/*
 * Copyright (C) 2016 Square, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.squareup.okhttp.internal.tls;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

/**
 * A index of trusted root certificates that exploits knowledge of Android implementation details.
 * This class is potentially much faster to initialize than {@link RealTrustRootIndex} because
 * it doesn't need to load and index trusted CA certificates.
 */
public final class AndroidTrustRootIndex implements TrustRootIndex {
  private final X509TrustManager trustManager;
  private final Method findByIssuerAndSignatureMethod;

  public AndroidTrustRootIndex(
      X509TrustManager trustManager, Method findByIssuerAndSignatureMethod) {
    this.findByIssuerAndSignatureMethod = findByIssuerAndSignatureMethod;
    this.trustManager = trustManager;
  }

  @Override public X509Certificate findByIssuerAndSignature(X509Certificate cert) {
    try {
      TrustAnchor trustAnchor = (TrustAnchor) findByIssuerAndSignatureMethod.invoke(
          trustManager, cert);
      return trustAnchor != null
          ? trustAnchor.getTrustedCert()
          : null;
    } catch (IllegalAccessException e) {
      throw new AssertionError();
    } catch (InvocationTargetException e) {
      return null;
    }
  }

  public static TrustRootIndex get(X509TrustManager trustManager) {
    // From org.conscrypt.TrustManagerImpl, we want the method with this signature:
    // private TrustAnchor findTrustAnchorByIssuerAndSignature(X509Certificate lastCert);
    try {
      Method method = trustManager.getClass().getDeclaredMethod(
          "findTrustAnchorByIssuerAndSignature", X509Certificate.class);
      method.setAccessible(true);
      return new AndroidTrustRootIndex(trustManager, method);
    } catch (NoSuchMethodException e) {
      return null;
    }
  }
}