From 00a4e299694ccf5edc07894ca46e38602e9b4a38 Mon Sep 17 00:00:00 2001 From: Chad Brubaker Date: Tue, 12 Apr 2016 13:55:52 -0700 Subject: [PATCH] Fix isUserAddedCertificate Check if the CA is in the user store directly instead of delegating to the TrustManager. This removes one more reflection dependency between X509TrustManagerExtensions and the default X509TrustManager. Bug: 28138736 Change-Id: I16c17bf6230becdc0a1948b1d184212f83ee25f0 --- .../net/http/X509TrustManagerExtensions.java | 33 +++---------------- .../config/NetworkSecurityTrustManager.java | 9 ----- .../security/net/config/RootTrustManager.java | 9 ----- 3 files changed, 5 insertions(+), 46 deletions(-) diff --git a/core/java/android/net/http/X509TrustManagerExtensions.java b/core/java/android/net/http/X509TrustManagerExtensions.java index 87a0b709d9f80..e0fa63a5977dc 100644 --- a/core/java/android/net/http/X509TrustManagerExtensions.java +++ b/core/java/android/net/http/X509TrustManagerExtensions.java @@ -17,6 +17,7 @@ package android.net.http; import android.annotation.SystemApi; +import android.security.net.config.UserCertificateSource; import com.android.org.conscrypt.TrustManagerImpl; @@ -43,7 +44,6 @@ public class X509TrustManagerExtensions { // Methods to use when mDelegate is not a TrustManagerImpl and duck typing is being used. private final X509TrustManager mTrustManager; private final Method mCheckServerTrusted; - private final Method mIsUserAddedCertificate; private final Method mIsSameTrustConfiguration; /** @@ -57,7 +57,6 @@ public class X509TrustManagerExtensions { mDelegate = (TrustManagerImpl) tm; mTrustManager = null; mCheckServerTrusted = null; - mIsUserAddedCertificate = null; mIsSameTrustConfiguration = null; return; } @@ -74,14 +73,6 @@ public class X509TrustManagerExtensions { throw new IllegalArgumentException("Required method" + " checkServerTrusted(X509Certificate[], String, String, String) missing"); } - // Check that isUserAddedCertificate is present. - try { - mIsUserAddedCertificate = tm.getClass().getMethod("isUserAddedCertificate", - X509Certificate.class); - } catch (NoSuchMethodException e) { - throw new IllegalArgumentException( - "Required method isUserAddedCertificate(X509Certificate) missing"); - } // Get the option isSameTrustConfiguration method. Method isSameTrustConfiguration = null; try { @@ -128,29 +119,15 @@ public class X509TrustManagerExtensions { /** * Checks whether a CA certificate is added by an user. * - *

Since {@link X509TrustManager#checkServerTrusted} allows its parameter {@code chain} to + *

Since {@link X509TrustManager#checkServerTrusted} may allow its parameter {@code chain} to * chain up to user-added CA certificates, this method can be used to perform additional * policies for user-added CA certificates. * - * @return {@code true} to indicate that the certificate was added by the user, {@code false} - * otherwise. + * @return {@code true} to indicate that the certificate authority exists in the user added + * certificate store, {@code false} otherwise. */ public boolean isUserAddedCertificate(X509Certificate cert) { - if (mDelegate != null) { - return mDelegate.isUserAddedCertificate(cert); - } else { - try { - return (Boolean) mIsUserAddedCertificate.invoke(mTrustManager, cert); - } catch (IllegalAccessException e) { - throw new RuntimeException("Failed to call isUserAddedCertificate", e); - } catch (InvocationTargetException e) { - if (e.getCause() instanceof RuntimeException) { - throw (RuntimeException) e.getCause(); - } else { - throw new RuntimeException("isUserAddedCertificate failed", e.getCause()); - } - } - } + return UserCertificateSource.getInstance().findBySubjectAndPublicKey(cert) != null; } /** diff --git a/core/java/android/security/net/config/NetworkSecurityTrustManager.java b/core/java/android/security/net/config/NetworkSecurityTrustManager.java index 3c292ca54578b..d9cc82a77a854 100644 --- a/core/java/android/security/net/config/NetworkSecurityTrustManager.java +++ b/core/java/android/security/net/config/NetworkSecurityTrustManager.java @@ -115,15 +115,6 @@ public class NetworkSecurityTrustManager extends X509ExtendedTrustManager { return trustedChain; } - /** - * Check if the provided certificate is a user added certificate authority. - * This is required by android.net.http.X509TrustManagerExtensions. - */ - public boolean isUserAddedCertificate(X509Certificate cert) { - // TODO: Figure out the right way to handle this, and if it is still even used. - return false; - } - private void checkPins(List chain) throws CertificateException { PinSet pinSet = mNetworkSecurityConfig.getPins(); if (pinSet.pins.isEmpty() diff --git a/core/java/android/security/net/config/RootTrustManager.java b/core/java/android/security/net/config/RootTrustManager.java index 859e022952db9..2a30f1184a478 100644 --- a/core/java/android/security/net/config/RootTrustManager.java +++ b/core/java/android/security/net/config/RootTrustManager.java @@ -131,15 +131,6 @@ public class RootTrustManager extends X509ExtendedTrustManager { return config.getTrustManager().checkServerTrusted(certs, authType, hostname); } - /** - * Check if the provided certificate is a user added certificate authority. - * This is required by android.net.http.X509TrustManagerExtensions. - */ - public boolean isUserAddedCertificate(X509Certificate cert) { - // TODO: Figure out the right way to handle this, and if it is still even used. - return false; - } - @Override public X509Certificate[] getAcceptedIssuers() { // getAcceptedIssuers is meant to be used to determine which trust anchors the server will