diff options
| author | Brian Carlstrom <bdc@google.com> | 2011-01-30 17:41:48 -0800 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2011-01-30 17:41:48 -0800 |
| commit | c0779d54195b5b81be9c29e1b46a18022758ef27 (patch) | |
| tree | 6f840b28bf7f587a69d9224eb39862dabe736514 /luni | |
| parent | a3c20957501930e222d2e1c4dec1c9099cc88f07 (diff) | |
| parent | c906eaf2617d6c8f9eb7a3578386845da390956c (diff) | |
| download | libcore-c0779d54195b5b81be9c29e1b46a18022758ef27.zip libcore-c0779d54195b5b81be9c29e1b46a18022758ef27.tar.gz libcore-c0779d54195b5b81be9c29e1b46a18022758ef27.tar.bz2 | |
am c906eaf2: am 7374d4fa: am 90ff8e2c: Remember intermediate CAs in TrustMangerImpl\'s IndexedPKIXParameters
* commit 'c906eaf2617d6c8f9eb7a3578386845da390956c':
Remember intermediate CAs in TrustMangerImpl's IndexedPKIXParameters
Diffstat (limited to 'luni')
| -rw-r--r-- | luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java | 79 | ||||
| -rw-r--r-- | luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java | 26 |
2 files changed, 52 insertions, 53 deletions
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java index c48e331..802ec52 100644 --- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java +++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java @@ -17,11 +17,8 @@ package org.apache.harmony.xnet.provider.jsse; import java.security.InvalidAlgorithmParameterException; -import java.security.KeyStore; -import java.security.KeyStoreException; import java.security.PublicKey; import java.security.cert.CertPathValidatorException; -import java.security.cert.CertificateEncodingException; import java.security.cert.PKIXParameters; import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; @@ -37,7 +34,7 @@ import javax.security.auth.x500.X500Principal; /** * Indexes trust anchors so they can be found in O(1) time instead of O(N). */ -public class IndexedPKIXParameters extends PKIXParameters { +public final class IndexedPKIXParameters extends PKIXParameters { private final Map<X500Principal, List<TrustAnchor>> subjectToTrustAnchors = new HashMap<X500Principal, List<TrustAnchor>>(); @@ -48,22 +45,22 @@ public class IndexedPKIXParameters extends PKIXParameters { index(); } - public IndexedPKIXParameters(KeyStore keyStore) - throws KeyStoreException, InvalidAlgorithmParameterException { - super(keyStore); - index(); - } - private void index() { for (TrustAnchor anchor : getTrustAnchors()) { - X500Principal subject; - X509Certificate cert = anchor.getTrustedCert(); - if (cert != null) { - subject = cert.getSubjectX500Principal(); - } else { - subject = anchor.getCA(); - } + index(anchor); + } + } + public void index(TrustAnchor anchor) { + X500Principal subject; + X509Certificate cert = anchor.getTrustedCert(); + if (cert != null) { + subject = cert.getSubjectX500Principal(); + } else { + subject = anchor.getCA(); + } + + synchronized (subjectToTrustAnchors) { List<TrustAnchor> anchors = subjectToTrustAnchors.get(subject); if (anchors == null) { anchors = new ArrayList<TrustAnchor>(); @@ -76,25 +73,27 @@ public class IndexedPKIXParameters extends PKIXParameters { public TrustAnchor findTrustAnchor(X509Certificate cert) throws CertPathValidatorException { X500Principal issuer = cert.getIssuerX500Principal(); - List<TrustAnchor> anchors = subjectToTrustAnchors.get(issuer); - if (anchors == null) { - return null; - } - Exception verificationException = null; - for (TrustAnchor anchor : anchors) { - PublicKey publicKey; - try { - X509Certificate caCert = anchor.getTrustedCert(); - if (caCert != null) { - publicKey = caCert.getPublicKey(); - } else { - publicKey = anchor.getCAPublicKey(); + synchronized (subjectToTrustAnchors) { + List<TrustAnchor> anchors = subjectToTrustAnchors.get(issuer); + if (anchors == null) { + return null; + } + + for (TrustAnchor anchor : anchors) { + PublicKey publicKey; + try { + X509Certificate caCert = anchor.getTrustedCert(); + if (caCert != null) { + publicKey = caCert.getPublicKey(); + } else { + publicKey = anchor.getCAPublicKey(); + } + cert.verify(publicKey); + return anchor; + } catch (Exception e) { + verificationException = e; } - cert.verify(publicKey); - return anchor; - } catch (Exception e) { - verificationException = e; } } @@ -110,14 +109,16 @@ public class IndexedPKIXParameters extends PKIXParameters { public boolean isTrustAnchor(X509Certificate cert) { X500Principal subject = cert.getSubjectX500Principal(); - List<TrustAnchor> anchors = subjectToTrustAnchors.get(subject); - if (anchors == null) { - return false; + synchronized (subjectToTrustAnchors) { + List<TrustAnchor> anchors = subjectToTrustAnchors.get(subject); + if (anchors == null) { + return false; + } + return isTrustAnchor(cert, anchors); } - return isTrustAnchor(cert, anchors); } - public static boolean isTrustAnchor(X509Certificate cert, Collection<TrustAnchor> anchors) { + private static boolean isTrustAnchor(X509Certificate cert, Collection<TrustAnchor> anchors) { PublicKey certPublicKey = cert.getPublicKey(); for (TrustAnchor anchor : anchors) { PublicKey caPublicKey; diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java index 91ad1f8..01af5b3 100644 --- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java +++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java @@ -48,7 +48,7 @@ public class TrustManagerImpl implements X509TrustManager { private final CertPathValidator validator; - private final PKIXParameters params; + private final IndexedPKIXParameters params; private final X509Certificate[] acceptedIssuers; @@ -64,7 +64,7 @@ public class TrustManagerImpl implements X509TrustManager { public TrustManagerImpl(KeyStore ks) { CertPathValidator validatorLocal = null; CertificateFactory factoryLocal = null; - PKIXParameters paramsLocal = null; + IndexedPKIXParameters paramsLocal = null; X509Certificate[] acceptedIssuersLocal = null; Exception errLocal = null; try { @@ -155,6 +155,15 @@ public class TrustManagerImpl implements X509TrustManager { } try { validator.validate(certPath, params); + // Add intermediate CAs to the index to tolerate sites + // that assume that the browser will have cached these. + // The server certificate is skipped by skipping the + // zeroth element of new chain and note that the root CA + // will have been removed in cleanupCertChain. + // http://b/3404902 + for (int i = 1; i < newChain.length; i++) { + params.index(new TrustAnchor(newChain[i], null)); + } } catch (InvalidAlgorithmParameterException e) { throw new CertificateException(e); } catch (CertPathValidatorException e) { @@ -182,7 +191,7 @@ public class TrustManagerImpl implements X509TrustManager { for (currIndex = 0; currIndex < chain.length; currIndex++) { // If the current cert is a TrustAnchor, we can ignore the rest of the chain. // This avoids including "bridge" CA certs that added for legacy compatability. - if (isTrustAnchor(chain[currIndex])) { + if (params.isTrustAnchor(chain[currIndex])) { currIndex--; break; } @@ -226,17 +235,6 @@ public class TrustManagerImpl implements X509TrustManager { } /** - * Checks whether the given certificate is found in our trust store. - */ - private boolean isTrustAnchor(X509Certificate cert) { - if (params instanceof IndexedPKIXParameters) { - IndexedPKIXParameters index = (IndexedPKIXParameters) params; - return index.isTrustAnchor(cert); - } - return IndexedPKIXParameters.isTrustAnchor(cert, params.getTrustAnchors()); - } - - /** * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers() */ public X509Certificate[] getAcceptedIssuers() { |