/* * Copyright (C) 2012 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package android.net.http; import android.annotation.SystemApi; import android.security.net.config.UserCertificateSource; import com.android.org.conscrypt.TrustManagerImpl; import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.List; import javax.net.ssl.X509TrustManager; /** * X509TrustManager wrapper exposing Android-added features. *

* The checkServerTrusted method allows callers to perform additional * verification of certificate chains after they have been successfully verified * by the platform. *

*/ public class X509TrustManagerExtensions { private final TrustManagerImpl mDelegate; // Methods to use when mDelegate is not a TrustManagerImpl and duck typing is being used. private final X509TrustManager mTrustManager; private final Method mCheckServerTrusted; private final Method mIsSameTrustConfiguration; /** * Constructs a new X509TrustManagerExtensions wrapper. * * @param tm A {@link X509TrustManager} as returned by TrustManagerFactory.getInstance(); * @throws IllegalArgumentException If tm is an unsupported TrustManager type. */ public X509TrustManagerExtensions(X509TrustManager tm) throws IllegalArgumentException { if (tm instanceof TrustManagerImpl) { mDelegate = (TrustManagerImpl) tm; mTrustManager = null; mCheckServerTrusted = null; mIsSameTrustConfiguration = null; return; } // Use duck typing if possible. mDelegate = null; mTrustManager = tm; // Check that the hostname aware checkServerTrusted is present. try { mCheckServerTrusted = tm.getClass().getMethod("checkServerTrusted", X509Certificate[].class, String.class, String.class); } catch (NoSuchMethodException e) { throw new IllegalArgumentException("Required method" + " checkServerTrusted(X509Certificate[], String, String, String) missing"); } // Get the option isSameTrustConfiguration method. Method isSameTrustConfiguration = null; try { isSameTrustConfiguration = tm.getClass().getMethod("isSameTrustConfiguration", String.class, String.class); } catch (ReflectiveOperationException ignored) { } mIsSameTrustConfiguration = isSameTrustConfiguration; } /** * Verifies the given certificate chain. * *

See {@link X509TrustManager#checkServerTrusted(X509Certificate[], String)} for a * description of the chain and authType parameters. The final parameter, host, should be the * hostname of the server.

* * @throws CertificateException if the chain does not verify correctly. * @return the properly ordered chain used for verification as a list of X509Certificates. */ public List checkServerTrusted(X509Certificate[] chain, String authType, String host) throws CertificateException { if (mDelegate != null) { return mDelegate.checkServerTrusted(chain, authType, host); } else { try { return (List) mCheckServerTrusted.invoke(mTrustManager, chain, authType, host); } catch (IllegalAccessException e) { throw new CertificateException("Failed to call checkServerTrusted", e); } catch (InvocationTargetException e) { if (e.getCause() instanceof CertificateException) { throw (CertificateException) e.getCause(); } if (e.getCause() instanceof RuntimeException) { throw (RuntimeException) e.getCause(); } throw new CertificateException("checkServerTrusted failed", e.getCause()); } } } /** * Checks whether a CA certificate is added by an user. * *

Since {@link X509TrustManager#checkServerTrusted} may allow its parameter {@code chain} to * chain up to user-added CA certificates, this method can be used to perform additional * policies for user-added CA certificates. * * @return {@code true} to indicate that the certificate authority exists in the user added * certificate store, {@code false} otherwise. */ public boolean isUserAddedCertificate(X509Certificate cert) { return UserCertificateSource.getInstance().findBySubjectAndPublicKey(cert) != null; } /** * Returns {@code true} if the TrustManager uses the same trust configuration for the provided * hostnames. * * @hide */ @SystemApi public boolean isSameTrustConfiguration(String hostname1, String hostname2) { if (mIsSameTrustConfiguration == null) { return true; } try { return (Boolean) mIsSameTrustConfiguration.invoke(mTrustManager, hostname1, hostname2); } catch (IllegalAccessException e) { throw new RuntimeException("Failed to call isSameTrustConfiguration", e); } catch (InvocationTargetException e) { if (e.getCause() instanceof RuntimeException) { throw (RuntimeException) e.getCause(); } else { throw new RuntimeException("isSameTrustConfiguration failed", e.getCause()); } } } }