Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 00a4e299 authored by Chad Brubaker's avatar Chad Brubaker
Browse files

Fix isUserAddedCertificate 

Check if the CA is in the user store directly instead of delegating to
the TrustManager. This removes one more reflection dependency between
X509TrustManagerExtensions and the default X509TrustManager.

Bug: 28138736
Change-Id: I16c17bf6230becdc0a1948b1d184212f83ee25f0
parent d92e5c31

core/java/android/net/http/X509TrustManagerExtensions.java

+5 −28
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ 
package android.net.http;



import android.annotation.SystemApi;

import android.security.net.config.UserCertificateSource;



import com.android.org.conscrypt.TrustManagerImpl;
@@ -43,7 +44,6 @@ public class X509TrustManagerExtensions { 
    // Methods to use when mDelegate is not a TrustManagerImpl and duck typing is being used.

    private final X509TrustManager mTrustManager;

    private final Method mCheckServerTrusted;

    private final Method mIsUserAddedCertificate;

    private final Method mIsSameTrustConfiguration;



    /**
@@ -57,7 +57,6 @@ public class X509TrustManagerExtensions { 
            mDelegate = (TrustManagerImpl) tm;

            mTrustManager = null;

            mCheckServerTrusted = null;

            mIsUserAddedCertificate = null;

            mIsSameTrustConfiguration = null;

            return;

        }
@@ -74,14 +73,6 @@ public class X509TrustManagerExtensions { 
            throw new IllegalArgumentException("Required method"

                    + " checkServerTrusted(X509Certificate[], String, String, String) missing");

        }

        // Check that isUserAddedCertificate is present.

        try {

            mIsUserAddedCertificate = tm.getClass().getMethod("isUserAddedCertificate",

                    X509Certificate.class);

        } catch (NoSuchMethodException e) {

            throw new IllegalArgumentException(

                    "Required method isUserAddedCertificate(X509Certificate) missing");

        }

        // Get the option isSameTrustConfiguration method.

        Method isSameTrustConfiguration = null;

        try {
@@ -128,29 +119,15 @@ public class X509TrustManagerExtensions { 
    /**

     * Checks whether a CA certificate is added by an user.

     *

     * <p>Since {@link X509TrustManager#checkServerTrusted} allows its parameter {@code chain} to

     * <p>Since {@link X509TrustManager#checkServerTrusted} may allow its parameter {@code chain} to

     * chain up to user-added CA certificates, this method can be used to perform additional

     * policies for user-added CA certificates.

     *

     * @return {@code true} to indicate that the certificate was added by the user, {@code false}

     * otherwise.

     * @return {@code true} to indicate that the certificate authority exists in the user added

     * certificate store, {@code false} otherwise.

     */

    public boolean isUserAddedCertificate(X509Certificate cert) {

        if (mDelegate != null) {

            return mDelegate.isUserAddedCertificate(cert);

        } else {

            try {

                return (Boolean) mIsUserAddedCertificate.invoke(mTrustManager, cert);

            } catch (IllegalAccessException e) {

                throw new RuntimeException("Failed to call isUserAddedCertificate", e);

            } catch (InvocationTargetException e) {

                if (e.getCause() instanceof RuntimeException) {

                    throw (RuntimeException) e.getCause();

                } else {

                    throw new RuntimeException("isUserAddedCertificate failed", e.getCause());

                }

            }

        }

        return UserCertificateSource.getInstance().findBySubjectAndPublicKey(cert) != null;

    }



    /**

core/java/android/security/net/config/NetworkSecurityTrustManager.java

+0 −9
Original line number Diff line number Diff line
@@ -115,15 +115,6 @@ public class NetworkSecurityTrustManager extends X509ExtendedTrustManager { 
        return trustedChain;

    }



    /**

     * Check if the provided certificate is a user added certificate authority.

     * This is required by android.net.http.X509TrustManagerExtensions.

     */

    public boolean isUserAddedCertificate(X509Certificate cert) {

        // TODO: Figure out the right way to handle this, and if it is still even used.

        return false;

    }



    private void checkPins(List<X509Certificate> chain) throws CertificateException {

        PinSet pinSet = mNetworkSecurityConfig.getPins();

        if (pinSet.pins.isEmpty()

core/java/android/security/net/config/RootTrustManager.java

+0 −9
Original line number Diff line number Diff line
@@ -131,15 +131,6 @@ public class RootTrustManager extends X509ExtendedTrustManager { 
        return config.getTrustManager().checkServerTrusted(certs, authType, hostname);

    }



    /**

     * Check if the provided certificate is a user added certificate authority.

     * This is required by android.net.http.X509TrustManagerExtensions.

     */

    public boolean isUserAddedCertificate(X509Certificate cert) {

        // TODO: Figure out the right way to handle this, and if it is still even used.

        return false;

    }



    @Override

    public X509Certificate[] getAcceptedIssuers() {

        // getAcceptedIssuers is meant to be used to determine which trust anchors the server will