com/android/server/locksettings/recoverablekeystore/certificate/SigXml.java - platform/prebuilts/fullsdk/sources/android-30 - Git at Google

 /*
  * Copyright (C) 2017 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package com.android.server.locksettings.recoverablekeystore.certificate;

 import android.annotation.Nullable;

 import com.android.internal.annotations.VisibleForTesting;

 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Date;
 import java.util.List;

 import org.w3c.dom.Element;

 /**
  * Parses and holds the XML file containing the signature of the XML file containing the list of THM
  * public-key certificates.
  */
 public final class SigXml {

     private static final String INTERMEDIATE_CERT_LIST_TAG = "intermediates";
     private static final String INTERMEDIATE_CERT_ITEM_TAG = "cert";
     private static final String SIGNER_CERT_NODE_TAG = "certificate";
     private static final String SIGNATURE_NODE_TAG = "value";

     private final List<X509Certificate> intermediateCerts;
     private final X509Certificate signerCert;
     private final byte[] signature;

     private SigXml(
             List<X509Certificate> intermediateCerts, X509Certificate signerCert, byte[] signature) {
         this.intermediateCerts = intermediateCerts;
         this.signerCert = signerCert;
         this.signature = signature;
     }

     /**
      * Verifies the signature contained in this XML file against a trusted root certificate and the
      * binary content of another file. The signer's public-key certificate and possible intermediate
      * CA certificates are included in this XML file, and will be validated against the trusted root
      * certificate.
      *
      * @param trustedRoot     the trusted root certificate
      * @param signedFileBytes the original file content that has been signed
      * @throws CertValidationException if the signature verification fails, or the signer's
      *                                 certificate contained in this XML file cannot be validated
      *                                 based on the trusted root certificate
      */
     public void verifyFileSignature(X509Certificate trustedRoot, byte[] signedFileBytes)
             throws CertValidationException {
         verifyFileSignature(trustedRoot, signedFileBytes, /*validationDate=*/ null);
     }

     @VisibleForTesting
     void verifyFileSignature(
             X509Certificate trustedRoot, byte[] signedFileBytes, @Nullable Date validationDate)
             throws CertValidationException {
         CertUtils.validateCert(validationDate, trustedRoot, intermediateCerts, signerCert);
         CertUtils.verifyRsaSha256Signature(signerCert.getPublicKey(), signature, signedFileBytes);
     }

     /**
      * Parses a byte array as the content of the XML file containing the signature and related
      * certificates.
      *
      * @param bytes the bytes of the XML file
      * @return a {@code SigXml} instance that contains the parsing result
      * @throws CertParsingException if any parsing error occurs
      */
     public static SigXml parse(byte[] bytes) throws CertParsingException {
         Element rootNode = CertUtils.getXmlRootNode(bytes);
         return new SigXml(
                 parseIntermediateCerts(rootNode), parseSignerCert(rootNode),
                 parseFileSignature(rootNode));
     }

     private static List<X509Certificate> parseIntermediateCerts(Element rootNode)
             throws CertParsingException {
         List<String> contents =
                 CertUtils.getXmlNodeContents(
                         CertUtils.MUST_EXIST_UNENFORCED,
                         rootNode,
                         INTERMEDIATE_CERT_LIST_TAG,
                         INTERMEDIATE_CERT_ITEM_TAG);
         List<X509Certificate> res = new ArrayList<>();
         for (String content : contents) {
             res.add(CertUtils.decodeCert(CertUtils.decodeBase64(content)));
         }
         return Collections.unmodifiableList(res);
     }

     private static X509Certificate parseSignerCert(Element rootNode) throws CertParsingException {
         List<String> contents =
                 CertUtils.getXmlNodeContents(
                         CertUtils.MUST_EXIST_EXACTLY_ONE, rootNode, SIGNER_CERT_NODE_TAG);
         return CertUtils.decodeCert(CertUtils.decodeBase64(contents.get(0)));
     }

     private static byte[] parseFileSignature(Element rootNode) throws CertParsingException {
         List<String> contents =
                 CertUtils.getXmlNodeContents(
                         CertUtils.MUST_EXIST_EXACTLY_ONE, rootNode, SIGNATURE_NODE_TAG);
         return CertUtils.decodeBase64(contents.get(0));
     }
 }
	/*
	* Copyright (C) 2017 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package com.android.server.locksettings.recoverablekeystore.certificate;

	import android.annotation.Nullable;

	import com.android.internal.annotations.VisibleForTesting;

	import java.security.cert.X509Certificate;
	import java.util.ArrayList;
	import java.util.Collections;
	import java.util.Date;
	import java.util.List;

	import org.w3c.dom.Element;

