CertificateChainValidator.java revision 85ffa26f67efad30912e1561b5123b6f8f5827ee
19066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/* 29066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Copyright (C) 2008 The Android Open Source Project 39066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 49066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Licensed under the Apache License, Version 2.0 (the "License"); 59066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * you may not use this file except in compliance with the License. 69066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * You may obtain a copy of the License at 79066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 89066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * http://www.apache.org/licenses/LICENSE-2.0 99066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Unless required by applicable law or agreed to in writing, software 119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * distributed under the License is distributed on an "AS IS" BASIS, 129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * See the License for the specific language governing permissions and 149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * limitations under the License. 159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectpackage android.net.http; 189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 192269d1572e5fcfb725ea55f5764d8c3280d69f6dDianne Hackborn 202269d1572e5fcfb725ea55f5764d8c3280d69f6dDianne Hackbornimport com.android.internal.net.DomainNameValidator; 218f028a94fc533e75077485a7d11a04e4de820335Makoto Onuki 2285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wuimport org.apache.harmony.security.provider.cert.X509CertImpl; 23405d4db50b3db1fc5e015475218e190d193332d4Brian Carlstromimport org.apache.harmony.xnet.provider.jsse.SSLParametersImpl; 24e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee 259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.io.IOException; 269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.Certificate; 289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateException; 299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateExpiredException; 309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateNotYetValidException; 319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.X509Certificate; 329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.GeneralSecurityException; 339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.KeyStore; 34c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wuimport java.util.Date; 359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 369066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLHandshakeException; 379066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSession; 389066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSocket; 399066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.TrustManager; 409066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.TrustManagerFactory; 419066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.X509TrustManager; 429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 439066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/** 449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Class responsible for all server certificate validation functionality 459066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 469066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * {@hide} 479066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 489066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectclass CertificateChainValidator { 499066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 509066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 519066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * The singleton instance of the certificate chain validator 529066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 53886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee private static final CertificateChainValidator sInstance 54886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee = new CertificateChainValidator(); 559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 569066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 57c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * @return The singleton instance of the certificates chain validator 589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public static CertificateChainValidator getInstance() { 609066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return sInstance; 619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 629066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 639066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 64c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * Creates a new certificate chain validator. This is a private constructor. 659066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * If you need a Certificate chain validator, call getInstance(). 669066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 67e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee private CertificateChainValidator() {} 689066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 699066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 709066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Performs the handshake and server certificates validation 71c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * Notice a new chain will be rebuilt by tracing the issuer and subject 72c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * before calling checkServerTrusted(). 73c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * And if the last traced certificate is self issued and it is expired, it 74c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * will be dropped. 759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param sslSocket The secure connection socket 769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param domain The website domain 779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @return An SSL error object if there is an error and null otherwise 789066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 799066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public SslError doHandshakeAndValidateServerCertificates( 809066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpsConnection connection, SSLSocket sslSocket, String domain) 819066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException { 82e103355d9332e2fab9d5c408e824ac8ab3b915a7Brian Carlstrom // get a valid SSLSession, close the socket if we fail 8385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu SSLSession sslSession = sslSocket.getSession(); 84e103355d9332e2fab9d5c408e824ac8ab3b915a7Brian Carlstrom if (!sslSession.isValid()) { 85e103355d9332e2fab9d5c408e824ac8ab3b915a7Brian Carlstrom closeSocketThrowException(sslSocket, "failed to perform SSL handshake"); 869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // retrieve the chain of the server peer certificates 899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Certificate[] peerCertificates = 909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.getSession().getPeerCertificates(); 919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 9285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu if (peerCertificates == null || peerCertificates.length == 0) { 939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 949066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, "failed to retrieve peer certificates"); 959066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } else { 969066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // update the SSL certificate associated with the connection 979066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (connection != null) { 9885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu if (peerCertificates[0] != null) { 999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project connection.setCertificate( 10085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu new SslCertificate((X509Certificate)peerCertificates[0])); 1019066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1029066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1039066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1049066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 10585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu return verifyServerDomainAndCertificates((X509Certificate[]) peerCertificates, domain); 10685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 10785ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 10885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu /** 10985ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * Similar to doHandshakeAndValidateServerCertificates but exposed to JNI for use 11085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * by Chromium HTTPS stack to validate the cert chain. 11185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @param certChain The bytes for certificates in ASN.1 DER encoded certficates format. 11285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @param domain The full website hostname and domain 11385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @return An SSL error object if there is an error and null otherwise 11485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu */ 11585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu public static SslError verifyServerCertificates( 11685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu byte[][] certChain, String domain, String authType) 11785ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu throws IOException { 11885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 11985ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu if (certChain == null || certChain.length == 0) { 12085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu throw new IllegalArgumentException("bad certificate chain"); 12185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 12285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 12385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu X509Certificate[] serverCertificates = new X509Certificate[certChain.length]; 12485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 12585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu for (int i = 0; i < certChain.length; ++i) { 12685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu serverCertificates[i] = new X509CertImpl(certChain[i]); 12785ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 12885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 12985ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu return verifyServerDomainAndCertificates(serverCertificates, domain); 13085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 13185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 13285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu /** 13385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * Common code of doHandshakeAndValidateServerCertificates and verifyServerCertificates. 13485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * Calls DomainNamevalidator to valide the domain, and TrustManager to valide the certs. 13585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @param chain the cert chain in X509 cert format. 13685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @param domain The full website hostname and domain 13785ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @return An SSL error object if there is an error and null otherwise 13885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu */ 13985ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu private static SslError verifyServerDomainAndCertificates( 14085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu X509Certificate[] chain, String domain) 14185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu throws IOException { 1429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // check if the first certificate in the chain is for this site 14385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu X509Certificate currCertificate = chain[0]; 1449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (currCertificate == null) { 14585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu throw new IllegalArgumentException("certificate for this site is null"); 14685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 1479066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 14885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu if (!DomainNameValidator.match(currCertificate, domain)) { 14985ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu if (HttpLog.LOGV) { 15085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu HttpLog.v("certificate not for this host: " + domain); 1519066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 15285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu return new SslError(SslError.SSL_IDMISMATCH, currCertificate); 1539066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1549066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 15685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu SSLParametersImpl.getDefaultTrustManager().checkServerTrusted(chain, "RSA"); 15785ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu return null; // No errors. 1589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (CertificateException e) { 1599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 16085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu HttpLog.v("failed to validate the certificate chain, error: " + 1619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project e.getMessage()); 1629066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 16385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu return new SslError(SslError.SSL_UNTRUSTED, currCertificate); 1649066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1659066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1669066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 16785ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 1689066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private void closeSocketThrowException( 1699066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSocket socket, String errorMessage, String defaultErrorMessage) 1709066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException { 1719066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 1729066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project socket, errorMessage != null ? errorMessage : defaultErrorMessage); 1739066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1749066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private void closeSocketThrowException(SSLSocket socket, 1769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage) throws IOException { 1779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 1789066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v("validation error: " + errorMessage); 1799066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1809066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1819066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (socket != null) { 1829066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSession session = socket.getSession(); 1839066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (session != null) { 1849066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project session.invalidate(); 1859066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project socket.close(); 1889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new SSLHandshakeException(errorMessage); 1919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project} 193