1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
/* -*- Mode: Java; c-basic-offset: 4; tab-width: 4; indent-tabs-mode: nil; -*-
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
package org.mozilla.gecko;
import android.util.Log;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Enumeration;
import org.mozilla.gecko.annotation.WrapForJNI;
// This class implements the functionality needed to find third-party root
// certificates that have been added to the android CA store.
public class EnterpriseRoots {
private static final String LOGTAG = "EnterpriseRoots";
// Gecko calls this function from C++ to find third-party root certificates
// it can use as trust anchors for TLS connections.
@WrapForJNI
private static byte[][] gatherEnterpriseRoots() {
// The KeyStore "AndroidCAStore" contains the certificates we're
// interested in.
final KeyStore ks;
try {
ks = KeyStore.getInstance("AndroidCAStore");
} catch (final KeyStoreException kse) {
Log.e(LOGTAG, "getInstance() failed", kse);
return new byte[0][0];
}
try {
ks.load(null);
} catch (final CertificateException ce) {
Log.e(LOGTAG, "load() failed", ce);
return new byte[0][0];
} catch (final IOException ioe) {
Log.e(LOGTAG, "load() failed", ioe);
return new byte[0][0];
} catch (final NoSuchAlgorithmException nsae) {
Log.e(LOGTAG, "load() failed", nsae);
return new byte[0][0];
}
// Given the KeyStore, we get an identifier for each object in it. For
// each one that is a Certificate, we try to distinguish between
// entries that shipped with the OS and entries that were added by the
// user or an administrator. The former we ignore and the latter we
// collect in an array of byte arrays and return.
final Enumeration<String> aliases;
try {
aliases = ks.aliases();
} catch (final KeyStoreException kse) {
Log.e(LOGTAG, "aliases() failed", kse);
return new byte[0][0];
}
final ArrayList<byte[]> roots = new ArrayList<byte[]>();
while (aliases.hasMoreElements()) {
final String alias = aliases.nextElement();
final boolean isCertificate;
try {
isCertificate = ks.isCertificateEntry(alias);
} catch (final KeyStoreException kse) {
Log.e(LOGTAG, "isCertificateEntry() failed", kse);
continue;
}
// Built-in certificate aliases start with "system:", whereas
// 3rd-party certificate aliases start with "user:". It's
// unfortunate to be relying on this implementation detail, but
// there appears to be no other way to differentiate between the
// two.
if (isCertificate && alias.startsWith("user:")) {
final Certificate certificate;
try {
certificate = ks.getCertificate(alias);
} catch (final KeyStoreException kse) {
Log.e(LOGTAG, "getCertificate() failed", kse);
continue;
}
try {
roots.add(certificate.getEncoded());
} catch (final CertificateEncodingException cee) {
Log.e(LOGTAG, "getEncoded() failed", cee);
}
}
}
Log.d(LOGTAG, "found " + roots.size() + " enterprise roots");
return roots.toArray(new byte[0][0]);
}
}
|
