neven7
diff --git a/‎google-http-client/src/main/java/com/google/api/client/http/GZipEncoding.java
Lines changed: 2 additions & 2 deletions b/‎google-http-client/src/main/java/com/google/api/client/http/GZipEncoding.java
Lines changed: 2 additions & 2 deletions
diff --git a/‎google-http-client/src/main/java/com/google/api/client/http/HttpRequest.java
Lines changed: 7 additions & 0 deletions b/‎google-http-client/src/main/java/com/google/api/client/http/HttpRequest.java
Lines changed: 7 additions & 0 deletions
diff --git a/‎google-http-client/src/main/java/com/google/api/client/http/javanet/ConnectionFactory.java
Lines changed: 21 additions & 0 deletions b/‎google-http-client/src/main/java/com/google/api/client/http/javanet/ConnectionFactory.java
Lines changed: 21 additions & 0 deletions
diff --git a/‎google-http-client/src/main/java/com/google/api/client/http/javanet/DefaultConnectionFactory.java
Lines changed: 33 additions & 0 deletions b/‎google-http-client/src/main/java/com/google/api/client/http/javanet/DefaultConnectionFactory.java
Lines changed: 33 additions & 0 deletions
diff --git a/‎google-http-client/src/main/java/com/google/api/client/http/javanet/NetHttpTransport.java
Lines changed: 43 additions & 12 deletions b/‎google-http-client/src/main/java/com/google/api/client/http/javanet/NetHttpTransport.java
Lines changed: 43 additions & 12 deletions
diff --git a/‎google-http-client/src/main/java/com/google/api/client/json/webtoken/JsonWebSignature.java
Lines changed: 141 additions & 5 deletions b/‎google-http-client/src/main/java/com/google/api/client/json/webtoken/JsonWebSignature.java
Lines changed: 141 additions & 5 deletions
@@ -16,7 +16,7 @@
 
 import com.google.api.client.util.StreamingContent;
 
-import java.io.FilterOutputStream;
+import java.io.BufferedOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.util.zip.GZIPOutputStream;
@@ -35,7 +35,7 @@ public String getName() {
 
   public void encode(StreamingContent content, OutputStream out) throws IOException {
     // must not close the underlying output stream
-    OutputStream out2 = new FilterOutputStream(out) {
+    OutputStream out2 = new BufferedOutputStream(out) {
       @Override
       public void close() throws IOException {
         // copy implementation of super.close(), except do not close the underlying output stream
 
@@ -926,6 +926,13 @@ public HttpResponse execute() throws IOException {
               curlbuf.append(" -H '" + header + "'");
             }
           }
+          if (contentEncoding != null) {
+            String header = "Content-Encoding: " + contentEncoding;
+            logbuf.append(header).append(StringUtils.LINE_SEPARATOR);
+            if (curlbuf != null) {
+              curlbuf.append(" -H '" + header + "'");
+            }
+          }
           if (contentLength >= 0) {
             String header = "Content-Length: " + contentLength;
             logbuf.append(header).append(StringUtils.LINE_SEPARATOR);
 
@@ -0,0 +1,21 @@
+package com.google.api.client.http.javanet;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+/**
+ * Given a {@link URL} instance, produces an {@link HttpURLConnection}.
+ */
+public interface ConnectionFactory {
+
+  /**
+   * Creates a new {@link HttpURLConnection} from the given {@code url}.
+   *
+   * @param url the URL to which the conneciton will be made
+   * @return the created connection object, which will still be in the pre-connected state
+   * @throws IOException if there was a problem producing the connection
+   * @throws ClassCastException if the URL is not for an HTTP endpoint
+   */
+  HttpURLConnection openConnection(URL url) throws IOException, ClassCastException;
+}
@@ -0,0 +1,33 @@
+package com.google.api.client.http.javanet;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.Proxy;
+import java.net.URL;
+
+/**
+ * Default implementation of {@link ConnectionFactory}, which simply attempts to open the connection
+ * with an optional {@link Proxy}.
+ */
+public class DefaultConnectionFactory implements ConnectionFactory {
+
+  private final Proxy proxy;
+
+  public DefaultConnectionFactory() {
+    this(null);
+  }
+
+  /**
+   * @param proxy HTTP proxy or {@code null} to use the proxy settings from <a
+   *        href="http://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html">
+   *        system properties</a>
+   */
+  public DefaultConnectionFactory(Proxy proxy) {
+    this.proxy = proxy;
+  }
+
+  @Override
+  public HttpURLConnection openConnection(URL url) throws IOException {
+    return (HttpURLConnection) (proxy == null ? url.openConnection() : url.openConnection(proxy));
+  }
+}
@@ -26,7 +26,6 @@
 import java.net.HttpURLConnection;
 import java.net.Proxy;
 import java.net.URL;
-import java.net.URLConnection;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.cert.CertificateFactory;
@@ -77,12 +76,8 @@ public final class NetHttpTransport extends HttpTransport {
     Arrays.sort(SUPPORTED_METHODS);
   }
 
