use own XmppDomainVerifier instead of deprecated StrictHostnameVerifier. fixes #1189

This commit is contained in:
Daniel Gultsch 2015-10-15 17:08:38 +02:00
parent 1738673c53
commit e75c2cd731
2 changed files with 116 additions and 2 deletions

View file

@ -0,0 +1,113 @@
package eu.siacs.conversations.crypto;
import android.util.Log;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
public class XmppDomainVerifier implements HostnameVerifier {
private final String LOGTAG = "XmppDomainVerifier";
@Override
public boolean verify(String domain, SSLSession sslSession) {
try {
X509Certificate[] chain = (X509Certificate[]) sslSession.getPeerCertificates();
Collection<List<?>> alternativeNames = chain[0].getSubjectAlternativeNames();
List<String> xmppAddrs = new ArrayList<>();
List<String> srvNames = new ArrayList<>();
List<String> domains = new ArrayList<>();
if (alternativeNames != null) {
for(List<?> san : alternativeNames) {
Integer type = (Integer) san.get(0);
if (type == 0) {
try {
ASN1Primitive asn1Primitive = ASN1Primitive.fromByteArray((byte[]) san.get(1));
if (asn1Primitive instanceof DERTaggedObject) {
ASN1Primitive inner = ((DERTaggedObject) asn1Primitive).getObject();
if (inner instanceof DLSequence) {
DLSequence sequence = (DLSequence) inner;
if (sequence.size() >= 2 && sequence.getObjectAt(1) instanceof DERTaggedObject) {
String oid = sequence.getObjectAt(0).toString();
ASN1Primitive value = ((DERTaggedObject) sequence.getObjectAt(1)).getObject();
switch (oid) {
case "1.3.6.1.5.5.7.8.5":
if (value instanceof DERUTF8String) {
xmppAddrs.add(((DERUTF8String) value).getString());
} else if (value instanceof DERIA5String) {
xmppAddrs.add(((DERIA5String) value).getString());
}
break;
case "1.3.6.1.5.5.7.8.7":
if (value instanceof DERUTF8String) {
srvNames.add(((DERUTF8String) value).getString());
} else if (value instanceof DERIA5String) {
srvNames.add(((DERIA5String) value).getString());
}
break;
default:
Log.d(LOGTAG,"value was of type:"+value.getClass().getName()+ " oid was:"+oid);
}
}
}
}
} catch (IOException e) {
//ignored
}
} else if (type == 2) {
Object value = san.get(1);
if (value instanceof String) {
domains.add((String) value);
}
}
}
}
if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) {
X500Name x500name = new JcaX509CertificateHolder(chain[0]).getSubject();
RDN[] rdns = x500name.getRDNs(BCStyle.CN);
for(int i = 0; i < rdns.length; ++i) {
domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue()));
}
}
Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains);
return xmppAddrs.contains(domain) || srvNames.contains("_xmpp-client."+domain) || matchDomain(domain, domains);
} catch (Exception e) {
return false;
}
}
private boolean matchDomain(String needle, List<String> haystack) {
for(String entry : haystack) {
if (entry.startsWith("*.")) {
int i = needle.indexOf('.');
if (i != -1 && needle.substring(i).equals(entry.substring(2))) {
Log.d(LOGTAG,"domain "+needle+" matched "+entry);
return true;
}
} else {
if (entry.equals(needle)) {
Log.d(LOGTAG,"domain "+needle+" matched "+entry);
return true;
}
}
}
return false;
}
}

View file

@ -55,6 +55,7 @@ import javax.net.ssl.X509TrustManager;
import de.duenndns.ssl.MemorizingTrustManager; import de.duenndns.ssl.MemorizingTrustManager;
import eu.siacs.conversations.Config; import eu.siacs.conversations.Config;
import eu.siacs.conversations.crypto.XmppDomainVerifier;
import eu.siacs.conversations.crypto.sasl.DigestMd5; import eu.siacs.conversations.crypto.sasl.DigestMd5;
import eu.siacs.conversations.crypto.sasl.External; import eu.siacs.conversations.crypto.sasl.External;
import eu.siacs.conversations.crypto.sasl.Plain; import eu.siacs.conversations.crypto.sasl.Plain;
@ -606,9 +607,9 @@ public class XmppConnection implements Runnable {
final SSLSocketFactory factory = sc.getSocketFactory(); final SSLSocketFactory factory = sc.getSocketFactory();
final HostnameVerifier verifier; final HostnameVerifier verifier;
if (mInteractive) { if (mInteractive) {
verifier = trustManager.wrapHostnameVerifier(new StrictHostnameVerifier()); verifier = trustManager.wrapHostnameVerifier(new XmppDomainVerifier());
} else { } else {
verifier = trustManager.wrapHostnameVerifierNonInteractive(new StrictHostnameVerifier()); verifier = trustManager.wrapHostnameVerifierNonInteractive(new XmppDomainVerifier());
} }
final InetAddress address = socket == null ? null : socket.getInetAddress(); final InetAddress address = socket == null ? null : socket.getInetAddress();