diff --git a/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java b/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java index 263aa479f..f4ca658d4 100644 --- a/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java +++ b/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java @@ -27,139 +27,146 @@ import javax.net.ssl.SSLSession; public class XmppDomainVerifier implements DomainHostnameVerifier { - private static final String LOGTAG = "XmppDomainVerifier"; + private static final String LOGTAG = "XmppDomainVerifier"; - private static final String SRV_NAME = "1.3.6.1.5.5.7.8.7"; - private static final String XMPP_ADDR = "1.3.6.1.5.5.7.8.5"; + private static final String SRV_NAME = "1.3.6.1.5.5.7.8.7"; + private static final String XMPP_ADDR = "1.3.6.1.5.5.7.8.5"; - @Override - public boolean verify(String domain, String hostname, SSLSession sslSession) { - try { - Certificate[] chain = sslSession.getPeerCertificates(); - if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) { - return false; - } - X509Certificate certificate = (X509Certificate) chain[0]; - final List commonNames = getCommonNames(certificate); - if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && isSelfSigned(certificate)) { - if (commonNames.size() == 1 && matchDomain(domain,commonNames)) { - Log.d(LOGTAG,"accepted CN in self signed cert as work around for "+domain); - return true; - } - } - Collection> alternativeNames = certificate.getSubjectAlternativeNames(); - List xmppAddrs = new ArrayList<>(); - List srvNames = new ArrayList<>(); - List domains = new ArrayList<>(); - if (alternativeNames != null) { - for (List san : alternativeNames) { - Integer type = (Integer) san.get(0); - if (type == 0) { - Pair otherName = parseOtherName((byte[]) san.get(1)); - if (otherName != null) { - switch (otherName.first) { - case SRV_NAME: - srvNames.add(otherName.second); - break; - case XMPP_ADDR: - xmppAddrs.add(otherName.second); - break; - default: - Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second); - } - } - } else if (type == 2) { - Object value = san.get(1); - if (value instanceof String) { - domains.add((String) value); - } - } - } - } - if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) { - domains.addAll(commonNames); - } - Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains); - if (hostname != null) { - Log.d(LOGTAG,"also trying to verify hostname "+hostname); - } - return xmppAddrs.contains(domain) - || srvNames.contains("_xmpp-client." + domain) - || matchDomain(domain, domains) - || (hostname != null && matchDomain(hostname,domains)); - } catch (Exception e) { - return false; - } - } + private static List getCommonNames(X509Certificate certificate) { + List domains = new ArrayList<>(); + try { + X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject(); + RDN[] rdns = x500name.getRDNs(BCStyle.CN); + for (int i = 0; i < rdns.length; ++i) { + domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue())); + } + return domains; + } catch (CertificateEncodingException e) { + return domains; + } + } - private static List getCommonNames(X509Certificate certificate) { - List domains = new ArrayList<>(); - try { - X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject(); - RDN[] rdns = x500name.getRDNs(BCStyle.CN); - for (int i = 0; i < rdns.length; ++i) { - domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue())); - } - return domains; - } catch (CertificateEncodingException e) { - return domains; - } - } + private static Pair parseOtherName(byte[] otherName) { + try { + ASN1Primitive asn1Primitive = ASN1Primitive.fromByteArray(otherName); + if (asn1Primitive instanceof DERTaggedObject) { + ASN1Primitive inner = ((DERTaggedObject) asn1Primitive).getObject(); + if (inner instanceof DLSequence) { + DLSequence sequence = (DLSequence) inner; + if (sequence.size() >= 2 && sequence.getObjectAt(1) instanceof DERTaggedObject) { + String oid = sequence.getObjectAt(0).toString(); + ASN1Primitive value = ((DERTaggedObject) sequence.getObjectAt(1)).getObject(); + if (value instanceof DERUTF8String) { + return new Pair<>(oid, ((DERUTF8String) value).getString()); + } else if (value instanceof DERIA5String) { + return new Pair<>(oid, ((DERIA5String) value).getString()); + } + } + } + } + return null; + } catch (IOException e) { + return null; + } + } - private static Pair parseOtherName(byte[] otherName) { - try { - ASN1Primitive