EMMA Coverage Report

EMMA Coverage Report (generated Fri Aug 23 16:39:17 PDT 2013)
[all classes][org.chromium.net]

COVERAGE SUMMARY FOR SOURCE FILE [X509Util.java]

name	class, %	method, %	block, %	line, %
X509Util.java	100% (1/1)	80% (8/10)	52% (156/298)	53% (43.3/82)

COVERAGE BREAKDOWN BY CLASS AND METHOD

name	class, %	method, %	block, %	line, %

class X509Util	100% (1/1)	80% (8/10)	52% (156/298)	53% (43.3/82)
X509Util (): void		0% (0/1)	0% (0/3)	0% (0/1)
verifyServerCertificates (byte [][], String): int		0% (0/1)	0% (0/113)	0% (0/32)
clearTestRootCertificates (): void		100% (1/1)	70% (14/20)	90% (6.3/7)
addTestRootCertificate (byte []): void		100% (1/1)	84% (26/31)	98% (6.8/7)
ensureInitialized (): void		100% (1/1)	84% (32/38)	94% (12.2/13)
createTrustManager (KeyStore): X509TrustManager		100% (1/1)	88% (29/33)	85% (5.9/7)
verifyKeyUsage (X509Certificate): boolean		100% (1/1)	88% (37/42)	70% (7/10)
<static initializer>		100% (1/1)	100% (5/5)	100% (1/1)
createCertificateFromBytes (byte []): X509Certificate		100% (1/1)	100% (9/9)	100% (2/2)
reloadTestTrustManager (): void		100% (1/1)	100% (4/4)	100% (2/2)

