Add checkServerTrusted with OCSP and TlsData parameters to RootTrustManager (6d3abaec) · Commits · e / os / android_frameworks_base

core/java/android/security/net/config/NetworkSecurityTrustManager.java

+18 −4

Original line number	Diff line number	Diff line
		@@ -16,16 +16,17 @@

		package android.security.net.config;

		import android.util.ArrayMap;

		import com.android.org.conscrypt.TrustManagerImpl;

		import android.util.ArrayMap;
		import java.io.IOException;
		import java.net.Socket;
		import java.security.cert.CertificateException;
		import java.security.cert.X509Certificate;
		import java.security.GeneralSecurityException;
		import java.security.KeyStore;
		import java.security.MessageDigest;
		import java.security.cert.CertificateException;
		import java.security.cert.X509Certificate;
		import java.util.List;
		import java.util.Map;
		import java.util.Set;
		@@ -105,7 +106,7 @@ public class NetworkSecurityTrustManager extends X509ExtendedTrustManager {

		/**
		* Hostname aware version of {@link #checkServerTrusted(X509Certificate[], String)}.
		* This interface is used by conscrypt and android.net.http.X509TrustManagerExtensions do not
		* This interface is used by Conscrypt and android.net.http.X509TrustManagerExtensions do not
		* modify without modifying those callers.
		*/
		public List<X509Certificate> checkServerTrusted(X509Certificate[] certs, String authType,
		@@ -115,6 +116,19 @@ public class NetworkSecurityTrustManager extends X509ExtendedTrustManager {
		return trustedChain;
		}

		/**
		* This interface is used by Conscrypt and android.net.http.X509TrustManagerExtensions do not
		* modify without modifying those callers.
		*/
		public List<X509Certificate> checkServerTrusted(X509Certificate[] certs,
		byte[] ocspData, byte[] tlsSctData, String authType,
		String host) throws CertificateException {
		List<X509Certificate> trustedChain = mDelegate.checkServerTrusted(
		certs, ocspData, tlsSctData, authType, host);
		checkPins(trustedChain);
		return trustedChain;
		}

		private void checkPins(List<X509Certificate> chain) throws CertificateException {
		PinSet pinSet = mNetworkSecurityConfig.getPins();
		if (pinSet.pins.isEmpty()

core/java/android/security/net/config/RootTrustManager.java

+17 −1

Original line number	Diff line number	Diff line
		@@ -120,7 +120,7 @@ public class RootTrustManager extends X509ExtendedTrustManager {

		/**
		* Hostname aware version of {@link #checkServerTrusted(X509Certificate[], String)}.
		* This interface is used by conscrypt and android.net.http.X509TrustManagerExtensions do not
		* This interface is used by Conscrypt and android.net.http.X509TrustManagerExtensions do not
		* modify without modifying those callers.
		*/
		@UnsupportedAppUsage
		@@ -134,6 +134,22 @@ public class RootTrustManager extends X509ExtendedTrustManager {
		return config.getTrustManager().checkServerTrusted(certs, authType, hostname);
		}

		/**
		* This interface is used by Conscrypt and android.net.http.X509TrustManagerExtensions do not
		* modify without modifying those callers.
		*/
		public List<X509Certificate> checkServerTrusted(X509Certificate[] certs,
		byte[] ocspData, byte[] tlsSctData, String authType,
		String hostname) throws CertificateException {
		if (hostname == null && mConfig.hasPerDomainConfigs()) {
		throw new CertificateException(
		"Domain specific configurations require that the hostname be provided");
		}
		NetworkSecurityConfig config = mConfig.getConfigForHostname(hostname);
		return config.getTrustManager().checkServerTrusted(
		certs, ocspData, tlsSctData, authType, hostname);
		}

		@Override
		public X509Certificate[] getAcceptedIssuers() {
		// getAcceptedIssuers is meant to be used to determine which trust anchors the server will