19066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/* 29066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Copyright (C) 2008 The Android Open Source Project 39066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 49066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Licensed under the Apache License, Version 2.0 (the "License"); 59066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * you may not use this file except in compliance with the License. 69066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * You may obtain a copy of the License at 79066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 89066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * http://www.apache.org/licenses/LICENSE-2.0 99066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Unless required by applicable law or agreed to in writing, software 119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * distributed under the License is distributed on an "AS IS" BASIS, 129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * See the License for the specific language governing permissions and 149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * limitations under the License. 159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectpackage android.net.http; 189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 192269d1572e5fcfb725ea55f5764d8c3280d69f6dDianne Hackborn 202269d1572e5fcfb725ea55f5764d8c3280d69f6dDianne Hackbornimport com.android.internal.net.DomainNameValidator; 218f028a94fc533e75077485a7d11a04e4de820335Makoto Onuki 22e97c2006bf7c391c933307e520a392e532aa5d6aBob Leeimport org.apache.harmony.xnet.provider.jsse.SSLParameters; 23e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee 249066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.io.IOException; 259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.Certificate; 279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateException; 289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateExpiredException; 299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateNotYetValidException; 309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.X509Certificate; 319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.GeneralSecurityException; 329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.KeyStore; 33c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wuimport java.util.Date; 349066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLHandshakeException; 369066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSession; 379066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSocket; 389066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.TrustManager; 399066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.TrustManagerFactory; 409066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.X509TrustManager; 419066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/** 439066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Class responsible for all server certificate validation functionality 449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 459066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * {@hide} 469066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 479066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectclass CertificateChainValidator { 489066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 499066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 509066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * The singleton instance of the certificate chain validator 519066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 52886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee private static final CertificateChainValidator sInstance 53886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee = new CertificateChainValidator(); 549066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 56c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * @return The singleton instance of the certificates chain validator 579066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public static CertificateChainValidator getInstance() { 599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return sInstance; 609066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 629066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 63c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * Creates a new certificate chain validator. This is a private constructor. 649066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * If you need a Certificate chain validator, call getInstance(). 659066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 66e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee private CertificateChainValidator() {} 679066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 689066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 699066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Performs the handshake and server certificates validation 70c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * Notice a new chain will be rebuilt by tracing the issuer and subject 71c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * before calling checkServerTrusted(). 72c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * And if the last traced certificate is self issued and it is expired, it 73c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * will be dropped. 749066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param sslSocket The secure connection socket 759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param domain The website domain 769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @return An SSL error object if there is an error and null otherwise 779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 789066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public SslError doHandshakeAndValidateServerCertificates( 799066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpsConnection connection, SSLSocket sslSocket, String domain) 809066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException { 819066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project X509Certificate[] serverCertificates = null; 829066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 839066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // start handshake, close the socket if we fail 849066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 859066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.setUseClientMode(true); 869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.startHandshake(); 879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (IOException e) { 889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, e.getMessage(), 909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project "failed to perform SSL handshake"); 919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // retrieve the chain of the server peer certificates 949066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Certificate[] peerCertificates = 959066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.getSession().getPeerCertificates(); 969066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 979066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (peerCertificates == null || peerCertificates.length <= 0) { 989066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, "failed to retrieve peer certificates"); 1009066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } else { 1019066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project serverCertificates = 1029066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project new X509Certificate[peerCertificates.length]; 1039066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project for (int i = 0; i < peerCertificates.length; ++i) { 1049066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project serverCertificates[i] = 1059066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project (X509Certificate)(peerCertificates[i]); 1069066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1079066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1089066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // update the SSL certificate associated with the connection 1099066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (connection != null) { 1109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (serverCertificates[0] != null) { 1119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project connection.setCertificate( 1129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project new SslCertificate(serverCertificates[0])); 1139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // check if the first certificate in the chain is for this site 1189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project X509Certificate currCertificate = serverCertificates[0]; 1199066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (currCertificate == null) { 1209066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 1219066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, "certificate for this site is null"); 1229066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } else { 1238f028a94fc533e75077485a7d11a04e4de820335Makoto Onuki if (!DomainNameValidator.match(currCertificate, domain)) { 1249066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage = "certificate not for this host: " + domain; 1259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 1279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v(errorMessage); 1289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.getSession().invalidate(); 1319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return new SslError( 1329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_IDMISMATCH, currCertificate); 1339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1349066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 136c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // Clean up the certificates chain and build a new one. 137c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // Theoretically, we shouldn't have to do this, but various web servers 138c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // in practice are mis-configured to have out-of-order certificates or 139c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // expired self-issued root certificate. 