Skip to content

Commit

Permalink
Merge pull request square#2446 from square/jwilson_0328_accept_trust_…
Browse files Browse the repository at this point in the history
…manager

Accept user-provided trust managers in OkHttpClient.Builder
  • Loading branch information
JakeWharton committed Mar 29, 2016
2 parents e5b7409 + 85f74e2 commit f25858c
Show file tree
Hide file tree
Showing 4 changed files with 141 additions and 76 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,8 @@
import java.util.concurrent.TimeUnit;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import okhttp3.internal.URLFilter;
import okhttp3.internal.SslContextBuilder;
import okhttp3.internal.URLFilter;
import okhttp3.internal.http.OkHeaders;
import okhttp3.internal.io.InMemoryFileSystem;
import okhttp3.mockwebserver.MockResponse;
Expand Down
29 changes: 9 additions & 20 deletions okhttp/src/main/java/okhttp3/CertificatePinner.java
Original file line number Diff line number Diff line change
Expand Up @@ -126,9 +126,9 @@ public final class CertificatePinner {
private final List<Pin> pins;
private final CertificateChainCleaner certificateChainCleaner;

private CertificatePinner(Builder builder) {
this.pins = Util.immutableList(builder.pins);
this.certificateChainCleaner = builder.certificateChainCleaner;
private CertificatePinner(List<Pin> pins, CertificateChainCleaner certificateChainCleaner) {
this.pins = pins;
this.certificateChainCleaner = certificateChainCleaner;
}

/**
Expand Down Expand Up @@ -207,8 +207,11 @@ List<Pin> findMatchingPins(String hostname) {
return result;
}

Builder newBuilder() {
return new Builder(this);
/** Returns a certificate pinner that uses {@code certificateChainCleaner}. */
CertificatePinner withCertificateChainCleaner(CertificateChainCleaner certificateChainCleaner) {
return this.certificateChainCleaner != certificateChainCleaner
? new CertificatePinner(pins, certificateChainCleaner)
: this;
}

/**
Expand Down Expand Up @@ -288,20 +291,6 @@ boolean matches(String hostname) {
/** Builds a configured certificate pinner. */
public static final class Builder {
private final List<Pin> pins = new ArrayList<>();
private CertificateChainCleaner certificateChainCleaner;

public Builder() {
}

Builder(CertificatePinner certificatePinner) {
this.pins.addAll(certificatePinner.pins);
this.certificateChainCleaner = certificatePinner.certificateChainCleaner;
}

public Builder certificateChainCleaner(CertificateChainCleaner certificateChainCleaner) {
this.certificateChainCleaner = certificateChainCleaner;
return this;
}

/**
* Pins certificates for {@code pattern}.
Expand All @@ -321,7 +310,7 @@ public Builder add(String pattern, String... pins) {
}

public CertificatePinner build() {
return new CertificatePinner(this);
return new CertificatePinner(Util.immutableList(pins), null);
}
}
}
110 changes: 87 additions & 23 deletions okhttp/src/main/java/okhttp3/OkHttpClient.java
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,18 @@
import java.net.ProxySelector;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.net.SocketFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.internal.Internal;
import okhttp3.internal.InternalCache;
Expand Down Expand Up @@ -171,30 +175,16 @@ private OkHttpClient(Builder builder) {

if (builder.sslSocketFactory != null || !isTLS) {
this.sslSocketFactory = builder.sslSocketFactory;
this.certificateChainCleaner = builder.certificateChainCleaner;
} else {
try {
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, null, null);
this.sslSocketFactory = sslContext.getSocketFactory();
} catch (GeneralSecurityException e) {
throw new AssertionError(); // The system has no TLS. Just give up.
}
}
if (sslSocketFactory != null && builder.certificateChainCleaner == null) {
X509TrustManager trustManager = Platform.get().trustManager(sslSocketFactory);
if (trustManager == null) {
throw new IllegalStateException("Unable to extract the trust manager on " + Platform.get()
+ ", sslSocketFactory is " + sslSocketFactory.getClass());
}
X509TrustManager trustManager = systemDefaultTrustManager();
this.sslSocketFactory = systemDefaultSslSocketFactory(trustManager);
this.certificateChainCleaner = CertificateChainCleaner.get(trustManager);
this.certificatePinner = builder.certificatePinner.newBuilder()
.certificateChainCleaner(certificateChainCleaner)
.build();
} else {
this.certificateChainCleaner = builder.certificateChainCleaner;
this.certificatePinner = builder.certificatePinner;
}

this.hostnameVerifier = builder.hostnameVerifier;
this.certificatePinner = builder.certificatePinner.withCertificateChainCleaner(
certificateChainCleaner);
this.proxyAuthenticator = builder.proxyAuthenticator;
this.authenticator = builder.authenticator;
this.connectionPool = builder.connectionPool;
Expand All @@ -207,6 +197,32 @@ private OkHttpClient(Builder builder) {
this.writeTimeout = builder.writeTimeout;
}

private X509TrustManager systemDefaultTrustManager() {
try {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
return (X509TrustManager) trustManagers[0];
} catch (GeneralSecurityException e) {
throw new AssertionError(); // The system has no TLS. Just give up.
}
}

private SSLSocketFactory systemDefaultSslSocketFactory(X509TrustManager trustManager) {
try {
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] { trustManager }, null);
return sslContext.getSocketFactory();
} catch (GeneralSecurityException e) {
throw new AssertionError(); // The system has no TLS. Just give up.
}
}

/** Default connect timeout (in milliseconds). */
public int connectTimeoutMillis() {
return connectTimeout;
Expand Down Expand Up @@ -519,14 +535,62 @@ public Builder socketFactory(SocketFactory socketFactory) {
}

