| author | 2015-11-17 19:05:17 +0000 | |
|---|---|---|
| committer | 2015-11-17 19:05:17 +0000 | |
| commit | d2347a89fb1a01f550a1b17c68ee234958c1be42 (patch) | |
| tree | fabfcf2cafc08cdfbb35d768707bd69d6e8e1216 | |
| parent | 4b60d12ef99a31508be8aed18a53446255f94fc8 (diff) | |
| parent | e2caaea951e62a21bb1d30450e8085f3286ea538 (diff) | |
Merge "Dedupe trust anchors" am: 690b5f6c0a
am: e2caaea951
* commit 'e2caaea951e62a21bb1d30450e8085f3286ea538':
Dedupe trust anchors
| -rw-r--r-- | core/java/android/security/net/config/NetworkSecurityConfig.java | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/core/java/android/security/net/config/NetworkSecurityConfig.java b/core/java/android/security/net/config/NetworkSecurityConfig.java
index 8906f9b670d4..9eab80ca0771 100644
--- a/core/java/android/security/net/config/NetworkSecurityConfig.java
+++ b/core/java/android/security/net/config/NetworkSecurityConfig.java
@@ -16,11 +16,14 @@
 package android.security.net.config;
+import android.util.ArrayMap;
 import android.util.ArraySet;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import javax.net.ssl.X509TrustManager;
@@ -57,12 +60,24 @@ public final class NetworkSecurityConfig {
 if (mAnchors != null) {
 return mAnchors;
 }
- Set<TrustAnchor> anchors = new ArraySet<TrustAnchor>();
+ // Merge trust anchors based on the X509Certificate.
+ // If we see the same certificate in two TrustAnchors, one with overridesPins and one
+ // without, the one with overridesPins wins.
+ Map<X509Certificate, TrustAnchor> anchorMap = new ArrayMap<>();
 for (CertificatesEntryRef ref : mCertificatesEntryRefs) {
- anchors.addAll(ref.getTrustAnchors());
+ Set<TrustAnchor> anchors = ref.getTrustAnchors();
+ for (TrustAnchor anchor : anchors) {
+ if (anchor.overridesPins) {
+ anchorMap.put(anchor.certificate, anchor);
+ } else if (!anchorMap.containsKey(anchor.certificate)) {
+ anchorMap.put(anchor.certificate, anchor);
+ }
+ }
 }
+ ArraySet<TrustAnchor> anchors = new ArraySet<TrustAnchor>(anchorMap.size());
+ anchors.addAll(anchorMap.values());
 mAnchors = anchors;
- return anchors;
+ return mAnchors;
 }
 } |
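Review bot: In the inner loop of the second hunk both branches execute the same `anchorMap.put(anchor.certificate, anchor)`, so the precedence rule would be easier to audit as one condition: `if (anchor.overridesPins || !anchorMap.containsKey(anchor.certificate)) { anchorMap.put(anchor.certificate, anchor); }`. The merge only ever widens trust: a certificate that any entry lists with overridesPins ends up exempt from pinning regardless of entry order, and the diffstat shows no test change, so a test feeding the same certificate in both orders would pin that behaviour down. The dedupe also relies on `X509Certificate` equality holding across instances loaded from different sources, which is presumably by encoded form but worth confirming for the certificate classes in use. The final `return mAnchors;` still hands out the cached `ArraySet` itself, so wrapping it with `Collections.unmodifiableSet` (already imported) would stop a caller from altering the anchors seen by later callers, if the field type allows; the method's opening lines lie outside the hunk.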