1. 20 Jan, 2016 4 commits
  2. 19 Jan, 2016 2 commits
    • Chad Brubaker's avatar
      Prevent duplicate certificates in TrustedCertificateIndex · 4c9f9c22
      Chad Brubaker authored
      With the separate caching of intermediate certificates in
      TrustManagerImpl a given intermediate may be passed into .index multiple
      times. Avoid adding the certificate to the list each time.
      
      (cherry-picked from commit d080e064)
      Bug: 26232830
      Change-Id: I6bed2c65d9e42e052b9b1b129200a997e7dca745
      4c9f9c22
    • Chad Brubaker's avatar
      Cache intermediate CA separately · c4ab1b95
      Chad Brubaker authored
      Intermediate CAs are cached in order to support servers that fail to
      sent a complete chain to a root. These certificates should be cached to
      support these servers but these certificates must not be trusted as
      trust anchors. Store them separately to prevent confusion between
      trusted roots and cached intermediates.
      
      (cherry-picked from commit 198aca1f)
      Bug: 26232830
      Change-Id: I520f50729b55fc7412c7d133335bc9e3c190bbf6
      c4ab1b95
  3. 02 Jun, 2015 2 commits
  4. 28 May, 2015 1 commit
    • Kenny Root's avatar
      OpenSSLX509Certificate: mark mContext as transient · de55e62f
      Kenny Root authored
      Since mContext should not participate in the serialization process,
      hide it with the transient qualifier. This will prevent the field from
      initialization during the unserialization of this class. Then of course
      the instance will be in a valid state.
      
      (cherry picked from commit 8d57b9db)
      
      Bug: 21437603
      Change-Id: Ie9453c16d11820a91caff92c3f7b326d12f8a8f4
      de55e62f
  5. 07 Apr, 2015 1 commit
    • Chad Brubaker's avatar
      Add Platform adapter around unbundled conscrypt · 0d8611cf
      Chad Brubaker authored
      This wraps the conscrypt OpenSSLSocketImpl with an adapter that is a
      subclass of the platform's OpenSSLSocketImpl in order to support old
      code that does casts to the platform OpenSSLSocketImpl in order to set
      things like SNI.
      
      Until KK the platform OpenSSLSocketImpl was
      org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl, in KK it became
      com.android.org.conscrypt.OpenSSLSocketImpl. As of L MR1 the platform
      HTTP stack no longer casts to the platform OpenSSLSocketImpl and this
      work around is not needed on those devices.
      
      Change-Id: I196ad957eabfc70246d9c01aa12855a8eab036f0
      0d8611cf
  6. 17 Mar, 2015 1 commit
  7. 13 Mar, 2015 1 commit
  8. 12 Mar, 2015 2 commits
  9. 11 Mar, 2015 3 commits
  10. 27 Feb, 2015 4 commits
  11. 26 Feb, 2015 2 commits
  12. 25 Feb, 2015 2 commits
  13. 12 Feb, 2015 1 commit
  14. 11 Feb, 2015 1 commit
  15. 05 Feb, 2015 1 commit
    • Alex Klyubin's avatar
      Declare which keys Conscrypt accepts. · f2e0c381
      Alex Klyubin authored
      This declares constraints on which keys Cipher, KeyAgreement, Mac,
      and Signature instances provided by Conscrypt accept. Constraints are
      expressed using JCA's SupportedKeyClasses and SupportedKeyFormats
      attributes.
      
      Declaring these contraints will make JCA use other providers for keys
      not supported by Conscrypt. This in turn removes the need of users
      of JCA to explicitly specify which provider to use.
      
      This looks messy mostly because of how the JCA's constraining
      mechanism works. Some of the weirdness and messiness also comes from
      the inconsistencies in how Conscrypt handles different key types in
      different primitives. Once these inconsistencies are fixed, this
      change will become smaller and a bit nicer.
      
      See https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html
      
      Bug: 19284418
      Change-Id: I7e862a620d7279e4eaf6e42acd9072e7be665024
      f2e0c381
  16. 30 Jan, 2015 2 commits
  17. 23 Jan, 2015 1 commit
  18. 22 Jan, 2015 2 commits
  19. 21 Jan, 2015 2 commits
    • Alex Klyubin's avatar
      Time out TLS/SSL sessions after 8 hours by default. · 4314dcb6
      Alex Klyubin authored
      Prior to this change TLS/SSL sessions did not time out.
      
      (cherry picked from commit e5992c84)
      
      Bug: 18369043
      Bug: 18370076
      Change-Id: I596423b9c56bfc5f337a17aba02fbb9a9f2ded36
      4314dcb6
    • Adam Langley's avatar
      Use an empty BIO memory buffer with BoringSSL. · dd546216
      Adam Langley authored
      de5225d1 mistakenly switched a BIO_s_null to an empty mem-BIO in order
      to allow BoringSSL to work. That worked for BoringSSL, but OpenSSL
      treats an empty mem-BIO as an error and so that was switched back in
      2fe55c8f.
      
      This change uses an empty mem-BIO with BoringSSL again for the same
      reasons, but guards the change with the preprocessor so that it doesn't
      break OpenSSL.
      
      Change-Id: If90b7a151bf124722d91f150b441e0c9f5b96b03
      dd546216
  20. 08 Jan, 2015 5 commits