author | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-04-08 22:18:56 +0000 |
---|---|---|
committer | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-04-08 22:18:56 +0000 |
commit | 0eadfeaa5e95dc18cb2533ab49c28a65cce5ef20 (patch) | |
tree | bdfc52d504c200dc460ee02a1921435a9bc110f9 /net | |
parent | 87de04b08fb5e31c49f1d5db78b3eddb5ece97b2 (diff) | |
Remove known root detection logic on Android.
The implementation has a high startup overhead. Remove it for now and default
the value to false; this disables the intranet name detector since we cannot
distinguish private CAs from public ones.
BUG=361166
Review URL: https://codereview.chromium.org/228883003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@262521 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/android/java/src/org/chromium/net/X509Util.java | 79 | ||||
-rw-r--r-- | net/cert/cert_verify_proc_unittest.cc | 6 |
2 files changed, 5 insertions, 80 deletions
diff --git a/net/android/java/src/org/chromium/net/X509Util.java b/net/android/java/src/org/chromium/net/X509Util.java
index 90012a4..5c478a2 100644
--- a/net/android/java/src/org/chromium/net/X509Util.java
+++ b/net/android/java/src/org/chromium/net/X509Util.java
@@ -13,7 +13,6 @@ import android.net.http.X509TrustManagerExtensions;
 import android.os.Build;
 import android.security.KeyChain;
 import android.util.Log;
-import android.util.Pair;
 import org.chromium.base.JNINamespace;
@@ -22,8 +21,6 @@ import java.io.IOException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.PublicKey;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateFactory;
@@ -31,15 +28,11 @@ import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Set;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
-import javax.security.auth.x500.X500Principal;
 /**
 * Utility functions for verifying X.509 certificates.
@@ -141,26 +134,6 @@ public class X509Util {
 private static KeyStore sTestKeyStore;
 /**
- * Hash set of the subject and public key of system roots. This is used to
- * determine whether a chain ends at a well-known root or not.
- *
- * Querying the system KeyStore for the root directly doesn't work as the
- * root of the verified chain may be the server's version of a root rather
- * than the system one. For instance, the server may send a certificate
- * signed by another CA, while the system store contains a self-signed root
- * with the same subject and SPKI. The chain will terminate at that root
- * but X509TrustManagerExtensions will return the server's version.
- */
- private static Set<Pair<X500Principal, PublicKey>> sSystemTrustRoots;
-
- /**
- * True if the system trust roots were initialized. (sSystemTrustRoots may
- * still be null if system trust roots cannot be distinguished from
- * user-installed ones.)
- */
- private static boolean sLoadedSystemTrustRoots;
-
- /**
 * Lock object used to synchronize all calls that modify or depend on the trust managers.
 */
 private static final Object sLock = new Object();
@@ -184,19 +157,6 @@ public class X509Util {
 if (sDefaultTrustManager == null) {
 sDefaultTrustManager = X509Util.createTrustManager(null);
 }
- if (!sLoadedSystemTrustRoots) {
- try {
- sSystemTrustRoots = buildSystemTrustRootSet();
- } catch (KeyStoreException e) {
- // If the device does not have an "AndroidCAStore" KeyStore, don't make the
- // failure fatal. Instead default conservatively to setting isIssuedByKnownRoot
- // to false everywhere.
- Log.w(TAG, "Could not load system trust root set", e);
- }
- if (!sDisableNativeCodeForTest)
- nativeRecordCertVerifyCapabilitiesHistogram(sSystemTrustRoots != null);
- sLoadedSystemTrustRoots = true;
- }
 if (sTestKeyStore == null) {
 sTestKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
 try {
@@ -216,33 +176,6 @@ public class X509Util {
 }
 }
- private static Set<Pair<X500Principal, PublicKey>> buildSystemTrustRootSet() throws
- CertificateException, KeyStoreException, NoSuchAlgorithmException {
- // Load the Android CA store.
- KeyStore systemKeyStore = KeyStore.getInstance("AndroidCAStore");
- try {
- systemKeyStore.load(null);
- } catch (IOException e) {
- // No IO operation is attempted.
- }
-
- // System trust roots have prefix of "system:".
- Set<Pair<X500Principal, PublicKey>> roots = new HashSet<Pair<X500Principal, PublicKey>>();
- Enumeration<String> aliases = systemKeyStore.aliases();
- while (aliases.hasMoreElements()) {
- String alias = aliases.nextElement();
- if (!alias.startsWith("system:"))
- continue;
- Certificate cert = systemKeyStore.getCertificate(alias);
- if (cert != null && cert instanceof X509Certificate) {
- X509Certificate x509Cert = (X509Certificate)cert;
- roots.add(new Pair<X500Principal, PublicKey>(x509Cert.getSubjectX500Principal(),
- x509Cert.getPublicKey()));
- }
- }
- return roots;
- }
-
 /**
 * Creates a X509TrustManagerImplementation backed up by the given key
 * store. When null is passed as a key store, system default trust store is
@@ -285,8 +218,6 @@ public class X509Util {
 private static void reloadDefaultTrustManager() throws
 KeyStoreException, NoSuchAlgorithmException, CertificateException {
 sDefaultTrustManager = null;
- sSystemTrustRoots = null;
- sLoadedSystemTrustRoots = false;
 nativeNotifyKeyChainChanged();
 ensureInitialized();
 }
@@ -422,14 +353,10 @@ public class X509Util {
 }
 }
+ // TODO(davidben): This code was removed for
+ // http://crbug.com/361166. Fix the performance regression and
+ // export it again.
 boolean isIssuedByKnownRoot = false;
- if (sSystemTrustRoots != null && verifiedChain.size() > 0) {
- X509Certificate root = verifiedChain.get(verifiedChain.size() - 1);
- isIssuedByKnownRoot = sSystemTrustRoots.contains(
- new Pair<X500Principal, PublicKey>(root.getSubjectX500Principal(),
- root.getPublicKey()));
- }
-
 return new AndroidCertVerifyResult(CertVerifyStatusAndroid.VERIFY_OK,
 isIssuedByKnownRoot, verifiedChain);
 }
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 6567d16..8f5156b 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -97,10 +97,8 @@ bool SupportsReturningVerifiedChain() {
 bool SupportsDetectingKnownRoots() {
 #if defined(OS_ANDROID)
- // Before API level 17, Android does not expose the APIs necessary to get at
- // the verified certificate chain and detect known roots.
- if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
- return false;
+ // http://crbug.com/361166
+ return false;
 #endif
 return true;
 } |
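Review bot: The TODO added above `boolean isIssuedByKnownRoot = false;` says why the lookup was removed but not what the constant means for callers: every verified chain, including one that ends at a system root, is now reported as not issued by a known root. The commit message names the intranet-name detector as one consumer that stops working; any other check that is applied only to publicly trusted chains would presumably be skipped on Android as well, which should be confirmed against the flag's consumers. I would extend the comment with a line such as `// Until then every chain is reported as not issued by a known root, so checks gated on that flag do not run.` The enclosing method starts outside the hunk.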
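Review bot: On Android `SupportsDetectingKnownRoots()` now returns false unconditionally, so the `return true;` after `#endif` is unreachable there, and the only explanation left is a bare URL. An `#else` branch keeps one return per platform, and the comment can state the reason: `// Known-root detection is disabled on Android for now; see http://crbug.com/361166.` followed by `return false;`, `#else`, `return true;`, `#endif`. Tests gated on this helper are presumably skipped on Android while it returns false, so this line needs to be reverted together with the Java TODO for that path to be exercised again.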