1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security.net.config;
18 
19 import android.content.Context;
20 import android.util.ArraySet;
21 import libcore.io.IoUtils;
22 import java.io.InputStream;
23 import java.security.cert.Certificate;
24 import java.security.cert.CertificateException;
25 import java.security.cert.CertificateFactory;
26 import java.security.cert.X509Certificate;
27 import java.util.Collection;
28 import java.util.Collections;
29 import java.util.Set;
30 
31 import com.android.org.conscrypt.TrustedCertificateIndex;
32 
33 /**
34  * {@link CertificateSource} based on certificates contained in an application resource file.
35  * @hide
36  */
37 public class ResourceCertificateSource implements CertificateSource {
38     private final Object mLock = new Object();
39     private final int  mResourceId;
40 
41     private Set<X509Certificate> mCertificates;
42     private Context mContext;
43     private TrustedCertificateIndex mIndex;
44 
ResourceCertificateSource(int resourceId, Context context)45     public ResourceCertificateSource(int resourceId, Context context) {
46         mResourceId = resourceId;
47         mContext = context;
48     }
49 
ensureInitialized()50     private void ensureInitialized() {
51         synchronized (mLock) {
52             if (mCertificates != null) {
53                 return;
54             }
55             Set<X509Certificate> certificates = new ArraySet<X509Certificate>();
56             Collection<? extends Certificate> certs;
57             InputStream in = null;
58             try {
59                 CertificateFactory factory = CertificateFactory.getInstance("X.509");
60                 in = mContext.getResources().openRawResource(mResourceId);
61                 certs = factory.generateCertificates(in);
62             } catch (CertificateException e) {
63                 throw new RuntimeException("Failed to load trust anchors from id " + mResourceId,
64                         e);
65             } finally {
66                 IoUtils.closeQuietly(in);
67             }
68             TrustedCertificateIndex indexLocal = new TrustedCertificateIndex();
69             for (Certificate cert : certs) {
70                 certificates.add((X509Certificate) cert);
71                 indexLocal.index((X509Certificate) cert);
72             }
73             mCertificates = certificates;
74             mIndex = indexLocal;
75             mContext = null;
76         }
77     }
78 
79     @Override
getCertificates()80     public Set<X509Certificate> getCertificates() {
81         ensureInitialized();
82         return mCertificates;
83     }
84 
85     @Override
findBySubjectAndPublicKey(X509Certificate cert)86     public X509Certificate findBySubjectAndPublicKey(X509Certificate cert) {
87         ensureInitialized();
88         java.security.cert.TrustAnchor anchor = mIndex.findBySubjectAndPublicKey(cert);
89         if (anchor == null) {
90             return null;
91         }
92         return anchor.getTrustedCert();
93     }
94 
95     @Override
findByIssuerAndSignature(X509Certificate cert)96     public X509Certificate findByIssuerAndSignature(X509Certificate cert) {
97         ensureInitialized();
98         java.security.cert.TrustAnchor anchor = mIndex.findByIssuerAndSignature(cert);
99         if (anchor == null) {
100             return null;
101         }
102         return anchor.getTrustedCert();
103     }
104 
105     @Override
findAllByIssuerAndSignature(X509Certificate cert)106     public Set<X509Certificate> findAllByIssuerAndSignature(X509Certificate cert) {
107         ensureInitialized();
108         Set<java.security.cert.TrustAnchor> anchors = mIndex.findAllByIssuerAndSignature(cert);
109         if (anchors.isEmpty()) {
110             return Collections.<X509Certificate>emptySet();
111         }
112         Set<X509Certificate> certs = new ArraySet<X509Certificate>(anchors.size());
113         for (java.security.cert.TrustAnchor anchor : anchors) {
114             certs.add(anchor.getTrustedCert());
115         }
116         return certs;
117     }
118 
119     @Override
handleTrustStorageUpdate()120     public void handleTrustStorageUpdate() {
121         // Nothing to do, resource sources never change.
122     }
123 }
124