asn1Primitive = ASN1Primitive.fromByteArray(otherName); - if (asn1Primitive instanceof DERTaggedObject) { - ASN1Primitive inner = ((DERTaggedObject) asn1Primitive).getObject(); - if (inner instanceof DLSequence) { - DLSequence sequence = (DLSequence) inner; - if (sequence.size() >= 2 && sequence.getObjectAt(1) instanceof DERTaggedObject) { - String oid = sequence.getObjectAt(0).toString(); - ASN1Primitive value = ((DERTaggedObject) sequence.getObjectAt(1)).getObject(); - if (value instanceof DERUTF8String) { - return new Pair<>(oid, ((DERUTF8String) value).getString()); - } else if (value instanceof DERIA5String) { - return new Pair<>(oid, ((DERIA5String) value).getString()); - } - } - } - } - return null; - } catch (IOException e) { - return null; - } - } + private static boolean matchDomain(String needle, List haystack) { + for (String entry : haystack) { + if (entry.startsWith("*.")) { + int offset = 0; + while (offset < needle.length()) { + int i = needle.indexOf('.', offset); + if (i < 0) { + break; + } + Log.d(LOGTAG, "comparing " + needle.substring(i) + " and " + entry.substring(1)); + if (needle.substring(i).equals(entry.substring(1))) { + Log.d(LOGTAG, "domain " + needle + " matched " + entry); + return true; + } + offset = i + 1; + } + } else { + if (entry.equals(needle)) { + Log.d(LOGTAG, "domain " + needle + " matched " + entry); + return true; + } + } + } + return false; + } - private static boolean matchDomain(String needle, List haystack) { - for (String entry : haystack) { - if (entry.startsWith("*.")) { - int i = needle.indexOf('.'); - Log.d(LOGTAG, "comparing " + needle.substring(i) + " and " + entry.substring(1)); - if (i != -1 && needle.substring(i).equals(entry.substring(1))) { - Log.d(LOGTAG, "domain " + needle + " matched " + entry); - return true; - } - } else { - if (entry.equals(needle)) { - Log.d(LOGTAG, "domain " + needle + " matched " + entry); - return true; - } - } - } - return false; - } + @Override + public boolean verify(String domain, String hostname, SSLSession sslSession) { + try { + Certificate[] chain = sslSession.getPeerCertificates(); + if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) { + return false; + } + X509Certificate certificate = (X509Certificate) chain[0]; + final List commonNames = getCommonNames(certificate); + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && isSelfSigned(certificate)) { + if (commonNames.size() == 1 && matchDomain(domain, commonNames)) { + Log.d(LOGTAG, "accepted CN in self signed cert as work around for " + domain); + return true; + } + } + Collection> alternativeNames = certificate.getSubjectAlternativeNames(); + List xmppAddrs = new ArrayList<>(); + List srvNames = new ArrayList<>(); + List domains = new ArrayList<>(); + if (alternativeNames != null) { + for (List san : alternativeNames) { + Integer type = (Integer) san.get(0); + if (type == 0) { + Pair otherName = parseOtherName((byte[]) san.get(1)); + if (otherName != null) { + switch (otherName.first) { + case SRV_NAME: + srvNames.add(otherName.second); + break; + case XMPP_ADDR: + xmppAddrs.add(otherName.second); + break; + default: + Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second); + } + } + } else if (type == 2) { + Object value = san.get(1); + if (value instanceof String) { + domains.add((String) value); + } + } + } + } + if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) { + domains.addAll(commonNames); + } + Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains); + if (hostname != null) { + Log.d(LOGTAG, "also trying to verify hostname " + hostname); + } + return xmppAddrs.contains(domain) + || srvNames.contains("_xmpp-client." + domain) + || matchDomain(domain, domains) + || (hostname != null && matchDomain(hostname, domains)); + } catch (Exception e) { + return false; + } + } - private boolean isSelfSigned(X509Certificate certificate) { - try { - certificate.verify(certificate.getPublicKey()); - return true; - } catch (Exception e) { - return false; - } - } + private boolean isSelfSigned(X509Certificate certificate) { + try { + certificate.verify(certificate.getPublicKey()); + return true; + } catch (Exception e) { + return false; + } + } - @Override - public boolean verify(String domain, SSLSession sslSession) { - return verify(domain,null,sslSession); - } + @Override + public boolean verify(String domain, SSLSession sslSession) { + return verify(domain, null, sslSession); + } }