticationManager.java @@ -0,0 +1,46 @@ +// Copyright 2014 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +package org.chromium.chrome.browser; + +import android.content.Context; + +import java.security.PrivateKey; +import java.security.cert.X509Certificate; + +/** + * Defines API for managing interaction with SmartCard-based certificate storage using PKCS11. + */ +public interface PKCS11AuthenticationManager { + + /** + * @return true iff SmartCard-based authentication is available. + */ + public boolean isPKCS11AuthEnabled(); + + /** + * Retrieves the preferred client certificate alias for the given host, port pair, or null if + * none can be retrieved. + * + * @param hostName The host for which to retrieve client certificate. + * @param port The port to use in conjunction with host to retrieve client certificate. + */ + public String getClientCertificateAlias(String hostName, int port); + + /** + * Returns the X509Certificate chain for the requested alias, or null if no there is no result. + */ + public X509Certificate[] getCertificateChain(String alias); + + /** + * Returns the PrivateKey for the requested alias, or null if no there is no result. + */ + public PrivateKey getPrivateKey(String alias); + + /** + * Performs necessary initializing for using a PKCS11-based KeysStore. Note that this can + * perform expensive operations and cannot be done on the UI thread. + */ + public void initialize(Context context); +} diff --git a/chrome/android/java/src/org/chromium/chrome/browser/SSLClientCertificateRequest.java b/chrome/android/java/src/org/chromium/chrome/browser/SSLClientCertificateRequest.java index c22e7dc..31c41fd 100644 --- a/chrome/android/java/src/org/chromium/chrome/browser/SSLClientCertificateRequest.java +++ b/chrome/android/java/src/org/chromium/chrome/browser/SSLClientCertificateRequest.java @@ -24,101 +24,187 @@ import java.security.cert.X509Certificate; import javax.security.auth.x500.X500Principal; +/** + * Handles selection of client certificate on the Java side. This class is responsible for selection + * of the client certificate to be used for authentication and retrieval of the private key and full + * certificate chain. + * + * The entry point is selectClientCertificate() and it will be called on the UI thread. Then the + * class will construct and run an appropriate CertAsyncTask, that will run in background, and + * finally pass the results back to the UI thread, which will return to the native code. + */ @JNINamespace("chrome::android") -class SSLClientCertificateRequest extends AsyncTask<Void, Void, Void> - implements KeyChainAliasCallback { - +class SSLClientCertificateRequest { static final String TAG = "SSLClientCertificateRequest"; - // ClientCertRequest models an asynchronous client certificate request on the Java side. Use - // selectClientCertificate() on the UI thread to start/create a new request, this will launch a - // system activity through KeyChain.choosePrivateKeyAlias() to let the user select a client - // certificate. - // - // The selected certificate will be sent back as a string alias, which is used to call - // KeyChain.getCertificateChain() and KeyChain.getPrivateKey(). Unfortunately, these APIs are - // blocking, thus can't be called from the UI thread. - // - // To solve this, start an AsyncTask when the alias is received. It will retrieve the - // certificate chain and private key in the background, then later send the result back to the - // UI thread. - // - private final int mNativePtr; - private String mAlias; - private byte[][] mEncodedChain; - private PrivateKey mPrivateKey; - - private SSLClientCertificateRequest(int nativePtr) { - mNativePtr = nativePtr; - mAlias = null; - mEncodedChain = null; - mPrivateKey = null; - } + /** + * Common implementation for anynchronous task of handling the certificate request. This + * AsyncTask uses the abstract methods to retrieve the authentication material from a + * generalized key store. The key store is accessed in background, as the APIs being exercised + * may be blocking. The results are posted back to native on the UI thread. + */ + abstract static class CertAsyncTask extends AsyncTask<Void, Void, Void> { + // These fields will store the results computed in