-  /**
-   * HTTP proxy or {@code null} to use the proxy settings from <a
-   * href="http://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html">system
-   * properties</a>.
-   */
-  private final Proxy proxy;
+  /** Factory to produce connections from {@link URL}s */
+  private final ConnectionFactory connectionFactory;
 
   /** SSL socket factory or {@code null} for the default. */
   private final SSLSocketFactory sslSocketFactory;
@@ -98,7 +93,7 @@ public final class NetHttpTransport extends HttpTransport {
    * </p>
    */
   public NetHttpTransport() {
-    this(null, null, null);
+    this((ConnectionFactory) null, null, null);
   }
 
   /**
@@ -110,7 +105,20 @@ public NetHttpTransport() {
    */
   NetHttpTransport(
       Proxy proxy, SSLSocketFactory sslSocketFactory, HostnameVerifier hostnameVerifier) {
-    this.proxy = proxy;
+    this(new DefaultConnectionFactory(proxy), sslSocketFactory, hostnameVerifier);
+  }
+
+  /**
+   * @param connectionFactory factory to produce connections from {@link URL}s; if {@code null} then
+   *        {@link DefaultConnectionFactory} is used
+   * @param sslSocketFactory SSL socket factory or {@code null} for the default
+   * @param hostnameVerifier host name verifier or {@code null} for the default
+   * @since 1.20
+   */
+  NetHttpTransport(ConnectionFactory connectionFactory,
+      SSLSocketFactory sslSocketFactory, HostnameVerifier hostnameVerifier) {
+    this.connectionFactory =
+        connectionFactory == null ? new DefaultConnectionFactory() : connectionFactory;
     this.sslSocketFactory = sslSocketFactory;
     this.hostnameVerifier = hostnameVerifier;
   }
@@ -125,8 +133,7 @@ protected NetHttpRequest buildRequest(String method, String url) throws IOExcept
     Preconditions.checkArgument(supportsMethod(method), "HTTP method %s not supported", method);
     // connection with proxy settings
     URL connUrl = new URL(url);
-    URLConnection conn = proxy == null ? connUrl.openConnection() : connUrl.openConnection(proxy);
-    HttpURLConnection connection = (HttpURLConnection) conn;
+    HttpURLConnection connection = connectionFactory.openConnection(connUrl);
     connection.setRequestMethod(method);
     // SSL settings
     if (connection instanceof HttpsURLConnection) {
@@ -165,6 +172,12 @@ public static final class Builder {
      */
     private Proxy proxy;
 
+    /**
+     * {@link ConnectionFactory} or {@code null} to use a DefaultConnectionFactory. This value is
+     * only used if proxy is unset.
+     */
+    private ConnectionFactory connectionFactory;
+
     /**
      * Sets the HTTP proxy or {@code null} to use the proxy settings from <a
      * href="http://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html">system
@@ -183,6 +196,22 @@ public Builder setProxy(Proxy proxy) {
       return this;
     }
 
