/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.squareup.okhttp.internal.tls; import java.security.GeneralSecurityException; import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.util.ArrayDeque; import java.util.ArrayList; import java.util.Deque; import java.util.Iterator; import java.util.List; import javax.net.ssl.SSLPeerUnverifiedException; /** * Computes the effective certificate chain from the raw array returned by Java's built in TLS APIs. * Cleaning a chain returns a list of certificates where the first element is {@code chain[0]}, each * certificate is signed by the certificate that follows, and the last certificate is a trusted CA * certificate. * *
Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to * the TLS handshake and to extract the trusted CA certificate for the benefit of certificate * pinning. * *
This class includes code from Conscrypt's {@code * TrustManagerImpl} and {@code TrustedCertificateIndex}. */ public final class CertificateChainCleaner { /** The maximum number of signers in a chain. We use 9 for consistency with OpenSSL. */ private static final int MAX_SIGNERS = 9; private final TrustRootIndex trustRootIndex; public CertificateChainCleaner(TrustRootIndex trustRootIndex) { this.trustRootIndex = trustRootIndex; } /** * Returns a cleaned chain for {@code chain}. * *
This method throws if the complete chain to a trusted CA certificate cannot be constructed.
* This is unexpected unless the trust root index in this class has a different trust manager than
* what was used to establish {@code chain}.
*/
public List