core/java/android/security/net/config/SystemCertificateSource.java - platform/frameworks/base - Gitiles

 /*
  * Copyright (C) 2015 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package android.security.net.config;

 import android.os.Environment;
 import android.os.UserHandle;
 import android.util.ArraySet;
 import java.io.BufferedInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStream;
 import java.io.IOException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Set;
 import libcore.io.IoUtils;

 /**
  * {@link CertificateSource} based on the system trusted CA store.
  * @hide
  */
 public class SystemCertificateSource implements CertificateSource {
     private static final SystemCertificateSource INSTANCE = new SystemCertificateSource();
     private Set<X509Certificate> mSystemCerts = null;
     private final Object mLock = new Object();

     private SystemCertificateSource() {
     }

     public static SystemCertificateSource getInstance() {
         return INSTANCE;
     }

     @Override
     public Set<X509Certificate> getCertificates() {
         // TODO: loading all of these is wasteful, we should instead use a keystore style API.
         synchronized (mLock) {
             if (mSystemCerts != null) {
                 return mSystemCerts;
             }
             CertificateFactory certFactory;
             try {
                 certFactory = CertificateFactory.getInstance("X.509");
             } catch (CertificateException e) {
                 throw new RuntimeException("Failed to obtain X.509 CertificateFactory", e);
             }

             final String ANDROID_ROOT = System.getenv("ANDROID_ROOT");
             final File systemCaDir = new File(ANDROID_ROOT + "/etc/security/cacerts");
             final File configDir = Environment.getUserConfigDirectory(UserHandle.myUserId());
             final File userRemovedCaDir = new File(configDir, "cacerts-removed");
             // Sanity check
             if (!systemCaDir.isDirectory()) {
                 throw new AssertionError(systemCaDir + " is not a directory");
             }

             Set<X509Certificate> systemCerts = new ArraySet<X509Certificate>();
             for (String caFile : systemCaDir.list()) {
                 // Skip any CAs in the user's deleted directory.
                 if (new File(userRemovedCaDir, caFile).exists()) {
                     continue;
                 }
                 InputStream is = null;
                 try {
                     is = new BufferedInputStream(
                             new FileInputStream(new File(systemCaDir, caFile)));
                     systemCerts.add((X509Certificate) certFactory.generateCertificate(is));
                 } catch (CertificateException | IOException e) {
                     // Don't rethrow to be consistent with conscrypt's cert loading code.
                     continue;
                 } finally {
                     IoUtils.closeQuietly(is);
                 }
             }
             mSystemCerts = systemCerts;
             return mSystemCerts;
         }
     }

     public void onCertificateStorageChange() {
         synchronized (mLock) {
             mSystemCerts = null;
         }
     }
 }
	/*
	* Copyright (C) 2015 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package android.security.net.config;

	import android.os.Environment;
	import android.os.UserHandle;
	import android.util.ArraySet;
	import java.io.BufferedInputStream;
	import java.io.File;
	import java.io.FileInputStream;
	import java.io.InputStream;
	import java.io.IOException;
	import java.security.cert.Certificate;
	import java.security.cert.CertificateException;
	import java.security.cert.CertificateFactory;
	import java.security.cert.X509Certificate;
	import java.util.Set;
	import libcore.io.IoUtils;

	/**
	* {@link CertificateSource} based on the system trusted CA store.
	* @hide
	*/
	public class SystemCertificateSource implements CertificateSource {
	private static final SystemCertificateSource INSTANCE = new SystemCertificateSource();
	private Set<X509Certificate> mSystemCerts = null;
	private final Object mLock = new Object();

	private SystemCertificateSource() {
	}

	public static SystemCertificateSource getInstance() {
	return INSTANCE;
	}

	@Override
	public Set<X509Certificate> getCertificates() {
	// TODO: loading all of these is wasteful, we should instead use a keystore style API.
	synchronized (mLock) {
	if (mSystemCerts != null) {
	return mSystemCerts;
	}
	CertificateFactory certFactory;
	try {
	certFactory = CertificateFactory.getInstance("X.509");
	} catch (CertificateException e) {
	throw new RuntimeException("Failed to obtain X.509 CertificateFactory", e);
	}

	final String ANDROID_ROOT = System.getenv("ANDROID_ROOT");
	final File systemCaDir = new File(ANDROID_ROOT + "/etc/security/cacerts");
	final File configDir = Environment.getUserConfigDirectory(UserHandle.myUserId());
	final File userRemovedCaDir = new File(configDir, "cacerts-removed");
	// Sanity check
	if (!systemCaDir.isDirectory()) {
	throw new AssertionError(systemCaDir + " is not a directory");
	}

	Set<X509Certificate> systemCerts = new ArraySet<X509Certificate>();
	for (String caFile : systemCaDir.list()) {
	// Skip any CAs in the user's deleted directory.
	if (new File(userRemovedCaDir, caFile).exists()) {
	continue;
	}
	InputStream is = null;
	try {
	is = new BufferedInputStream(
	new FileInputStream(new File(systemCaDir, caFile)));
	systemCerts.add((X509Certificate) certFactory.generateCertificate(is));
	} catch (CertificateException \| IOException e) {
	// Don't rethrow to be consistent with conscrypt's cert loading code.
	continue;
	} finally {
	IoUtils.closeQuietly(is);
	}
	}
	mSystemCerts = systemCerts;
	return mSystemCerts;
	}
	}

	public void onCertificateStorageChange() {
	synchronized (mLock) {
	mSystemCerts = null;
	}
	}
	}