1/*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.net.http;
18
19import com.android.org.conscrypt.TrustManagerImpl;
20
21import java.security.cert.CertificateException;
22import java.security.cert.X509Certificate;
23import java.util.List;
24
25import javax.net.ssl.SSLParameters;
26import javax.net.ssl.SSLSocket;
27import javax.net.ssl.X509TrustManager;
28
29/**
30 * X509TrustManager wrapper exposing Android-added features.
31 * <p>
32 * The checkServerTrusted method allows callers to perform additional
33 * verification of certificate chains after they have been successfully verified
34 * by the platform.
35 * </p>
36 */
37public class X509TrustManagerExtensions {
38
39    TrustManagerImpl mDelegate;
40
41    /**
42     * Constructs a new X509TrustManagerExtensions wrapper.
43     *
44     * @param tm A {@link X509TrustManager} as returned by TrustManagerFactory.getInstance();
45     * @throws IllegalArgumentException If tm is an unsupported TrustManager type.
46     */
47    public X509TrustManagerExtensions(X509TrustManager tm) throws IllegalArgumentException {
48        if (tm instanceof TrustManagerImpl) {
49            mDelegate = (TrustManagerImpl) tm;
50        } else {
51            throw new IllegalArgumentException("tm is an instance of " + tm.getClass().getName() +
52                    " which is not a supported type of X509TrustManager");
53        }
54    }
55
56    /**
57     * Verifies the given certificate chain.
58     *
59     * <p>See {@link X509TrustManager#checkServerTrusted(X509Certificate[], String)} for a
60     * description of the chain and authType parameters. The final parameter, host, should be the
61     * hostname of the server.</p>
62     *
63     * @throws CertificateException if the chain does not verify correctly.
64     * @return the properly ordered chain used for verification as a list of X509Certificates.
65     */
66    public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType,
67                                                    String host) throws CertificateException {
68        return mDelegate.checkServerTrusted(chain, authType, host);
69    }
70
71    /**
72     * Checks whether a CA certificate is added by an user.
73     *
74     * <p>Since {@link X509TrustManager#checkServerTrusted} allows its parameter {@code chain} to
75     * chain up to user-added CA certificates, this method can be used to perform additional
76     * policies for user-added CA certificates.
77     *
78     * @return {@code true} to indicate that the certificate was added by the user, {@code false}
79     * otherwise.
80     */
81    public boolean isUserAddedCertificate(X509Certificate cert) {
82        return mDelegate.isUserAddedCertificate(cert);
83    }
84}
85