Package org.conscrypt

Class TrustManagerImpl

  • All Implemented Interfaces:
    javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager

    @Internal
    public final class TrustManagerImpl
    extends javax.net.ssl.X509ExtendedTrustManager
    TrustManager implementation. The implementation is based on the CertPathValidator PKIX and CertificateFactory X509 implementations. These implementations are expected to be supplied by a certificate provider.
    See Also:
    X509ExtendedTrustManager
    • Method Summary

      Modifier and Type Method Description
      private static java.security.cert.X509Certificate[] acceptedIssuers​(java.security.KeyStore ks)  
      private void checkBlocklist​(java.security.cert.X509Certificate cert)  
      void checkClientTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType)  
      java.util.List<java.security.cert.X509Certificate> checkClientTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.lang.String hostname)
      For backward compatibility with older Android API that used String for the hostname only.
      void checkClientTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket)  
      void checkClientTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine engine)  
      private void checkCT​(java.lang.String host, java.util.List<java.security.cert.X509Certificate> chain, byte[] ocspData, byte[] tlsData)  
      void checkServerTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType)  
      java.util.List<java.security.cert.X509Certificate> checkServerTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.lang.String hostname)
      For backward compatibility with older Android API that used String for the hostname only.
      void checkServerTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket)  
      void checkServerTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine engine)  
      java.util.List<java.security.cert.X509Certificate> checkServerTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLSession session)
      Validates whether a server is trusted.
      private java.util.List<java.security.cert.X509Certificate> checkTrusted​(java.security.cert.X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, java.lang.String authType, java.lang.String host, boolean clientAuth)  
      private java.util.List<java.security.cert.X509Certificate> checkTrusted​(java.security.cert.X509Certificate[] certs, java.lang.String authType, javax.net.ssl.SSLSession session, javax.net.ssl.SSLParameters parameters, boolean clientAuth)  
      private java.util.List<java.security.cert.X509Certificate> checkTrustedRecursive​(java.security.cert.X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, java.lang.String host, boolean clientAuth, java.util.ArrayList<java.security.cert.X509Certificate> untrustedChain, java.util.ArrayList<java.security.cert.TrustAnchor> trustAnchorChain, java.util.Set<java.security.cert.X509Certificate> used)
      Recursively build certificate chains until a valid chain is found or all possible paths are exhausted.
      private java.util.Set<java.security.cert.TrustAnchor> findAllTrustAnchorsByIssuerAndSignature​(java.security.cert.X509Certificate cert)
      Find all possible issuing trust anchors of cert.
      private java.security.cert.TrustAnchor findTrustAnchorBySubjectAndPublicKey​(java.security.cert.X509Certificate cert)
      Check the trustedCertificateIndex for the cert to see if it is already trusted and, failing that, check the KeyStore if one is available.
      java.security.cert.X509Certificate[] getAcceptedIssuers()  
      (package private) static ConscryptHostnameVerifier getDefaultHostnameVerifier()
      Returns the currently-set default hostname verifier.
      private static javax.net.ssl.SSLSession getHandshakeSessionOrThrow​(javax.net.ssl.SSLSocket sslSocket)  
      (package private) ConscryptHostnameVerifier getHostnameVerifier()
      Returns the currently-set hostname verifier for this instance.
      private ConscryptHostnameVerifier getHttpsVerifier()  
      private static byte[] getOcspDataFromSession​(javax.net.ssl.SSLSession session)  
      private byte[] getTlsSctDataFromSession​(javax.net.ssl.SSLSession session)  
      java.util.List<java.security.cert.X509Certificate> getTrustedChainForServer​(java.security.cert.X509Certificate[] certs, java.lang.String authType, java.net.Socket socket)
      Returns the full trusted certificate chain found from certs.
      java.util.List<java.security.cert.X509Certificate> getTrustedChainForServer​(java.security.cert.X509Certificate[] certs, java.lang.String authType, javax.net.ssl.SSLEngine engine)
      Returns the full trusted certificate chain found from certs.
      void handleTrustStorageUpdate()  
      void setCTEnabledOverride​(boolean enabled)  
      void setCTPolicy​(CTPolicy policy)  
      void setCTVerifier​(CTVerifier verifier)  
      (package private) static void setDefaultHostnameVerifier​(ConscryptHostnameVerifier verifier)
      Set the default hostname verifier that will be used for HTTPS endpoint identification.
      (package private) void setHostnameVerifier​(ConscryptHostnameVerifier verifier)
      Set the hostname verifier that will be used for HTTPS endpoint identification.
      private void setOcspResponses​(java.security.cert.PKIXParameters params, java.security.cert.X509Certificate cert, byte[] ocspData)
      Sets the OCSP response data that was possibly stapled to the TLS response.
      private static java.util.Collection<java.security.cert.TrustAnchor> sortPotentialAnchors​(java.util.Set<java.security.cert.TrustAnchor> anchors)
      Sort potential anchors so that the most preferred for use come first.
      private static java.util.Set<java.security.cert.TrustAnchor> trustAnchors​(java.security.cert.X509Certificate[] certs)  
      private java.util.List<java.security.cert.X509Certificate> verifyChain​(java.util.List<java.security.cert.X509Certificate> untrustedChain, java.util.List<java.security.cert.TrustAnchor> trustAnchorChain, java.lang.String host, boolean clientAuth, byte[] ocspData, byte[] tlsSctData)  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • logger