	/**
	* Parses and holds the XML file containing the signature of the XML file containing the list of THM
	* public-key certificates.
	*/
	public final class SigXml {

	private static final String INTERMEDIATE_CERT_LIST_TAG = "intermediates";
	private static final String INTERMEDIATE_CERT_ITEM_TAG = "cert";
	private static final String SIGNER_CERT_NODE_TAG = "certificate";
	private static final String SIGNATURE_NODE_TAG = "value";

	private final List<X509Certificate> intermediateCerts;
	private final X509Certificate signerCert;
	private final byte[] signature;

	private SigXml(
	List<X509Certificate> intermediateCerts, X509Certificate signerCert, byte[] signature) {
	this.intermediateCerts = intermediateCerts;
	this.signerCert = signerCert;
	this.signature = signature;
	}

	/**
	* Verifies the signature contained in this XML file against a trusted root certificate and the
	* binary content of another file. The signer's public-key certificate and possible intermediate
	* CA certificates are included in this XML file, and will be validated against the trusted root
	* certificate.
	*
	* @param trustedRoot the trusted root certificate
	* @param signedFileBytes the original file content that has been signed
	* @throws CertValidationException if the signature verification fails, or the signer's
	* certificate contained in this XML file cannot be validated
	* based on the trusted root certificate
	*/
	public void verifyFileSignature(X509Certificate trustedRoot, byte[] signedFileBytes)
	throws CertValidationException {
	verifyFileSignature(trustedRoot, signedFileBytes, /validationDate=/ null);
	}

	@VisibleForTesting
	void verifyFileSignature(
	X509Certificate trustedRoot, byte[] signedFileBytes, @Nullable Date validationDate)
	throws CertValidationException {
	CertUtils.validateCert(validationDate, trustedRoot, intermediateCerts, signerCert);
	CertUtils.verifyRsaSha256Signature(signerCert.getPublicKey(), signature, signedFileBytes);
	}

	/**
	* Parses a byte array as the content of the XML file containing the signature and related
	* certificates.
	*
	* @param bytes the bytes of the XML file
	* @return a {@code SigXml} instance that contains the parsing result
	* @throws CertParsingException if any parsing error occurs
	*/
	public static SigXml parse(byte[] bytes) throws CertParsingException {
	Element rootNode = CertUtils.getXmlRootNode(bytes);
	return new SigXml(
	parseIntermediateCerts(rootNode), parseSignerCert(rootNode),
	parseFileSignature(rootNode));
	}

	private static List<X509Certificate> parseIntermediateCerts(Element rootNode)
	throws CertParsingException {
	List<String> contents =
	CertUtils.getXmlNodeContents(
	CertUtils.MUST_EXIST_UNENFORCED,
	rootNode,
	INTERMEDIATE_CERT_LIST_TAG,
	INTERMEDIATE_CERT_ITEM_TAG);
	List<X509Certificate> res = new ArrayList<>();
	for (String content : contents) {
	res.add(CertUtils.decodeCert(CertUtils.decodeBase64(content)));
	}
	return Collections.unmodifiableList(res);
	}

	private static X509Certificate parseSignerCert(Element rootNode) throws CertParsingException {
	List<String> contents =
	CertUtils.getXmlNodeContents(
	CertUtils.MUST_EXIST_EXACTLY_ONE, rootNode, SIGNER_CERT_NODE_TAG);
	return CertUtils.decodeCert(CertUtils.decodeBase64(contents.get(0)));
	}

	private static byte[] parseFileSignature(Element rootNode) throws CertParsingException {
	List<String> contents =
	CertUtils.getXmlNodeContents(
	CertUtils.MUST_EXIST_EXACTLY_ONE, rootNode, SIGNATURE_NODE_TAG);
	return CertUtils.decodeBase64(contents.get(0));
	}
	}