1 /* 2 * Copyright (C) 2009 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package org.conscrypt; 18 19 import java.security.PublicKey; 20 import java.security.cert.TrustAnchor; 21 import java.security.cert.X509Certificate; 22 import java.util.ArrayList; 23 import java.util.Arrays; 24 import java.util.Collection; 25 import java.util.Collections; 26 import java.util.HashMap; 27 import java.util.HashSet; 28 import java.util.List; 29 import java.util.Map; 30 import java.util.Set; 31 import javax.security.auth.x500.X500Principal; 32 33 /** 34 * Indexes {@code TrustAnchor} instances so they can be found in O(1) 35 * time instead of O(N). 36 * 37 * @hide 38 */ 39 @Internal 40 public final class TrustedCertificateIndex { 41 42 private final Map<X500Principal, List<TrustAnchor>> subjectToTrustAnchors 43 = new HashMap<X500Principal, List<TrustAnchor>>(); 44 45 public TrustedCertificateIndex() {} 46 47 public TrustedCertificateIndex(Set<TrustAnchor> anchors) { 48 index(anchors); 49 } 50 51 private void index(Set<TrustAnchor> anchors) { 52 for (TrustAnchor anchor : anchors) { 53 index(anchor); 54 } 55 } 56 57 public TrustAnchor index(X509Certificate cert) { 58 TrustAnchor anchor = new TrustAnchor(cert, null); 59 index(anchor); 60 return anchor; 61 } 62 63 public void index(TrustAnchor anchor) { 64 X500Principal subject; 65 X509Certificate cert = anchor.getTrustedCert(); 66 if (cert != null) { 67 subject = cert.getSubjectX500Principal(); 68 } else { 69 subject = anchor.getCA(); 70 } 71 72 synchronized (subjectToTrustAnchors) { 73 List<TrustAnchor> anchors = subjectToTrustAnchors.get(subject); 74 if (anchors == null) { 75 anchors = new ArrayList<TrustAnchor>(1); 76 subjectToTrustAnchors.put(subject, anchors); 77 } else { 78 // Avoid indexing the same certificate multiple times 79 if (cert != null) { 80 for (TrustAnchor entry : anchors) { 81 if (cert.equals(entry.getTrustedCert())) { 82 return; 83 } 84 } 85 } 86 } 87 anchors.add(anchor); 88 } 89 } 90 91 public void reset() { 92 synchronized (subjectToTrustAnchors) { 93 subjectToTrustAnchors.clear(); 94 } 95 } 96 97 public void reset(Set<TrustAnchor> anchors) { 98 synchronized (subjectToTrustAnchors) { 99 reset(); 100 index(anchors); 101 } 102 } 103 104 public TrustAnchor findByIssuerAndSignature(X509Certificate cert) { 105 X500Principal issuer = cert.getIssuerX500Principal(); 106 synchronized (subjectToTrustAnchors) { 107 List<TrustAnchor> anchors = subjectToTrustAnchors.get(issuer); 108 if (anchors == null) { 109 return null; 110 } 111 112 for (TrustAnchor anchor : anchors) { 113 PublicKey publicKey; 114 try { 115 X509Certificate caCert = anchor.getTrustedCert(); 116 if (caCert != null) { 117 publicKey = caCert.getPublicKey(); 118 } else { 119 publicKey = anchor.getCAPublicKey(); 120 } 121 cert.verify(publicKey); 122 return anchor; 123 } catch (Exception ignored) { 124 } 125 } 126 } 127 return null; 128 } 129 130 public TrustAnchor findBySubjectAndPublicKey(X509Certificate cert) { 131 X500Principal subject = cert.getSubjectX500Principal(); 132 synchronized (subjectToTrustAnchors) { 133 List<TrustAnchor> anchors = subjectToTrustAnchors.get(subject); 134 if (anchors == null) { 135 return null; 136 } 137 return findBySubjectAndPublicKey(cert, anchors); 138 } 139 } 140 141 private static TrustAnchor findBySubjectAndPublicKey(X509Certificate cert, 142 Collection<TrustAnchor> anchors) { 143 PublicKey certPublicKey = cert.getPublicKey(); 144 for (TrustAnchor anchor : anchors) { 145 PublicKey caPublicKey; 146 try { 147 X509Certificate caCert = anchor.getTrustedCert(); 148 if (caCert != null) { 149 caPublicKey = caCert.getPublicKey(); 150 } else { 151 caPublicKey = anchor.getCAPublicKey(); 152 } 153 if (caPublicKey.equals(certPublicKey)) { 154 return anchor; 155 } else { 156 // PublicKey.equals is not required to compare keys across providers. Fall back 157 // to checking using the encoded form. 158 if ("X.509".equals(caPublicKey.getFormat()) 159 && "X.509".equals(certPublicKey.getFormat())) { 160 byte[] caPublicKeyEncoded = caPublicKey.getEncoded(); 161 byte[] certPublicKeyEncoded = certPublicKey.getEncoded(); 162 if (certPublicKeyEncoded != null 163 && caPublicKeyEncoded != null 164 && Arrays.equals(caPublicKeyEncoded, certPublicKeyEncoded)) { 165 return anchor; 166 } 167 } 168 } 169 } catch (Exception e) { 170 // can happen with unsupported public key types 171 } 172 } 173 return null; 174 } 175 176 public Set<TrustAnchor> findAllByIssuerAndSignature(X509Certificate cert) { 177 X500Principal issuer = cert.getIssuerX500Principal(); 178 synchronized (subjectToTrustAnchors) { 179 List<TrustAnchor> anchors = subjectToTrustAnchors.get(issuer); 180 if (anchors == null) { 181 return Collections.<TrustAnchor>emptySet(); 182 } 183 184 Set<TrustAnchor> result = new HashSet<TrustAnchor>(); 185 for (TrustAnchor anchor : anchors) { 186 try { 187 PublicKey publicKey; 188 X509Certificate caCert = anchor.getTrustedCert(); 189 if (caCert != null) { 190 publicKey = caCert.getPublicKey(); 191 } else { 192 publicKey = anchor.getCAPublicKey(); 193 } 194 if (publicKey == null) { 195 continue; 196 } 197 cert.verify(publicKey); 198 result.add(anchor); 199 } catch (Exception ignored) { 200 } 201 } 202 return result; 203 } 204 } 205 206 } 207