Add checkServerTrusted with OCSP and TlsData parameters to RootTrustManager
The default TrustManager returned on the platform is not
conscrypt.TrustManagerImpl, but RootTrustManager which relies on
NetworkSecurityTrustManager. Add checkServerTrusted for these
intermediate TrustManagers, to ensure that X509TrustManagerExtensions
can use this method.
Bug: 376139811
Test: atest CtsNetSecConfigCertificateTransparencyTestCases
Flag: android.security.certificate_transparency_configuration
Change-Id: Ie89fd855857b0ff425df4dc04c5789041bd29b54
diff --git a/core/java/android/security/net/config/NetworkSecurityTrustManager.java b/core/java/android/security/net/config/NetworkSecurityTrustManager.java
index d9cc82a..029b674 100644
--- a/core/java/android/security/net/config/NetworkSecurityTrustManager.java
+++ b/core/java/android/security/net/config/NetworkSecurityTrustManager.java
@@ -16,16 +16,17 @@
package android.security.net.config;
+import android.util.ArrayMap;
+
import com.android.org.conscrypt.TrustManagerImpl;
-import android.util.ArrayMap;
import java.io.IOException;
import java.net.Socket;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -105,7 +106,7 @@
/**
* Hostname aware version of {@link #checkServerTrusted(X509Certificate[], String)}.
- * This interface is used by conscrypt and android.net.http.X509TrustManagerExtensions do not
+ * This interface is used by Conscrypt and android.net.http.X509TrustManagerExtensions do not
* modify without modifying those callers.
*/
public List<X509Certificate> checkServerTrusted(X509Certificate[] certs, String authType,
@@ -115,6 +116,19 @@
return trustedChain;
}
+ /**
+ * This interface is used by Conscrypt and android.net.http.X509TrustManagerExtensions do not
+ * modify without modifying those callers.
+ */
+ public List<X509Certificate> checkServerTrusted(X509Certificate[] certs,
+ byte[] ocspData, byte[] tlsSctData, String authType,
+ String host) throws CertificateException {
+ List<X509Certificate> trustedChain = mDelegate.checkServerTrusted(
+ certs, ocspData, tlsSctData, authType, host);
+ checkPins(trustedChain);
+ return trustedChain;
+ }
+
private void checkPins(List<X509Certificate> chain) throws CertificateException {
PinSet pinSet = mNetworkSecurityConfig.getPins();
if (pinSet.pins.isEmpty()
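Review bot: The Javadoc on the new five-argument `checkServerTrusted` carries only the do-not-modify warning and never says what `ocspData` and `tlsSctData` are or whether they may be null. That matters because the commit message says the method exists so X509TrustManagerExtensions can call it, which makes the signature a contract with callers outside this file. I would open the comment with a summary such as `Hostname aware version of checkServerTrusted that also passes the OCSP and TLS SCT data to the delegate; pins are checked on the chain the delegate returns.` and add `@param` lines stating the null handling (presumably null means no data was supplied; confirm against the delegate). The warning itself reads better as two sentences: `This interface is used by Conscrypt and android.net.http.X509TrustManagerExtensions. Do not modify without modifying those callers.` The same applies to the new overload in RootTrustManager.java, and checkPins continues outside this hunk.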
diff --git a/core/java/android/security/net/config/RootTrustManager.java b/core/java/android/security/net/config/RootTrustManager.java
index 58dc4ba..a1bdec5 100644
--- a/core/java/android/security/net/config/RootTrustManager.java
+++ b/core/java/android/security/net/config/RootTrustManager.java
@@ -120,7 +120,7 @@
/**
* Hostname aware version of {@link #checkServerTrusted(X509Certificate[], String)}.
- * This interface is used by conscrypt and android.net.http.X509TrustManagerExtensions do not
+ * This interface is used by Conscrypt and android.net.http.X509TrustManagerExtensions do not
* modify without modifying those callers.
*/
@UnsupportedAppUsage
@@ -134,6 +134,22 @@
return config.getTrustManager().checkServerTrusted(certs, authType, hostname);
}
+ /**
+ * This interface is used by Conscrypt and android.net.http.X509TrustManagerExtensions do not
+ * modify without modifying those callers.
+ */
+ public List<X509Certificate> checkServerTrusted(X509Certificate[] certs,
+ byte[] ocspData, byte[] tlsSctData, String authType,
+ String hostname) throws CertificateException {
+ if (hostname == null && mConfig.hasPerDomainConfigs()) {
+ throw new CertificateException(
+ "Domain specific configurations require that the hostname be provided");
+ }
+ NetworkSecurityConfig config = mConfig.getConfigForHostname(hostname);
+ return config.getTrustManager().checkServerTrusted(
+ certs, ocspData, tlsSctData, authType, hostname);
+ }
+
@Override
public X509Certificate[] getAcceptedIssuers() {
// getAcceptedIssuers is meant to be used to determine which trust anchors the server will
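Review bot: The null-hostname guard in the new overload is a fail-closed check written out inline. If the three-argument overload (its body starts outside this hunk) carries the same guard, as its matching return statement suggests, the two copies can drift apart when one is edited. A private helper (suggested name `configForHostname`) that throws when `hostname == null && mConfig.hasPerDomainConfigs()` and otherwise returns `mConfig.getConfigForHostname(hostname)` would keep the check in one place, leaving the new method as `return configForHostname(hostname).getTrustManager().checkServerTrusted(certs, ocspData, tlsSctData, authType, hostname);`. A test that calls this overload with a null hostname under a per-domain configuration and expects `CertificateException` would pin the rejection. getAcceptedIssuers continues outside the hunk.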