doInBackground so that they can be posted + // back in onPostExecute. + private byte[][] mEncodedChain; + private PrivateKey mPrivateKey; - // KeyChainAliasCallback implementation - @Override - public void alias(final String alias) { - // This is called by KeyChainActivity in a background thread. Post task to handle the - // certificate selection on the UI thread. - ThreadUtils.runOnUiThread(new Runnable() { - @Override - public void run() { - if (alias == null) { - // No certificate was selected. - onPostExecute(null); - } else { - mAlias = alias; - // Launch background thread. - execute(); + // Pointer to the native certificate request needed to return the results. + private final int mNativePtr; + + CertAsyncTask(int nativePtr) { + mNativePtr = nativePtr; + } + + // These overriden methods will be used to access the key store. + abstract String getAlias(); + abstract PrivateKey getPrivateKey(String alias); + abstract X509Certificate[] getCertificateChain(String alias); + + @Override + protected Void doInBackground(Void... params) { + String alias = getAlias(); + if (alias == null) return null; + + PrivateKey key = getPrivateKey(alias); + X509Certificate[] chain = getCertificateChain(alias); + if (key == null || chain == null || chain.length == 0) { + Log.w(TAG, "Empty client certificate chain?"); + return null; + } + + // Encode the certificate chain. + byte[][] encodedChain = new byte[chain.length][]; + try { + for (int i = 0; i < chain.length; ++i) { + encodedChain[i] = chain[i].getEncoded(); } + } catch (CertificateEncodingException e) { + Log.w(TAG, "Could not retrieve encoded certificate chain: " + e); + return null; } - }); - } - @Override - protected Void doInBackground(Void... params) { - // Executed in a background thread, can call blocking APIs. - X509Certificate[] chain = null; - PrivateKey key = null; - Context context = ActivityStatus.getActivity().getApplicationContext(); - try { - key = KeyChain.getPrivateKey(context, mAlias); - chain = KeyChain.getCertificateChain(context, mAlias); - } catch (KeyChainException e) { - Log.w(TAG, "KeyChainException when looking for '" + mAlias + "' certificate"); - return null; - } catch (InterruptedException e) { - Log.w(TAG, "InterruptedException when looking for '" + mAlias + "'certificate"); + mEncodedChain = encodedChain; + mPrivateKey = key; return null; } - if (key == null || chain == null || chain.length == 0) { - Log.w(TAG, "Empty client certificate chain?"); - return null; + @Override + protected void onPostExecute(Void result) { + ThreadUtils.assertOnUiThread(); + nativeOnSystemRequestCompletion(mNativePtr, mEncodedChain, mPrivateKey); + } + } + + /** Implementation of CertAsyncTask for the system KeyChain API. */ + private static class CertAsyncTaskKeyChain extends CertAsyncTask { + final Context mContext; + final String mAlias; + + CertAsyncTaskKeyChain(Context context, int nativePtr, String alias) { + super(nativePtr); + mContext = context; + assert alias != null; + mAlias = alias; } - // Get the encoded certificate chain. - byte[][] encodedChain = new byte[chain.length][]; - try { - for (int i = 0; i < chain.length; ++i) { - encodedChain[i] = chain[i].getEncoded(); + @Override + String getAlias() { + return mAlias; + } + + @Override + PrivateKey getPrivateKey(String alias) { + try { + return KeyChain.getPrivateKey(mContext, alias); + } catch (KeyChainException e) { + Log.w(TAG, "KeyChainException when looking for '" + alias + "' certificate"); + return null; + } catch (InterruptedException e) { + Log.w(TAG, "InterruptedException when looking for '" + alias + "'certificate"); + return null; } - } catch (CertificateEncodingException e) { - Log.w(TAG, "Could not retrieve encoded certificate chain: " + e); - return null; } - mEncodedChain = encodedChain; - mPrivateKey = key; - return null; + @Override + X509Certificate[] getCertificateChain(String alias) { + try { + return KeyChain.getCertificateChain(mContext, alias); + } catch (KeyChainException e) { + Log.w(TAG, "KeyChainException when looking for '" + alias + "' certificate"); + return null; + } catch (InterruptedException e) { + Log.w(TAG, "InterruptedException when looking for '" + alias + "'certificate"); + return null; + } + } } - @Override - protected