com.undefinedlabs.scope.deps.okhttp3.internal.tls.TrustRootIndex Maven / Gradle / Ivy

Show more of this group Show more artifacts with this name
Show all versions of scope-deps Show documentation
Scope is a APM for tests to give engineering teams unprecedented visibility into their CI process to quickly identify, troubleshoot and fix failed builds. This artifact contains dependencies for Scope.
There is a newer version: 0.14.0-beta.2
Show newest version
package com.undefinedlabs.scope.deps.okhttp3.internal.tls;

import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.PublicKey;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

public abstract class TrustRootIndex {
    /** Returns the trusted CA certificate that signed {@code cert}. */
    public abstract X509Certificate findByIssuerAndSignature(X509Certificate cert);

    public static TrustRootIndex get(X509TrustManager trustManager) {
        try {
            // From org.conscrypt.TrustManagerImpl, we want the method with this signature:
            // private TrustAnchor findTrustAnchorByIssuerAndSignature(X509Certificate lastCert);
            Method method = trustManager.getClass().getDeclaredMethod(
                    "findTrustAnchorByIssuerAndSignature", X509Certificate.class);
            method.setAccessible(true);
            return new AndroidTrustRootIndex(trustManager, method);
        } catch (NoSuchMethodException e) {
            return get(trustManager.getAcceptedIssuers());
        }
    }

    public static TrustRootIndex get(X509Certificate... caCerts) {
        return new BasicTrustRootIndex(caCerts);
    }

    /**
     * An index of trusted root certificates that exploits knowledge of Android implementation
     * details. This class is potentially much faster to initialize than {@link BasicTrustRootIndex}
     * because it doesn't need to load and index trusted CA certificates.
     *
     * This class uses APIs added to Android in API 14 (Android 4.0, released October 2011). This
     * class shouldn't be used in Android API 17 or better because those releases are better served by
     * {@link okhttp3.internal.AndroidPlatform.AndroidCertificateChainCleaner}.
     */
    static final class AndroidTrustRootIndex extends TrustRootIndex {
        private final X509TrustManager trustManager;
        private final Method findByIssuerAndSignatureMethod;

        AndroidTrustRootIndex(X509TrustManager trustManager, Method findByIssuerAndSignatureMethod) {
            this.findByIssuerAndSignatureMethod = findByIssuerAndSignatureMethod;
            this.trustManager = trustManager;
        }

        @Override public X509Certificate findByIssuerAndSignature(X509Certificate cert) {
            try {
                TrustAnchor trustAnchor = (TrustAnchor) findByIssuerAndSignatureMethod.invoke(
                        trustManager, cert);
                return trustAnchor != null
                        ? trustAnchor.getTrustedCert()
                        : null;
            } catch (IllegalAccessException e) {
                throw new AssertionError();
            } catch (InvocationTargetException e) {
                return null;
            }
        }

        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof AndroidTrustRootIndex)) {
                return false;
            }
            AndroidTrustRootIndex that = (AndroidTrustRootIndex) obj;
            return trustManager.equals(that.trustManager)
                    && findByIssuerAndSignatureMethod.equals(that.findByIssuerAndSignatureMethod);
        }

        @Override
        public int hashCode() {
            return trustManager.hashCode() + 31 * findByIssuerAndSignatureMethod.hashCode();
        }
    }

    /** A simple index that of trusted root certificates that have been loaded into memory. */
    static final class BasicTrustRootIndex extends TrustRootIndex {
        private final Map> subjectToCaCerts;

        BasicTrustRootIndex(X509Certificate... caCerts) {
            subjectToCaCerts = new LinkedHashMap<>();
            for (X509Certificate caCert : caCerts) {
                X500Principal subject = caCert.getSubjectX500Principal();
                Set subjectCaCerts = subjectToCaCerts.get(subject);
                if (subjectCaCerts == null) {
                    subjectCaCerts = new LinkedHashSet<>(1);
                    subjectToCaCerts.put(subject, subjectCaCerts);
                }
                subjectCaCerts.add(caCert);
            }
        }

        @Override public X509Certificate findByIssuerAndSignature(X509Certificate cert) {
            X500Principal issuer = cert.getIssuerX500Principal();
            Set subjectCaCerts = subjectToCaCerts.get(issuer);
            if (subjectCaCerts == null) return null;

            for (X509Certificate caCert : subjectCaCerts) {
                PublicKey publicKey = caCert.getPublicKey();
                try {
                    cert.verify(publicKey);
                    return caCert;
                } catch (Exception ignored) {
                }
            }

            return null;
        }

        @Override public boolean equals(Object other) {
            if (other == this) return true;
            return other instanceof BasicTrustRootIndex
                    && ((BasicTrustRootIndex) other).subjectToCaCerts.equals(subjectToCaCerts);
        }

        @Override public int hashCode() {
            return subjectToCaCerts.hashCode();
        }
    }
}