author | Kenny Root <kroot@google.com> | 2014-03-20 12:38:31 -0700 |
---|---|---|
committer | Kenny Root <kroot@google.com> | 2014-03-25 09:33:50 -0700 |
commit | 70bf6bc3ad78ed9a0a7a5767381ad6c25debbd70 (patch) | |
tree | 79b350f0ea2f2b0b69c49670e405319f5226952b /support | |
parent | b2a2836df6df3f2a70922f69806759535addee44 (diff) | |
Add X509ExtendedTrustManager
This adds the X509ExtendedTrustManager class and all its ancillary
methods that allow it to be used. This allows the
endpointVerificationAlgorithm setting to be enabled on SSLSocket to
check that the certificate given for the endpoint during the handshake
matches the expected hostname.
Since X509ExtendedTrustManager allows you to pass in an SSLSocket, there
is a new call added to SSLSocket called getHandshakeSession which does
not force the handshake to take place.
Bug: 13103812
Change-Id: I18a18b4f457d1676c8dc9a2a7bf7c3c4646a0425
Diffstat (limited to 'support')
3 files changed, 123 insertions, 16 deletions
diff --git a/support/src/test/java/libcore/java/security/TestKeyStore.java b/support/src/test/java/libcore/java/security/TestKeyStore.java
index 0232969..86d6f4c 100644
--- a/support/src/test/java/libcore/java/security/TestKeyStore.java
+++ b/support/src/test/java/libcore/java/security/TestKeyStore.java
@@ -154,11 +154,16 @@ public final class TestKeyStore extends Assert {
 .signer(ROOT_CA.getPrivateKey("RSA", "RSA"))
 .rootCa(ROOT_CA.getRootCertificate("RSA"))
 .build();
- SERVER = new Builder()
- .aliasPrefix("server")
- .signer(INTERMEDIATE_CA.getPrivateKey("RSA", "RSA"))
- .rootCa(INTERMEDIATE_CA.getRootCertificate("RSA"))
- .build();
+ try {
+ SERVER = new Builder()
+ .aliasPrefix("server")
+ .signer(INTERMEDIATE_CA.getPrivateKey("RSA", "RSA"))
+ .rootCa(INTERMEDIATE_CA.getRootCertificate("RSA"))
+ .addSubjectAltNameIpAddress(InetAddress.getLocalHost().getAddress())
+ .build();
+ } catch (UnknownHostException e) {
+ throw new RuntimeException(e);
+ }
 CLIENT = new TestKeyStore(createClient(INTERMEDIATE_CA.keyStore), null, null);
 CLIENT_CERTIFICATE = new Builder()
 .aliasPrefix("client")
diff --git a/support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java b/support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java
index 7f3ac46..64c8ccb 100644
--- a/support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java
+++ b/support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java
@@ -33,6 +33,7 @@ import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
 import junit.framework.Assert;
 import libcore.java.security.StandardNames;
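Review bot: The server certificate's only IP subjectAltName comes from `InetAddress.getLocalHost().getAddress()` in the TestKeyStore hunk, which resolves the machine's hostname at class-initialisation time and may yield a non-loopback address; if the test server is bound to the loopback address instead (not visible in this hunk), endpoint identification will reject the certificate and the failure will surface as a trust error rather than a hostname mismatch. The new catch also turns a resolver failure into an ExceptionInInitializerError for the whole fixture, so the environment dependency is worth stating. Consider a second addSubjectAltNameIpAddress call for the loopback address if the builder accepts several, or at least a comment such as `// SAN must match the address the tests connect to, or endpoint identification rejects SERVER`. The static initializer continues outside the hunk.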
@@ -82,8 +83,8 @@ public final class TestSSLContext extends Assert {
 public final char[] serverStorePassword;
 public final KeyManager[] clientKeyManagers;
 public final KeyManager[] serverKeyManagers;
- public final X509TrustManager clientTrustManager;
- public final X509TrustManager serverTrustManager;
+ public final X509ExtendedTrustManager clientTrustManager;
+ public final X509ExtendedTrustManager serverTrustManager;
 public final SSLContext clientContext;
 public final SSLContext serverContext;
 public final SSLServerSocket serverSocket;
@@ -96,8 +97,8 @@ public final class TestSSLContext extends Assert {
 char[] serverStorePassword,
 KeyManager[] clientKeyManagers,
 KeyManager[] serverKeyManagers,
- X509TrustManager clientTrustManager,
- X509TrustManager serverTrustManager,
+ X509ExtendedTrustManager clientTrustManager,
+ X509ExtendedTrustManager serverTrustManager,
 SSLContext clientContext,
 SSLContext serverContext,
 SSLServerSocket serverSocket,
@@ -176,8 +177,8 @@ public final class TestSSLContext extends Assert {
 serverKeyStore, serverStorePassword,
 clientKeyManagers, serverKeyManagers,
- (X509TrustManager) clientTrustManagers,
- (X509TrustManager) serverTrustManagers,
+ (X509ExtendedTrustManager) clientTrustManagers,
+ (X509ExtendedTrustManager) serverTrustManagers,
 clientContext, serverContext, serverSocket,
 host, port);
 } catch (RuntimeException e) {
diff --git a/support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java b/support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
index c3511b4..b703984 100644
--- a/support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
+++ b/support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
@@ -17,7 +17,10 @@ package libcore.javax.net.ssl;
 import java.io.PrintStream;
+import java.net.Socket;
+import javax.net.ssl.SSLEngine;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -26,15 +29,16 @@ import libcore.java.security.StandardNames;
 /**
 * TestTrustManager is a simple proxy class that wraps an existing
- * X509TrustManager to provide debug logging and recording of
+ * X509ExtendedTrustManager to provide debug logging and recording of
 * values.
 */
-public final class TestTrustManager implements X509TrustManager {
+public final class TestTrustManager extends X509ExtendedTrustManager {
 private static final boolean LOG = false;
 private static final PrintStream out = LOG ? System.out : new NullPrintStream();
 private final X509TrustManager trustManager;
+ private final X509ExtendedTrustManager extendedTrustManager;
 public static TrustManager[] wrap(TrustManager[] trustManagers) {
 TrustManager[] result = trustManagers.clone();
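Review bot: The rewritten class Javadoc in the second hunk now says the proxy wraps an existing X509ExtendedTrustManager, but the class keeps the plain `X509TrustManager trustManager` field alongside the new `extendedTrustManager` one, and the wrap() logic in the following hunk still accepts a plain X509TrustManager, so the doc understates what the class handles. Suggest `* X509TrustManager or X509ExtendedTrustManager to provide debug logging and recording of`, and a sentence noting that for a plain delegate the Socket/SSLEngine overloads degrade to the two-argument checks. The class body continues outside the hunk.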
@@ -45,14 +49,23 @@ public final class TestTrustManager implements X509TrustManager {
 }
 public static TrustManager wrap(TrustManager trustManager) {
- if (!(trustManager instanceof X509TrustManager)) {
- return trustManager;
+ if (trustManager instanceof X509ExtendedTrustManager) {
+ return new TestTrustManager((X509ExtendedTrustManager) trustManager);
+ } else if (trustManager instanceof X509TrustManager) {
+ return new TestTrustManager((X509TrustManager) trustManager);
 }
- return new TestTrustManager((X509TrustManager) trustManager);
+ return trustManager;
+ }
+
+ public TestTrustManager(X509ExtendedTrustManager trustManager) {
+ out.println("TestTrustManager.<init> extendedTrustManager=" + trustManager);
+ this.extendedTrustManager = trustManager;
+ this.trustManager = trustManager;
 }
 public TestTrustManager(X509TrustManager trustManager) {
 out.println("TestTrustManager.<init> trustManager=" + trustManager);
+ this.extendedTrustManager = null;
 this.trustManager = trustManager;
 }
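Review bot: The X509TrustManager constructor's new `this.extendedTrustManager = null;` is the sentinel that the Socket/SSLEngine overloads later in the class test before falling back, but nothing on the field or either constructor states this. A comment on that assignment such as `// null marks a legacy delegate: the Socket/SSLEngine check* overloads fall back to the 2-arg methods` would make the contract visible. In wrap(TrustManager) the order of the two instanceof tests matters because every X509ExtendedTrustManager is also an X509TrustManager; a one-line `// extended test must come first: X509ExtendedTrustManager is-an X509TrustManager` would guard against a future reordering that silently loses the socket/engine path. The enclosing class continues outside the hunk.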
@@ -71,6 +84,50 @@ public final class TestTrustManager implements X509TrustManager {
 }
 }
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
+ throws CertificateException {
+ if (extendedTrustManager == null) {
+ out.print("(fallback to X509TrustManager) ");
+ checkClientTrusted(chain, authType);
+ return;
+ }
+ out.print("TestTrustManager.checkClientTrusted "
+ + "chain=" + chain.length + " "
+ + "authType=" + authType + " "
+ + "socket=" + socket + " ");
+ try {
+ assertClientAuthType(authType);
+ extendedTrustManager.checkClientTrusted(chain, authType, socket);
+ out.println("OK");
+ } catch (CertificateException e) {
+ e.printStackTrace(out);
+ throw e;
+ }
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
+ throws CertificateException {
+ if (extendedTrustManager == null) {
+ out.print("(fallback to X509TrustManager) ");
+ checkClientTrusted(chain, authType);
+ return;
+ }
+ out.print("TestTrustManager.checkClientTrusted "
+ + "chain=" + chain.length + " "
+ + "authType=" + authType + " "
+ + "engine=" + engine + " ");
+ try {
+ assertClientAuthType(authType);
+ extendedTrustManager.checkClientTrusted(chain, authType, engine);
+ out.println("OK");
+ } catch (CertificateException e) {
+ e.printStackTrace(out);
+ throw e;
+ }
+ }
+
 private void assertClientAuthType(String authType) {
 if (!StandardNames.CLIENT_AUTH_TYPES.contains(authType)) {
 throw new AssertionError("Unexpected client auth type " + authType);
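Review bot: The fallback branch at the top of both new checkClientTrusted overloads discards the Socket or SSLEngine and calls the two-argument check, so when a plain X509TrustManager was wrapped, no check that depends on that socket or engine — including the endpoint identification this commit is enabling — is performed on that path. Because TestTrustManager itself now extends X509ExtendedTrustManager, the SSLContext that receives it cannot see that the delegate is a legacy manager, and a provider that otherwise supplements plain X509TrustManagers with its own hostname check may (presumably) skip it; the same applies to the two checkServerTrusted overloads in the next hunk. That silent downgrade is worth recording in the code: a comment on the branch such as `// Legacy delegate: socket/engine is dropped, so endpoint identification is not exercised here` and a more explicit log line, e.g. `out.print("(fallback to X509TrustManager, endpoint identification skipped) ");`. The enclosing class continues outside the hunk.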
@@ -92,6 +149,50 @@ public final class TestTrustManager implements X509TrustManager {
 }
 }
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
+ throws CertificateException {
+ if (extendedTrustManager == null) {
+ out.print("(fallback to X509TrustManager) ");
+ checkServerTrusted(chain, authType);
+ return;
+ }
+ out.print("TestTrustManager.checkServerTrusted "
+ + "chain=" + chain.length + " "
+ + "authType=" + authType + " "
+ + "socket=" + socket.toString() + " ");
+ try {
+ assertServerAuthType(authType);
+ extendedTrustManager.checkServerTrusted(chain, authType, socket);
+ out.println("OK");
+ } catch (CertificateException e) {
+ e.printStackTrace(out);
+ throw e;
+ }
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
+ throws CertificateException {
+ if (extendedTrustManager == null) {
+ out.print("(fallback to X509TrustManager) ");
+ checkServerTrusted(chain, authType);
+ return;
+ }
+ out.print("TestTrustManager.checkServerTrusted "
+ + "chain=" + chain.length + " "
+ + "authType=" + authType + " "
+ + "engine=" + engine.toString() + " ");
+ try {
+ assertServerAuthType(authType);
+ extendedTrustManager.checkServerTrusted(chain, authType, engine);
+ out.println("OK");
+ } catch (CertificateException e) {
+ e.printStackTrace(out);
+ throw e;
+ }
+ }
+
 private void assertServerAuthType(String authType) {
 if (!StandardNames.SERVER_AUTH_TYPES.contains(authType)) {
 throw new AssertionError("Unexpected server auth type " + authType); |
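Review bot: `"socket=" + socket.toString()` and `"engine=" + engine.toString()` in the two new checkServerTrusted overloads differ from the client-side overloads in the previous hunk, which concatenate the object directly; the explicit toString() throws NullPointerException if the argument is ever null, where the client overloads would simply print "null", so the logging wrapper could fail before the delegate is consulted. Writing them as `+ "socket=" + socket + " ");` and `+ "engine=" + engine + " ");` keeps all four log lines uniform and removes that difference. The enclosing class continues outside the hunk.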