void onPostExecute(Void result) { - // Back to the UI thread. - nativeOnSystemRequestCompletion(mNativePtr, mEncodedChain, mPrivateKey); + /** Implementation of CertAsyncTask for use with a PKCS11-backed KeyStore. */ + private static class CertAsyncTaskPKCS11 extends CertAsyncTask { + private final PKCS11AuthenticationManager mPKCS11AuthManager; + private final String mHostName; + private final int mPort; + + CertAsyncTaskPKCS11(int nativePtr, String hostName, int port, + PKCS11AuthenticationManager pkcs11CardAuthManager) { + super(nativePtr); + mHostName = hostName; + mPort = port; + mPKCS11AuthManager = pkcs11CardAuthManager; + } + + @Override + String getAlias() { + return mPKCS11AuthManager.getClientCertificateAlias(mHostName, mPort); + } + + @Override + PrivateKey getPrivateKey(String alias) { + return mPKCS11AuthManager.getPrivateKey(alias); + } + + @Override + X509Certificate[] getCertificateChain(String alias) { + return mPKCS11AuthManager.getCertificateChain(alias); + } } + /** + * The system KeyChain API will call us back on the alias() method, passing the alias of the + * certificate selected by the user. + */ + private static class KeyChainCertSelectionCallback implements KeyChainAliasCallback { + private final int mNativePtr; + private final Context mContext; + + KeyChainCertSelectionCallback(Context context, int nativePtr) { + mContext = context; + mNativePtr = nativePtr; + } + + @Override + public void alias(final String alias) { + // This is called by KeyChainActivity in a background thread. Post task to + // handle the certificate selection on the UI thread. + ThreadUtils.runOnUiThread(new Runnable() { + @Override + public void run() { + if (alias == null) { + // No certificate was selected. + ThreadUtils.runOnUiThread(new Runnable() { + @Override + public void run() { + nativeOnSystemRequestCompletion(mNativePtr, null, null); + } + }); + } else { + new CertAsyncTaskKeyChain(mContext, mNativePtr, alias).execute(); + } + } + }); + } + } /** * Create a new asynchronous request to select a client certificate. @@ -132,11 +218,10 @@ class SSLClientCertificateRequest extends AsyncTask<Void, Void, Void> * Note that nativeOnSystemRequestComplete will be called iff this method returns true. */ @CalledByNative - private static boolean selectClientCertificate(int nativePtr, String[] keyTypes, - byte[][] encodedPrincipals, String hostName, int port) { + private static boolean selectClientCertificate(final int nativePtr, final String[] keyTypes, + byte[][] encodedPrincipals, final String hostName, final int port) { ThreadUtils.assertOnUiThread(); - - Activity activity = ActivityStatus.getActivity(); + final Activity activity = ActivityStatus.getActivity(); if (activity == null) { Log.w(TAG, "No active Chromium main activity!?"); return false; @@ -151,18 +236,55 @@ class SSLClientCertificateRequest extends AsyncTask<Void, Void, Void> principals[n] = new X500Principal(encodedPrincipals[n]); } } catch (Exception e) { - // Bail on error. Log.w(TAG, "Exception while decoding issuers list: " + e); return false; } } - // All good, create new request, add it to our list and launch the certificate selection - // activity. - SSLClientCertificateRequest request = new SSLClientCertificateRequest(nativePtr); + final Principal[] principalsForCallback = principals; + // Certificate for client authentication can be obtained either from the system store of + // from a smart card (if available). + Runnable useSystemStore = new Runnable() { + @Override + public void run() { + KeyChainCertSelectionCallback callback = + new KeyChainCertSelectionCallback(activity.getApplicationContext(), + nativePtr); + KeyChain.choosePrivateKeyAlias(activity, callback, keyTypes, principalsForCallback, + hostName, port, null); + } + }; + + final Context appContext = activity.getApplicationContext(); + final PKCS11AuthenticationManager smartCardAuthManager = + ((ChromiumApplication) appContext).getPKCS11AuthenticationManager(); + if (smartCardAuthManager.isPKCS11AuthEnabled()) { + // Smart card support is available, prompt the user whether to use it or Android system + // store. + Runnable useSmartCard = new Runnable() { + @Override + public void run() { + new