/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security.net.config;
import com.android.org.conscrypt.TrustManagerImpl;
import android.util.ArrayMap;
import java.io.IOException;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
/**
* {@link X509ExtendedTrustManager} that implements the trust anchor and pinning for a
* given {@link NetworkSecurityConfig}.
* @hide
*/
public class NetworkSecurityTrustManager extends X509ExtendedTrustManager {
    // TODO: Replace this with a general X509TrustManager and use duck-typing.
    private final TrustManagerImpl mTrustManager;
    private final NetworkSecurityConfig mConfig;
    private final Object mIssuerCacheLock = new Object();
    // Built lazily from mConfig's trust anchors; null means "not built yet" or invalidated by
    // handleTrustStorageUpdate(). Guarded by mIssuerCacheLock.
    private X509Certificate[] mCachedIssuers;

    /**
     * Creates a trust manager that enforces the trust anchors and pins of {@code config}.
     *
     * @param config the network security configuration to enforce; must not be null
     * @throws NullPointerException if {@code config} is null
     * @throws RuntimeException if the delegate trust manager cannot be set up
     */
    public NetworkSecurityTrustManager(NetworkSecurityConfig config) {
        if (config == null) {
            throw new NullPointerException("config must not be null");
        }
        mConfig = config;
        try {
            TrustedCertificateStoreAdapter anchorStore = new TrustedCertificateStoreAdapter(config);
            // TrustManagerImpl rejects a null KeyStore, so hand it an empty one; certificate
            // lookups are served by anchorStore instead.
            KeyStore emptyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            emptyStore.load(null);
            mTrustManager = new TrustManagerImpl(emptyStore, null, anchorStore);
        } catch (GeneralSecurityException | IOException e) {
            throw new RuntimeException(e);
        }
    }

    /** Delegates client-certificate validation entirely to the underlying trust manager. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        mTrustManager.checkClientTrusted(chain, authType);
    }

    /** Delegates client-certificate validation entirely to the underlying trust manager. */
    @Override
    public void checkClientTrusted(X509Certificate[] certs, String authType, Socket socket)
            throws CertificateException {
        mTrustManager.checkClientTrusted(certs, authType, socket);
    }

    /** Delegates client-certificate validation entirely to the underlying trust manager. */
    @Override
    public void checkClientTrusted(X509Certificate[] certs, String authType, SSLEngine engine)
            throws CertificateException {
        mTrustManager.checkClientTrusted(certs, authType, engine);
    }

    /**
     * Validates a server chain without hostname information; equivalent to calling
     * {@link #checkServerTrusted(X509Certificate[], String, String)} with a null host.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] certs, String authType)
            throws CertificateException {
        checkServerTrusted(certs, authType, (String) null);
    }

    /**
     * Validates the server chain through the delegate and then checks the resulting trusted
     * chain against the configured pins.
     *
     * @throws CertificateException if the chain is untrusted or fails pin verification
     */
    @Override
    public void checkServerTrusted(X509Certificate[] certs, String authType, Socket socket)
            throws CertificateException {
        enforcePins(mTrustManager.getTrustedChainForServer(certs, authType, socket));
    }

    /**
     * Validates the server chain through the delegate and then checks the resulting trusted
     * chain against the configured pins.
     *
     * @throws CertificateException if the chain is untrusted or fails pin verification
     */
    @Override
    public void checkServerTrusted(X509Certificate[] certs, String authType, SSLEngine engine)
            throws CertificateException {
        enforcePins(mTrustManager.getTrustedChainForServer(certs, authType, engine));
    }

    /**
     * Hostname aware version of {@link #checkServerTrusted(X509Certificate[], String)}.
     * This method is called by conscrypt and android.net.http.X509TrustManagerExtensions; do not
     * modify its signature without updating those callers.
     *
     * @return the trusted chain built by the delegate, after it has passed pin verification
     * @throws CertificateException if the chain is untrusted or fails pin verification
     */
    public List<X509Certificate> checkServerTrusted(X509Certificate[] certs, String authType,
            String host) throws CertificateException {
        List<X509Certificate> trustedChain = mTrustManager.checkServerTrusted(certs, authType, host);
        enforcePins(trustedChain);
        return trustedChain;
    }