+    /**
+     * Sets the {@link ConnectionFactory} or {@code null} to use a {@link DefaultConnectionFactory}.
+     * <b>This value is ignored if the {@link #setProxy} has been called with a non-null value.</b>
+     *
+     * <p>
+     * If you wish to use a {@link Proxy}, it should be included in your {@link ConnectionFactory}
+     * implementation.
+     * </p>
+     *
+     */
+    public Builder setConnectionFactory(ConnectionFactory connectionFactory) {
+      this.connectionFactory = connectionFactory;
+      return this;
+    }
+
     /**
      * Sets the SSL socket factory based on root certificates in a Java KeyStore.
      *
@@ -285,7 +314,9 @@ public Builder setHostnameVerifier(HostnameVerifier hostnameVerifier) {
 
     /** Returns a new instance of {@link NetHttpTransport} based on the options. */
     public NetHttpTransport build() {
-      return new NetHttpTransport(proxy, sslSocketFactory, hostnameVerifier);
+      return proxy == null
+          ? new NetHttpTransport(connectionFactory, sslSocketFactory, hostnameVerifier)
+          : new NetHttpTransport(proxy, sslSocketFactory, hostnameVerifier);
     }
   }
 }
@@ -16,6 +16,7 @@
 
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.util.Base64;
+import com.google.api.client.util.Beta;
 import com.google.api.client.util.Key;
 import com.google.api.client.util.Preconditions;
 import com.google.api.client.util.SecurityUtils;
@@ -24,11 +25,20 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.Signature;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.List;
 
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+
 /**
  * <a href="http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11">JSON Web Signature
  * (JWS)</a>.
@@ -128,9 +138,11 @@ public static class Header extends JsonWebToken.Header {
      * X.509 certificate chain header parameter contains the X.509 public key certificate or
      * certificate chain corresponding to the key used to digitally sign the JWS or {@code null} for
      * none.
+     *
+     * @since 1.19.1.
      */
     @Key("x5c")
-    private String x509Certificate;
+    private List<String> x509Certificates;
 
     /**
      * Array listing the header parameter names that define extensions that are used in the JWS
@@ -283,13 +295,50 @@ public Header setX509Thumbprint(String x509Thumbprint) {
       return this;
     }
 
+    /**
+     * Returns the X.509 certificate chain header parameter contains the X.509 public key
+     * certificate or corresponding to the key used to digitally sign the JWS or {@code null} for
+     * none.
+     *
+     * <p>@deprecated Since release 1.19.1, replaced by {@link #getX509Certificates()}.
+     */
+    @Deprecated
+    public final String getX509Certificate() {
+      if (x509Certificates == null || x509Certificates.isEmpty()) {
+        return null;
+      }
+      return x509Certificates.get(0);
+    }
+
     /**
      * Returns the X.509 certificate chain header parameter contains the X.509 public key
      * certificate or certificate chain corresponding to the key used to digitally sign the JWS or
      * {@code null} for none.
+     *
+     * @since 1.19.1.
      */
-    public final String getX509Certificate() {
-      return x509Certificate;
+    public final List<String> getX509Certificates() {
+      return x509Certificates;
+    }
+
+    /**
+     * Sets the X.509 certificate chain header parameter contains the X.509 public key certificate
+     * corresponding to the key used to digitally sign the JWS or {@code null} for none.
+     *
+     * <p>
+     * Overriding is only supported for the purpose of calling the super implementation and changing
+     * the return type, but nothing else.
+     * </p>
+     *
+     * <p>@deprecated Since release 1.19.1, replaced by
+     * {@link #setX509Certificates(List x509Certificates)}.
+     */
+    @Deprecated
+    public Header setX509Certificate(String x509Certificate) {
+      ArrayList<String> x509Certificates = new ArrayList<String>();
+      x509Certificates.add(x509Certificate);
+      this.x509Certificates = x509Certificates;
+      return this;
     }
 
     /**
@@ -301,9 +350,11 @@ public final String getX509Certificate() {
      * Overriding is only supported for the purpose of calling the super implementation and changing
      * the return type, but nothing else.
      * </p>
+     *
+     * @since 1.19.1.
      */
-    public Header setX509Certificate(String x509Certificate) {
-      this.x509Certificate = x509Certificate;
+    public Header setX509Certificates(List<String> x509Certificates) {
+      this.x509Certificates = x509Certificates;
       return this;
     }
 
