diff options
3 files changed, 41 insertions, 7 deletions
diff --git a/core/java/android/security/net/config/NetworkSecurityConfig.java b/core/java/android/security/net/config/NetworkSecurityConfig.java index 503854ed64ff..8906f9b670d4 100644 --- a/core/java/android/security/net/config/NetworkSecurityConfig.java +++ b/core/java/android/security/net/config/NetworkSecurityConfig.java @@ -41,7 +41,7 @@ public final class NetworkSecurityConfig { private final List<CertificatesEntryRef> mCertificatesEntryRefs; private Set<TrustAnchor> mAnchors; private final Object mAnchorsLock = new Object(); - private X509TrustManager mTrustManager; + private NetworkSecurityTrustManager mTrustManager; private final Object mTrustManagerLock = new Object(); private NetworkSecurityConfig(boolean cleartextTrafficPermitted, boolean hstsEnforced, @@ -78,7 +78,7 @@ public final class NetworkSecurityConfig { return mPins; } - public X509TrustManager getTrustManager() { + public NetworkSecurityTrustManager getTrustManager() { synchronized(mTrustManagerLock) { if (mTrustManager == null) { mTrustManager = new NetworkSecurityTrustManager(this); diff --git a/core/java/android/security/net/config/NetworkSecurityTrustManager.java b/core/java/android/security/net/config/NetworkSecurityTrustManager.java index e69082d3deec..7f5b3ca27bf4 100644 --- a/core/java/android/security/net/config/NetworkSecurityTrustManager.java +++ b/core/java/android/security/net/config/NetworkSecurityTrustManager.java @@ -71,9 +71,28 @@ public class NetworkSecurityTrustManager implements X509TrustManager { @Override public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { - List<X509Certificate> trustedChain = - mDelegate.checkServerTrusted(certs, authType, (String) null); + checkServerTrusted(certs, authType, null); + } + + /** + * Hostname aware version of {@link #checkServerTrusted(X509Certificate[], String)}. + * This interface is used by conscrypt and android.net.http.X509TrustManagerExtensions do not + * modify without modifying those callers. + */ + public List<X509Certificate> checkServerTrusted(X509Certificate[] certs, String authType, + String host) throws CertificateException { + List<X509Certificate> trustedChain = mDelegate.checkServerTrusted(certs, authType, host); checkPins(trustedChain); + return trustedChain; + } + + /** + * Check if the provided certificate is a user added certificate authority. + * This is required by android.net.http.X509TrustManagerExtensions. + */ + public boolean isUserAddedCertificate(X509Certificate cert) { + // TODO: Figure out the right way to handle this, and if it is still even used. + return false; } private void checkPins(List<X509Certificate> chain) throws CertificateException { diff --git a/core/java/android/security/net/config/RootTrustManager.java b/core/java/android/security/net/config/RootTrustManager.java index 1338b9ff97d4..b87bf1fe0695 100644 --- a/core/java/android/security/net/config/RootTrustManager.java +++ b/core/java/android/security/net/config/RootTrustManager.java @@ -18,6 +18,7 @@ package android.security.net.config; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; +import java.util.List; import javax.net.ssl.X509TrustManager; @@ -61,10 +62,24 @@ public class RootTrustManager implements X509TrustManager { config.getTrustManager().checkServerTrusted(certs, authType); } - public void checkServerTrusted(X509Certificate[] certs, String authType, String hostname) - throws CertificateException { + /** + * Hostname aware version of {@link #checkServerTrusted(X509Certificate[], String)}. + * This interface is used by conscrypt and android.net.http.X509TrustManagerExtensions do not + * modify without modifying those callers. + */ + public List<X509Certificate> checkServerTrusted(X509Certificate[] certs, String authType, + String hostname) throws CertificateException { NetworkSecurityConfig config = mConfig.getConfigForHostname(hostname); - config.getTrustManager().checkServerTrusted(certs, authType); + return config.getTrustManager().checkServerTrusted(certs, authType, hostname); + } + + /** + * Check if the provided certificate is a user added certificate authority. + * This is required by android.net.http.X509TrustManagerExtensions. + */ + public boolean isUserAddedCertificate(X509Certificate cert) { + // TODO: Figure out the right way to handle this, and if it is still even used. + return false; } @Override |