Chromium Code Reviews Chromium Code Reviews
Issue 11316210:
Implement TestRootCerts for Android (Closed)
Base URL: http://git.chromium.org/chromium/src.git@master| Index: net/android/java/src/org/chromium/net/X509Util.java |
| diff --git a/net/android/java/src/org/chromium/net/X509Util.java b/net/android/java/src/org/chromium/net/X509Util.java |
| index 0c43b29b65e9bb860b5305d9a9dc357b940c4ad3..35d7010a20c3b6eee83cefdab7d4041ff3db5b0c 100644 |
| --- a/net/android/java/src/org/chromium/net/X509Util.java |
| +++ b/net/android/java/src/org/chromium/net/X509Util.java |
| @@ -7,6 +7,7 @@ package org.chromium.net; |
| import android.util.Log; |
| import java.io.ByteArrayInputStream; |
| +import java.io.IOException; |
| import java.security.KeyStore; |
| import java.security.KeyStoreException; |
| import java.security.NoSuchAlgorithmException; |
| @@ -25,14 +26,18 @@ public class X509Util { |
| private static CertificateFactory sCertificateFactory; |
| /** |
| - * Default sources of authentication trust decisions and certificate object |
| - * creation. |
| + * Trust manager backed up by the read-only system certificate store. |
| */ |
| private static X509TrustManager sDefaultTrustManager; |
| /** |
| - * Ensures that |sCertificateFactory| and |sDefaultTrustManager| are |
| - * initialized. |
| + * Trust manager backed up by a custom certificate store. |
| + */ |
| + private static X509TrustManager sLocalTrustManager; |
| + private static KeyStore sLocalKeyStore; |
| + |
| + /** |
| + * Ensures that the trust managers and certificate factory are initialized. |
| */ |
| private static synchronized void ensureInitialized() throws CertificateException, |
| KeyStoreException, NoSuchAlgorithmException { |
| @@ -40,22 +45,30 @@ public class X509Util { |
| sCertificateFactory = CertificateFactory.getInstance("X.509"); |
| } |
| if (sDefaultTrustManager == null) { |
| - sDefaultTrustManager = X509Util.createDefaultTrustManager(); |
| + sDefaultTrustManager = X509Util.createTrustManager(null); |
| + } |
| + if (sLocalKeyStore == null) { |
| + sLocalKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()); |
| + try { |
| + sLocalKeyStore.load(null); |
| + } catch(IOException e) {} // No IO operation is attempted. |
| + } |
| + if (sLocalTrustManager == null) { |
| + sLocalTrustManager = X509Util.createTrustManager(sLocalKeyStore); |
| } |
| } |
| /** |
| - * Creates a TrustManagerFactory and returns the X509TrustManager instance |
| - * if one can be found. |
| - * |
| - * @throws CertificateException,KeyStoreException,NoSuchAlgorithmException |
| - * on error initializing the TrustManager. |
| + * Creates a X509TrustManager backed up by the given key store. When null |
| + * is passed as a key store, system default trust store is used. |
| + * @throws KeyStoreException, NoSuchAlgorithmException on error |
| + * initializing the TrustManager. |
| */ |
| - private static X509TrustManager createDefaultTrustManager() |
| + private static X509TrustManager createTrustManager(KeyStore keyStore) |
| throws KeyStoreException, NoSuchAlgorithmException { |
| String algorithm = TrustManagerFactory.getDefaultAlgorithm(); |
| TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm); |
| - tmf.init((KeyStore) null); |
| + tmf.init(keyStore); |
| for (TrustManager tm : tmf.getTrustManagers()) { |
| if (tm instanceof X509TrustManager) { |
| @@ -66,7 +79,7 @@ public class X509Util { |
| } |
| /** |
| - * Convert a DER encoded certificate to an X509Certificate |
| + * Convert a DER encoded certificate to an X509Certificate. |
| */ |
| public static X509Certificate createCertificateFromBytes(byte[] derBytes) throws |
| CertificateException, KeyStoreException, NoSuchAlgorithmException { |
| @@ -75,6 +88,25 @@ public class X509Util { |
| new ByteArrayInputStream(derBytes)); |
| } |
| + public static void addLocalRootCertificate(byte[] rootCertBytes) |
| + throws CertificateException, KeyStoreException, |
| + NoSuchAlgorithmException { |
| + ensureInitialized(); |
| + X509Certificate rootCert = createCertificateFromBytes(rootCertBytes); |
| + sLocalKeyStore.setCertificateEntry( |
| + "root_cert_" + Integer.toString(sLocalKeyStore.size()), |
| + rootCert); |
| + } |
| + |
| + public static void clearLocalRootCertificates() |
| + throws NoSuchAlgorithmException, CertificateException, KeyStoreException { |
| + ensureInitialized(); |
| + try { |
| + sLocalKeyStore.load(null); |
| + } catch(IOException e) {} // No IO operation is attempted. |
| + |
| + } |
| + |
| public static boolean verifyServerCertificates(byte[][] certChain, String authType) |
| throws CertificateException, KeyStoreException, NoSuchAlgorithmException { |
| if (certChain == null || certChain.length == 0 || certChain[0] == null) { |
| @@ -92,8 +124,14 @@ public class X509Util { |
| sDefaultTrustManager.checkServerTrusted(serverCertificates, authType); |
| return true; |
| } catch (CertificateException e) { |
| - Log.i(TAG, "failed to validate the certificate chain, error: " + |
| - e.getMessage()); |
| + try { |
|
digit1
2012/11/28 10:42:34
I think it'd be preferable to separate the usage o
ppi
2012/11/28 13:37:31
Sounds right, thanks.
In patch set 2 I use additi
|
| + sLocalTrustManager.checkServerTrusted(serverCertificates, authType); |
| + return true; |
| + } |
| + catch (CertificateException eInner) { |
| + Log.i(TAG, "failed to validate the certificate chain, error: " + |
| + eInner.getMessage()); |
|
digit1
2012/11/28 10:42:34
Doesn't this lose the exception message from the d
ppi
2012/11/28 13:37:31
Thanks, n/a in patch set 2.
On 2012/11/28 10:42:3
|
| + } |
| } |
| return false; |
| } |
