google · eirbjo · Apr 15, 2023 · Apr 19, 2023
diff --git a/common/src/main/java/org/conscrypt/ActiveSession.java b/common/src/main/java/org/conscrypt/ActiveSession.java
@@ -41,8 +41,6 @@ final class ActiveSession implements ConscryptSession {
     private String peerHost;
     private int peerPort = -1;
     private long lastAccessedTime = 0;
-    @SuppressWarnings("deprecation")
-    private volatile javax.security.cert.X509Certificate[] peerCertificateChain;
     private X509Certificate[] localCertificates;
     private X509Certificate[] peerCertificates;
     private byte[] peerCertificateOcspData;
@@ -193,36 +191,6 @@ public Certificate[] getLocalCertificates() {
         return localCertificates == null ? null : localCertificates.clone();
     }
 
-    /**
-     * Returns the certificate(s) of the peer in this SSL session
-     * used in the handshaking phase of the connection.
-     * Please notice hat this method is superseded by
-     * <code>getPeerCertificates()</code>.
-     * @return an array of X509 certificates (the peer's one first and then
-     *         eventually that of the certification authority) or null if no
-     *         certificate were used during the SSL connection.
-     * @throws SSLPeerUnverifiedException if either a non-X.509 certificate
-     *         was used (i.e. Kerberos certificates) or the peer could not
-     *         be verified.
-     */
-    @Override
-    @SuppressWarnings("deprecation") // Public API
-    public javax.security.cert.X509Certificate[] getPeerCertificateChain()
-            throws SSLPeerUnverifiedException {
-        if (!Platform.isJavaxCertificateSupported()) {
-            throw new UnsupportedOperationException("Use getPeerCertificates() instead");
-        }
-
-        checkPeerCertificatesPresent();
-        // TODO(nathanmittler): Should we clone?
-        javax.security.cert.X509Certificate[] result = peerCertificateChain;
-        if (result == null) {
-            // single-check idiom
-            peerCertificateChain = result = SSLUtils.toCertificateChain(peerCertificates);
-        }
-        return result;
-    }
-
     @Override
     public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
         checkPeerCertificatesPresent();

diff --git a/common/src/main/java/org/conscrypt/ConscryptSession.java b/common/src/main/java/org/conscrypt/ConscryptSession.java
@@ -53,5 +53,14 @@ interface ConscryptSession extends SSLSession {
   @Override
   X509Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException;
 
+  @Override
+  @SuppressWarnings("deprecation")
+  default javax.security.cert.X509Certificate[] getPeerCertificateChain()
+          throws SSLPeerUnverifiedException {
+    throw new UnsupportedOperationException(
+            "This method is deprecated and marked for removal. Use the " +
+                    "getPeerCertificates() method instead.");
+  }
+
   String getApplicationProtocol();
 }
diff --git a/common/src/main/java/org/conscrypt/ExternalSession.java b/common/src/main/java/org/conscrypt/ExternalSession.java
@@ -110,12 +110,6 @@ public Certificate[] getLocalCertificates() {
     return provider.provideSession().getLocalCertificates();
   }
 
-  @Override
-  @SuppressWarnings("deprecation") // Public API
-  public javax.security.cert.X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
-    return provider.provideSession().getPeerCertificateChain();
-  }
-
   @Override
   public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
     return provider.provideSession().getPeerPrincipal();

diff --git a/common/src/main/java/org/conscrypt/Java7ExtendedSSLSession.java b/common/src/main/java/org/conscrypt/Java7ExtendedSSLSession.java
@@ -132,12 +132,6 @@ public final Certificate[] getLocalCertificates() {
         return delegate.getLocalCertificates();
     }
 
-    @Override
-    @SuppressWarnings("deprecation") // Public API
-    public final javax.security.cert.X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
-        return delegate.getPeerCertificateChain();
-    }
-
     @Override
     public final Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
         return delegate.getPeerPrincipal();

diff --git a/common/src/main/java/org/conscrypt/SSLNullSession.java b/common/src/main/java/org/conscrypt/SSLNullSession.java
@@ -115,13 +115,6 @@ public int getPacketBufferSize() {
         return NativeConstants.SSL3_RT_MAX_PACKET_SIZE;
     }
 
-    @Override
-    @SuppressWarnings("deprecation") // Public API
-    public javax.security.cert.X509Certificate[] getPeerCertificateChain()
-            throws SSLPeerUnverifiedException {
-        throw new SSLPeerUnverifiedException("No peer certificate");
-    }
-
     @Override
     public X509Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
         throw new SSLPeerUnverifiedException("No peer certificate");

diff --git a/common/src/main/java/org/conscrypt/SSLUtils.java b/common/src/main/java/org/conscrypt/SSLUtils.java
@@ -313,28 +313,6 @@ static byte[][] encodeSubjectX509Principals(X509Certificate[] certificates)
         return principalBytes;
     }
 
