Package org.conscrypt
Class TrustManagerImpl
java.lang.Object
javax.net.ssl.X509ExtendedTrustManager
org.conscrypt.TrustManagerImpl
- All Implemented Interfaces: TrustManager, X509TrustManager
TrustManager implementation. The implementation is based on the CertPathValidator PKIX and CertificateFactory X509 implementations. This implementation should be provided by some certification provider.
Nested Class Summary
Nested classes (modifier and type, description):
- private static class: If an EKU extension is present in the end-entity certificate, it MUST contain an appropriate key usage.
- private static class TrustAnchorComparator: Comparator for sorting TrustAnchors using a CertificatePriorityComparator.
Field Summary
Fields (modifier and type, field, description):
- private final X509Certificate[] acceptedIssuers: This is lazily initialized in the AndroidCAStore case since it forces us to bring all the CAs into memory.
- private final CertBlocklist blocklist
- private boolean ctEnabledOverride
- private CTPolicy ctPolicy
- private CTVerifier ctVerifier
- private static ConscryptHostnameVerifier defaultHostnameVerifier
- private final Exception err
- private final CertificateFactory factory
- private ConscryptHostnameVerifier hostnameVerifier
- private final TrustedCertificateIndex intermediateIndex: An index of intermediate certificates that we've seen.
- private static final Logger logger
- private CertPinManager pinManager: The CertPinManager, which validates the chain against a host-to-pin mapping.
- private final KeyStore rootKeyStore: The AndroidCAStore if non-null, null otherwise.
- private static final TrustManagerImpl.TrustAnchorComparator TRUST_ANCHOR_COMPARATOR: Comparator used for ordering trust anchors during certificate path building.
- private final TrustedCertificateIndex trustedCertificateIndex: An index of TrustAnchor instances that we've seen.
- private final ConscryptCertStore trustedCertificateStore: The backing store for the AndroidCAStore if non-null.
- private final CertPathValidator validator
Constructor Summary
Constructors (constructor, description):
- TrustManagerImpl(KeyStore keyStore): Creates X509TrustManager based on a keystore.
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager)
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore)
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist)
- TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist, CTLogStore ctLogStore, CTVerifier ctVerifier, CTPolicy ctPolicy): For testing only.
Method Summary
Methods (modifier and type, method, description):
- private static X509Certificate[] acceptedIssuers
- private void checkBlocklist
- void checkClientTrusted(X509Certificate[] chain, String authType)
- List<X509Certificate> checkClientTrusted(X509Certificate[] chain, String authType, String hostname): For backward compatibility with older Android API that used String for the hostname only.
- void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- private void checkCT(String host, List<X509Certificate> chain, byte[] ocspData, byte[] tlsData)
- void checkServerTrusted(X509Certificate[] chain, String authType)
- List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String hostname): For backward compatibility with older Android API that used String for the hostname only.
- void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, SSLSession session): Validates whether a server is trusted.
- private List<X509Certificate> checkTrusted(X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, String authType, String host, boolean clientAuth)
- private List<X509Certificate> checkTrusted(X509Certificate[] certs, String authType, SSLSession session, SSLParameters parameters, boolean clientAuth)
- private List<X509Certificate> checkTrustedRecursive(X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, String host, boolean clientAuth, ArrayList<X509Certificate> untrustedChain, ArrayList<TrustAnchor> trustAnchorChain, Set<X509Certificate> used): Recursively build certificate chains until a valid chain is found or all possible paths are exhausted.
- private Set<TrustAnchor> findAllTrustAnchorsByIssuerAndSignature: Find all possible issuing trust anchors of cert.
- private TrustAnchor findTrustAnchorBySubjectAndPublicKey: Check the trustedCertificateIndex for the cert to see if it is already trusted and, failing that, check the KeyStore if it is available.
- (package private) static ConscryptHostnameVerifier getDefaultHostnameVerifier: Returns the currently-set default hostname verifier.
- private static SSLSession getHandshakeSessionOrThrow(SSLSocket sslSocket)
- (package private) ConscryptHostnameVerifier getHostnameVerifier: Returns the currently-set hostname verifier for this instance.
- private ConscryptHostnameVerifier getHttpsVerifier
- private static byte[] getOcspDataFromSession(SSLSession session)
- private byte[] getTlsSctDataFromSession(SSLSession session)
- List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs, String authType, Socket socket): Returns the full trusted certificate chain found from certs.
- List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs, String authType, SSLEngine engine): Returns the full trusted certificate chain found from certs.
- void handleTrustStorageUpdate()
- void setCTEnabledOverride(boolean enabled)
- void setCTPolicy(CTPolicy policy)
- void setCTVerifier(CTVerifier verifier)
- (package private) static void setDefaultHostnameVerifier: Set the default hostname verifier that will be used for HTTPS endpoint identification.
- (package private) void setHostnameVerifier(ConscryptHostnameVerifier verifier): Set the hostname verifier that will be used for HTTPS endpoint identification.
- private void setOcspResponses(PKIXParameters params, X509Certificate cert, byte[] ocspData): Sets the OCSP response data that was possibly stapled to the TLS response.
- private static Collection<TrustAnchor> sortPotentialAnchors(Set<TrustAnchor> anchors): Sort potential anchors so that the most preferred for use come first.
- private static Set<TrustAnchor> trustAnchors(X509Certificate[] certs)
- private List<X509Certificate> verifyChain(List<X509Certificate> untrustedChain, List<TrustAnchor> trustAnchorChain, String host, boolean clientAuth, byte[] ocspData, byte[] tlsSctData)
Field Details

logger

TRUST_ANCHOR_COMPARATOR
Comparator used for ordering trust anchors during certificate path building.

defaultHostnameVerifier

rootKeyStore
The AndroidCAStore if non-null, null otherwise.

pinManager
The CertPinManager, which validates the chain against a host-to-pin mapping.

trustedCertificateStore
The backing store for the AndroidCAStore if non-null. This will be null when the rootKeyStore is null, implying we are not using the AndroidCAStore.

validator

trustedCertificateIndex
An index of TrustAnchor instances that we've seen.

intermediateIndex
An index of intermediate certificates that we've seen. These certificates are NOT implicitly trusted and must still form a valid chain to an anchor.

acceptedIssuers
This is lazily initialized in the AndroidCAStore case since it forces us to bring all the CAs into memory. In the non-AndroidCAStore case, we initialize this as part of the constructor.

err

factory

blocklist

ctVerifier

ctPolicy

hostnameVerifier

ctEnabledOverride
private boolean ctEnabledOverride

Constructor Details

TrustManagerImpl
public TrustManagerImpl(KeyStore keyStore)
Creates X509TrustManager based on a keystore.
- Parameters: keyStore

TrustManagerImpl
public TrustManagerImpl(KeyStore keyStore, CertPinManager manager)

TrustManagerImpl
public TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore)

TrustManagerImpl
public TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist)

TrustManagerImpl
public TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist, CTLogStore ctLogStore, CTVerifier ctVerifier, CTPolicy ctPolicy)
For testing only.

Method Details

acceptedIssuers

trustAnchors

checkClientTrusted
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
- Throws: CertificateException

checkClientTrusted
public List<X509Certificate> checkClientTrusted(X509Certificate[] chain, String authType, String hostname) throws CertificateException
For backward compatibility with older Android API that used String for the hostname only.
- Throws: CertificateException

getHandshakeSessionOrThrow
private static SSLSession getHandshakeSessionOrThrow(SSLSocket sslSocket) throws CertificateException
- Throws: CertificateException

checkClientTrusted
public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
- Specified by: checkClientTrusted in class X509ExtendedTrustManager
- Throws: CertificateException

checkClientTrusted
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
- Specified by: checkClientTrusted in class X509ExtendedTrustManager
- Throws: CertificateException

checkServerTrusted
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
- Throws: CertificateException

checkServerTrusted
public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String hostname) throws CertificateException
For backward compatibility with older Android API that used String for the hostname only.
- Throws: CertificateException

getTrustedChainForServer
public List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs, String authType, Socket socket) throws CertificateException
Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.
- Throws: CertificateException

getTrustedChainForServer
public List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs, String authType, SSLEngine engine) throws CertificateException
Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.
- Throws: CertificateException

checkServerTrusted
public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
- Specified by: checkServerTrusted in class X509ExtendedTrustManager
- Throws: CertificateException

checkServerTrusted
public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
- Specified by: checkServerTrusted in class X509ExtendedTrustManager
- Throws: CertificateException

checkServerTrusted
public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, SSLSession session) throws CertificateException
Validates whether a server is trusted. If session is given and non-null it also checks if chain is pinned appropriately for that peer host. If null, it does not check for pinned certs. The return value is a list of the certificates used for making the trust decision.
- Throws: CertificateException

handleTrustStorageUpdate
public void handleTrustStorageUpdate()

checkTrusted
private List<X509Certificate> checkTrusted(X509Certificate[] certs, String authType, SSLSession session, SSLParameters parameters, boolean clientAuth) throws CertificateException
- Throws: CertificateException

getOcspDataFromSession

getTlsSctDataFromSession

checkTrusted
private List<X509Certificate> checkTrusted(X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, String authType, String host, boolean clientAuth) throws CertificateException
- Throws: CertificateException

checkTrustedRecursive
private List<X509Certificate> checkTrustedRecursive(X509Certificate[] certs, byte[] ocspData, byte[] tlsSctData, String host, boolean clientAuth, ArrayList<X509Certificate> untrustedChain, ArrayList<TrustAnchor> trustAnchorChain, Set<X509Certificate> used) throws CertificateException
Recursively build certificate chains until a valid chain is found or all possible paths are exhausted. The chain is built in two sections; the complete trusted path is the combination of untrustedChain and trustAnchorChain. The chain begins at the leaf certificate and ends in the final trusted root certificate.
- Parameters:
  - certs - the bag of certs provided by the peer. No order is assumed.
  - host - the host being connected to.
  - clientAuth - if a client is being authorized instead of a server.
  - untrustedChain - the untrusted section of the chain built so far. Must be mutable.
  - trustAnchorChain - the trusted section of the chain built so far. Must be mutable.
  - used - the set of certificates used so far in path building. Must be mutable.
- Returns: The entire valid chain starting with the leaf certificate. This is the concatenation of untrustedChain and trustAnchorChain.
- Throws: CertificateException - If no valid chain could be constructed. Note that there may be multiple reasons why no valid chain exists and there is no guarantee that the most severe is reported in this exception. As such applications MUST NOT use the specifics of this error for trust decisions (e.g. showing the user a click through page based on the specific error).
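As an added example (not Conscrypt's own code), the following uses the public entry points documented on this page to validate a peer's unordered certificate bag against a trust store, and applies the contract stated for checkTrustedRecursive: the failure reason is not a trust signal, so the caller fails closed rather than inspecting the exception. Assumed: a trust-store file path and password supplied by the caller, and the literal authType "ECDHE_RSA" standing in for the handshake's real key-exchange type.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import org.conscrypt.TrustManagerImpl;

/** Added example (not Conscrypt's own code): validate a peer chain with TrustManagerImpl. */
public final class PeerChainValidation {

    private PeerChainValidation() {}

    /**
     * Returns the validated path, leaf first and trust anchor last, or throws
     * CertificateException when no trusted chain can be built from the bag.
     * Assumed inputs: a JKS/PKCS12 file of CA certificates and the peer's certificates.
     */
    public static List<X509Certificate> trustedPath(String trustStorePath, char[] storePassword,
            X509Certificate[] peerCerts, String host) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, storePassword);
        }
        // Constructor documented above: an X509TrustManager backed by this keystore.
        TrustManagerImpl tm = new TrustManagerImpl(trustStore);
        // The hostname overload builds the path from the unordered bag in peerCerts and,
        // because a host is supplied, also applies pinning when a CertPinManager is set.
        // authType is the handshake's key-exchange type; "ECDHE_RSA" is an assumed value.
        return tm.checkServerTrusted(peerCerts, "ECDHE_RSA", host);
    }

    /** Fail-closed wrapper: any validation failure means "not trusted". */
    public static boolean isTrusted(String trustStorePath, char[] storePassword,
            X509Certificate[] peerCerts, String host) {
        try {
            List<X509Certificate> path = trustedPath(trustStorePath, storePassword, peerCerts, host);
            System.out.println("leaf:   " + path.get(0).getSubjectX500Principal());
            System.out.println("anchor: " + path.get(path.size() - 1).getSubjectX500Principal());
            return true;
        } catch (CertificateException e) {
            // checkTrustedRecursive's contract: the reported reason is not guaranteed to be
            // the most severe one, so never branch on e.getMessage() (no "click through").
            return false;
        } catch (Exception e) {
            // Keystore I/O or provider problems are configuration errors; also fail closed.
            return false;
        }
    }
}
```

Hostname (endpoint) identification is a separate step handled by the hostname verifier setters documented below, not by this overload.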

verifyChain
private List<X509Certificate> verifyChain(List<X509Certificate> untrustedChain, List<TrustAnchor> trustAnchorChain, String host, boolean clientAuth, byte[] ocspData, byte[] tlsSctData) throws CertificateException
- Throws: CertificateException

checkBlocklist
- Throws: CertificateException

checkCT
private void checkCT(String host, List<X509Certificate> chain, byte[] ocspData, byte[] tlsData) throws CertificateException
- Throws: CertificateException

setOcspResponses
Sets the OCSP response data that was possibly stapled to the TLS response.

sortPotentialAnchors
Sort potential anchors so that the most preferred for use come first.

findAllTrustAnchorsByIssuerAndSignature
Find all possible issuing trust anchors of cert.

findTrustAnchorBySubjectAndPublicKey
Check the trustedCertificateIndex for the cert to see if it is already trusted and, failing that, check the KeyStore if it is available.

getAcceptedIssuers

setDefaultHostnameVerifier
Set the default hostname verifier that will be used for HTTPS endpoint identification. If null (the default), endpoint identification will use the default hostname verifier set in HttpsURLConnection.setDefaultHostnameVerifier(javax.net.ssl.HostnameVerifier).

getDefaultHostnameVerifier
Returns the currently-set default hostname verifier.

setHostnameVerifier
Set the hostname verifier that will be used for HTTPS endpoint identification. If null (the default), endpoint identification will use the default hostname verifier set in setDefaultHostnameVerifier(ConscryptHostnameVerifier).

getHostnameVerifier
ConscryptHostnameVerifier getHostnameVerifier()
Returns the currently-set hostname verifier for this instance.

getHttpsVerifier

setCTEnabledOverride
public void setCTEnabledOverride(boolean enabled)

setCTVerifier

setCTPolicy