140c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu int chainLength = serverCertificates.length; 141c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu if (serverCertificates.length > 1) { 142c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // 1. we clean the received certificates chain. 143c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // We start from the end-entity certificate, tracing down by matching 144c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // the "issuer" field and "subject" field until we can't continue. 145c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // This helps when the certificates are out of order or 146c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // some certificates are not related to the site. 147c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu int currIndex; 148c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu for (currIndex = 0; currIndex < serverCertificates.length; ++currIndex) { 149c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu boolean foundNext = false; 150c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu for (int nextIndex = currIndex + 1; 151c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu nextIndex < serverCertificates.length; 152c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu ++nextIndex) { 153c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu if (serverCertificates[currIndex].getIssuerDN().equals( 154c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu serverCertificates[nextIndex].getSubjectDN())) { 155c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu foundNext = true; 156c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // Exchange certificates so that 0 through currIndex + 1 are in proper order 157c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu if (nextIndex != currIndex + 1) { 158c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu X509Certificate tempCertificate = serverCertificates[nextIndex]; 159c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu serverCertificates[nextIndex] = serverCertificates[currIndex + 1]; 160c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu serverCertificates[currIndex + 1] = tempCertificate; 161c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu } 162c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu break; 163c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu } 164c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu } 165c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu if (!foundNext) break; 166c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu } 167c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu 168c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // 2. we exam if the last traced certificate is self issued and it is expired. 169c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // If so, we drop it and pass the rest to checkServerTrusted(), hoping we might 170c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // have a similar but unexpired trusted root. 171c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu chainLength = currIndex + 1; 172c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu X509Certificate lastCertificate = serverCertificates[chainLength - 1]; 173c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu Date now = new Date(); 174c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu if (lastCertificate.getSubjectDN().equals(lastCertificate.getIssuerDN()) 175c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu && now.after(lastCertificate.getNotAfter())) { 176c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu --chainLength; 177c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu } 178c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu } 179c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu 180c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // 3. Now we copy the newly built chain into an appropriately sized array. 181c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu X509Certificate[] newServerCertificates = null; 182c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu newServerCertificates = new X509Certificate[chainLength]; 183c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu for (int i = 0; i < chainLength; ++i) { 184c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu newServerCertificates[i] = serverCertificates[i]; 185c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu } 186c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu 187c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu // first, we validate the new chain using the standard validation 1889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // solution; if we do not find any errors, we are done; if we 1899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // fail the standard validation, we re-validate again below, 1909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // this time trying to retrieve any individual errors we can 1919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // report back to the user. 1929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // 1939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 194e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee SSLParameters.getDefaultTrustManager().checkServerTrusted( 195c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu newServerCertificates, "RSA"); 1969066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 197886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee // no errors!!! 198886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee return null; 1999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (CertificateException e) { 200c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu sslSocket.getSession().invalidate(); 201c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu 2029066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 2039066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v( 2049066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project "failed to pre-validate the certificate chain, error: " + 2059066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project e.getMessage()); 2069066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2079066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return new SslError( 2089066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_UNTRUSTED, currCertificate); 2099066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private void closeSocketThrowException( 2139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSocket socket, String errorMessage, String defaultErrorMessage) 2149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException { 2159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 2169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project socket, errorMessage != null ? errorMessage : defaultErrorMessage); 2179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2199066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private void closeSocketThrowException(SSLSocket socket, 2209066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage) throws IOException { 2219066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 2229066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v("validation error: " + errorMessage); 2239066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2249066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (socket != null) { 2269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSession session = socket.getSession(); 2279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (session != null) { 2289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project session.invalidate(); 2299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project socket.close(); 2329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2349066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new SSLHandshakeException(errorMessage); 2359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2369066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project} 237