1/*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.net.http;
18
19import com.android.org.conscrypt.TrustManagerImpl;
20
21import java.security.cert.CertificateException;
22import java.security.cert.X509Certificate;
23import java.util.List;
24
25import javax.net.ssl.X509TrustManager;
26
27/**
28 * X509TrustManager wrapper exposing Android-added features.
29 * <p>
30 * The checkServerTrusted method allows callers to perform additional
31 * verification of certificate chains after they have been successfully verified
32 * by the platform.
33 * </p>
34 */
35public class X509TrustManagerExtensions {
36
37    final TrustManagerImpl mDelegate;
38
39    /**
40     * Constructs a new X509TrustManagerExtensions wrapper.
41     *
42     * @param tm A {@link X509TrustManager} as returned by TrustManagerFactory.getInstance();
43     * @throws IllegalArgumentException If tm is an unsupported TrustManager type.
44     */
45    public X509TrustManagerExtensions(X509TrustManager tm) throws IllegalArgumentException {
46        if (tm instanceof TrustManagerImpl) {
47            mDelegate = (TrustManagerImpl) tm;
48        } else {
49            mDelegate = null;
50            throw new IllegalArgumentException("tm is an instance of " + tm.getClass().getName() +
51                    " which is not a supported type of X509TrustManager");
52        }
53    }
54
55    /**
56     * Verifies the given certificate chain.
57     *
58     * <p>See {@link X509TrustManager#checkServerTrusted(X509Certificate[], String)} for a
59     * description of the chain and authType parameters. The final parameter, host, should be the
60     * hostname of the server.</p>
61     *
62     * @throws CertificateException if the chain does not verify correctly.
63     * @return the properly ordered chain used for verification as a list of X509Certificates.
64     */
65    public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType,
66                                                    String host) throws CertificateException {
67        return mDelegate.checkServerTrusted(chain, authType, host);
68    }
69
70    /**
71     * Checks whether a CA certificate is added by an user.
72     *
73     * <p>Since {@link X509TrustManager#checkServerTrusted} allows its parameter {@code chain} to
74     * chain up to user-added CA certificates, this method can be used to perform additional
75     * policies for user-added CA certificates.
76     *
77     * @return {@code true} to indicate that the certificate was added by the user, {@code false}
78     * otherwise.
79     */
80    public boolean isUserAddedCertificate(X509Certificate cert) {
81        return mDelegate.isUserAddedCertificate(cert);
82    }
83}
84