CertificateChainValidator.java revision e97c2006bf7c391c933307e520a392e532aa5d6a
19066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/* 29066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Copyright (C) 2008 The Android Open Source Project 39066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 49066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Licensed under the Apache License, Version 2.0 (the "License"); 59066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * you may not use this file except in compliance with the License. 69066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * You may obtain a copy of the License at 79066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 89066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * http://www.apache.org/licenses/LICENSE-2.0 99066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Unless required by applicable law or agreed to in writing, software 119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * distributed under the License is distributed on an "AS IS" BASIS, 129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * See the License for the specific language governing permissions and 149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * limitations under the License. 159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectpackage android.net.http; 189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 19e97c2006bf7c391c933307e520a392e532aa5d6aBob Leeimport org.apache.harmony.xnet.provider.jsse.SSLParameters; 20e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee 219066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.io.IOException; 229066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 239066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.Certificate; 249066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateException; 259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateExpiredException; 269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateNotYetValidException; 279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.X509Certificate; 289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.GeneralSecurityException; 299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.KeyStore; 309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLHandshakeException; 329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSession; 339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSocket; 349066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.TrustManager; 359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.TrustManagerFactory; 369066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.X509TrustManager; 379066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 389066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/** 399066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Class responsible for all server certificate validation functionality 409066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 419066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * {@hide} 429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 439066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectclass CertificateChainValidator { 449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 459066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 469066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * The singleton instance of the certificate chain validator 479066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 48886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee private static final CertificateChainValidator sInstance 49886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee = new CertificateChainValidator(); 509066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 519066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 529066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @return The singleton instance of the certificator chain validator 539066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 549066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public static CertificateChainValidator getInstance() { 559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return sInstance; 569066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 579066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Creates a new certificate chain validator. This is a pivate constructor. 609066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * If you need a Certificate chain validator, call getInstance(). 619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 62e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee private CertificateChainValidator() {} 639066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 649066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 659066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Performs the handshake and server certificates validation 669066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param sslSocket The secure connection socket 679066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param domain The website domain 689066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @return An SSL error object if there is an error and null otherwise 699066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 709066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public SslError doHandshakeAndValidateServerCertificates( 719066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpsConnection connection, SSLSocket sslSocket, String domain) 729066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException { 739066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project X509Certificate[] serverCertificates = null; 749066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // start handshake, close the socket if we fail 769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.setUseClientMode(true); 789066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.startHandshake(); 799066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (IOException e) { 809066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 819066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, e.getMessage(), 829066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project "failed to perform SSL handshake"); 839066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 849066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 859066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // retrieve the chain of the server peer certificates 869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Certificate[] peerCertificates = 879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.getSession().getPeerCertificates(); 889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (peerCertificates == null || peerCertificates.length <= 0) { 909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, "failed to retrieve peer certificates"); 929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } else { 939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project serverCertificates = 949066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project new X509Certificate[peerCertificates.length]; 959066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project for (int i = 0; i < peerCertificates.length; ++i) { 969066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project serverCertificates[i] = 979066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project (X509Certificate)(peerCertificates[i]); 989066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1009066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // update the SSL certificate associated with the connection 1019066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (connection != null) { 1029066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (serverCertificates[0] != null) { 1039066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project connection.setCertificate( 1049066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project new SslCertificate(serverCertificates[0])); 1059066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1069066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1079066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1089066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1099066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // check if the first certificate in the chain is for this site 1109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project X509Certificate currCertificate = serverCertificates[0]; 1119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (currCertificate == null) { 1129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 1139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, "certificate for this site is null"); 1149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } else { 1159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (!DomainNameChecker.match(currCertificate, domain)) { 1169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage = "certificate not for this host: " + domain; 1179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 1199066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v(errorMessage); 1209066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1219066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1229066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.getSession().invalidate(); 1239066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return new SslError( 1249066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_IDMISMATCH, currCertificate); 1259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // first, we validate the chain using the standard validation 1299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // solution; if we do not find any errors, we are done; if we 1309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // fail the standard validation, we re-validate again below, 1319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // this time trying to retrieve any individual errors we can 1329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // report back to the user. 1339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // 1349066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 135e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee SSLParameters.getDefaultTrustManager().checkServerTrusted( 136886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee serverCertificates, "RSA"); 1379066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 138886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee // no errors!!! 