1	// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2	// Use of this source code is governed by a BSD-style license that can be
3	// found in the LICENSE file.
4
5	package org.chromium.net;
6
7	import android.util.Log;
8
9	import org.chromium.net.CertVerifyResultAndroid;
10
11	import java.io.ByteArrayInputStream;
12	import java.io.IOException;
13	import java.security.KeyStore;
14	import java.security.KeyStoreException;
15	import java.security.NoSuchAlgorithmException;
16	import java.security.cert.CertificateException;
17	import java.security.cert.CertificateExpiredException;
18	import java.security.cert.CertificateNotYetValidException;
19	import java.security.cert.CertificateFactory;
20	import java.security.cert.CertificateParsingException;
21	import java.security.cert.X509Certificate;
22	import java.util.List;
23
24	import javax.net.ssl.TrustManager;
25	import javax.net.ssl.TrustManagerFactory;
26	import javax.net.ssl.X509TrustManager;
27
28	public class X509Util {
29
30	private static final String TAG = "X509Util";
31
32	private static CertificateFactory sCertificateFactory;
33
34	private static final String OID_TLS_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
35	private static final String OID_ANY_EKU = "2.5.29.37.0";
36	// Server-Gated Cryptography (necessary to support a few legacy issuers):
37	// Netscape:
38	private static final String OID_SERVER_GATED_NETSCAPE = "2.16.840.1.113730.4.1";
39	// Microsoft:
40	private static final String OID_SERVER_GATED_MICROSOFT = "1.3.6.1.4.1.311.10.3.3";
41
42	/**
43	* Trust manager backed up by the read-only system certificate store.
44	*/
45	private static X509TrustManager sDefaultTrustManager;
46
47	/**
48	* Trust manager backed up by a custom certificate store. We need such manager to plant test
49	* root CA to the trust store in testing.
50	*/
51	private static X509TrustManager sTestTrustManager;
52	private static KeyStore sTestKeyStore;
53
54	/**
55	* Lock object used to synchronize all calls that modify or depend on the trust managers.
56	*/
57	private static final Object sLock = new Object();
58
59	/**
60	* Ensures that the trust managers and certificate factory are initialized.
61	*/
62	private static void ensureInitialized() throws CertificateException,
63	KeyStoreException, NoSuchAlgorithmException {
64	synchronized(sLock) {
65	if (sCertificateFactory == null) {
66	sCertificateFactory = CertificateFactory.getInstance("X.509");
67	}
68	if (sDefaultTrustManager == null) {
69	sDefaultTrustManager = X509Util.createTrustManager(null);
70	}
71	if (sTestKeyStore == null) {
72	sTestKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
73	try {
74	sTestKeyStore.load(null);
75	} catch(IOException e) {} // No IO operation is attempted.
76	}
77	if (sTestTrustManager == null) {
78	sTestTrustManager = X509Util.createTrustManager(sTestKeyStore);
79	}
80	}
81	}
82
83	/**
84	* Creates a X509TrustManager backed up by the given key store. When null is passed as a key
85	* store, system default trust store is used.
86	* @throws KeyStoreException, NoSuchAlgorithmException on error initializing the TrustManager.
87	*/
88	private static X509TrustManager createTrustManager(KeyStore keyStore) throws KeyStoreException,
89	NoSuchAlgorithmException {
90	String algorithm = TrustManagerFactory.getDefaultAlgorithm();
91	TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
92	tmf.init(keyStore);
93
94	for (TrustManager tm : tmf.getTrustManagers()) {
95	if (tm instanceof X509TrustManager) {
96	return (X509TrustManager) tm;
97	}
98	}
99	return null;
100	}
101
102	/**
103	* After each modification of test key store, trust manager has to be generated again.
104	*/
105	private static void reloadTestTrustManager() throws KeyStoreException,
106	NoSuchAlgorithmException {
107	sTestTrustManager = X509Util.createTrustManager(sTestKeyStore);
108	}
109
110	/**
111	* Convert a DER encoded certificate to an X509Certificate.
112	*/
113	public static X509Certificate createCertificateFromBytes(byte[] derBytes) throws
114	CertificateException, KeyStoreException, NoSuchAlgorithmException {
115	ensureInitialized();
116	return (X509Certificate) sCertificateFactory.generateCertificate(
117	new ByteArrayInputStream(derBytes));
118	}
119
120	public static void addTestRootCertificate(byte[] rootCertBytes) throws CertificateException,
121	KeyStoreException, NoSuchAlgorithmException {
122	ensureInitialized();
123	X509Certificate rootCert = createCertificateFromBytes(rootCertBytes);
124	synchronized (sLock) {
125	sTestKeyStore.setCertificateEntry(
126	"root_cert_" + Integer.toString(sTestKeyStore.size()), rootCert);
127	reloadTestTrustManager();
128	}
129	}
130
131	public static void clearTestRootCertificates() throws NoSuchAlgorithmException,
132	CertificateException, KeyStoreException {
133	ensureInitialized();
134	synchronized (sLock) {
135	try {
136	sTestKeyStore.load(null);
137	reloadTestTrustManager();
138	} catch (IOException e) {} // No IO operation is attempted.
139	}
140	}
141
142	/**
143	* If an EKU extension is present in the end-entity certificate, it MUST contain either the
144	* anyEKU or serverAuth or netscapeSGC or Microsoft SGC EKUs.
145	*
146	* @return true if there is no EKU extension or if any of the EKU extensions is one of the valid
147	* OIDs for web server certificates.
148	*
149	* TODO(palmer): This can be removed after the equivalent change is made to the Android default
150	* TrustManager and that change is shipped to a large majority of Android users.
151	*/
152	static boolean verifyKeyUsage(X509Certificate certificate) throws CertificateException {
153	List<String> ekuOids;
154	try {
155	ekuOids = certificate.getExtendedKeyUsage();
156	} catch (NullPointerException e) {
157	// getExtendedKeyUsage() can crash due to an Android platform bug. This probably
158	// happens when the EKU extension data is malformed so return false here.
159	// See http://crbug.com/233610
160	return false;
161	}
162	if (ekuOids == null)
163	return true;
164
165	for (String ekuOid : ekuOids) {
166	if (ekuOid.equals(OID_TLS_SERVER_AUTH) \|\|
167	ekuOid.equals(OID_ANY_EKU) \|\|
168	ekuOid.equals(OID_SERVER_GATED_NETSCAPE) \|\|
169	ekuOid.equals(OID_SERVER_GATED_MICROSOFT)) {
170	return true;
171	}
172	}
173
174	return false;
175	}
176
177	public static int verifyServerCertificates(byte[][] certChain, String authType)
178	throws KeyStoreException, NoSuchAlgorithmException {
179	if (certChain == null \|\| certChain.length == 0 \|\| certChain[0] == null) {
180	throw new IllegalArgumentException("Expected non-null and non-empty certificate " +
181	"chain passed as \|certChain\|. \|certChain\|=" + certChain);
182	}
183
184	try {
185	ensureInitialized();
186	} catch (CertificateException e) {
187	return CertVerifyResultAndroid.VERIFY_FAILED;
188	}
189
190	X509Certificate[] serverCertificates = new X509Certificate[certChain.length];
191	try {
192	for (int i = 0; i < certChain.length; ++i) {
193	serverCertificates[i] = createCertificateFromBytes(certChain[i]);
194	}
195	} catch (CertificateException e) {
196	return CertVerifyResultAndroid.VERIFY_UNABLE_TO_PARSE;
197	}
198
199	// Expired and not yet valid certificates would be rejected by the trust managers, but the
200	// trust managers report all certificate errors using the general CertificateException. In
201	// order to get more granular error information, cert validity time range is being checked
202	// separately.
203	try {
204	serverCertificates[0].checkValidity();
205	if (!verifyKeyUsage(serverCertificates[0]))
206	return CertVerifyResultAndroid.VERIFY_INCORRECT_KEY_USAGE;
207	} catch (CertificateExpiredException e) {
208	return CertVerifyResultAndroid.VERIFY_EXPIRED;
209	} catch (CertificateNotYetValidException e) {
210	return CertVerifyResultAndroid.VERIFY_NOT_YET_VALID;
211	} catch (CertificateException e) {
212	return CertVerifyResultAndroid.VERIFY_FAILED;
213	}
214
215	synchronized (sLock) {
216	try {
217	sDefaultTrustManager.checkServerTrusted(serverCertificates, authType);
218	return CertVerifyResultAndroid.VERIFY_OK;
219	} catch (CertificateException eDefaultManager) {
220	try {
221	sTestTrustManager.checkServerTrusted(serverCertificates, authType);
222	return CertVerifyResultAndroid.VERIFY_OK;
223	} catch (CertificateException eTestManager) {
224	// Neither of the trust managers confirms the validity of the certificate chain,
225	// log the error message returned by the system trust manager.
226	Log.i(TAG, "Failed to validate the certificate chain, error: " +
227	eDefaultManager.getMessage());
228	return CertVerifyResultAndroid.VERIFY_NO_TRUSTED_ROOT;
229	}
230	}
231	}
232	}
233	}

[all classes][org.chromium.net]

EMMA 2.0.5312 (C) Vladimir Roubtsov