Package org.conscrypt
Class TrustManagerImpl
- java.lang.Object
  - javax.net.ssl.X509ExtendedTrustManager
    - org.conscrypt.TrustManagerImpl
- All Implemented Interfaces:
  javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager
@Internal public final class TrustManagerImpl extends javax.net.ssl.X509ExtendedTrustManager
TrustManager implementation. The implementation is based on the CertPathValidator PKIX and CertificateFactory X509 implementations. These implementations should be provided by some certification provider.
- See Also:
  X509ExtendedTrustManager
-
-
Nested Class Summary
private static class TrustManagerImpl.ExtendedKeyUsagePKIXCertPathChecker
    If an EKU extension is present in the end-entity certificate, it MUST contain an appropriate key usage.
private static class TrustManagerImpl.TrustAnchorComparator
    Comparator for sorting TrustAnchors using a CertificatePriorityComparator.
-
Field Summary
private java.security.cert.X509Certificate[] acceptedIssuers
    This is lazily initialized in the AndroidCAStore case since it forces us to bring all the CAs into memory.
private CertBlocklist blocklist
private boolean ctEnabledOverride
private CTPolicy ctPolicy
private CTVerifier ctVerifier
private static ConscryptHostnameVerifier defaultHostnameVerifier
private java.lang.Exception err
private java.security.cert.CertificateFactory factory
private ConscryptHostnameVerifier hostnameVerifier
private TrustedCertificateIndex intermediateIndex
    An index of intermediate certificates that we've seen.
private static java.util.logging.Logger logger
private CertPinManager pinManager
    The CertPinManager, which validates the chain against a host-to-pin mapping.
private java.security.KeyStore rootKeyStore
    The AndroidCAStore if non-null, null otherwise.
private static TrustManagerImpl.TrustAnchorComparator TRUST_ANCHOR_COMPARATOR
    Comparator used for ordering trust anchors during certificate path building.
private TrustedCertificateIndex trustedCertificateIndex
    An index of TrustAnchor instances that we've seen.
private ConscryptCertStore trustedCertificateStore
    The backing store for the AndroidCAStore if non-null.
private java.security.cert.CertPathValidator validator
-
Constructor Summary
TrustManagerImpl(java.security.KeyStore keyStore)
    Creates an X509TrustManager based on a keystore.
TrustManagerImpl(java.security.KeyStore keyStore, CertPinManager manager)
TrustManagerImpl(java.security.KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore)
TrustManagerImpl(java.security.KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist)
TrustManagerImpl(java.security.KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist, CTLogStore ctLogStore, CTVerifier ctVerifier, CTPolicy ctPolicy)
    For testing only.
-
Method Summary
private static java.security.cert.X509Certificate[] acceptedIssuers(java.security.KeyStore ks)
private void checkBlocklist(java.security.cert.X509Certificate cert)
void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)
java.util.List<java.security.cert.X509Certificate> checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.lang.String hostname)
    For backward compatibility with older Android API that used String for the hostname only.
void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket)
void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine engine)
private void checkCT(java.lang.String host, java.util.List<java.security.cert.X509Certificate> chain, byte[] ocspData, byte[] tlsData)
void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)
java.util.List<java.security.cert.X509Certificate> checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.lang.String hostname)
    For backward compatibility with older Android API that used String for the hostname only.
void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket)
void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine engine)
java.util.List<java.security.cert.X509Certificate> checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLSession session)
    Validates whether a server is trusted.
private java.util.List<java.security.cert.X509Certificate> checkTrusted(java.security.cert.X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, java.lang.String authType, java.lang.String host, boolean clientAuth)
private java.util.List<java.security.cert.X509Certificate> checkTrusted(java.security.cert.X509Certificate[] certs, java.lang.String authType, javax.net.ssl.SSLSession session, javax.net.ssl.SSLParameters parameters, boolean clientAuth)
private java.util.List<java.security.cert.X509Certificate> checkTrustedRecursive(java.security.cert.X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, java.lang.String host, boolean clientAuth, java.util.ArrayList<java.security.cert.X509Certificate> untrustedChain, java.util.ArrayList<java.security.cert.TrustAnchor> trustAnchorChain, java.util.Set<java.security.cert.X509Certificate> used)
    Recursively build certificate chains until a valid chain is found or all possible paths are exhausted.
private java.util.Set<java.security.cert.TrustAnchor> findAllTrustAnchorsByIssuerAndSignature(java.security.cert.X509Certificate cert)
    Find all possible issuing trust anchors of cert.
private java.security.cert.TrustAnchor findTrustAnchorBySubjectAndPublicKey(java.security.cert.X509Certificate cert)
    Check the trustedCertificateIndex for the cert to see if it is already trusted and, failing that, check the KeyStore if it is available.
java.security.cert.X509Certificate[] getAcceptedIssuers()
(package private) static ConscryptHostnameVerifier getDefaultHostnameVerifier()
    Returns the currently-set default hostname verifier.
private static javax.net.ssl.SSLSession getHandshakeSessionOrThrow(javax.net.ssl.SSLSocket sslSocket)
(package private) ConscryptHostnameVerifier getHostnameVerifier()
    Returns the currently-set hostname verifier for this instance.
private ConscryptHostnameVerifier getHttpsVerifier()
private static byte[] getOcspDataFromSession(javax.net.ssl.SSLSession session)
private byte[] getTlsSctDataFromSession(javax.net.ssl.SSLSession session)
java.util.List<java.security.cert.X509Certificate> getTrustedChainForServer(java.security.cert.X509Certificate[] certs, java.lang.String authType, java.net.Socket socket)
    Returns the full trusted certificate chain found from certs.
java.util.List<java.security.cert.X509Certificate> getTrustedChainForServer(java.security.cert.X509Certificate[] certs, java.lang.String authType, javax.net.ssl.SSLEngine engine)
    Returns the full trusted certificate chain found from certs.
void handleTrustStorageUpdate()
void setCTEnabledOverride(boolean enabled)
void setCTPolicy(CTPolicy policy)
void setCTVerifier(CTVerifier verifier)
(package private) static void setDefaultHostnameVerifier(ConscryptHostnameVerifier verifier)
    Set the default hostname verifier that will be used for HTTPS endpoint identification.
(package private) void setHostnameVerifier(ConscryptHostnameVerifier verifier)
    Set the hostname verifier that will be used for HTTPS endpoint identification.
private void setOcspResponses(java.security.cert.PKIXParameters params, java.security.cert.X509Certificate cert, byte[] ocspData)
    Sets the OCSP response data that was possibly stapled to the TLS response.
private static java.util.Collection<java.security.cert.TrustAnchor> sortPotentialAnchors(java.util.Set<java.security.cert.TrustAnchor> anchors)
    Sort potential anchors so that the most preferred for use come first.
private static java.util.Set<java.security.cert.TrustAnchor> trustAnchors(java.security.cert.X509Certificate[] certs)
private java.util.List<java.security.cert.X509Certificate> verifyChain(java.util.List<java.security.cert.X509Certificate> untrustedChain, java.util.List<java.security.cert.TrustAnchor> trustAnchorChain, java.lang.String host, boolean clientAuth, byte[] ocspData, byte[] tlsSctData)
-
-
-
Field Detail
-
logger
private static final java.util.logging.Logger logger
-
TRUST_ANCHOR_COMPARATOR
private static final TrustManagerImpl.TrustAnchorComparator TRUST_ANCHOR_COMPARATOR
Comparator used for ordering trust anchors during certificate path building.
-
defaultHostnameVerifier
private static ConscryptHostnameVerifier defaultHostnameVerifier
-
rootKeyStore
private final java.security.KeyStore rootKeyStore
The AndroidCAStore if non-null, null otherwise.
-
pinManager
private CertPinManager pinManager
The CertPinManager, which validates the chain against a host-to-pin mapping
-
trustedCertificateStore
private final ConscryptCertStore trustedCertificateStore
The backing store for the AndroidCAStore if non-null. This will be null when the rootKeyStore is null, implying we are not using the AndroidCAStore.
-
validator
private final java.security.cert.CertPathValidator validator
-
trustedCertificateIndex
private final TrustedCertificateIndex trustedCertificateIndex
An index of TrustAnchor instances that we've seen.
-
intermediateIndex
private final TrustedCertificateIndex intermediateIndex
An index of intermediate certificates that we've seen. These certificates are NOT implicitly trusted and must still form a valid chain to an anchor.
-
acceptedIssuers
private final java.security.cert.X509Certificate[] acceptedIssuers
This is lazily initialized in the AndroidCAStore case since it forces us to bring all the CAs into memory. In the non-AndroidCAStore case, we initialize this as part of the constructor.
-
err
private final java.lang.Exception err
-
factory
private final java.security.cert.CertificateFactory factory
-
blocklist
private final CertBlocklist blocklist
-
ctVerifier
private CTVerifier ctVerifier
-
ctPolicy
private CTPolicy ctPolicy
-
hostnameVerifier
private ConscryptHostnameVerifier hostnameVerifier
-
ctEnabledOverride
private boolean ctEnabledOverride
-
-
Constructor Detail
-
TrustManagerImpl
public TrustManagerImpl(java.security.KeyStore keyStore)
Creates an X509TrustManager based on a keystore.
- Parameters:
  keyStore
-
TrustManagerImpl
public TrustManagerImpl(java.security.KeyStore keyStore, CertPinManager manager)
-
TrustManagerImpl
public TrustManagerImpl(java.security.KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore)
-
TrustManagerImpl
public TrustManagerImpl(java.security.KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist)
-
TrustManagerImpl
public TrustManagerImpl(java.security.KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist, CTLogStore ctLogStore, CTVerifier ctVerifier, CTPolicy ctPolicy)
For testing only.
-
-
Method Detail
-
acceptedIssuers
private static java.security.cert.X509Certificate[] acceptedIssuers(java.security.KeyStore ks)
-
trustAnchors
private static java.util.Set<java.security.cert.TrustAnchor> trustAnchors(java.security.cert.X509Certificate[] certs)
-
checkClientTrusted
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType) throws java.security.cert.CertificateException
- Throws:
java.security.cert.CertificateException
-
checkClientTrusted
public java.util.List<java.security.cert.X509Certificate> checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.lang.String hostname) throws java.security.cert.CertificateException
For backward compatibility with older Android API that used String for the hostname only.
- Throws:
java.security.cert.CertificateException
-
getHandshakeSessionOrThrow
private static javax.net.ssl.SSLSession getHandshakeSessionOrThrow(javax.net.ssl.SSLSocket sslSocket) throws java.security.cert.CertificateException
- Throws:
java.security.cert.CertificateException
-
checkClientTrusted
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket) throws java.security.cert.CertificateException
- Specified by:
checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
- Throws:
java.security.cert.CertificateException
-
checkClientTrusted
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine engine) throws java.security.cert.CertificateException
- Specified by:
checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
- Throws:
java.security.cert.CertificateException
-
checkServerTrusted
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType) throws java.security.cert.CertificateException
- Throws:
java.security.cert.CertificateException
-
checkServerTrusted
public java.util.List<java.security.cert.X509Certificate> checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.lang.String hostname) throws java.security.cert.CertificateException
For backward compatibility with older Android API that used String for the hostname only.
- Throws:
java.security.cert.CertificateException
-
getTrustedChainForServer
public java.util.List<java.security.cert.X509Certificate> getTrustedChainForServer(java.security.cert.X509Certificate[] certs, java.lang.String authType, java.net.Socket socket) throws java.security.cert.CertificateException
Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.
- Throws:
java.security.cert.CertificateException
-
getTrustedChainForServer
public java.util.List<java.security.cert.X509Certificate> getTrustedChainForServer(java.security.cert.X509Certificate[] certs, java.lang.String authType, javax.net.ssl.SSLEngine engine) throws java.security.cert.CertificateException
Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.
- Throws:
java.security.cert.CertificateException
-
checkServerTrusted
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket) throws java.security.cert.CertificateException
- Specified by:
checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
- Throws:
java.security.cert.CertificateException
-
checkServerTrusted
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine engine) throws java.security.cert.CertificateException
- Specified by:
checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
- Throws:
java.security.cert.CertificateException
-
checkServerTrusted
public java.util.List<java.security.cert.X509Certificate> checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLSession session) throws java.security.cert.CertificateException
Validates whether a server is trusted. If session is given and non-null it also checks if chain is pinned appropriately for that peer host. If null, it does not check for pinned certs. The return value is a list of the certificates used for making the trust decision.
- Throws:
java.security.cert.CertificateException
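Pin checking of the kind the pinManager field describes (a host-to-pin mapping checked against the chain), as an added example written for this page rather than taken from CertPinManager: it computes SPKI SHA-256 pins with the JDK API and matches them against a per-host pin set. The class name, the map layout, the placeholder pin values and the input file are this example's assumptions. The one property it insists on is that pins are matched against the validated chain, which is why it expects the list checkServerTrusted returns rather than the peer's raw certificates.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;

/** Added example: SPKI pinning applied to an already validated chain. */
public final class SpkiPinCheck {
    /** Host name to accepted pins; each pin is base64(SHA-256(DER SubjectPublicKeyInfo)). */
    private final Map<String, Set<String>> pinsByHost;

    SpkiPinCheck(Map<String, Set<String>> pinsByHost) { this.pinsByHost = pinsByHost; }

    /** Pins the key rather than the certificate, so a renewed certificate for the same key still matches. */
    static String spkiPin(X509Certificate cert) {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();
            return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java platform", e);
        }
    }

    /**
     * trustedChain must be the list returned by chain validation (leaf first, anchor last), never
     * the raw certificates the peer sent: a peer can append any pinned certificate to the
     * handshake without holding its key, and only path validation removes such stray certificates.
     */
    void check(String host, List<X509Certificate> trustedChain) throws CertificateException {
        Set<String> pins = pinsByHost.get(host.toLowerCase(Locale.ROOT));
        if (pins == null) return; // host not pinned: chain validation alone decides
        for (X509Certificate cert : trustedChain) {
            if (pins.contains(spkiPin(cert))) return; // a pin may match the leaf, an intermediate or the root
        }
        throw new CertificateException("Pin verification failed for " + host);
    }

    /** Usage: SpkiPinCheck <host> <validated-chain.pem>; prints each certificate's pin, then checks it. */
    public static void main(String[] args) throws Exception {
        // Constructed configuration; the two values are placeholders, not pins of real keys.
        Map<String, Set<String>> pins = new HashMap<>();
        pins.put("api.example.com", new HashSet<>(Arrays.asList(
                "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",   // current key
                "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="))); // backup key, kept offline
        List<X509Certificate> chain = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        for (X509Certificate c : chain) System.out.println(spkiPin(c) + "  " + c.getSubjectX500Principal());
        new SpkiPinCheck(pins).check(args[0], chain); // throws CertificateException on mismatch
        System.out.println("pin check passed for " + args[0]);
    }
}
```

Keeping a backup pin for a key that is not yet deployed is what makes key rotation possible without an outage; a pin set containing only the current leaf key turns every renewal with a fresh key into a hard failure.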
-
handleTrustStorageUpdate
public void handleTrustStorageUpdate()
-
checkTrusted
private java.util.List<java.security.cert.X509Certificate> checkTrusted(java.security.cert.X509Certificate[] certs, java.lang.String authType, javax.net.ssl.SSLSession session, javax.net.ssl.SSLParameters parameters, boolean clientAuth) throws java.security.cert.CertificateException
- Throws:
java.security.cert.CertificateException
-
getOcspDataFromSession
private static byte[] getOcspDataFromSession(javax.net.ssl.SSLSession session)
-
getTlsSctDataFromSession
private byte[] getTlsSctDataFromSession(javax.net.ssl.SSLSession session)
-
checkTrusted
private java.util.List<java.security.cert.X509Certificate> checkTrusted(java.security.cert.X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, java.lang.String authType, java.lang.String host, boolean clientAuth) throws java.security.cert.CertificateException
- Throws:
java.security.cert.CertificateException
-
checkTrustedRecursive
private java.util.List<java.security.cert.X509Certificate> checkTrustedRecursive(java.security.cert.X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, java.lang.String host, boolean clientAuth, java.util.ArrayList<java.security.cert.X509Certificate> untrustedChain, java.util.ArrayList<java.security.cert.TrustAnchor> trustAnchorChain, java.util.Set<java.security.cert.X509Certificate> used) throws java.security.cert.CertificateException
Recursively build certificate chains until a valid chain is found or all possible paths are exhausted. The chain is built in two sections; the complete trusted path is the combination of untrustedChain and trustAnchorChain. The chain begins at the leaf certificate and ends in the final trusted root certificate.
- Parameters:
  certs - the bag of certs provided by the peer. No order is assumed.
  host - the host being connected to.
  clientAuth - if a client is being authorized instead of a server.
  untrustedChain - the untrusted section of the chain built so far. Must be mutable.
  trustAnchorChain - the trusted section of the chain built so far. Must be mutable.
  used - the set of certificates used so far in path building. Must be mutable.
- Returns:
  The entire valid chain starting with the leaf certificate. This is the concatenation of untrustedChain and trustAnchorChain.
- Throws:
  java.security.cert.CertificateException - If no valid chain could be constructed. Note that there may be multiple reasons why no valid chain exists and there is no guarantee that the most severe is reported in this exception. As such applications MUST NOT use the specifics of this error for trust decisions (e.g. showing the user a click-through page based on the specific error).
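The path building described above, together with the end-entity EKU rule from the ExtendedKeyUsagePKIXCertPathChecker entry in the nested class summary, as an added example that is not Conscrypt's code: it uses only the JDK's java.security.cert API, letting the PKIX CertPathBuilder do the issuer-and-signature search over the peer's bag that checkTrustedRecursive does by hand, and attaches a PKIXCertPathChecker written here to enforce the leaf EKU rule. The class name, the file arguments, and the decision to disable revocation checking are this example's assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

/** Added example: build and validate a server chain from an unordered bag of certificates. */
public final class ChainBuilderExample {
    /** Leaf EKU rule: if the extension is present it must allow serverAuth/clientAuth or anyEKU. */
    static final class LeafEkuChecker extends PKIXCertPathChecker {
        private static final String EKU_OID = "2.5.29.37";
        private static final String ANY_EKU = "2.5.29.37.0";
        private static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
        private static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
        private final X509Certificate leaf;
        private final boolean clientAuth;

        LeafEkuChecker(X509Certificate leaf, boolean clientAuth) { this.leaf = leaf; this.clientAuth = clientAuth; }
        @Override public void init(boolean forward) { }
        @Override public boolean isForwardCheckingSupported() { return true; }
        @Override public Set<String> getSupportedExtensions() { return Collections.singleton(EKU_OID); }

        @Override
        public void check(Certificate c, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
            if (!leaf.equals(c)) return; // CA certificates in the path are not constrained by this checker
            List<String> ekus;
            try {
                ekus = leaf.getExtendedKeyUsage();
            } catch (CertificateParsingException e) {
                throw new CertPathValidatorException("unparseable extendedKeyUsage", e);
            }
            if (ekus == null) return; // extension absent: nothing to enforce
            String required = clientAuth ? CLIENT_AUTH : SERVER_AUTH;
            if (!ekus.contains(required) && !ekus.contains(ANY_EKU)) {
                throw new CertPathValidatorException("end-entity certificate lacks the "
                        + (clientAuth ? "clientAuth" : "serverAuth") + " extended key usage");
            }
            unresolvedCritExts.remove(EKU_OID); // consumed here, so a critical EKU no longer fails the path
        }
    }

    /** Reads a PEM bundle or a single DER file; CertificateFactory handles concatenated PEM. */
    static List<X509Certificate> loadBundle(Path file) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
        }
        return certs;
    }

    /**
     * Returns the validated chain, leaf first and trust anchor last. The JDK PKIX builder does the
     * issuer and signature search described above; the bag only supplies candidate intermediates
     * and confers no trust by itself.
     */
    static List<X509Certificate> buildTrustedChain(X509Certificate leaf, Collection<X509Certificate> bag,
            Collection<X509Certificate> roots, boolean clientAuth) throws GeneralSecurityException {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : roots) anchors.add(new TrustAnchor(root, null));
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        List<X509Certificate> pool = new ArrayList<>(bag);
        pool.add(leaf); // the builder locates the target certificate through the cert stores
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false); // OCSP/CRL handling is outside this example
        params.addCertPathChecker(new LeafEkuChecker(leaf, clientAuth));
        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : result.getCertPath().getCertificates()) chain.add((X509Certificate) c);
        chain.add(result.getTrustAnchor().getTrustedCert());
        return chain;
    }

    /** Usage: ChainBuilderExample <roots.pem> <peer-chain.pem>; the peer file is leaf first, as sent in TLS. */
    public static void main(String[] args) throws Exception {
        List<X509Certificate> roots = loadBundle(Paths.get(args[0]));
        List<X509Certificate> sent = loadBundle(Paths.get(args[1]));
        X509Certificate leaf = sent.get(0);
        List<X509Certificate> bag = new ArrayList<>(sent.subList(1, sent.size()));
        Collections.shuffle(bag); // no order is assumed for the rest of the bag
        try {
            for (X509Certificate c : buildTrustedChain(leaf, bag, roots, false)) {
                System.out.println(c.getSubjectX500Principal());
            }
        } catch (GeneralSecurityException e) {
            // The reported reason is not a basis for a trust decision: every failure is handled the
            // same way, with no "proceed anyway" path keyed on the specific message.
            System.err.println("untrusted: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A bundle captured with `openssl s_client -showcerts` is a realistic second argument. Shuffling the intermediates before building is deliberate: a chain builder that only works when the peer orders its certificates correctly fails on the many servers that send them out of order or with extra cross-signs, and a checker that depended on position rather than identity would constrain the wrong certificate.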
-
verifyChain
private java.util.List<java.security.cert.X509Certificate> verifyChain(java.util.List<java.security.cert.X509Certificate> untrustedChain, java.util.List<java.security.cert.TrustAnchor> trustAnchorChain, java.lang.String host, boolean clientAuth, byte[] ocspData, byte[] tlsSctData) throws java.security.cert.CertificateException
- Throws:
java.security.cert.CertificateException
-
checkBlocklist
private void checkBlocklist(java.security.cert.X509Certificate cert) throws java.security.cert.CertificateException
- Throws:
java.security.cert.CertificateException
-
checkCT
private void checkCT(java.lang.String host, java.util.List<java.security.cert.X509Certificate> chain, byte[] ocspData, byte[] tlsData) throws java.security.cert.CertificateException
- Throws:
java.security.cert.CertificateException
-
setOcspResponses
private void setOcspResponses(java.security.cert.PKIXParameters params, java.security.cert.X509Certificate cert, byte[] ocspData)
Sets the OCSP response data that was possibly stapled to the TLS response.
-
sortPotentialAnchors
private static java.util.Collection<java.security.cert.TrustAnchor> sortPotentialAnchors(java.util.Set<java.security.cert.TrustAnchor> anchors)
Sort potential anchors so that the most preferred for use come first.
- See Also:
CertificatePriorityComparator
-
findAllTrustAnchorsByIssuerAndSignature
private java.util.Set<java.security.cert.TrustAnchor> findAllTrustAnchorsByIssuerAndSignature(java.security.cert.X509Certificate cert)
Find all possible issuing trust anchors of cert.
-
findTrustAnchorBySubjectAndPublicKey
private java.security.cert.TrustAnchor findTrustAnchorBySubjectAndPublicKey(java.security.cert.X509Certificate cert)
Check the trustedCertificateIndex for the cert to see if it is already trusted and, failing that, check the KeyStore if it is available.
-
getAcceptedIssuers
public java.security.cert.X509Certificate[] getAcceptedIssuers()
-
setDefaultHostnameVerifier
static void setDefaultHostnameVerifier(ConscryptHostnameVerifier verifier)
Set the default hostname verifier that will be used for HTTPS endpoint identification. If null (the default), endpoint identification will use the default hostname verifier set in HttpsURLConnection.setDefaultHostnameVerifier(javax.net.ssl.HostnameVerifier).
-
getDefaultHostnameVerifier
static ConscryptHostnameVerifier getDefaultHostnameVerifier()
Returns the currently-set default hostname verifier.
-
setHostnameVerifier
void setHostnameVerifier(ConscryptHostnameVerifier verifier)
Set the hostname verifier that will be used for HTTPS endpoint identification. If null (the default), endpoint identification will use the default hostname verifier set in setDefaultHostnameVerifier(ConscryptHostnameVerifier).
-
getHostnameVerifier
ConscryptHostnameVerifier getHostnameVerifier()
Returns the currently-set hostname verifier for this instance.
-
getHttpsVerifier
private ConscryptHostnameVerifier getHttpsVerifier()
-
setCTEnabledOverride
public void setCTEnabledOverride(boolean enabled)
-
setCTVerifier
public void setCTVerifier(CTVerifier verifier)
-
setCTPolicy
public void setCTPolicy(CTPolicy policy)
-
-