FileDocCategorySizeDatePackage
TrustManagerImpl.javaAPI DocAndroid 1.5 API7793Wed May 06 22:41:06 BST 2009org.apache.harmony.xnet.provider.jsse

TrustManagerImpl

public class TrustManagerImpl extends Object implements X509TrustManager
TrustManager implementation. The implementation is based on CertPathValidator PKIX and CertificateFactory X509 implementations. This implementations should be provided by some certification provider.
see
javax.net.ssl.X509TrustManager

Fields Summary
private CertPathValidator
validator
private PKIXParameters
params
private Exception
err
private CertificateFactory
factory
Constructors Summary
public TrustManagerImpl(KeyStore ks)
Creates trust manager implementation

param
ks


                
       
        try {
            validator = CertPathValidator.getInstance("PKIX");
            factory = CertificateFactory.getInstance("X509");
            String alias;
            X509Certificate cert;
            byte[] nameConstrains = null;
            Set trusted = new HashSet();
            for (Enumeration en = ks.aliases(); en.hasMoreElements();) {
                alias = (String) en.nextElement();
                cert = (X509Certificate) ks.getCertificate(alias);
                if (cert != null) {
                    trusted.add(new TrustAnchor(cert, nameConstrains));
                }
            }
            params = new PKIXParameters(trusted);
            params.setRevocationEnabled(false);
        } catch (Exception e) {
            err = e;
        }
Methods Summary
public voidcheckClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)

see
javax.net.ssl.X509TrustManager#checkClientTrusted(X509Certificate[], String)

        if (chain == null || chain.length == 0 || authType == null
                || authType.length() == 0) {
            throw new IllegalArgumentException("null or zero-length parameter");
        }
        if (err != null) {
            throw new CertificateException(err);
        }
        // BEGIN android-added
        // Cater for degenerate special case where we can't
        // establish an actual certificate chain the usual way,
        // but have the peer certificate in our trust store.
        if (isDirectlyTrustedCert(chain)) {
            return;
        }
        // END android-added
        try {
            // BEGIN android-changed
            CertPath certPath = factory.generateCertPath(Arrays.asList(chain));
            if (!Arrays.equals(chain[0].getEncoded(),
                    ((X509Certificate)certPath.getCertificates().get(0))
                    .getEncoded())) {
                // sanity check failed (shouldn't ever happen, but we are using pretty remote code)
                throw new CertificateException("Certificate chain error");
            }
            validator.validate(certPath, params);
            // END android-changed
        } catch (InvalidAlgorithmParameterException e) {
            throw new CertificateException(e);
        } catch (CertPathValidatorException e) {
            throw new CertificateException(e);
        }
public voidcheckServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)

see
javax.net.ssl.X509TrustManager#checkServerTrusted(X509Certificate[], String)

        if (chain == null || chain.length == 0 || authType == null
                || authType.length() == 0) {
            throw new IllegalArgumentException("null or zero-length parameter");
        }
        if (err != null) {
            throw new CertificateException(err);
        }
        // BEGIN android-added
        // Cater for degenerate special case where we can't
        // establish an actual certificate chain the usual way,
        // but have the peer certificate in our trust store.
        if (isDirectlyTrustedCert(chain)) {
            return;
        }
        // END android-added
        try {
            // BEGIN android-changed
            CertPath certPath = factory.generateCertPath(Arrays.asList(chain));
            if (!Arrays.equals(chain[0].getEncoded(),
                    ((X509Certificate)certPath.getCertificates().get(0))
                    .getEncoded())) {
                // sanity check failed (shouldn't ever happen, but we are using pretty remote code)
                throw new CertificateException("Certificate chain error");
            }
            validator.validate(certPath, params);
            // END android-changed
        } catch (InvalidAlgorithmParameterException e) {
            throw new CertificateException(e);
        } catch (CertPathValidatorException e) {
            throw new CertificateException(e);
        }
public java.security.cert.X509Certificate[]getAcceptedIssuers()

see
javax.net.ssl.X509TrustManager#getAcceptedIssuers()

        if (params == null) {
            return new X509Certificate[0];
        }
        Set anchors = params.getTrustAnchors();
        X509Certificate[] certs = new X509Certificate[anchors.size()];
        int i = 0;
        for (Iterator it = anchors.iterator(); it.hasNext();) {
            certs[i++] = ((TrustAnchor) it.next()).getTrustedCert();
        }
        return certs;
private booleanisDirectlyTrustedCert(java.security.cert.X509Certificate[] chain)
Checks whether the given chain is just a certificate that we have in our trust store.

param
chain The certificate chain.
return
True if the certificate is in our trust store, false otherwise.

        byte[] questionable;

        if (chain.length == 1) {
          try {
            questionable = chain[0].getEncoded();
            Set<TrustAnchor> anchors = params.getTrustAnchors();

            for (TrustAnchor trustAnchor : anchors) {
              byte[] trusted = trustAnchor.getTrustedCert().getEncoded();

              if (Arrays.equals(questionable, trusted)) {
                return true;
              }
            }
          } catch (CertificateEncodingException e) {
            // Ignore.
          }
        }

        return false;