Package org.conscrypt
Class TrustManagerImpl

java.lang.Object
  javax.net.ssl.X509ExtendedTrustManager
    org.conscrypt.TrustManagerImpl

- All Implemented Interfaces: TrustManager, X509TrustManager
TrustManager implementation. The implementation is based on the CertPathValidator PKIX and CertificateFactory X509 implementations, which are expected to be supplied by a certification provider.
Nested Class Summary

- private static class: If an EKU extension is present in the end-entity certificate, it MUST contain an appropriate key usage.
- private static class TrustManagerImpl.TrustAnchorComparator: Comparator for sorting TrustAnchors using a CertificatePriorityComparator.
Field Summary

- private final X509Certificate[] acceptedIssuers: This is lazily initialized in the AndroidCAStore case since it forces us to bring all the CAs into memory.
- private final CertBlocklist blocklist
- private boolean ctEnabledOverride
- private CTPolicy ctPolicy
- private CTVerifier ctVerifier
- private static ConscryptHostnameVerifier defaultHostnameVerifier
- private final Exception err
- private final CertificateFactory factory
- private ConscryptHostnameVerifier hostnameVerifier
- private final TrustedCertificateIndex intermediateIndex: An index of intermediate certificates that we've seen.
- private static final Logger logger
- private CertPinManager pinManager: The CertPinManager, which validates the chain against a host-to-pin mapping.
- private final KeyStore rootKeyStore: The AndroidCAStore if non-null, null otherwise.
- private static final TrustManagerImpl.TrustAnchorComparator TRUST_ANCHOR_COMPARATOR: Comparator used for ordering trust anchors during certificate path building.
- private final TrustedCertificateIndex trustedCertificateIndex: An index of TrustAnchor instances that we've seen.
- private final ConscryptCertStore trustedCertificateStore: The backing store for the AndroidCAStore if non-null.
- private final CertPathValidator validator
Constructor Summary

- TrustManagerImpl(KeyStore keyStore): Creates an X509TrustManager based on a keystore.
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager)
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore)
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist)
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist, CTLogStore ctLogStore, CTVerifier ctVerifier, CTPolicy ctPolicy): For testing only.
Method Summary

- private static X509Certificate[] acceptedIssuers(KeyStore keyStore)
- private void checkBlocklist(X509Certificate cert)
- void checkClientTrusted(X509Certificate[] chain, String authType)
- List<X509Certificate> checkClientTrusted(X509Certificate[] chain, String authType, String hostname): For backward compatibility with older Android API that used String for the hostname only.
- void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- private void checkCT(String host, List<X509Certificate> chain, byte[] ocspData, byte[] tlsData)
- void checkServerTrusted(X509Certificate[] chain, String authType)
- List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String hostname): For backward compatibility with older Android API that used String for the hostname only.
- void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, SSLSession session): Validates whether a server is trusted.
- private List<X509Certificate> checkTrusted(X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, String authType, String host, boolean clientAuth)
- private List<X509Certificate> checkTrusted(X509Certificate[] certs, String authType, SSLSession session, SSLParameters parameters, boolean clientAuth)
- private List<X509Certificate> checkTrustedRecursive(X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, String host, boolean clientAuth, ArrayList<X509Certificate> untrustedChain, ArrayList<TrustAnchor> trustAnchorChain, Set<X509Certificate> used): Recursively build certificate chains until a valid chain is found or all possible paths are exhausted.
- private Set<TrustAnchor> findAllTrustAnchorsByIssuerAndSignature(X509Certificate cert): Find all possible issuing trust anchors of cert.
- private TrustAnchor findTrustAnchorBySubjectAndPublicKey(X509Certificate cert): Check the trustedCertificateIndex for the cert to see if it is already trusted and, failing that, check the KeyStore if it is available.
- X509Certificate[] getAcceptedIssuers()
- (package private) static ConscryptHostnameVerifier getDefaultHostnameVerifier(): Returns the currently-set default hostname verifier.
- private static SSLSession getHandshakeSessionOrThrow(SSLSocket sslSocket)
- (package private) ConscryptHostnameVerifier getHostnameVerifier(): Returns the currently-set hostname verifier for this instance.
- private ConscryptHostnameVerifier getHttpsVerifier()
- private static byte[] getOcspDataFromSession(SSLSession session)
- private byte[] getTlsSctDataFromSession(SSLSession session)
- List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs, String authType, Socket socket): Returns the full trusted certificate chain found from certs.
- List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs, String authType, SSLEngine engine): Returns the full trusted certificate chain found from certs.
- void handleTrustStorageUpdate()
- void setCTEnabledOverride(boolean enabled)
- void setCTPolicy(CTPolicy policy)
- void setCTVerifier(CTVerifier verifier)
- (package private) static void setDefaultHostnameVerifier(ConscryptHostnameVerifier verifier): Set the default hostname verifier that will be used for HTTPS endpoint identification.
- (package private) void setHostnameVerifier(ConscryptHostnameVerifier verifier): Set the hostname verifier that will be used for HTTPS endpoint identification.
- private void setOcspResponses(PKIXParameters params, X509Certificate cert, byte[] ocspData): Sets the OCSP response data that was possibly stapled to the TLS response.
- private static Collection<TrustAnchor> sortPotentialAnchors(Set<TrustAnchor> anchors): Sort potential anchors so that the most preferred for use come first.
- private static Set<TrustAnchor> trustAnchors(X509Certificate[] certs)
- private List<X509Certificate> verifyChain(List<X509Certificate> untrustedChain, List<TrustAnchor> trustAnchorChain, String host, boolean clientAuth, byte[] ocspData, byte[] tlsSctData)
Field Details

- logger
- TRUST_ANCHOR_COMPARATOR: Comparator used for ordering trust anchors during certificate path building.
- defaultHostnameVerifier
- rootKeyStore: The AndroidCAStore if non-null, null otherwise.
- pinManager: The CertPinManager, which validates the chain against a host-to-pin mapping.
- trustedCertificateStore: The backing store for the AndroidCAStore if non-null. This will be null when rootKeyStore is null, implying we are not using the AndroidCAStore.
- validator
- trustedCertificateIndex: An index of TrustAnchor instances that we've seen.
- intermediateIndex: An index of intermediate certificates that we've seen. These certificates are NOT implicitly trusted and must still form a valid chain to an anchor.
- acceptedIssuers: This is lazily initialized in the AndroidCAStore case since it forces us to bring all the CAs into memory. In the non-AndroidCAStore case, we initialize this as part of the constructor.
- err
- factory
- blocklist
- ctVerifier
- ctPolicy
- hostnameVerifier
- ctEnabledOverride: private boolean ctEnabledOverride
Constructor Details

- TrustManagerImpl(KeyStore keyStore)
  Creates an X509TrustManager based on a keystore.
  Parameters: keyStore
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager)
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore)
- TrustManagerImpl
  public TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist)
- TrustManagerImpl
  public TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist, CTLogStore ctLogStore, CTVerifier ctVerifier, CTPolicy ctPolicy)
  For testing only.
Method Details

- acceptedIssuers
- trustAnchors
- checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
  Throws: CertificateException
- checkClientTrusted
  public List<X509Certificate> checkClientTrusted(X509Certificate[] chain, String authType, String hostname) throws CertificateException
  For backward compatibility with older Android API that used String for the hostname only.
  Throws: CertificateException
- getHandshakeSessionOrThrow
  private static SSLSession getHandshakeSessionOrThrow(SSLSocket sslSocket) throws CertificateException
  Throws: CertificateException
- checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  Specified by: checkClientTrusted in class X509ExtendedTrustManager
  Throws: CertificateException
- checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
  Specified by: checkClientTrusted in class X509ExtendedTrustManager
  Throws: CertificateException
- checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
  Throws: CertificateException
- checkServerTrusted
  public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String hostname) throws CertificateException
  For backward compatibility with older Android API that used String for the hostname only.
  Throws: CertificateException
- getTrustedChainForServer
  public List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs, String authType, Socket socket) throws CertificateException
  Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.
  Throws: CertificateException
- getTrustedChainForServer
  public List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs, String authType, SSLEngine engine) throws CertificateException
  Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.
  Throws: CertificateException
- checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  Specified by: checkServerTrusted in class X509ExtendedTrustManager
  Throws: CertificateException
- checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
  Specified by: checkServerTrusted in class X509ExtendedTrustManager
  Throws: CertificateException
- checkServerTrusted
  public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, SSLSession session) throws CertificateException
  Validates whether a server is trusted. If session is given and non-null, it also checks whether chain is pinned appropriately for that peer host. If session is null, it does not check for pinned certs. The return value is the list of certificates used for making the trust decision.
  Throws: CertificateException
- handleTrustStorageUpdate
  public void handleTrustStorageUpdate()
- checkTrusted
  private List<X509Certificate> checkTrusted(X509Certificate[] certs, String authType, SSLSession session, SSLParameters parameters, boolean clientAuth) throws CertificateException
  Throws: CertificateException
- getOcspDataFromSession
- getTlsSctDataFromSession
- checkTrusted
  private List<X509Certificate> checkTrusted(X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, String authType, String host, boolean clientAuth) throws CertificateException
  Throws: CertificateException
- checkTrustedRecursive
  private List<X509Certificate> checkTrustedRecursive(X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, String host, boolean clientAuth, ArrayList<X509Certificate> untrustedChain, ArrayList<TrustAnchor> trustAnchorChain, Set<X509Certificate> used) throws CertificateException
  Recursively build certificate chains until a valid chain is found or all possible paths are exhausted. The chain is built in two sections; the complete trusted path is the combination of untrustedChain and trustAnchorChain. The chain begins at the leaf certificate and ends at the final trusted root certificate.
  Parameters:
  - certs - the bag of certs provided by the peer. No order is assumed.
  - host - the host being connected to.
  - clientAuth - whether a client is being authorized instead of a server.
  - untrustedChain - the untrusted section of the chain built so far. Must be mutable.
  - trustAnchorChain - the trusted section of the chain built so far. Must be mutable.
  - used - the set of certificates used so far in path building. Must be mutable.
  Returns: The entire valid chain starting with the leaf certificate. This is the concatenation of untrustedChain and trustAnchorChain.
  Throws: CertificateException - If no valid chain could be constructed. Note that there may be multiple reasons why no valid chain exists, and there is no guarantee that the most severe is reported in this exception. As such, applications MUST NOT use the specifics of this error for trust decisions (e.g. showing the user a click-through page based on the specific error).
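The following is an added example, not Conscrypt's own code, showing how a caller uses the public String-hostname overload of checkServerTrusted described above and how it should treat the CertificateException that checkTrustedRecursive documents: the returned list is the chain the trust decision was made on, and the exception is an opaque "not trusted" verdict that is logged but never parsed. The class name ServerChainCheck, the trust-store path and password, and the assumption that the keystore holds only trusted CA certificate entries are all the example's own; TrustManagerImpl(KeyStore), checkServerTrusted(X509Certificate[], String, String) and the CertificateException contract come from the page.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.conscrypt.TrustManagerImpl;

// Added example (not Conscrypt's own code): validates a server chain with
// TrustManagerImpl and treats the CertificateException as an opaque verdict.
public final class ServerChainCheck {
    private static final Logger log = Logger.getLogger(ServerChainCheck.class.getName());

    private final TrustManagerImpl trustManager;

    // Assumption: trustStorePath points to a JKS/PKCS12 file holding only trusted
    // CA certificate entries (no private keys); password may be null for JKS.
    public ServerChainCheck(Path trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        // One-argument constructor from the page: trust anchors come from the keystore.
        this.trustManager = new TrustManagerImpl(ks);
    }

    /**
     * Returns the full validated chain (leaf first, ending at the trust anchor),
     * or rethrows CertificateException when no trusted chain exists.
     *
     * The exception is logged for diagnostics only. Its message never drives the
     * decision: several independent failures may exist and the one reported is
     * not guaranteed to be the most severe, so a caller must simply fail closed.
     */
    public List<X509Certificate> requireTrusted(X509Certificate[] peerChain,
                                                String authType,
                                                String hostname) throws CertificateException {
        try {
            List<X509Certificate> chain =
                    trustManager.checkServerTrusted(peerChain, authType, hostname);
            log.fine(() -> "Accepted chain of " + chain.size() + " certificates for " + hostname);
            return Collections.unmodifiableList(chain);
        } catch (CertificateException e) {
            // Fail closed: no branching on e.getMessage(), no user click-through.
            log.log(Level.WARNING, "Rejected server chain for " + hostname, e);
            throw e;
        }
    }
}
```

When wiring the trust manager into an SSLContext rather than calling it directly, the Socket and SSLEngine overloads listed under "Specified by: X509ExtendedTrustManager" are the ones the TLS stack invokes; the String-hostname overload used here is the backward-compatibility entry point the page describes.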
- verifyChain
  private List<X509Certificate> verifyChain(List<X509Certificate> untrustedChain, List<TrustAnchor> trustAnchorChain, String host, boolean clientAuth, byte[] ocspData, byte[] tlsSctData) throws CertificateException
  Throws: CertificateException
- checkBlocklist
  Throws: CertificateException
- checkCT
  private void checkCT(String host, List<X509Certificate> chain, byte[] ocspData, byte[] tlsData) throws CertificateException
  Throws: CertificateException
- setOcspResponses
  Sets the OCSP response data that was possibly stapled to the TLS response.
- sortPotentialAnchors
  Sort potential anchors so that the most preferred for use come first.
- findAllTrustAnchorsByIssuerAndSignature
  Find all possible issuing trust anchors of cert.
- findTrustAnchorBySubjectAndPublicKey
  Check the trustedCertificateIndex for the cert to see if it is already trusted and, failing that, check the KeyStore if it is available.
- getAcceptedIssuers
- setDefaultHostnameVerifier
  Set the default hostname verifier that will be used for HTTPS endpoint identification. If null (the default), endpoint identification will use the default hostname verifier set in HttpsURLConnection.setDefaultHostnameVerifier(javax.net.ssl.HostnameVerifier).
- getDefaultHostnameVerifier
  Returns the currently-set default hostname verifier.
- setHostnameVerifier
  Set the hostname verifier that will be used for HTTPS endpoint identification. If null (the default), endpoint identification will use the default hostname verifier set in setDefaultHostnameVerifier(ConscryptHostnameVerifier).
- getHostnameVerifier
  ConscryptHostnameVerifier getHostnameVerifier()
  Returns the currently-set hostname verifier for this instance.
- getHttpsVerifier
- setCTEnabledOverride
  public void setCTEnabledOverride(boolean enabled)
- setCTVerifier
- setCTPolicy