139886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee return null; 1409066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (CertificateException e) { 1419066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 1429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v( 1439066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project "failed to pre-validate the certificate chain, error: " + 1449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project e.getMessage()); 1459066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1469066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1479066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1489066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.getSession().invalidate(); 1499066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1509066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError error = null; 1519066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1529066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // we check the root certificate separately from the rest of the 1539066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // chain; this is because we need to know what certificate in 1549066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // the chain resulted in an error if any 1559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project currCertificate = 1569066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project serverCertificates[serverCertificates.length - 1]; 1579066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (currCertificate == null) { 1589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 1599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, "root certificate is null"); 1609066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1629066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // check if the last certificate in the chain (root) is trusted 1639066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project X509Certificate[] rootCertificateChain = { currCertificate }; 1649066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 165e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee SSLParameters.getDefaultTrustManager().checkServerTrusted( 166886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee rootCertificateChain, "RSA"); 1679066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (CertificateExpiredException e) { 1689066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage = e.getMessage(); 1699066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (errorMessage == null) { 1709066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project errorMessage = "root certificate has expired"; 1719066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1729066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1739066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 1749066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v(errorMessage); 1759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project error = new SslError( 1789066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_EXPIRED, currCertificate); 1799066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (CertificateNotYetValidException e) { 1809066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage = e.getMessage(); 1819066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (errorMessage == null) { 1829066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project errorMessage = "root certificate not valid yet"; 1839066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1849066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1859066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 1869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v(errorMessage); 1879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project error = new SslError( 1909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_NOTYETVALID, currCertificate); 1919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (CertificateException e) { 1929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage = e.getMessage(); 1939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (errorMessage == null) { 1949066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project errorMessage = "root certificate not trusted"; 1959066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1969066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1979066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 1989066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v(errorMessage); 1999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2009066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2019066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return new SslError( 2029066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_UNTRUSTED, currCertificate); 2039066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2049066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2059066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // Then go through the certificate chain checking that each 2069066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // certificate trusts the next and that each certificate is 2079066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // within its valid date range. Walk the chain in the order 2089066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // from the CA to the end-user 2099066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project X509Certificate prevCertificate = 2109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project serverCertificates[serverCertificates.length - 1]; 2119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project for (int i = serverCertificates.length - 2; i >= 0; --i) { 2139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project currCertificate = serverCertificates[i]; 2149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // if a certificate is null, we cannot verify the chain 2169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (currCertificate == null) { 2179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 2189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, "null certificate in the chain"); 2199066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2209066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2219066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // verify if trusted by chain 2229066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (!prevCertificate.getSubjectDN().equals( 2239066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project currCertificate.getIssuerDN())) { 2249066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage = "not trusted by chain"; 2259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 2279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v(errorMessage); 2289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return new SslError( 2319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_UNTRUSTED, currCertificate); 2329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2349066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 2359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project currCertificate.verify(prevCertificate.getPublicKey()); 2369066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (GeneralSecurityException e) { 2379066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage = e.getMessage(); 2389066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (errorMessage == null) { 2399066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project errorMessage = "not trusted by chain"; 2409066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2419066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 2439066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v(errorMessage); 2449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2459066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2469066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return new SslError( 2479066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_UNTRUSTED, currCertificate); 2489066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2499066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2509066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // verify if the dates are valid 2519066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 2529066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project currCertificate.checkValidity(); 2539066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (CertificateExpiredException e) { 2549066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage = e.getMessage(); 2559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (errorMessage == null) { 2569066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project errorMessage = "certificate expired"; 2579066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 2609066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v(errorMessage); 2619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2629066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2639066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (error == null || 2649066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project error.getPrimaryError() < SslError.SSL_EXPIRED) { 2659066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project error = new SslError( 2669066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_EXPIRED, currCertificate); 2679066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2689066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (CertificateNotYetValidException e) { 2699066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage = e.getMessage(); 2709066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (errorMessage == null) { 2719066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project errorMessage = "certificate not valid yet"; 2729066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2739066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2749066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 2759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v(errorMessage); 2769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2789066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (error == null || 2799066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project error.getPrimaryError() < SslError.SSL_NOTYETVALID) { 2809066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project error = new SslError( 2819066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SslError.SSL_NOTYETVALID, currCertificate); 2829066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2839066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2849066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2859066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project prevCertificate = currCertificate; 2869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // if we do not have an error to report back to the user, throw 2899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // an exception (a generic error will be reported instead) 2909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (error == null) { 2919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 2929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, 2939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project "failed to pre-validate the certificate chain due to a non-standard error"); 2949066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2959066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2969066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return error; 2979066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2989066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private void closeSocketThrowException( 3009066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSocket socket, String errorMessage, String defaultErrorMessage) 3019066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException { 3029066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 3039066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project socket, errorMessage != null ? errorMessage : defaultErrorMessage); 3049066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 3059066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 3069066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private void closeSocketThrowException(SSLSocket socket, 3079066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage) throws IOException { 3089066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 3099066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v("validation error: " + errorMessage); 3109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 3119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 3129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (socket != null) { 3139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSession session = socket.getSession(); 3149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (session != null) { 3159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project session.invalidate(); 3169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 3179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 3189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project socket.close(); 3199066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 3209066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 3219066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new SSLHandshakeException(errorMessage); 3229066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 3239066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project} 324