1/* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package android.security.net.config; 18 19import android.content.Context; 20import android.util.ArraySet; 21import libcore.io.IoUtils; 22import java.io.InputStream; 23import java.security.cert.Certificate; 24import java.security.cert.CertificateException; 25import java.security.cert.CertificateFactory; 26import java.security.cert.X509Certificate; 27import java.util.Collection; 28import java.util.Collections; 29import java.util.Set; 30 31import com.android.org.conscrypt.TrustedCertificateIndex; 32 33/** 34 * {@link CertificateSource} based on certificates contained in an application resource file. 35 * @hide 36 */ 37public class ResourceCertificateSource implements CertificateSource { 38 private final Object mLock = new Object(); 39 private final int mResourceId; 40 41 private Set<X509Certificate> mCertificates; 42 private Context mContext; 43 private TrustedCertificateIndex mIndex; 44 45 public ResourceCertificateSource(int resourceId, Context context) { 46 mResourceId = resourceId; 47 mContext = context; 48 } 49 50 private void ensureInitialized() { 51 synchronized (mLock) { 52 if (mCertificates != null) { 53 return; 54 } 55 Set<X509Certificate> certificates = new ArraySet<X509Certificate>(); 56 Collection<? extends Certificate> certs; 57 InputStream in = null; 58 try { 59 CertificateFactory factory = CertificateFactory.getInstance("X.509"); 60 in = mContext.getResources().openRawResource(mResourceId); 61 certs = factory.generateCertificates(in); 62 } catch (CertificateException e) { 63 throw new RuntimeException("Failed to load trust anchors from id " + mResourceId, 64 e); 65 } finally { 66 IoUtils.closeQuietly(in); 67 } 68 TrustedCertificateIndex indexLocal = new TrustedCertificateIndex(); 69 for (Certificate cert : certs) { 70 certificates.add((X509Certificate) cert); 71 indexLocal.index((X509Certificate) cert); 72 } 73 mCertificates = certificates; 74 mIndex = indexLocal; 75 mContext = null; 76 } 77 } 78 79 @Override 80 public Set<X509Certificate> getCertificates() { 81 ensureInitialized(); 82 return mCertificates; 83 } 84 85 @Override 86 public X509Certificate findBySubjectAndPublicKey(X509Certificate cert) { 87 ensureInitialized(); 88 java.security.cert.TrustAnchor anchor = mIndex.findBySubjectAndPublicKey(cert); 89 if (anchor == null) { 90 return null; 91 } 92 return anchor.getTrustedCert(); 93 } 94 95 @Override 96 public X509Certificate findByIssuerAndSignature(X509Certificate cert) { 97 ensureInitialized(); 98 java.security.cert.TrustAnchor anchor = mIndex.findByIssuerAndSignature(cert); 99 if (anchor == null) { 100 return null; 101 } 102 return anchor.getTrustedCert(); 103 } 104 105 @Override 106 public Set<X509Certificate> findAllByIssuerAndSignature(X509Certificate cert) { 107 ensureInitialized(); 108 Set<java.security.cert.TrustAnchor> anchors = mIndex.findAllByIssuerAndSignature(cert); 109 if (anchors.isEmpty()) { 110 return Collections.<X509Certificate>emptySet(); 111 } 112 Set<X509Certificate> certs = new ArraySet<X509Certificate>(anchors.size()); 113 for (java.security.cert.TrustAnchor anchor : anchors) { 114 certs.add(anchor.getTrustedCert()); 115 } 116 return certs; 117 } 118 119 @Override 120 public void handleTrustStorageUpdate() { 121 // Nothing to do, resource sources never change. 122 } 123} 124