Merge pull request #2330 from square/jwilson_0209_dont_pay

Don't pay to clean certificates if we aren't pinning.
square · Feb 9, 2016 · 3ccb46d · 3ccb46d
2 parents c2e5cc4 + 456a745
commit 3ccb46d
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/okhttp/src/main/java/okhttp3/CertificatePinner.java b/okhttp/src/main/java/okhttp3/CertificatePinner.java
@@ -147,14 +147,14 @@ private CertificatePinner(Builder builder) {
    */
   public void check(String hostname, List<Certificate> peerCertificates)
       throws SSLPeerUnverifiedException {
-    if (trustRootIndex != null) {
-      peerCertificates = new CertificateChainCleaner(trustRootIndex).clean(peerCertificates);
-    }
-
     Set<ByteString> pins = findMatchingPins(hostname);
 
     if (pins == null) return;
 
+    if (trustRootIndex != null) {
+      peerCertificates = new CertificateChainCleaner(trustRootIndex).clean(peerCertificates);
+    }
+
     for (int i = 0, size = peerCertificates.size(); i < size; i++) {
       X509Certificate x509Certificate = (X509Certificate) peerCertificates.get(i);
       if (pins.contains(sha1(x509Certificate))) return; // Success!