-    /**
-     * Converts the peer certificates into a cert chain.
-     */
-    @SuppressWarnings("deprecation") // Used in public Conscrypt APIs
-    static javax.security.cert.X509Certificate[] toCertificateChain(X509Certificate[] certificates)
-            throws SSLPeerUnverifiedException {
-        try {
-            javax.security.cert.X509Certificate[] chain =
-                    new javax.security.cert.X509Certificate[certificates.length];
-
-            for (int i = 0; i < certificates.length; i++) {
-                byte[] encoded = certificates[i].getEncoded();
-                chain[i] = javax.security.cert.X509Certificate.getInstance(encoded);
-            }
-            return chain;
-        } catch (CertificateEncodingException | javax.security.cert.CertificateException e) {
-            SSLPeerUnverifiedException exception = new SSLPeerUnverifiedException(e.getMessage());
-            exception.initCause(e);
-            throw exception;
-        }
-    }
-
     /**
      * Calculates the minimum bytes required in the encrypted output buffer for the given number of
      * plaintext source bytes.

diff --git a/common/src/main/java/org/conscrypt/SessionSnapshot.java b/common/src/main/java/org/conscrypt/SessionSnapshot.java
@@ -140,17 +140,6 @@ public Certificate[] getLocalCertificates() {
         return null;
     }
 
-    @Override
-    @SuppressWarnings("deprecation") // Public API
-    public javax.security.cert.X509Certificate[] getPeerCertificateChain()
-        throws SSLPeerUnverifiedException {
-        if (!Platform.isJavaxCertificateSupported()) {
-            throw new UnsupportedOperationException("Use getPeerCertificates() instead");
-        }
-
-        throw new SSLPeerUnverifiedException("No peer certificates");
-    }
-
     @Override
     public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
         throw new SSLPeerUnverifiedException("No peer certificates");

diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSessionTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSessionTest.java
@@ -190,34 +190,6 @@ public void test_SSLSession_getPacketBufferSize() {
         s.close();
     }
 
-    @Test
-    public void test_SSLSession_getPeerCertificateChain() throws Exception {
-        TestSSLSessions s = TestSSLSessions.create();
-        try {
-            s.invalid.getPeerCertificateChain();
-            fail();
-        } catch (SSLPeerUnverifiedException expected) {
-            // Ignored.
-        } catch (UnsupportedOperationException e) {
-            if (!StandardNames.IS_15_OR_UP) {
-                fail("Should only throw UnsupportedOperationException on OpenJDK 15 or up");
-            }
-        }
-        assertNotNull(s.client.getPeerCertificates());
-        TestKeyStore.assertChainLength(s.client.getPeerCertificates());
-        try {
-            assertNull(s.server.getPeerCertificateChain());
-            fail();
-        } catch (SSLPeerUnverifiedException expected) {
-            // Ignored.
-        } catch (UnsupportedOperationException e) {
-            if (!StandardNames.IS_15_OR_UP) {
-                fail("Should only throw UnsupportedOperationException on OpenJDK 15 or up");
-            }
-        }
-        s.close();
-    }
-
     @Test
     public void test_SSLSession_getPeerCertificates() throws Exception {
         TestSSLSessions s = TestSSLSessions.create();

diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
@@ -371,8 +371,6 @@ public void handshakeCompleted(HandshakeCompletedEvent event) {
                     String cipherSuite = event.getCipherSuite();
                     Certificate[] localCertificates = event.getLocalCertificates();
                     Certificate[] peerCertificates = event.getPeerCertificates();
-                    javax.security.cert.X509Certificate[] peerCertificateChain =
-                        event.getPeerCertificateChain();
                     Principal peerPrincipal = event.getPeerPrincipal();
                     Principal localPrincipal = event.getLocalPrincipal();
                     socket = event.getSocket();
@@ -401,11 +399,6 @@ public void handshakeCompleted(HandshakeCompletedEvent event) {
                         .assertServerCertificateChain(c.clientTrustManager, peerCertificates);
                     TestSSLContext
                         .assertCertificateInKeyStore(peerCertificates[0], c.serverKeyStore);
-                    assertNotNull(peerCertificateChain);
-                    TestKeyStore.assertChainLength(peerCertificateChain);
-                    assertNotNull(peerCertificateChain[0]);
-                    TestSSLContext.assertCertificateInKeyStore(
-                        peerCertificateChain[0].getSubjectDN(), c.serverKeyStore);
                     assertNotNull(peerPrincipal);
                     TestSSLContext.assertCertificateInKeyStore(peerPrincipal, c.serverKeyStore);
                     assertNull(localPrincipal);