CertAsyncTaskPKCS11(nativePtr, hostName, port, + smartCardAuthManager).execute(); + } + }; + Runnable cancelRunnable = new Runnable() { + @Override + public void run() { + // We took ownership of the request, need to delete it. + nativeOnSystemRequestCompletion(nativePtr, null, null); + } + }; + + KeyStoreSelectionDialog selectionDialog = new KeyStoreSelectionDialog( + useSystemStore, useSmartCard, cancelRunnable); + selectionDialog.show(activity.getFragmentManager(), null); + } else { + // Smart card support is not available, use the system store unconditionally. + useSystemStore.run(); + } - KeyChain.choosePrivateKeyAlias( - activity, request, keyTypes, principals, hostName, port, null); + // We've taken ownership of the native ssl request object. return true; } diff --git a/chrome/android/testshell/java/src/org/chromium/chrome/testshell/ChromiumTestShellApplication.java b/chrome/android/testshell/java/src/org/chromium/chrome/testshell/ChromiumTestShellApplication.java index d7c43d1..5fcdba7 100644 --- a/chrome/android/testshell/java/src/org/chromium/chrome/testshell/ChromiumTestShellApplication.java +++ b/chrome/android/testshell/java/src/org/chromium/chrome/testshell/ChromiumTestShellApplication.java @@ -9,6 +9,7 @@ import android.content.Intent; import org.chromium.base.CommandLine; import org.chromium.base.PathUtils; import org.chromium.chrome.browser.ChromiumApplication; +import org.chromium.chrome.browser.PKCS11AuthenticationManager; import org.chromium.chrome.browser.UmaUtils; import org.chromium.chrome.browser.invalidation.UniqueIdInvalidationClientNameGenerator; import org.chromium.content.browser.ResourceExtractor; @@ -87,4 +88,9 @@ public class ChromiumTestShellApplication extends ChromiumApplication { protected boolean areParentalControlsEnabled() { return false; } + + @Override + protected PKCS11AuthenticationManager getPKCS11AuthenticationManager() { + return new TestShellPKCS11AuthenticationManager(); + } } diff --git a/chrome/android/testshell/java/src/org/chromium/chrome/testshell/TestShellPKCS11AuthenticationManager.java b/chrome/android/testshell/java/src/org/chromium/chrome/testshell/TestShellPKCS11AuthenticationManager.java new file mode 100644 index 0000000..691e650 --- /dev/null +++ b/chrome/android/testshell/java/src/org/chromium/chrome/testshell/TestShellPKCS11AuthenticationManager.java @@ -0,0 +1,42 @@ +// Copyright 2014 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +package org.chromium.chrome.testshell; + +import android.content.Context; + +import org.chromium.chrome.browser.PKCS11AuthenticationManager; + +import java.security.PrivateKey; +import java.security.cert.X509Certificate; + +/** + * Chromium TestShell stub implementation of PKCS11AuthenticationManager. + */ +public class TestShellPKCS11AuthenticationManager implements PKCS11AuthenticationManager { + @Override + public boolean isPKCS11AuthEnabled() { + return false; + } + + @Override + public String getClientCertificateAlias(String hostName, int port) { + return null; + } + + @Override + public void initialize(Context context) { + } + + + @Override + public X509Certificate[] getCertificateChain(String alias) { + return null; + } + + @Override + public PrivateKey getPrivateKey(String alias) { + return null; + } +} diff --git a/chrome/test/android/unit_tests_apk/src/org/chromium/chrome/unit_tests_apk/ChromeNativeTestApplication.java b/chrome/test/android/unit_tests_apk/src/org/chromium/chrome/unit_tests_apk/ChromeNativeTestApplication.java index 3d87b70..232428e 100644 --- a/chrome/test/android/unit_tests_apk/src/org/chromium/chrome/unit_tests_apk/ChromeNativeTestApplication.java +++ b/chrome/test/android/unit_tests_apk/src/org/chromium/chrome/unit_tests_apk/ChromeNativeTestApplication.java @@ -5,6 +5,7 @@ package org.chromium.chrome.unit_tests_apk; import org.chromium.chrome.browser.ChromiumApplication; +import org.chromium.chrome.browser.PKCS11AuthenticationManager; /** * A stub implementation of the chrome application to be used in chrome unit_tests. @@ -27,4 +28,9 @@ public class ChromeNativeTestApplication extends ChromiumApplication { protected boolean areParentalControlsEnabled() { return false; } + + @Override + protected PKCS11AuthenticationManager getPKCS11AuthenticationManager() { + return null; + } } |