19066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/* 29066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Copyright (C) 2008 The Android Open Source Project 39066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 49066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Licensed under the Apache License, Version 2.0 (the "License"); 59066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * you may not use this file except in compliance with the License. 69066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * You may obtain a copy of the License at 79066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 89066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * http://www.apache.org/licenses/LICENSE-2.0 99066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Unless required by applicable law or agreed to in writing, software 119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * distributed under the License is distributed on an "AS IS" BASIS, 129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * See the License for the specific language governing permissions and 149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * limitations under the License. 159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectpackage android.net.http; 189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1912e752225aa96888358294be0d725d499a1c9f03Kenny Rootimport com.android.org.conscrypt.SSLParametersImpl; 2012e752225aa96888358294be0d725d499a1c9f03Kenny Rootimport com.android.org.conscrypt.TrustManagerImpl; 212269d1572e5fcfb725ea55f5764d8c3280d69f6dDianne Hackborn 2228b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Rootimport java.io.ByteArrayInputStream; 239066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.io.IOException; 24866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstromimport java.security.GeneralSecurityException; 25866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstromimport java.security.KeyManagementException; 269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.Certificate; 279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.CertificateException; 2828b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Rootimport java.security.cert.CertificateFactory; 299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.X509Certificate; 3052cd299eef703030f8fcf7a92f413791301771ccJesse Wilsonimport javax.net.ssl.DefaultHostnameVerifier; 319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLHandshakeException; 329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSession; 339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSocket; 3493ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurunimport javax.net.ssl.X509TrustManager; 359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 369066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/** 379066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Class responsible for all server certificate validation functionality 3852cd299eef703030f8fcf7a92f413791301771ccJesse Wilson * 399066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * {@hide} 409066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 4193ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurunpublic class CertificateChainValidator { 429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 439066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * The singleton instance of the certificate chain validator 459066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 46886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee private static final CertificateChainValidator sInstance 47886f3d69b79748fe937725e33b8bbb3d67ab82c7Bob Lee = new CertificateChainValidator(); 489066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 4952cd299eef703030f8fcf7a92f413791301771ccJesse Wilson private static final DefaultHostnameVerifier sVerifier 5052cd299eef703030f8fcf7a92f413791301771ccJesse Wilson = new DefaultHostnameVerifier(); 5152cd299eef703030f8fcf7a92f413791301771ccJesse Wilson 529066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 53c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * @return The singleton instance of the certificates chain validator 549066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public static CertificateChainValidator getInstance() { 569066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return sInstance; 579066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 60c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * Creates a new certificate chain validator. This is a private constructor. 619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * If you need a Certificate chain validator, call getInstance(). 629066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 63e97c2006bf7c391c933307e520a392e532aa5d6aBob Lee private CertificateChainValidator() {} 649066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 659066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 669066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Performs the handshake and server certificates validation 67c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * Notice a new chain will be rebuilt by tracing the issuer and subject 68c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * before calling checkServerTrusted(). 69c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * And if the last traced certificate is self issued and it is expired, it 70c4e834dc47885c8dbd3a2911ce4b9fccde21c800Huahui Wu * will be dropped. 719066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param sslSocket The secure connection socket 729066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param domain The website domain 739066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @return An SSL error object if there is an error and null otherwise 749066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public SslError doHandshakeAndValidateServerCertificates( 769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpsConnection connection, SSLSocket sslSocket, String domain) 779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException { 78e103355d9332e2fab9d5c408e824ac8ab3b915a7Brian Carlstrom // get a valid SSLSession, close the socket if we fail 7985ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu SSLSession sslSession = sslSocket.getSession(); 80e103355d9332e2fab9d5c408e824ac8ab3b915a7Brian Carlstrom if (!sslSession.isValid()) { 81e103355d9332e2fab9d5c408e824ac8ab3b915a7Brian Carlstrom closeSocketThrowException(sslSocket, "failed to perform SSL handshake"); 829066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 839066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 849066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // retrieve the chain of the server peer certificates 859066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Certificate[] peerCertificates = 869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket.getSession().getPeerCertificates(); 879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 8885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu if (peerCertificates == null || peerCertificates.length == 0) { 899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSocket, "failed to retrieve peer certificates"); 919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } else { 929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // update the SSL certificate associated with the connection 939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (connection != null) { 9485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu if (peerCertificates[0] != null) { 959066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project connection.setCertificate( 9685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu new SslCertificate((X509Certificate)peerCertificates[0])); 979066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 989066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1009066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1018234bdb36a951c1265b2bc702c06bab09509a615Huahui Wu return verifyServerDomainAndCertificates((X509Certificate[]) peerCertificates, domain, "RSA"); 10285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 10385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 10485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu /** 10585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * Similar to doHandshakeAndValidateServerCertificates but exposed to JNI for use 10685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * by Chromium HTTPS stack to validate the cert chain. 1078234bdb36a951c1265b2bc702c06bab09509a615Huahui Wu * @param certChain The bytes for certificates in ASN.1 DER encoded certificates format. 