Merge pull request square#2307 from square/jwilson_0201_enable_certif…

…icate_authority_council

Start using CertificateAuthorityCouncil in CertificatePinner.

okhttp/src/main/java/okhttp3/CertificatePinner.java

@@ -25,6 +25,7 @@
 import java.util.Set;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import okhttp3.internal.Util;
+import okhttp3.internal.tls.CertificateAuthorityCouncil;
 import okio.ByteString;
 
 import static java.util.Collections.unmodifiableSet;
@@ -128,9 +129,11 @@ public final class CertificatePinner {
   public static final CertificatePinner DEFAULT = new Builder().build();
 
   private final Map<String, Set<ByteString>> hostnameToPins;
+  private final CertificateAuthorityCouncil certificateAuthorityCouncil;
 
   private CertificatePinner(Builder builder) {
-    hostnameToPins = Util.immutableMap(builder.hostnameToPins);
+    this.hostnameToPins = Util.immutableMap(builder.hostnameToPins);
+    this.certificateAuthorityCouncil = builder.certificateAuthorityCouncil;
   }
 
   /**
@@ -143,6 +146,9 @@ private CertificatePinner(Builder builder) {
    */
   public void check(String hostname, List<Certificate> peerCertificates)
       throws SSLPeerUnverifiedException {
+    if (certificateAuthorityCouncil != null) {
+      peerCertificates = certificateAuthorityCouncil.normalizeCertificateChain(peerCertificates);
+    }
 
     Set<ByteString> pins = findMatchingPins(hostname);
 
@@ -208,6 +214,10 @@ Set<ByteString> findMatchingPins(String hostname) {
     return wildcardPins;
   }
 
+  Builder newBuilder() {
+    return new Builder(this);
+  }
+
   /**
    * Returns the SHA-1 of {@code certificate}'s public key. This uses the mechanism Moxie
    * Marlinspike describes in <a href="https://github.com/moxie0/AndroidPinning">Android
@@ -227,6 +237,20 @@ private static ByteString sha1(X509Certificate x509Certificate) {
   /** Builds a configured certificate pinner. */
   public static final class Builder {
     private final Map<String, Set<ByteString>> hostnameToPins = new LinkedHashMap<>();
+    private CertificateAuthorityCouncil certificateAuthorityCouncil;
+
+    public Builder() {
+    }
+
+    Builder(CertificatePinner certificatePinner) {
+      this.hostnameToPins.putAll(certificatePinner.hostnameToPins);
+      this.certificateAuthorityCouncil = certificatePinner.certificateAuthorityCouncil;
+    }
+
+    Builder certificateAuthorityCouncil(CertificateAuthorityCouncil certificateAuthorityCouncil) {
+      this.certificateAuthorityCouncil = certificateAuthorityCouncil;
+      return this;
+    }
 
     /**
      * Pins certificates for {@code hostname}.

okhttp/src/main/java/okhttp3/OkHttpClient.java

@@ -36,6 +36,7 @@
 import okhttp3.internal.Util;
 import okhttp3.internal.http.StreamAllocation;
 import okhttp3.internal.io.RealConnection;
+import okhttp3.internal.tls.CertificateAuthorityCouncil;
 import okhttp3.internal.tls.OkHostnameVerifier;
 
 /**
@@ -132,7 +133,7 @@ public void apply(ConnectionSpec tlsConfiguration, SSLSocket sslSocket, boolean
   final InternalCache internalCache;
   final SocketFactory socketFactory;
   final SSLSocketFactory sslSocketFactory;
-  final X509TrustManager trustManager;
+  final CertificateAuthorityCouncil certificateAuthorityCouncil;
   final HostnameVerifier hostnameVerifier;
   final CertificatePinner certificatePinner;
   final Authenticator proxyAuthenticator;
@@ -179,18 +180,22 @@ private OkHttpClient(Builder builder) {
         throw new AssertionError(); // The system has no TLS. Just give up.
       }
     }
-    if (this.sslSocketFactory != null) {
-      this.trustManager = Platform.get().trustManager(sslSocketFactory);
+    if (sslSocketFactory != null && builder.certificateAuthorityCouncil == null) {
+      X509TrustManager trustManager = Platform.get().trustManager(sslSocketFactory);
       if (trustManager == null) {
         throw new IllegalStateException("Unable to extract the trust manager on " + Platform.get()
             + ", sslSocketFactory is " + sslSocketFactory.getClass());
       }
+      this.certificateAuthorityCouncil
+          = new CertificateAuthorityCouncil(trustManager.getAcceptedIssuers());
+      this.certificatePinner = builder.certificatePinner.newBuilder()
+          .certificateAuthorityCouncil(certificateAuthorityCouncil)
+          .build();
     } else {
-      this.trustManager = null;
+      this.certificateAuthorityCouncil = builder.certificateAuthorityCouncil;
+      this.certificatePinner = builder.certificatePinner;
     }
-
     this.hostnameVerifier = builder.hostnameVerifier;
-    this.certificatePinner = builder.certificatePinner;
     this.proxyAuthenticator = builder.proxyAuthenticator;
     this.authenticator = builder.authenticator;
     this.connectionPool = builder.connectionPool;
@@ -336,6 +341,7 @@ public static final class Builder {
     InternalCache internalCache;
     SocketFactory socketFactory;
     SSLSocketFactory sslSocketFactory;
+    CertificateAuthorityCouncil certificateAuthorityCouncil;
     HostnameVerifier hostnameVerifier;
     CertificatePinner certificatePinner;
     Authenticator proxyAuthenticator;
@@ -383,6 +389,7 @@ public Builder() {
       this.cache = okHttpClient.cache;
       this.socketFactory = okHttpClient.socketFactory;
       this.sslSocketFactory = okHttpClient.sslSocketFactory;
+      this.certificateAuthorityCouncil = okHttpClient.certificateAuthorityCouncil;
       this.hostnameVerifier = okHttpClient.hostnameVerifier;
       this.certificatePinner = okHttpClient.certificatePinner;
       this.proxyAuthenticator = okHttpClient.proxyAuthenticator;
@@ -520,6 +527,7 @@ public Builder socketFactory(SocketFactory socketFactory) {
     public Builder sslSocketFactory(SSLSocketFactory sslSocketFactory) {
       if (sslSocketFactory == null) throw new NullPointerException("sslSocketFactory == null");
       this.sslSocketFactory = sslSocketFactory;
+      this.certificateAuthorityCouncil = null;
       return this;
     }