| /* |
| * Copyright (C) 2015 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package android.security.net.config; |
| |
| import android.util.ArraySet; |
| import android.util.Log; |
| |
| import libcore.io.IoUtils; |
| |
| import java.io.BufferedInputStream; |
| import java.io.File; |
| import java.io.FileInputStream; |
| import java.io.IOException; |
| import java.io.InputStream; |
| import java.security.MessageDigest; |
| import java.security.NoSuchAlgorithmException; |
| import java.security.cert.CertificateException; |
| import java.security.cert.CertificateFactory; |
| import java.security.cert.X509Certificate; |
| import java.util.Collections; |
| import java.util.Set; |
| |
| import javax.security.auth.x500.X500Principal; |
| |
| /** |
| * {@link CertificateSource} based on a directory where certificates are stored as individual files |
| * named after a hash of their SubjectName for more efficient lookups. |
| * @hide |
| */ |
| abstract class DirectoryCertificateSource implements CertificateSource { |
| private static final String LOG_TAG = "DirectoryCertificateSrc"; |
| private final File mDir; |
| private final Object mLock = new Object(); |
| private final CertificateFactory mCertFactory; |
| |
| private Set<X509Certificate> mCertificates; |
| |
| protected DirectoryCertificateSource(File caDir) { |
| mDir = caDir; |
| try { |
| mCertFactory = CertificateFactory.getInstance("X.509"); |
| } catch (CertificateException e) { |
| throw new RuntimeException("Failed to obtain X.509 CertificateFactory", e); |
| } |
| } |
| |
| protected abstract boolean isCertMarkedAsRemoved(String caFile); |
| |
| @Override |
| public Set<X509Certificate> getCertificates() { |
| // TODO: loading all of these is wasteful, we should instead use a keystore style API. |
| synchronized (mLock) { |
| if (mCertificates != null) { |
| return mCertificates; |
| } |
| |
| Set<X509Certificate> certs = new ArraySet<X509Certificate>(); |
| if (mDir.isDirectory()) { |
| for (String caFile : mDir.list()) { |
| if (isCertMarkedAsRemoved(caFile)) { |
| continue; |
| } |
| X509Certificate cert = readCertificate(caFile); |
| if (cert != null) { |
| certs.add(cert); |
| } |
| } |
| } |
| mCertificates = certs; |
| return mCertificates; |
| } |
| } |
| |
| @Override |
| public X509Certificate findBySubjectAndPublicKey(final X509Certificate cert) { |
| return findCert(cert.getSubjectX500Principal(), new CertSelector() { |
| @Override |
| public boolean match(X509Certificate ca) { |
| return ca.getPublicKey().equals(cert.getPublicKey()); |
| } |
| }); |
| } |
| |
| @Override |
| public X509Certificate findByIssuerAndSignature(final X509Certificate cert) { |
| return findCert(cert.getIssuerX500Principal(), new CertSelector() { |
| @Override |
| public boolean match(X509Certificate ca) { |
| try { |
| cert.verify(ca.getPublicKey()); |
| return true; |
| } catch (Exception e) { |
| return false; |
| } |
| } |
| }); |
| } |
| |
| @Override |
| public Set<X509Certificate> findAllByIssuerAndSignature(final X509Certificate cert) { |
| return findCerts(cert.getIssuerX500Principal(), new CertSelector() { |
| @Override |
| public boolean match(X509Certificate ca) { |
| try { |
| cert.verify(ca.getPublicKey()); |
| return true; |
| } catch (Exception e) { |
| return false; |
| } |
| } |
| }); |
| } |
| |
| @Override |
| public void handleTrustStorageUpdate() { |
| synchronized (mLock) { |
| mCertificates = null; |
| } |
| } |
| |
| private static interface CertSelector { |
| boolean match(X509Certificate cert); |
| } |
| |
| private Set<X509Certificate> findCerts(X500Principal subj, CertSelector selector) { |
| String hash = getHash(subj); |
| Set<X509Certificate> certs = null; |
| for (int index = 0; index >= 0; index++) { |
| String fileName = hash + "." + index; |
| if (!new File(mDir, fileName).exists()) { |
| break; |
| } |
| if (isCertMarkedAsRemoved(fileName)) { |
| continue; |
| } |
| X509Certificate cert = readCertificate(fileName); |
| if (cert == null) { |
| continue; |
| } |
| if (!subj.equals(cert.getSubjectX500Principal())) { |
| continue; |
| } |
| if (selector.match(cert)) { |
| if (certs == null) { |
| certs = new ArraySet<X509Certificate>(); |
| } |
| certs.add(cert); |
| } |
| } |
| return certs != null ? certs : Collections.<X509Certificate>emptySet(); |
| } |
| |
| private X509Certificate findCert(X500Principal subj, CertSelector selector) { |
| String hash = getHash(subj); |
| for (int index = 0; index >= 0; index++) { |
| String fileName = hash + "." + index; |
| if (!new File(mDir, fileName).exists()) { |
| break; |
| } |
| if (isCertMarkedAsRemoved(fileName)) { |
| continue; |
| } |
| X509Certificate cert = readCertificate(fileName); |
| if (cert == null) { |
| continue; |
| } |
| if (!subj.equals(cert.getSubjectX500Principal())) { |
| continue; |
| } |
| if (selector.match(cert)) { |
| return cert; |
| } |
| } |
| return null; |
| } |
| |
| private String getHash(X500Principal name) { |
| int hash = hashName(name); |
| return intToHexString(hash, 8); |
| } |
| |
| private static final char[] DIGITS = { |
| '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; |
| |
| private static String intToHexString(int i, int minWidth) { |
| int bufLen = 8; // Max number of hex digits in an int |
| char[] buf = new char[bufLen]; |
| int cursor = bufLen; |
| |
| do { |
| buf[--cursor] = DIGITS[i & 0xf]; |
| } while ((i >>>= 4) != 0 || (bufLen - cursor < minWidth)); |
| |
| return new String(buf, cursor, bufLen - cursor); |
| } |
| |
| // This code matches the code in X509_NAME_hash_old() in Conscrypt, which in turn matches |
| // the names of certificate files. It must be kept in sync. |
| private static int hashName(X500Principal principal) { |
| try { |
| byte[] digest = MessageDigest.getInstance("MD5").digest(principal.getEncoded()); |
| int offset = 0; |
| return (((digest[offset++] & 0xff) << 0) | ((digest[offset++] & 0xff) << 8) |
| | ((digest[offset++] & 0xff) << 16) | ((digest[offset] & 0xff) << 24)); |
| } catch (NoSuchAlgorithmException e) { |
| throw new AssertionError(e); |
| } |
| } |
| |
| private X509Certificate readCertificate(String file) { |
| InputStream is = null; |
| try { |
| is = new BufferedInputStream(new FileInputStream(new File(mDir, file))); |
| return (X509Certificate) mCertFactory.generateCertificate(is); |
| } catch (CertificateException | IOException e) { |
| Log.e(LOG_TAG, "Failed to read certificate from " + file, e); |
| return null; |
| } finally { |
| IoUtils.closeQuietly(is); |
| } |
| } |
| } |