authorKenny Root <kroot@google.com>2014-03-20 12:38:31 -0700
committerKenny Root <kroot@google.com>2014-03-25 09:33:50 -0700
commit70bf6bc3ad78ed9a0a7a5767381ad6c25debbd70 (patch)
tree79b350f0ea2f2b0b69c49670e405319f5226952b /support
parentb2a2836df6df3f2a70922f69806759535addee44 (diff)
Add X509ExtendedTrustManager
This adds the X509ExtendedTrustManager class and all its ancillary methods that allow it to be used. This allows the endpointVerificationAlgorithm setting to be enabled on SSLSocket to check that the certificate given for the endpoint during the handshake matches the expected hostname. Since X509ExtendedTrustManager allows you to pass in an SSLSocket, there is a new call added to SSLSocket called getHandshakeSession which does not force the handshake to take place. Bug: 13103812 Change-Id: I18a18b4f457d1676c8dc9a2a7bf7c3c4646a0425
Diffstat (limited to 'support')
-rw-r--r--support/src/test/java/libcore/java/security/TestKeyStore.java15
-rw-r--r--support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java13
-rw-r--r--support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java111
3 files changed, 123 insertions, 16 deletions
diff --git a/support/src/test/java/libcore/java/security/TestKeyStore.java b/support/src/test/java/libcore/java/security/TestKeyStore.java
index 0232969..86d6f4c 100644
--- a/support/src/test/java/libcore/java/security/TestKeyStore.java
+++ b/support/src/test/java/libcore/java/security/TestKeyStore.java
@@ -154,11 +154,16 @@ public final class TestKeyStore extends Assert {
.signer(ROOT_CA.getPrivateKey("RSA", "RSA"))
.rootCa(ROOT_CA.getRootCertificate("RSA"))
.build();
- SERVER = new Builder()
- .aliasPrefix("server")
- .signer(INTERMEDIATE_CA.getPrivateKey("RSA", "RSA"))
- .rootCa(INTERMEDIATE_CA.getRootCertificate("RSA"))
- .build();
+ try {
+ SERVER = new Builder()
+ .aliasPrefix("server")
+ .signer(INTERMEDIATE_CA.getPrivateKey("RSA", "RSA"))
+ .rootCa(INTERMEDIATE_CA.getRootCertificate("RSA"))
+ .addSubjectAltNameIpAddress(InetAddress.getLocalHost().getAddress())
+ .build();
+ } catch (UnknownHostException e) {
+ throw new RuntimeException(e);
+ }
CLIENT = new TestKeyStore(createClient(INTERMEDIATE_CA.keyStore), null, null);
CLIENT_CERTIFICATE = new Builder()
.aliasPrefix("client")
diff --git a/support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java b/support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java
index 7f3ac46..64c8ccb 100644
--- a/support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java
+++ b/support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java
@@ -33,6 +33,7 @@ import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import junit.framework.Assert;
import libcore.java.security.StandardNames;
@@ -82,8 +83,8 @@ public final class TestSSLContext extends Assert {
public final char[] serverStorePassword;
public final KeyManager[] clientKeyManagers;
public final KeyManager[] serverKeyManagers;
- public final X509TrustManager clientTrustManager;
- public final X509TrustManager serverTrustManager;
+ public final X509ExtendedTrustManager clientTrustManager;
+ public final X509ExtendedTrustManager serverTrustManager;
public final SSLContext clientContext;
public final SSLContext serverContext;
public final SSLServerSocket serverSocket;
@@ -96,8 +97,8 @@ public final class TestSSLContext extends Assert {
char[] serverStorePassword,
KeyManager[] clientKeyManagers,
KeyManager[] serverKeyManagers,
- X509TrustManager clientTrustManager,
- X509TrustManager serverTrustManager,
+ X509ExtendedTrustManager clientTrustManager,
+ X509ExtendedTrustManager serverTrustManager,
SSLContext clientContext,
SSLContext serverContext,
SSLServerSocket serverSocket,
@@ -176,8 +177,8 @@ public final class TestSSLContext extends Assert {
serverKeyStore, serverStorePassword,
clientKeyManagers,
serverKeyManagers,
- (X509TrustManager) clientTrustManagers,
- (X509TrustManager) serverTrustManagers,
+ (X509ExtendedTrustManager) clientTrustManagers,
+ (X509ExtendedTrustManager) serverTrustManagers,
clientContext, serverContext,
serverSocket, host, port);
} catch (RuntimeException e) {
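Review bot: The casts on L88–L89 now fail with a ClassCastException for any provider whose default trust manager implements only X509TrustManager, where the previous cast only assumed the base X509 interface; whether the `catch (RuntimeException e)` on L92 turns that into a readable failure I cannot tell, since the handler is outside the hunk. Since the class extends Assert, an explicit check before the constructor call gives a clear message: `assertTrue("expected X509ExtendedTrustManager but got " + clientTrustManagers, clientTrustManagers instanceof X509ExtendedTrustManager);` and the same for `serverTrustManagers`. The field and parameter type changes on L64–L67 and L75–L78 follow from this cast and need no separate treatment. The enclosing method starts outside the hunk.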
diff --git a/support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java b/support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
index c3511b4..b703984 100644
--- a/support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
+++ b/support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
@@ -17,7 +17,10 @@
package libcore.javax.net.ssl;
import java.io.PrintStream;
+import java.net.Socket;
+import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
@@ -26,15 +29,16 @@ import libcore.java.security.StandardNames;
/**
* TestTrustManager is a simple proxy class that wraps an existing
- * X509TrustManager to provide debug logging and recording of
+ * X509ExtendedTrustManager to provide debug logging and recording of
* values.
*/
-public final class TestTrustManager implements X509TrustManager {
+public final class TestTrustManager extends X509ExtendedTrustManager {
private static final boolean LOG = false;
private static final PrintStream out = LOG ? System.out : new NullPrintStream();
private final X509TrustManager trustManager;
+ private final X509ExtendedTrustManager extendedTrustManager;
public static TrustManager[] wrap(TrustManager[] trustManagers) {
TrustManager[] result = trustManagers.clone();
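Review bot: The class Javadoc on L111 now says the proxy wraps an X509ExtendedTrustManager, but the class keeps the `X509TrustManager` field on L118 and still accepts a plain X509TrustManager delegate, so the comment understates what callers get. I would write it as `* X509TrustManager or X509ExtendedTrustManager to provide debug logging and recording of values; for a plain X509TrustManager delegate the Socket and SSLEngine variants fall back to the two-argument checks.` The new field on L119 also deserves a line, e.g. `// null when the delegate is a plain X509TrustManager`, since that null is what selects the fallback path.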
@@ -45,14 +49,23 @@ public final class TestTrustManager implements X509TrustManager {
}
public static TrustManager wrap(TrustManager trustManager) {
- if (!(trustManager instanceof X509TrustManager)) {
- return trustManager;
+ if (trustManager instanceof X509ExtendedTrustManager) {
+ return new TestTrustManager((X509ExtendedTrustManager) trustManager);
+ } else if (trustManager instanceof X509TrustManager) {
+ return new TestTrustManager((X509TrustManager) trustManager);
}
- return new TestTrustManager((X509TrustManager) trustManager);
+ return trustManager;
+ }
+
+ public TestTrustManager(X509ExtendedTrustManager trustManager) {
+ out.println("TestTrustManager.<init> extendedTrustManager=" + trustManager);
+ this.extendedTrustManager = trustManager;
+ this.trustManager = trustManager;
}
public TestTrustManager(X509TrustManager trustManager) {
out.println("TestTrustManager.<init> trustManager=" + trustManager);
+ this.extendedTrustManager = null;
this.trustManager = trustManager;
}
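Review bot: The constructor on L141–L145 chooses `extendedTrustManager = null` purely from the static type of the argument, so a caller holding an X509ExtendedTrustManager in a variable typed `X509TrustManager` gets a wrapper whose Socket/SSLEngine checks silently fall back to the two-argument form; only `wrap` on L127–L130 does the runtime dispatch. Making the constructor do the same check removes that trap: `this.extendedTrustManager = trustManager instanceof X509ExtendedTrustManager ? (X509ExtendedTrustManager) trustManager : null;` in place of L143. Neither constructor rejects a null delegate; `Objects.requireNonNull(trustManager, "trustManager")` would surface that at construction instead of at the first check.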
@@ -71,6 +84,50 @@ public final class TestTrustManager implements X509TrustManager {
}
}
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
+ throws CertificateException {
+ if (extendedTrustManager == null) {
+ out.print("(fallback to X509TrustManager) ");
+ checkClientTrusted(chain, authType);
+ return;
+ }
+ out.print("TestTrustManager.checkClientTrusted "
+ + "chain=" + chain.length + " "
+ + "authType=" + authType + " "
+ + "socket=" + socket + " ");
+ try {
+ assertClientAuthType(authType);
+ extendedTrustManager.checkClientTrusted(chain, authType, socket);
+ out.println("OK");
+ } catch (CertificateException e) {
+ e.printStackTrace(out);
+ throw e;
+ }
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
+ throws CertificateException {
+ if (extendedTrustManager == null) {
+ out.print("(fallback to X509TrustManager) ");
+ checkClientTrusted(chain, authType);
+ return;
+ }
+ out.print("TestTrustManager.checkClientTrusted "
+ + "chain=" + chain.length + " "
+ + "authType=" + authType + " "
+ + "engine=" + engine + " ");
+ try {
+ assertClientAuthType(authType);
+ extendedTrustManager.checkClientTrusted(chain, authType, engine);
+ out.println("OK");
+ } catch (CertificateException e) {
+ e.printStackTrace(out);
+ throw e;
+ }
+ }
+
private void assertClientAuthType(String authType) {
if (!StandardNames.CLIENT_AUTH_TYPES.contains(authType)) {
throw new AssertionError("Unexpected client auth type " + authType);
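Review bot: The fallback on L152–L156 and L174–L178 drops whatever socket- or engine-specific checking the delegate would perform (the three-argument API is the one that carries the endpoint identification this commit is about), and with `LOG` false the "(fallback to X509TrustManager)" print goes to the NullPrintStream, so nothing in a test run signals that the reduced check ran. A comment on the fallback should state this, e.g. `// Plain X509TrustManager delegate: no socket/engine-specific checks (e.g. endpoint identification) are performed here.` The same applies to the server variants in the following hunk. Separately, the Socket and SSLEngine overloads differ only in the third argument and its label; a private helper taking the label and a lambda-free delegate call would halve the body, but that is a matter of style.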
@@ -92,6 +149,50 @@ public final class TestTrustManager implements X509TrustManager {
}
}
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
+ throws CertificateException {
+ if (extendedTrustManager == null) {
+ out.print("(fallback to X509TrustManager) ");
+ checkServerTrusted(chain, authType);
+ return;
+ }
+ out.print("TestTrustManager.checkServerTrusted "
+ + "chain=" + chain.length + " "
+ + "authType=" + authType + " "
+ + "socket=" + socket.toString() + " ");
+ try {
+ assertServerAuthType(authType);
+ extendedTrustManager.checkServerTrusted(chain, authType, socket);
+ out.println("OK");
+ } catch (CertificateException e) {
+ e.printStackTrace(out);
+ throw e;
+ }
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
+ throws CertificateException {
+ if (extendedTrustManager == null) {
+ out.print("(fallback to X509TrustManager) ");
+ checkServerTrusted(chain, authType);
+ return;
+ }
+ out.print("TestTrustManager.checkServerTrusted "
+ + "chain=" + chain.length + " "
+ + "authType=" + authType + " "
+ + "engine=" + engine.toString() + " ");
+ try {
+ assertServerAuthType(authType);
+ extendedTrustManager.checkServerTrusted(chain, authType, engine);
+ out.println("OK");
+ } catch (CertificateException e) {
+ e.printStackTrace(out);
+ throw e;
+ }
+ }
+
private void assertServerAuthType(String authType) {
if (!StandardNames.SERVER_AUTH_TYPES.contains(authType)) {
throw new AssertionError("Unexpected server auth type " + authType);
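Review bot: `socket.toString()` on L210 and `engine.toString()` on L232 throw a NullPointerException before the delegate is consulted, and they do so even with logging disabled because the string is built regardless; the X509ExtendedTrustManager contract allows a null socket or engine, and the client variants on L160 and L182 already tolerate it. Use plain concatenation in both places: `+ "socket=" + socket + " ");` and `+ "engine=" + engine + " ");`.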