        private static final java.util.logging.Logger logger
      • rootKeyStore

        private final java.security.KeyStore rootKeyStore
        The AndroidCAStore KeyStore when one is in use; null otherwise.
      • pinManager

        private CertPinManager pinManager
        The CertPinManager, which validates the chain against a host-to-pin mapping.
      • trustedCertificateStore

        private final ConscryptCertStore trustedCertificateStore
        The backing store for the AndroidCAStore if non-null. This will be null when the rootKeyStore is null, implying we are not using the AndroidCAStore.
      • validator

        private final java.security.cert.CertPathValidator validator
      • trustedCertificateIndex

        private final TrustedCertificateIndex trustedCertificateIndex
        An index of TrustAnchor instances that we've seen.
      • intermediateIndex

        private final TrustedCertificateIndex intermediateIndex
        An index of intermediate certificates that we've seen. These certificates are NOT implicitly trusted and must still form a valid chain to an anchor.
      • acceptedIssuers

        private final java.security.cert.X509Certificate[] acceptedIssuers
        This is lazily initialized in the AndroidCAStore case, since computing it forces all of the CAs to be loaded into memory. In the non-AndroidCAStore case, this is initialized in the constructor.
      • err

        private final java.lang.Exception err
      • factory

        private final java.security.cert.CertificateFactory factory
      • ctEnabledOverride

        private boolean ctEnabledOverride
    • Method Detail

      • acceptedIssuers

        private static java.security.cert.X509Certificate[] acceptedIssuers​(java.security.KeyStore ks)
      • trustAnchors

        private static java.util.Set<java.security.cert.TrustAnchor> trustAnchors​(java.security.cert.X509Certificate[] certs)
      • checkClientTrusted

        public void checkClientTrusted​(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType)
                                throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • checkClientTrusted

        public java.util.List<java.security.cert.X509Certificate> checkClientTrusted​(java.security.cert.X509Certificate[] chain,
                                                                                     java.lang.String authType,
                                                                                     java.lang.String hostname)
                                                                              throws java.security.cert.CertificateException
        For backward compatibility with older Android API that used String for the hostname only.
        Throws:
        java.security.cert.CertificateException
      • getHandshakeSessionOrThrow

        private static javax.net.ssl.SSLSession getHandshakeSessionOrThrow​(javax.net.ssl.SSLSocket sslSocket)
                                                                    throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • checkClientTrusted

        public void checkClientTrusted​(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       java.net.Socket socket)
                                throws java.security.cert.CertificateException
        Specified by:
        checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkClientTrusted

        public void checkClientTrusted​(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       javax.net.ssl.SSLEngine engine)
                                throws java.security.cert.CertificateException
        Specified by:
        checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public void checkServerTrusted​(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType)
                                throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public java.util.List<java.security.cert.X509Certificate> checkServerTrusted​(java.security.cert.X509Certificate[] chain,
                                                                                     java.lang.String authType,
                                                                                     java.lang.String hostname)
                                                                              throws java.security.cert.CertificateException
        For backward compatibility with older Android API that used String for the hostname only.
        Throws:
        java.security.cert.CertificateException
      • getTrustedChainForServer

        public java.util.List<java.security.cert.X509Certificate> getTrustedChainForServer​(java.security.cert.X509Certificate[] certs,
                                                                                           java.lang.String authType,
                                                                                           java.net.Socket socket)
                                                                                    throws java.security.cert.CertificateException
        Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.
        Throws:
        java.security.cert.CertificateException
      • getTrustedChainForServer

        public java.util.List<java.security.cert.X509Certificate> getTrustedChainForServer​(java.security.cert.X509Certificate[] certs,
                                                                                           java.lang.String authType,
                                                                                           javax.net.ssl.SSLEngine engine)
                                                                                    throws java.security.cert.CertificateException
        Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public void checkServerTrusted​(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       java.net.Socket socket)
                                throws java.security.cert.CertificateException
        Specified by:
        checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public void checkServerTrusted​(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       javax.net.ssl.SSLEngine engine)
                                throws java.security.cert.CertificateException
        Specified by:
        checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public java.util.List<java.security.cert.X509Certificate> checkServerTrusted​(java.security.cert.X509Certificate[] chain,
                                                                                     java.lang.String authType,
                                                                                     javax.net.ssl.SSLSession session)
                                                                              throws java.security.cert.CertificateException
        Validates whether a server is trusted. If session is non-null, it also checks whether chain is pinned appropriately for that peer host. If session is null, no pin check is performed, so callers that pass null bypass certificate pinning entirely. The return value is the list of certificates used for making the trust decision.
        Throws:
        java.security.cert.CertificateException
      • handleTrustStorageUpdate