10885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @param domain The full website hostname and domain 1098234bdb36a951c1265b2bc702c06bab09509a615Huahui Wu * @param authType The authentication type for the cert chain 11085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @return An SSL error object if there is an error and null otherwise 11185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu */ 11285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu public static SslError verifyServerCertificates( 11385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu byte[][] certChain, String domain, String authType) 11485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu throws IOException { 11585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 11685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu if (certChain == null || certChain.length == 0) { 11785ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu throw new IllegalArgumentException("bad certificate chain"); 11885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 11985ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 12085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu X509Certificate[] serverCertificates = new X509Certificate[certChain.length]; 12185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 12228b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Root try { 12328b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Root CertificateFactory cf = CertificateFactory.getInstance("X.509"); 12428b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Root for (int i = 0; i < certChain.length; ++i) { 12528b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Root serverCertificates[i] = (X509Certificate) cf.generateCertificate( 12628b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Root new ByteArrayInputStream(certChain[i])); 12728b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Root } 12828b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Root } catch (CertificateException e) { 12928b1f0ee02e14241ffb81f431fc54053771c1c90Kenny Root throw new IOException("can't read certificate", e); 13085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 13185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 1328234bdb36a951c1265b2bc702c06bab09509a615Huahui Wu return verifyServerDomainAndCertificates(serverCertificates, domain, authType); 13385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 13485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 13585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu /** 13693ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurun * Handles updates to credential storage. 13793ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurun */ 13893ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurun public static void handleTrustStorageUpdate() { 13993ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurun 140866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstrom try { 141866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstrom X509TrustManager x509TrustManager = SSLParametersImpl.getDefaultTrustManager(); 142866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstrom if( x509TrustManager instanceof TrustManagerImpl ) { 143866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstrom TrustManagerImpl trustManager = (TrustManagerImpl) x509TrustManager; 144866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstrom trustManager.handleTrustStorageUpdate(); 145866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstrom } 146866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstrom } catch (KeyManagementException ignored) { 14793ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurun } 14893ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurun } 14993ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurun 15093ba4fedebb78ba47c24e8472c8960ea8fdc933aSelim Gurun /** 15185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * Common code of doHandshakeAndValidateServerCertificates and verifyServerCertificates. 1528234bdb36a951c1265b2bc702c06bab09509a615Huahui Wu * Calls DomainNamevalidator to verify the domain, and TrustManager to verify the certs. 15385ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @param chain the cert chain in X509 cert format. 15485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @param domain The full website hostname and domain 1558234bdb36a951c1265b2bc702c06bab09509a615Huahui Wu * @param authType The authentication type for the cert chain 15685ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu * @return An SSL error object if there is an error and null otherwise 15785ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu */ 15885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu private static SslError verifyServerDomainAndCertificates( 1598234bdb36a951c1265b2bc702c06bab09509a615Huahui Wu X509Certificate[] chain, String domain, String authType) 16085ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu throws IOException { 1619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // check if the first certificate in the chain is for this site 16285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu X509Certificate currCertificate = chain[0]; 1639066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (currCertificate == null) { 16485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu throw new IllegalArgumentException("certificate for this site is null"); 16585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu } 1669066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 16752cd299eef703030f8fcf7a92f413791301771ccJesse Wilson boolean valid = domain != null 16852cd299eef703030f8fcf7a92f413791301771ccJesse Wilson && !domain.isEmpty() 16952cd299eef703030f8fcf7a92f413791301771ccJesse Wilson && sVerifier.verify(domain, currCertificate); 17052cd299eef703030f8fcf7a92f413791301771ccJesse Wilson if (!valid) { 17185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu if (HttpLog.LOGV) { 17285ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu HttpLog.v("certificate not for this host: " + domain); 1739066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 17485ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu return new SslError(SslError.SSL_IDMISMATCH, currCertificate); 1759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 178f743e54f2d761c742d99ac868705818616dcf74fGeremy Condra X509TrustManager x509TrustManager = SSLParametersImpl.getDefaultTrustManager(); 179f743e54f2d761c742d99ac868705818616dcf74fGeremy Condra if (x509TrustManager instanceof TrustManagerImpl) { 180f743e54f2d761c742d99ac868705818616dcf74fGeremy Condra TrustManagerImpl trustManager = (TrustManagerImpl) x509TrustManager; 181f743e54f2d761c742d99ac868705818616dcf74fGeremy Condra trustManager.checkServerTrusted(chain, authType, domain); 182f743e54f2d761c742d99ac868705818616dcf74fGeremy Condra } else { 183f743e54f2d761c742d99ac868705818616dcf74fGeremy Condra x509TrustManager.checkServerTrusted(chain, authType); 184f743e54f2d761c742d99ac868705818616dcf74fGeremy Condra } 18585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu return null; // No errors. 186866666071bc49bd0c4fcd1776c9d9036d4e29fecBrian Carlstrom } catch (GeneralSecurityException e) { 1879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 18885ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu HttpLog.v("failed to validate the certificate chain, error: " + 1899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project e.getMessage()); 1909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 19185ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu return new SslError(SslError.SSL_UNTRUSTED, currCertificate); 1929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1949066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 19585ffa26f67efad30912e1561b5123b6f8f5827eeHuahui Wu 1969066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private void closeSocketThrowException( 1979066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSocket socket, String errorMessage, String defaultErrorMessage) 1989066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException { 1999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project closeSocketThrowException( 2009066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project socket, errorMessage != null ? errorMessage : defaultErrorMessage); 2019066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2029066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2039066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private void closeSocketThrowException(SSLSocket socket, 2049066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String errorMessage) throws IOException { 2059066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (HttpLog.LOGV) { 2069066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project HttpLog.v("validation error: " + errorMessage); 2079066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2089066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2099066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (socket != null) { 2109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSession session = socket.getSession(); 2119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (session != null) { 2129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project session.invalidate(); 2139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project socket.close(); 2169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new SSLHandshakeException(errorMessage); 2199066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2209066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project} 221