commit 998c01e7af03287935da943891c8d291b9bf1f39
author Brian Carlstrom <bdc@google.com> Fri Oct 22 13:02:44 2010 -0700
committer Android (Google) Code Review <android-gerrit@google.com> Fri Oct 22 13:02:44 2010 -0700
tree 57eb3605d4508c2d95ea9f297427af35bf154ee0
parent 95fb8396cad0f947f9d666c4c6b5a9fe4a39afde
parent 02ca44b13c7aa66f99242dbcb07feac877153754

Merge "Move improved cert chain handling from CertificateChainValidator to TrustManagerImpl"

core/java/android/net/http/CertificateChainValidator.java

diff --git a/core/java/android/net/http/CertificateChainValidator.java b/core/java/android/net/http/CertificateChainValidator.java
index 503c470..218df75 100644
--- a/core/java/android/net/http/CertificateChainValidator.java
+++ b/core/java/android/net/http/CertificateChainValidator.java
@@ -129,57 +129,6 @@
             }
         }
 
-        // Clean up the certificates chain and build a new one.
-        // Theoretically, we shouldn't have to do this, but various web servers
-        // in practice are mis-configured to have out-of-order certificates or
-        // expired self-issued root certificate.
-        int chainLength = serverCertificates.length;
-        if (serverCertificates.length > 1) {
-          // 1. we clean the received certificates chain.
-          // We start from the end-entity certificate, tracing down by matching
-          // the "issuer" field and "subject" field until we can't continue.
-          // This helps when the certificates are out of order or
-          // some certificates are not related to the site.
-          int currIndex;
-          for (currIndex = 0; currIndex < serverCertificates.length; ++currIndex) {
-            boolean foundNext = false;
-            for (int nextIndex = currIndex + 1;
-                 nextIndex < serverCertificates.length;
-                 ++nextIndex) {
-              if (serverCertificates[currIndex].getIssuerDN().equals(
-                  serverCertificates[nextIndex].getSubjectDN())) {
-                foundNext = true;
-                // Exchange certificates so that 0 through currIndex + 1 are in proper order
-                if (nextIndex != currIndex + 1) {
-                  X509Certificate tempCertificate = serverCertificates[nextIndex];
-                  serverCertificates[nextIndex] = serverCertificates[currIndex + 1];
-                  serverCertificates[currIndex + 1] = tempCertificate;
-                }
-                break;
-              }
-            }
-            if (!foundNext) break;
-          }
-
-          // 2. we exam if the last traced certificate is self issued and it is expired.
-          // If so, we drop it and pass the rest to checkServerTrusted(), hoping we might
-          // have a similar but unexpired trusted root.
-          chainLength = currIndex + 1;
-          X509Certificate lastCertificate = serverCertificates[chainLength - 1];
-          Date now = new Date();
-          if (lastCertificate.getSubjectDN().equals(lastCertificate.getIssuerDN())
-              && now.after(lastCertificate.getNotAfter())) {
-            --chainLength;
-          }
-        }
-
-        // 3. Now we copy the newly built chain into an appropriately sized array.
-        X509Certificate[] newServerCertificates = null;
-        newServerCertificates = new X509Certificate[chainLength];
-        for (int i = 0; i < chainLength; ++i) {
-          newServerCertificates[i] = serverCertificates[i];
-        }
-
         // first, we validate the new chain using the standard validation
         // solution; if we do not find any errors, we are done; if we
         // fail the standard validation, we re-validate again below,
@@ -188,7 +137,7 @@
         //
         try {
             SSLParametersImpl.getDefaultTrustManager().checkServerTrusted(
-                newServerCertificates, "RSA");
+                serverCertificates, "RSA");
 
             // no errors!!!
             return null;