Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / efb4f91bdbbd274a120f100337e802e39582fd80^! / .
commitefb4f91bdbbd274a120f100337e802e39582fd80[log] [tgz]
authorChad Brubaker <cbrubaker@google.com>Tue Feb 16 14:35:41 2016 -0800
committerChad Brubaker <cbrubaker@google.com>Wed Feb 17 10:31:14 2016 -0800
tree53c0761697e914c9bfd4b9365aa2c69d9f858ab7
parent9e37a70c1d6e245d9270796325a5b4ab516f176e [diff]
Fix getAcceptedIssuers

Delegating to the TrustManagerImpl doesn't work correctly with
getAcceptedIssuers, do it in NetworkSecurityTrustManager instead.

Bug: 27124116
Change-Id: Ie527d63aaa115e6137396e07c7d134b1c42bfe87

diff --git a/core/java/android/security/net/config/NetworkSecurityTrustManager.java b/core/java/android/security/net/config/NetworkSecurityTrustManager.java
index 982ed68..81cad79 100644
--- a/core/java/android/security/net/config/NetworkSecurityTrustManager.java
+++ b/core/java/android/security/net/config/NetworkSecurityTrustManager.java

@@ -40,6 +40,9 @@
     // TODO: Replace this with a general X509TrustManager and use duck-typing.
     private final TrustManagerImpl mDelegate;
     private final NetworkSecurityConfig mNetworkSecurityConfig;
+    private final Object mIssuersLock = new Object();
+
+    private X509Certificate[] mIssuers;
 
     public NetworkSecurityTrustManager(NetworkSecurityConfig config) {
         if (config == null) {
@@ -139,6 +142,19 @@
 
     @Override
     public X509Certificate[] getAcceptedIssuers() {
-        return mDelegate.getAcceptedIssuers();
+        // TrustManagerImpl only looks at the provided KeyStore and not the TrustedCertificateStore
+        // for getAcceptedIssuers, so implement it here instead of delegating.
+        synchronized (mIssuersLock) {
+            if (mIssuers == null) {
+                Set<TrustAnchor> anchors = mNetworkSecurityConfig.getTrustAnchors();
+                X509Certificate[] issuers = new X509Certificate[anchors.size()];
+                int i = 0;
+                for (TrustAnchor anchor : anchors) {
+                    issuers[i++] = anchor.certificate;
+                }
+                mIssuers = issuers;
+            }
+            return mIssuers.clone();
+        }
     }
 }