    /**
     * Checks the already-validated chain against the configuration's pin set.
     *
     * <p>Pins are not enforced when the pin set is empty, when the pin set's expiration time has
     * passed (wall clock), or when the chain's trust anchor overrides pins. Otherwise the chain
     * passes if the digest of any certificate's encoded public key (SPKI), under any of the
     * pinned algorithms, matches a configured pin. The chain is scanned from the anchor toward
     * the leaf.
     *
     * @param trustedChain the chain returned by the delegate, leaf first, anchor last
     * @throws CertificateException if pins apply and no certificate in the chain matches one, or
     *         if the chain does not end in a known trust anchor
     */
    private void enforcePins(List<X509Certificate> trustedChain) throws CertificateException {
        PinSet pinSet = mConfig.getPins();
        // Same evaluation order as the original guard: the anchor lookup (which may throw) only
        // happens when the pin set is non-empty and unexpired.
        boolean pinsApply = !pinSet.pins.isEmpty()
                && System.currentTimeMillis() <= pinSet.expirationTime
                && isPinningEnforced(trustedChain);
        if (!pinsApply) {
            return;
        }
        Set<String> algorithms = pinSet.getPinAlgorithms();
        Map<String, MessageDigest> digests =
                new ArrayMap<String, MessageDigest>(algorithms.size());
        for (int idx = trustedChain.size(); idx-- > 0; ) {
            byte[] encodedSpki = trustedChain.get(idx).getPublicKey().getEncoded();
            for (String algorithm : algorithms) {
                MessageDigest md = digestFor(digests, algorithm);
                if (pinSet.pins.contains(new Pin(algorithm, md.digest(encodedSpki)))) {
                    return;
                }
            }
        }
        // TODO: Throw a subclass of CertificateException which indicates a pinning failure.
        throw new CertificateException("Pin verification failed");
    }

    /**
     * Returns the {@link MessageDigest} for {@code algorithm} from {@code cache}, creating and
     * caching it on first use.
     *
     * @throws RuntimeException if the algorithm is not available
     */
    private static MessageDigest digestFor(Map<String, MessageDigest> cache, String algorithm) {
        MessageDigest md = cache.get(algorithm);
        if (md != null) {
            return md;
        }
        try {
            md = MessageDigest.getInstance(algorithm);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
        cache.put(algorithm, md);
        return md;
    }

    /**
     * Decides whether pins apply to {@code chain} by looking at its anchor.
     *
     * @return false for an empty chain; otherwise the inverse of the anchor's
     *         {@code overridesPins} flag
     * @throws CertificateException if the last certificate is not one of the configured anchors
     */
    private boolean isPinningEnforced(List<X509Certificate> chain) throws CertificateException {
        if (chain.isEmpty()) {
            return false;
        }
        X509Certificate root = chain.get(chain.size() - 1);
        TrustAnchor anchor = mConfig.findTrustAnchorBySubjectAndPublicKey(root);
        if (anchor == null) {
            throw new CertificateException("Trusted chain does not end in a TrustAnchor");
        }
        return !anchor.overridesPins;
    }

    /**
     * Returns a copy of the anchor certificates from the configuration.
     *
     * <p>TrustManagerImpl answers getAcceptedIssuers only from the KeyStore it was given (empty
     * here), not from the TrustedCertificateStore, so the anchors are enumerated locally.
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        synchronized (mIssuerCacheLock) {
            if (mCachedIssuers == null) {
                mCachedIssuers = collectAnchorCertificates();
            }
            // Clone so callers cannot mutate the cached array.
            return mCachedIssuers.clone();
        }
    }

    /** Builds an array of the certificates of every configured trust anchor. */
    private X509Certificate[] collectAnchorCertificates() {
        Set<TrustAnchor> anchors = mConfig.getTrustAnchors();
        X509Certificate[] certs = new X509Certificate[anchors.size()];
        int next = 0;
        for (TrustAnchor anchor : anchors) {
            certs[next] = anchor.certificate;
            next++;
        }
        return certs;
    }

    /**
     * Drops the cached issuer list and forwards the update notification to the delegate, so
     * both reflect the current trust storage on the next call.
     */
    public void handleTrustStorageUpdate() {
        synchronized (mIssuerCacheLock) {
            mCachedIssuers = null;
            mTrustManager.handleTrustStorageUpdate();
        }
    }
}