/**
* Sets the socket factory used to secure HTTPS connections.
* Sets the socket factory used to secure HTTPS connections. If unset, the system default will
* be used.
*
* <p>If unset, a lazily created SSL socket factory will be used.
* @deprecated {@code SSLSocketFactory} does not expose its {@link X509TrustManager}, which is
* a field that OkHttp needs to build a clean certificate chain. This method instead must
* use reflection to extract the trust manager. Applications should prefer to call {@link
* #sslSocketFactory(SSLSocketFactory, X509TrustManager)}, which avoids such reflection.
*/
public Builder sslSocketFactory(SSLSocketFactory sslSocketFactory) {
if (sslSocketFactory == null) throw new NullPointerException("sslSocketFactory == null");
X509TrustManager trustManager = Platform.get().trustManager(sslSocketFactory);
if (trustManager == null) {
throw new IllegalStateException("Unable to extract the trust manager on " + Platform.get()
+ ", sslSocketFactory is " + sslSocketFactory.getClass());
}
this.sslSocketFactory = sslSocketFactory;
this.certificateChainCleaner = null;
this.certificateChainCleaner = CertificateChainCleaner.get(trustManager);
return this;
}

/**
* Sets the socket factory and trust manager used to secure HTTPS connections. If unset, the
* system defaults will be used.
*
* <p>Most applications should not call this method, and instead use the system defaults. Those
* classes include special optimizations that can be lost if the implementations are decorated.
*
* <p>If necessary, you can create and configure the defaults yourself with the following code:
*
* <pre> {@code
*
* TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
* TrustManagerFactory.getDefaultAlgorithm());
* trustManagerFactory.init((KeyStore) null);
* TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
* if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
* throw new IllegalStateException("Unexpected default trust managers:"
* + Arrays.toString(trustManagers));
* }
* X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
*
* SSLContext sslContext = SSLContext.getInstance("TLS");
* sslContext.init(null, new TrustManager[] { trustManager }, null);
* SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
*
* OkHttpClient client = new OkHttpClient.Builder()
* .sslSocketFactory(sslSocketFactory, trustManager);
* .build();
* }</pre>
*/
public Builder sslSocketFactory(
SSLSocketFactory sslSocketFactory, X509TrustManager trustManager) {
if (sslSocketFactory == null) throw new NullPointerException("sslSocketFactory == null");
if (trustManager == null) throw new NullPointerException("trustManager == null");
this.sslSocketFactory = sslSocketFactory;
this.certificateChainCleaner = CertificateChainCleaner.get(trustManager);
return this;
}

Expand Down
76 changes: 44 additions & 32 deletions samples/guide/src/main/java/okhttp3/recipes/CustomTrust.java
Original file line number Diff line number Diff line change
Expand Up @@ -19,13 +19,16 @@
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.Headers;
import okhttp3.OkHttpClient;
Expand All @@ -37,9 +40,19 @@ public final class CustomTrust {
private final OkHttpClient client;

public CustomTrust() {
SSLContext sslContext = sslContextForTrustedCertificates(trustedCertificatesInputStream());
X509TrustManager trustManager;
SSLSocketFactory sslSocketFactory;
try {
trustManager = trustManagerForCertificates(trustedCertificatesInputStream());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] { trustManager }, null);
sslSocketFactory = sslContext.getSocketFactory();
} catch (GeneralSecurityException e) {
throw new RuntimeException(e);
}

client = new OkHttpClient.Builder()
.sslSocketFactory(sslContext.getSocketFactory())
.sslSocketFactory(sslSocketFactory, trustManager)
.build();
}

Expand Down Expand Up @@ -139,7 +152,7 @@ private InputStream trustedCertificatesInputStream() {
}

/**
* Returns a SSL context that trusts {@code certificates} and none other. HTTPS services whose
* Returns a trust manager that trusts {@code certificates} and none other. HTTPS services whose
* certificates have not been signed by these certificates will fail with a {@code
* SSLHandshakeException}.
*
Expand All @@ -158,37 +171,36 @@ private InputStream trustedCertificatesInputStream() {
* not use custom trusted certificates in production without the blessing of your server's TLS
* administrator.
*/
public SSLContext sslContextForTrustedCertificates(InputStream in) {
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(in);
if (certificates.isEmpty()) {
throw new IllegalArgumentException("expected non-empty set of trusted certificates");
}
private X509TrustManager trustManagerForCertificates(InputStream in)
throws GeneralSecurityException {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(in);
if (certificates.isEmpty()) {
throw new IllegalArgumentException("expected non-empty set of trusted certificates");
}

// Put the certificates a key store.
char[] password = "password".toCharArray(); // Any password will work.
KeyStore keyStore = newEmptyKeyStore(password);
int index = 0;
for (Certificate certificate : certificates) {
String certificateAlias = Integer.toString(index++);
keyStore.setCertificateEntry(certificateAlias, certificate);
}
// Put the certificates a key store.
char[] password = "password".toCharArray(); // Any password will work.
KeyStore keyStore = newEmptyKeyStore(password);
int index = 0;
for (Certificate certificate : certificates) {
String certificateAlias = Integer.toString(index++);
keyStore.setCertificateEntry(certificateAlias, certificate);
}

// Wrap it up in an SSL context.
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(),
new SecureRandom());
return sslContext;
} catch (GeneralSecurityException e) {
throw new RuntimeException(e);
// Use it to build an X509 trust manager.
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
return (X509TrustManager) trustManagers[0];
}

private KeyStore newEmptyKeyStore(char[] password) throws GeneralSecurityException {
Expand Down

0 comments on commit f25858c

Please sign in to comment.