        public void handleTrustStorageUpdate()
      • checkTrusted

        private java.util.List<java.security.cert.X509Certificate> checkTrusted​(java.security.cert.X509Certificate[] certs,
                                                                                java.lang.String authType,
                                                                                javax.net.ssl.SSLSession session,
                                                                                javax.net.ssl.SSLParameters parameters,
                                                                                boolean clientAuth)
                                                                         throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • getOcspDataFromSession

        private static byte[] getOcspDataFromSession​(javax.net.ssl.SSLSession session)
      • getTlsSctDataFromSession

        private byte[] getTlsSctDataFromSession​(javax.net.ssl.SSLSession session)
      • checkTrusted

        private java.util.List<java.security.cert.X509Certificate> checkTrusted​(java.security.cert.X509Certificate[] certs,
                                                                                byte[] ocspData,
                                                                                byte[] tlsSctData,
                                                                                java.lang.String authType,
                                                                                java.lang.String host,
                                                                                boolean clientAuth)
                                                                         throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • checkTrustedRecursive

        private java.util.List<java.security.cert.X509Certificate> checkTrustedRecursive​(java.security.cert.X509Certificate[] certs,
                                                                                         byte[] ocspData,
                                                                                         byte[] tlsSctData,
                                                                                         java.lang.String host,
                                                                                         boolean clientAuth,
                                                                                         java.util.ArrayList<java.security.cert.X509Certificate> untrustedChain,
                                                                                         java.util.ArrayList<java.security.cert.TrustAnchor> trustAnchorChain,
                                                                                         java.util.Set<java.security.cert.X509Certificate> used)
                                                                                  throws java.security.cert.CertificateException
        Recursively build certificate chains until a valid chain is found or all possible paths are exhausted. The chain is built in two sections; the complete trusted path is the combination of untrustedChain and trustAnchorChain. The chain begins at the leaf certificate and ends in the final trusted root certificate.
        Parameters:
        certs - the bag of certs provided by the peer. No order is assumed.
        host - the host being connected to.
        clientAuth - if a client is being authorized instead of a server.
        untrustedChain - the untrusted section of the chain built so far. Must be mutable.
        trustAnchorChain - the trusted section of the chain built so far. Must be mutable.
        used - the set of certificates used so far in path building. Must be mutable.
        Returns:
        The entire valid chain starting with the leaf certificate. This is the concatenation of untrustedChain and trustAnchorChain.
        Throws:
        java.security.cert.CertificateException - If no valid chain could be constructed. Note that there may be multiple reasons why no valid chain exists, and there is no guarantee that the most severe one is the one reported in this exception. As such, applications MUST NOT use the specifics of this error for trust decisions (e.g. showing the user a click-through page based on the specific error).
      • verifyChain

        private java.util.List<java.security.cert.X509Certificate> verifyChain​(java.util.List<java.security.cert.X509Certificate> untrustedChain,
                                                                               java.util.List<java.security.cert.TrustAnchor> trustAnchorChain,
                                                                               java.lang.String host,
                                                                               boolean clientAuth,
                                                                               byte[] ocspData,
                                                                               byte[] tlsSctData)
                                                                        throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • checkBlocklist

        private void checkBlocklist​(java.security.cert.X509Certificate cert)
                             throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • checkCT

        private void checkCT​(java.lang.String host,
                             java.util.List<java.security.cert.X509Certificate> chain,
                             byte[] ocspData,
                             byte[] tlsData)
                      throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • setOcspResponses

        private void setOcspResponses​(java.security.cert.PKIXParameters params,
                                      java.security.cert.X509Certificate cert,
                                      byte[] ocspData)
        Sets the OCSP response data that may have been stapled to the TLS handshake, if any.
      • sortPotentialAnchors

        private static java.util.Collection<java.security.cert.TrustAnchor> sortPotentialAnchors​(java.util.Set<java.security.cert.TrustAnchor> anchors)
        Sort potential anchors so that the most preferred for use come first.
        See Also:
        CertificatePriorityComparator
      • findAllTrustAnchorsByIssuerAndSignature

        private java.util.Set<java.security.cert.TrustAnchor> findAllTrustAnchorsByIssuerAndSignature​(java.security.cert.X509Certificate cert)
        Find all possible issuing trust anchors of cert.
      • findTrustAnchorBySubjectAndPublicKey

        private java.security.cert.TrustAnchor findTrustAnchorBySubjectAndPublicKey​(java.security.cert.X509Certificate cert)
        Check the trustedCertificateIndex for the cert to see if it is already trusted and failing that check the KeyStore if it is available.
      • getAcceptedIssuers

        public java.security.cert.X509Certificate[] getAcceptedIssuers()
      • setDefaultHostnameVerifier

        static void setDefaultHostnameVerifier​(ConscryptHostnameVerifier verifier)
        Set the default hostname verifier that will be used for HTTPS endpoint identification. If null (the default), endpoint identification will fall back to the default hostname verifier set via HttpsURLConnection.setDefaultHostnameVerifier(javax.net.ssl.HostnameVerifier).
      • setCTEnabledOverride

        public void setCTEnabledOverride​(boolean enabled)
      • setCTVerifier

        public void setCTVerifier​(CTVerifier verifier)
      • setCTPolicy

        public void setCTPolicy​(CTPolicy policy)