Implement TestRootCerts for Android

net/android/java/src/org/chromium/net/X509Util.java

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.net;
 
 import android.util.Log;
 
 import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
 public class X509Util {
 
     private static final String TAG = X509Util.class.getName();
 
     private static CertificateFactory sCertificateFactory;
 
     /**
-     * Default sources of authentication trust decisions and certificate object
-     * creation.
+     * Trust manager backed up by the read-only system certificate store.
      */
     private static X509TrustManager sDefaultTrustManager;
 
     /**
-     * Ensures that |sCertificateFactory| and |sDefaultTrustManager| are
-     * initialized.
+     * Trust manager backed up by a custom certificate store.
      */
-    private static synchronized void ensureInitialized() throws CertificateException,
+    private static X509TrustManager sLocalTrustManager;
+    private static KeyStore sLocalKeyStore;
+
+    /**
+     * The trust manager used to make trust decisions. If |sLocalKeyStore| is nonempty, this is
+     * |sLocalTrustManager|, otherwise this is |sDefaultTrustManager|.
+     */
+    private static X509TrustManager sTrustManager;

[Ryan Sleevi, 2012/12/03 02:29:03]

Note: On all other platforms, TestRootCerts is additive to system trust - that
is, system trust + local trust.

As I understand this class to be implemented, you've done it exclusive - EITHER
system trust OR app trust. This does not match the other platforms.

[digit1, 2012/12/03 13:44:13]

Ah, my bad, I was the one advising ppi to implement it this way. Hopefully
should be easy to fix.

+
+    /**
+     * Lock used to synchronize all calls that initialize or modify the trust managers or
+     * certificate factory.
+     */
+    private static final Object sLock = new Object();
+
+    /**
+     * Ensures that the trust managers and certificate factory are initialized.
+     */
+    private static void ensureInitialized() throws CertificateException,
             KeyStoreException, NoSuchAlgorithmException {
-        if (sCertificateFactory == null) {
-            sCertificateFactory = CertificateFactory.getInstance("X.509");
-        }
-        if (sDefaultTrustManager == null) {
-            sDefaultTrustManager = X509Util.createDefaultTrustManager();
+        synchronized(sLock) {
+            if (sCertificateFactory == null) {
+                sCertificateFactory = CertificateFactory.getInstance("X.509");
+            }
+            if (sDefaultTrustManager == null) {
+                sDefaultTrustManager = X509Util.createTrustManager(null);
+            }
+            if (sLocalKeyStore == null) {
+                sLocalKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+                try {
+                    sLocalKeyStore.load(null);
+                } catch(IOException e) {}  // No IO operation is attempted.
+            }
+            if (sLocalTrustManager == null) {
+                sLocalTrustManager = X509Util.createTrustManager(sLocalKeyStore);
+            }
+            sTrustManager = sLocalKeyStore.size() > 0 ? sLocalTrustManager : sDefaultTrustManager;
         }
     }
 
     /**
-     * Creates a TrustManagerFactory and returns the X509TrustManager instance
-     * if one can be found.
-     *
-     * @throws CertificateException,KeyStoreException,NoSuchAlgorithmException
-     *             on error initializing the TrustManager.
+     * Creates a X509TrustManager backed up by the given key store. When null is passed as a key
+     * store, system default trust store is used.
+     * @throws KeyStoreException, NoSuchAlgorithmException on error initializing the TrustManager.
      */
-    private static X509TrustManager createDefaultTrustManager()
-            throws KeyStoreException, NoSuchAlgorithmException {
+    private static X509TrustManager createTrustManager(KeyStore keyStore) throws KeyStoreException,
+            NoSuchAlgorithmException {
         String algorithm = TrustManagerFactory.getDefaultAlgorithm();
         TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
-        tmf.init((KeyStore) null);
+        tmf.init(keyStore);
 
         for (TrustManager tm : tmf.getTrustManagers()) {
             if (tm instanceof X509TrustManager) {
                 return (X509TrustManager) tm;
             }
         }
         return null;
     }
 
     /**
-     * Convert a DER encoded certificate to an X509Certificate
+     * Convert a DER encoded certificate to an X509Certificate.
      */
     public static X509Certificate createCertificateFromBytes(byte[] derBytes) throws
             CertificateException, KeyStoreException, NoSuchAlgorithmException {
         ensureInitialized();
         return (X509Certificate) sCertificateFactory.generateCertificate(
                 new ByteArrayInputStream(derBytes));
     }
 
+    public static void addTestRootCertificate(byte[] rootCertBytes) throws CertificateException,
+            KeyStoreException, NoSuchAlgorithmException {
+        ensureInitialized();
+        X509Certificate rootCert = createCertificateFromBytes(rootCertBytes);
+        synchronized(sLock) {
+            sLocalKeyStore.setCertificateEntry(
+                    "root_cert_" + Integer.toString(sLocalKeyStore.size()), rootCert);
+
+            sTrustManager = sLocalTrustManager;
+        }
+    }
+
+    public static void clearTestRootCertificates() throws NoSuchAlgorithmException,
+            CertificateException, KeyStoreException {
+        ensureInitialized();
+        synchronized(sLock) {
+            try {
+                sLocalKeyStore.load(null);
+            } catch(IOException e) {}  // No IO operation is attempted.
+
+            sTrustManager = sDefaultTrustManager;
+        }
+    }
+
     public static boolean verifyServerCertificates(byte[][] certChain, String authType)
             throws CertificateException, KeyStoreException, NoSuchAlgorithmException {
         if (certChain == null || certChain.length == 0 || certChain[0] == null) {
             throw new IllegalArgumentException("Expected non-null and non-empty certificate " +
                     "chain passed as |certChain|. |certChain|=" + certChain);
         }
 
         ensureInitialized();
         X509Certificate[] serverCertificates = new X509Certificate[certChain.length];
         for (int i = 0; i < certChain.length; ++i) {
             serverCertificates[i] = createCertificateFromBytes(certChain[i]);
         }
 
         try {
-            sDefaultTrustManager.checkServerTrusted(serverCertificates, authType);
+            synchronized (sLock) {
+                sTrustManager.checkServerTrusted(serverCertificates, authType);
+            }
             return true;
         } catch (CertificateException e) {
-            Log.i(TAG, "failed to validate the certificate chain, error: " +
-                    e.getMessage());
+            Log.i(TAG, "failed to validate the certificate chain, error: " + e.getMessage());
         }
         return false;
     }
-
-}
+}