
Commit fa9beebb authored by Chad Brubaker's avatar Chad Brubaker

Expose findByIssuerAndSignature

This will be used to create a custom conscrypt TrustedCertificateStore
to avoid loading all of the trusted certificates into memory in a
keystore.

Change-Id: Iaf54b691393ecadae6c7ff56b8adc6a2a2923d29
parent 6fea6611
+1 −0
@@ -23,4 +23,5 @@ import java.security.cert.X509Certificate;
public interface CertificateSource {
    Set<X509Certificate> getCertificates();
    X509Certificate findBySubjectAndPublicKey(X509Certificate cert);
    X509Certificate findByIssuerAndSignature(X509Certificate cert);
}
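Review bot: The new `findByIssuerAndSignature` on `CertificateSource` has no Javadoc, so the contract implementers must meet is only visible by reading the implementations in this commit. I would add above it: `/** Returns a certificate from this source whose subject matches {@code cert}'s issuer and whose public key verifies {@code cert}'s signature, or {@code null} if none does. */`. Stating the null return, and that the signature is cryptographically verified rather than only the issuer name matched, matters because callers wrap the result in a trust anchor.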
+9 −0
@@ -51,4 +51,13 @@ public final class CertificatesEntryRef {

        return new TrustAnchor(foundCert, mOverridesPins);
    }

    public TrustAnchor findByIssuerAndSignature(X509Certificate cert) {
        X509Certificate foundCert = mSource.findByIssuerAndSignature(cert);
        if (foundCert == null) {
            return null;
        }

        return new TrustAnchor(foundCert, mOverridesPins);
    }
}
+15 −0
@@ -94,6 +94,21 @@ abstract class DirectoryCertificateSource implements CertificateSource {
        });
    }

    @Override
    public X509Certificate findByIssuerAndSignature(final X509Certificate cert) {
        return findCert(cert.getIssuerX500Principal(), new CertSelector() {
            @Override
            public boolean match(X509Certificate ca) {
                try {
                    cert.verify(ca.getPublicKey());
                    return true;
                } catch (Exception e) {
                    return false;
                }
            }
        });
    }

    private static interface CertSelector {
        boolean match(X509Certificate cert);
    }
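Review bot: The `catch (Exception e)` in the `match` callback of `findByIssuerAndSignature` treats every failure as "no match", including runtime exceptions that point to a bug rather than a bad signature. The result fails closed, which is the safe direction, but a provider fault or an unexpected null would silently make a trusted issuer look absent and be hard to diagnose. `X509Certificate.verify(PublicKey)` declares only checked exceptions that extend `GeneralSecurityException`, so the handler can be narrowed to `} catch (GeneralSecurityException e) {`, with the matching import added outside this hunk. `findCert` is defined outside the hunk, so how candidate certificates are enumerated is not visible here.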
+10 −0
@@ -80,4 +80,14 @@ class KeyStoreCertificateSource implements CertificateSource {
        }
        return anchor.getTrustedCert();
    }

    @Override
    public X509Certificate findByIssuerAndSignature(X509Certificate cert) {
        ensureInitialized();
        java.security.cert.TrustAnchor anchor = mIndex.findByIssuerAndSignature(cert);
        if (anchor == null) {
            return null;
        }
        return anchor.getTrustedCert();
    }
}
+11 −0
@@ -134,6 +134,17 @@ public final class NetworkSecurityConfig {
        return null;
    }

    /** @hide */
    public TrustAnchor findTrustAnchorByIssuerAndSignature(X509Certificate cert) {
        for (CertificatesEntryRef ref : mCertificatesEntryRefs) {
            TrustAnchor anchor = ref.findByIssuerAndSignature(cert);
            if (anchor != null) {
                return anchor;
            }
        }
        return null;
    }

    /**
     * Return a {@link Builder} for the default {@code NetworkSecurityConfig}.
     *
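Review bot: `findTrustAnchorByIssuerAndSignature` carries only `/** @hide */`, and the first-match behaviour of its loop deserves a comment. The method returns the anchor from the first entry in `mCertificatesEntryRefs` whose source holds a matching issuer. Going by `CertificatesEntryRef` in this commit, that anchor takes the ref's `mOverridesPins` value, so when the same CA sits in more than one source, the order of the refs decides whether pins are overridden. I would extend the comment along the lines of `Returns the TrustAnchor from the first certificates entry that contains the issuer of {@code cert}, or {@code null} if none does.` and state the order in which entries are consulted. That order is set outside this hunk and should be confirmed before it is documented.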