@@ -372,6 +423,91 @@ public final boolean verifySignature(PublicKey publicKey) throws GeneralSecurity
     return SecurityUtils.verify(signatureAlg, publicKey, signatureBytes, signedContentBytes);
   }
 
+  /**
+   * {@link Beta} <br/>
+   * Verifies the signature of the content using the certificate chain embedded in the signature.
+   *
+   * <p>
+   * Currently only {@code "RS256"} algorithm is verified, but others may be added in the future.
+   * For any other algorithm it returns {@code null}.
+   * </p>
+   *
+   * <p>
+   * The leaf certificate of the certificate chain must be an SSL server certificate.
+   * </p>
+   *
+   * @param trustManager Trust manager used to verify the X509 certificate chain embedded in this
+   *        message.
+   * @return The signature certificate if the signature could be verified, null otherwise.
+   * @throws GeneralSecurityException
+   * @since 1.19.1.
+   */
+  @Beta
+  public final X509Certificate verifySignature(X509TrustManager trustManager)
+      throws GeneralSecurityException {
+    List<String> x509Certificates = getHeader().getX509Certificates();
+    if (x509Certificates == null || x509Certificates.isEmpty()) {
+      return null;
+    }
+    String algorithm = getHeader().getAlgorithm();
+    Signature signatureAlg = null;
+    if ("RS256".equals(algorithm)) {
+      signatureAlg = SecurityUtils.getSha256WithRsaSignatureAlgorithm();
+    } else {
+      return null;
+    }
+    return SecurityUtils.verify(signatureAlg, trustManager, x509Certificates, signatureBytes,
+        signedContentBytes);
+  }
+
+  /**
+   * {@link Beta} <br/>
+   * Verifies the signature of the content using the certificate chain embedded in the signature.
+   *
+   * <p>
+   * Currently only {@code "RS256"} algorithm is verified, but others may be added in the future.
+   * For any other algorithm it returns {@code null}.
+   * </p>
+   *
+   * <p>
+   * The certificate chain is verified using the system default trust manager.
+   * </p>
+   *
+   * <p>
+   * The leaf certificate of the certificate chain must be an SSL server certificate.
+   * </p>
+   *
+   * @return The signature certificate if the signature could be verified, null otherwise.
+   * @throws GeneralSecurityException
+   * @since 1.19.1.
+   */
+  @Beta
+  public final X509Certificate verifySignature() throws GeneralSecurityException {
+    X509TrustManager trustManager = getDefaultX509TrustManager();
+    if (trustManager == null) {
+      return null;
+    }
+    return verifySignature(trustManager);
+  }
+
+  private static X509TrustManager getDefaultX509TrustManager() {
+    try {
+      TrustManagerFactory factory =
+          TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+      factory.init((KeyStore) null);
+      for (TrustManager manager : factory.getTrustManagers()) {
+        if (manager instanceof X509TrustManager) {
+          return (X509TrustManager) manager;
+        }
+      }
+      return null;
+    } catch (NoSuchAlgorithmException e) {
+      return null;
+    } catch (KeyStoreException e) {
+      return null;
+    }
+  }
+
   /** Returns the modifiable array of bytes of the signature. */
   public final byte[] getSignatureBytes() {
     return signatureBytes;
Original file line number	Diff line number	Diff line change
`@@ -926,6 +926,13 @@ public HttpResponse execute() throws IOException {`
`926`	`926`	`curlbuf.append(" -H '" + header + "'");`
`927`	`927`	`}`
`928`	`928`	`}`
	`929`	`+ if (contentEncoding != null) {`
	`930`	`+ String header = "Content-Encoding: " + contentEncoding;`
	`931`	`+ logbuf.append(header).append(StringUtils.LINE_SEPARATOR);`
	`932`	`+ if (curlbuf != null) {`
	`933`	`+ curlbuf.append(" -H '" + header + "'");`
	`934`	`+ }`
	`935`	`+ }`
`929`	`936`	`if (contentLength >= 0) {`
`930`	`937`	`String header = "Content-Length: " + contentLength;`
`931`	`938`	`logbuf.append(header).append(StringUtils.LINE_SEPARATOR);`