/*
* Copyright (C) 2016 Square, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package okhttp3.internal.tls;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
A certificate chain cleaner that uses a set of trusted root certificates to build the trusted chain. This class duplicates the clean chain building performed during the TLS handshake. We prefer other mechanisms where they exist, such as with okhttp3.internal.platform.AndroidPlatform.AndroidCertificateChainCleaner
. This class includes code from Conscrypt's
TrustManagerImpl
and TrustedCertificateIndex
.
/**
* A certificate chain cleaner that uses a set of trusted root certificates to build the trusted
* chain. This class duplicates the clean chain building performed during the TLS handshake. We
* prefer other mechanisms where they exist, such as with
* {@code okhttp3.internal.platform.AndroidPlatform.AndroidCertificateChainCleaner}.
*
* <p>This class includes code from <a href="https://conscrypt.org/">Conscrypt's</a> {@code
* TrustManagerImpl} and {@code TrustedCertificateIndex}.
*/
public final class BasicCertificateChainCleaner extends CertificateChainCleaner {
The maximum number of signers in a chain. We use 9 for consistency with OpenSSL. /** The maximum number of signers in a chain. We use 9 for consistency with OpenSSL. */
private static final int MAX_SIGNERS = 9;
private final TrustRootIndex trustRootIndex;
public BasicCertificateChainCleaner(TrustRootIndex trustRootIndex) {
this.trustRootIndex = trustRootIndex;
}
Returns a cleaned chain for chain
. This method throws if the complete chain to a trusted CA certificate cannot be constructed. This is unexpected unless the trust root index in this class has a different trust manager than what was used to establish chain
.
/**
* Returns a cleaned chain for {@code chain}.
*
* <p>This method throws if the complete chain to a trusted CA certificate cannot be constructed.
* This is unexpected unless the trust root index in this class has a different trust manager than
* what was used to establish {@code chain}.
*/
@Override public List<Certificate> clean(List<Certificate> chain, String hostname)
throws SSLPeerUnverifiedException {
Deque<Certificate> queue = new ArrayDeque<>(chain);
List<Certificate> result = new ArrayList<>();
result.add(queue.removeFirst());
boolean foundTrustedCertificate = false;
followIssuerChain:
for (int c = 0; c < MAX_SIGNERS; c++) {
X509Certificate toVerify = (X509Certificate) result.get(result.size() - 1);
// If this cert has been signed by a trusted cert, use that. Add the trusted certificate to
// the end of the chain unless it's already present. (That would happen if the first
// certificate in the chain is itself a self-signed and trusted CA certificate.)
X509Certificate trustedCert = trustRootIndex.findByIssuerAndSignature(toVerify);
if (trustedCert != null) {
if (result.size() > 1 || !toVerify.equals(trustedCert)) {
result.add(trustedCert);
}
if (verifySignature(trustedCert, trustedCert)) {
return result; // The self-signed cert is a root CA. We're done.
}
foundTrustedCertificate = true;
continue;
}
// Search for the certificate in the chain that signed this certificate. This is typically
// the next element in the chain, but it could be any element.
for (Iterator<Certificate> i = queue.iterator(); i.hasNext(); ) {
X509Certificate signingCert = (X509Certificate) i.next();
if (verifySignature(toVerify, signingCert)) {
i.remove();
result.add(signingCert);
continue followIssuerChain;
}
}
// We've reached the end of the chain. If any cert in the chain is trusted, we're done.
if (foundTrustedCertificate) {
return result;
}
// The last link isn't trusted. Fail.
throw new SSLPeerUnverifiedException(
"Failed to find a trusted cert that signed " + toVerify);
}
throw new SSLPeerUnverifiedException("Certificate chain too long: " + result);
}
Returns true if toVerify
was signed by signingCert
's public key. /** Returns true if {@code toVerify} was signed by {@code signingCert}'s public key. */
private boolean verifySignature(X509Certificate toVerify, X509Certificate signingCert) {
if (!toVerify.getIssuerDN().equals(signingCert.getSubjectDN())) return false;
try {
toVerify.verify(signingCert.getPublicKey());
return true;
} catch (GeneralSecurityException verifyFailed) {
return false;
}
}
@Override public int hashCode() {
return trustRootIndex.hashCode();
}
@Override public boolean equals(Object other) {
if (other == this) return true;
return other instanceof BasicCertificateChainCleaner
&& ((BasicCertificateChainCleaner) other).trustRootIndex.equals(trustRootIndex);
}
}