Package org.conscrypt

Class TrustManagerImpl

java.lang.Object

javax.net.ssl.X509ExtendedTrustManager

org.conscrypt.TrustManagerImpl

All Implemented Interfaces:

TrustManager, X509TrustManager

@Internal
public final class TrustManagerImpl
extends X509ExtendedTrustManager

TrustManager implementation. The implementation is based on CertPathValidator PKIX and CertificateFactory X509 implementations. This implementations should be provided by some certification provider.

See Also:

X509ExtendedTrustManager

Constructor Summary

Constructors

Constructor	Description
TrustManagerImpl(KeyStore keyStore)	Creates X509TrustManager based on a keystore
TrustManagerImpl(KeyStore keyStore, CertPinManager manager)
TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore)
TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist)
TrustManagerImpl(KeyStore keyStore, CertPinManager manager, ConscryptCertStore certStore, CertBlocklist blocklist, CTLogStore ctLogStore, CTVerifier ctVerifier, CTPolicy ctPolicy)	For testing only.

Method Summary

Modifier and Type	Method	Description
void	checkClientTrusted(X509Certificate[] chain, String authType)
List<X509Certificate>	checkClientTrusted(X509Certificate[] chain, String authType, String hostname)	For backward compatibility with older Android API that used String for the hostname only.
void	checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
void	checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
void	checkServerTrusted(X509Certificate[] chain, String authType)
List<X509Certificate>	checkServerTrusted(X509Certificate[] chain, String authType, String hostname)	For backward compatibility with older Android API that used String for the hostname only.
void	checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
void	checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
List<X509Certificate>	checkServerTrusted(X509Certificate[] chain, String authType, SSLSession session)	Validates whether a server is trusted.
X509Certificate[]	getAcceptedIssuers()
List<X509Certificate>	getTrustedChainForServer(X509Certificate[] certs, String authType, Socket socket)	Returns the full trusted certificate chain found from certs.
List<X509Certificate>	getTrustedChainForServer(X509Certificate[] certs, String authType, SSLEngine engine)	Returns the full trusted certificate chain found from certs.
void	handleTrustStorageUpdate()
void	setCTEnabledOverride(boolean enabled)
void	setCTPolicy(CTPolicy policy)
void	setCTVerifier(CTVerifier verifier)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

TrustManagerImpl

public TrustManagerImpl(KeyStore keyStore)

Creates X509TrustManager based on a keystore

Parameters:

keyStore -

TrustManagerImpl

public TrustManagerImpl(KeyStore keyStore,
                        CertPinManager manager)

TrustManagerImpl

public TrustManagerImpl(KeyStore keyStore,
                        CertPinManager manager,
                        ConscryptCertStore certStore)

TrustManagerImpl

public TrustManagerImpl(KeyStore keyStore,
                        CertPinManager manager,
                        ConscryptCertStore certStore,
                        CertBlocklist blocklist)

TrustManagerImpl

public TrustManagerImpl(KeyStore keyStore,
                        CertPinManager manager,
                        ConscryptCertStore certStore,
                        CertBlocklist blocklist,
                        CTLogStore ctLogStore,
                        CTVerifier ctVerifier,
                        CTPolicy ctPolicy)

For testing only.

Method Detail

checkClientTrusted

public void checkClientTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Throws:

CertificateException

checkClientTrusted

public List<X509Certificate> checkClientTrusted(X509Certificate[] chain,
                                                String authType,
                                                String hostname)
                                         throws CertificateException

For backward compatibility with older Android API that used String for the hostname only.

Throws:

CertificateException

checkClientTrusted

public void checkClientTrusted(X509Certificate[] chain,
                               String authType,
                               Socket socket)
                        throws CertificateException

Specified by:

checkClientTrusted in class X509ExtendedTrustManager

Throws:

CertificateException

checkClientTrusted

public void checkClientTrusted(X509Certificate[] chain,
                               String authType,
                               SSLEngine engine)
                        throws CertificateException

Specified by:

checkClientTrusted in class X509ExtendedTrustManager

Throws:

CertificateException

checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Throws:

CertificateException

checkServerTrusted

public List<X509Certificate> checkServerTrusted(X509Certificate[] chain,
                                                String authType,
                                                String hostname)
                                         throws CertificateException

For backward compatibility with older Android API that used String for the hostname only.

Throws:

CertificateException

getTrustedChainForServer

public List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs,
                                                      String authType,
                                                      Socket socket)
                                               throws CertificateException

Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.

Throws:

CertificateException

getTrustedChainForServer

public List<X509Certificate> getTrustedChainForServer(X509Certificate[] certs,
                                                      String authType,
                                                      SSLEngine engine)
                                               throws CertificateException

Returns the full trusted certificate chain found from certs. Throws CertificateException when no trusted chain can be found from certs.

Throws:

CertificateException

checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                               String authType,
                               Socket socket)
                        throws CertificateException

Specified by:

checkServerTrusted in class X509ExtendedTrustManager

Throws:

CertificateException

checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                               String authType,
                               SSLEngine engine)
                        throws CertificateException

Specified by:

checkServerTrusted in class X509ExtendedTrustManager

Throws:

CertificateException

checkServerTrusted

public List<X509Certificate> checkServerTrusted(X509Certificate[] chain,
                                                String authType,
                                                SSLSession session)
                                         throws CertificateException

Validates whether a server is trusted. If session is given and non-null it also checks if chain is pinned appropriately for that peer host. If null, it does not check for pinned certs. The return value is a list of the certificates used for making the trust decision.

Throws:

CertificateException

handleTrustStorageUpdate

public void handleTrustStorageUpdate()

getAcceptedIssuers

public X509Certificate[] getAcceptedIssuers()

setCTEnabledOverride

public void setCTEnabledOverride(boolean enabled)

setCTVerifier

public void setCTVerifier(CTVerifier verifier)

setCTPolicy

public void setCTPolicy(CTPolicy policy)