/*
* Copyright (C) 2012 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.net.http;
import android.annotation.SystemApi;
import android.security.net.config.UserCertificateSource;
import com.android.org.conscrypt.TrustManagerImpl;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.X509TrustManager;
/**
* X509TrustManager wrapper exposing Android-added features.
* <p>
* The checkServerTrusted method allows callers to perform additional
* verification of certificate chains after they have been successfully verified
* by the platform.
* </p>
*/
public class X509TrustManagerExtensions {
private final TrustManagerImpl mDelegate;
// Methods to use when mDelegate is not a TrustManagerImpl and duck typing is being used.
private final X509TrustManager mTrustManager;
private final Method mCheckServerTrusted;
private final Method mIsSameTrustConfiguration;
/**
* Constructs a new X509TrustManagerExtensions wrapper.
*
* @param tm A {@link X509TrustManager} as returned by TrustManagerFactory.getInstance();
* @throws IllegalArgumentException If tm is an unsupported TrustManager type.
*/
public X509TrustManagerExtensions(X509TrustManager tm) throws IllegalArgumentException {
if (tm instanceof TrustManagerImpl) {
mDelegate = (TrustManagerImpl) tm;
mTrustManager = null;
mCheckServerTrusted = null;
mIsSameTrustConfiguration = null;
return;
}
// Use duck typing if possible.
mDelegate = null;
mTrustManager = tm;
// Check that the hostname aware checkServerTrusted is present.
try {
mCheckServerTrusted = tm.getClass().getMethod("checkServerTrusted",
X509Certificate[].class,
String.class,
String.class);
} catch (NoSuchMethodException e) {
throw new IllegalArgumentException("Required method"
+ " checkServerTrusted(X509Certificate[], String, String, String) missing");
}
// Get the option isSameTrustConfiguration method.
Method isSameTrustConfiguration = null;
try {
isSameTrustConfiguration = tm.getClass().getMethod("isSameTrustConfiguration",
String.class,
String.class);
} catch (ReflectiveOperationException ignored) {
}
mIsSameTrustConfiguration = isSameTrustConfiguration;
}
/**
* Verifies the given certificate chain.
*
* <p>See {@link X509TrustManager#checkServerTrusted(X509Certificate[], String)} for a
* description of the chain and authType parameters. The final parameter, host, should be the
* hostname of the server.</p>
*
* @throws CertificateException if the chain does not verify correctly.
* @return the properly ordered chain used for verification as a list of X509Certificates.
*/
public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType,
String host) throws CertificateException {
if (mDelegate != null) {
return mDelegate.checkServerTrusted(chain, authType, host);
} else {
try {
return (List<X509Certificate>) mCheckServerTrusted.invoke(mTrustManager, chain,
authType, host);
} catch (IllegalAccessException e) {
throw new CertificateException("Failed to call checkServerTrusted", e);
} catch (InvocationTargetException e) {
if (e.getCause() instanceof CertificateException) {
throw (CertificateException) e.getCause();
}
if (e.getCause() instanceof RuntimeException) {
throw (RuntimeException) e.getCause();
}
throw new CertificateException("checkServerTrusted failed", e.getCause());
}
}
}
/**
* Checks whether a CA certificate is added by an user.
*
* <p>Since {@link X509TrustManager#checkServerTrusted} may allow its parameter {@code chain} to
* chain up to user-added CA certificates, this method can be used to perform additional
* policies for user-added CA certificates.
*
* @return {@code true} to indicate that the certificate authority exists in the user added
* certificate store, {@code false} otherwise.
*/
public boolean isUserAddedCertificate(X509Certificate cert) {
return UserCertificateSource.getInstance().findBySubjectAndPublicKey(cert) != null;
}
/**
* Returns {@code true} if the TrustManager uses the same trust configuration for the provided
* hostnames.
*/
@SystemApi
public boolean isSameTrustConfiguration(String hostname1, String hostname2) {
if (mIsSameTrustConfiguration == null) {
return true;
}
try {
return (Boolean) mIsSameTrustConfiguration.invoke(mTrustManager, hostname1, hostname2);
} catch (IllegalAccessException e) {
throw new RuntimeException("Failed to call isSameTrustConfiguration", e);
} catch (InvocationTargetException e) {
if (e.getCause() instanceof RuntimeException) {
throw (RuntimeException) e.getCause();
} else {
throw new RuntimeException("isSameTrustConfiguration failed", e.getCause());
}
}
}
}