made xmpp domain verifier verify wildcard domains where domain is a sub.sub domain

This commit is contained in:
Daniel Gultsch 2018-10-01 17:08:23 +02:00
parent db2107c093
commit d4b98c9aff

View file

@ -27,139 +27,146 @@ import javax.net.ssl.SSLSession;
public class XmppDomainVerifier implements DomainHostnameVerifier { public class XmppDomainVerifier implements DomainHostnameVerifier {
private static final String LOGTAG = "XmppDomainVerifier"; private static final String LOGTAG = "XmppDomainVerifier";
private static final String SRV_NAME = "1.3.6.1.5.5.7.8.7"; private static final String SRV_NAME = "1.3.6.1.5.5.7.8.7";
private static final String XMPP_ADDR = "1.3.6.1.5.5.7.8.5"; private static final String XMPP_ADDR = "1.3.6.1.5.5.7.8.5";
@Override private static List<String> getCommonNames(X509Certificate certificate) {
public boolean verify(String domain, String hostname, SSLSession sslSession) { List<String> domains = new ArrayList<>();
try { try {
Certificate[] chain = sslSession.getPeerCertificates(); X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject();
if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) { RDN[] rdns = x500name.getRDNs(BCStyle.CN);
return false; for (int i = 0; i < rdns.length; ++i) {
} domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue()));
X509Certificate certificate = (X509Certificate) chain[0]; }
final List<String> commonNames = getCommonNames(certificate); return domains;
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && isSelfSigned(certificate)) { } catch (CertificateEncodingException e) {
if (commonNames.size() == 1 && matchDomain(domain,commonNames)) { return domains;
Log.d(LOGTAG,"accepted CN in self signed cert as work around for "+domain); }
return true; }
}
}
Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
List<String> xmppAddrs = new ArrayList<>();
List<String> srvNames = new ArrayList<>();
List<String> domains = new ArrayList<>();
if (alternativeNames != null) {
for (List<?> san : alternativeNames) {
Integer type = (Integer) san.get(0);
if (type == 0) {
Pair<String, String> otherName = parseOtherName((byte[]) san.get(1));
if (otherName != null) {
switch (otherName.first) {
case SRV_NAME:
srvNames.add(otherName.second);
break;
case XMPP_ADDR:
xmppAddrs.add(otherName.second);
break;
default:
Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second);
}
}
} else if (type == 2) {
Object value = san.get(1);
if (value instanceof String) {
domains.add((String) value);
}
}
}
}
if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) {
domains.addAll(commonNames);
}
Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains);
if (hostname != null) {
Log.d(LOGTAG,"also trying to verify hostname "+hostname);
}
return xmppAddrs.contains(domain)
|| srvNames.contains("_xmpp-client." + domain)
|| matchDomain(domain, domains)
|| (hostname != null && matchDomain(hostname,domains));
} catch (Exception e) {
return false;
}
}
private static List<String> getCommonNames(X509Certificate certificate) { private static Pair<String, String> parseOtherName(byte[] otherName) {
List<String> domains = new ArrayList<>(); try {
try { ASN1Primitive asn1Primitive = ASN1Primitive.fromByteArray(otherName);
X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject(); if (asn1Primitive instanceof DERTaggedObject) {
RDN[] rdns = x500name.getRDNs(BCStyle.CN); ASN1Primitive inner = ((DERTaggedObject) asn1Primitive).getObject();
for (int i = 0; i < rdns.length; ++i) { if (inner instanceof DLSequence) {
domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue())); DLSequence sequence = (DLSequence) inner;
} if (sequence.size() >= 2 && sequence.getObjectAt(1) instanceof DERTaggedObject) {
return domains; String oid = sequence.getObjectAt(0).toString();
} catch (CertificateEncodingException e) { ASN1Primitive value = ((DERTaggedObject) sequence.getObjectAt(1)).getObject();
return domains; if (value instanceof DERUTF8String) {
} return new Pair<>(oid, ((DERUTF8String) value).getString());
} } else if (value instanceof DERIA5String) {
return new Pair<>(oid, ((DERIA5String) value).getString());
}
}
}
}
return null;
} catch (IOException e) {
return null;
}
}
private static Pair<String, String> parseOtherName(byte[] otherName) { private static boolean matchDomain(String needle, List<String> haystack) {
try { for (String entry : haystack) {
ASN1Primitive asn1Primitive = ASN1Primitive.fromByteArray(otherName); if (entry.startsWith("*.")) {
if (asn1Primitive instanceof DERTaggedObject) { int offset = 0;
ASN1Primitive inner = ((DERTaggedObject) asn1Primitive).getObject(); while (offset < needle.length()) {
if (inner instanceof DLSequence) { int i = needle.indexOf('.', offset);
DLSequence sequence = (DLSequence) inner; if (i < 0) {
if (sequence.size() >= 2 && sequence.getObjectAt(1) instanceof DERTaggedObject) { break;
String oid = sequence.getObjectAt(0).toString(); }
ASN1Primitive value = ((DERTaggedObject) sequence.getObjectAt(1)).getObject(); Log.d(LOGTAG, "comparing " + needle.substring(i) + " and " + entry.substring(1));
if (value instanceof DERUTF8String) { if (needle.substring(i).equals(entry.substring(1))) {
return new Pair<>(oid, ((DERUTF8String) value).getString()); Log.d(LOGTAG, "domain " + needle + " matched " + entry);
} else if (value instanceof DERIA5String) { return true;
return new Pair<>(oid, ((DERIA5String) value).getString()); }
} offset = i + 1;
} }
} } else {
} if (entry.equals(needle)) {
return null; Log.d(LOGTAG, "domain " + needle + " matched " + entry);
} catch (IOException e) { return true;
return null; }
} }
} }
return false;
}
private static boolean matchDomain(String needle, List<String> haystack) { @Override
for (String entry : haystack) { public boolean verify(String domain, String hostname, SSLSession sslSession) {
if (entry.startsWith("*.")) { try {
int i = needle.indexOf('.'); Certificate[] chain = sslSession.getPeerCertificates();
Log.d(LOGTAG, "comparing " + needle.substring(i) + " and " + entry.substring(1)); if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
if (i != -1 && needle.substring(i).equals(entry.substring(1))) { return false;
Log.d(LOGTAG, "domain " + needle + " matched " + entry); }
return true; X509Certificate certificate = (X509Certificate) chain[0];
} final List<String> commonNames = getCommonNames(certificate);
} else { if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && isSelfSigned(certificate)) {
if (entry.equals(needle)) { if (commonNames.size() == 1 && matchDomain(domain, commonNames)) {
Log.d(LOGTAG, "domain " + needle + " matched " + entry); Log.d(LOGTAG, "accepted CN in self signed cert as work around for " + domain);
return true; return true;
} }
} }
} Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
return false; List<String> xmppAddrs = new ArrayList<>();
} List<String> srvNames = new ArrayList<>();
List<String> domains = new ArrayList<>();
if (alternativeNames != null) {
for (List<?> san : alternativeNames) {
Integer type = (Integer) san.get(0);
if (type == 0) {
Pair<String, String> otherName = parseOtherName((byte[]) san.get(1));
if (otherName != null) {
switch (otherName.first) {
case SRV_NAME:
srvNames.add(otherName.second);
break;
case XMPP_ADDR:
xmppAddrs.add(otherName.second);
break;
default:
Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second);
}
}
} else if (type == 2) {
Object value = san.get(1);
if (value instanceof String) {
domains.add((String) value);
}
}
}
}
if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) {
domains.addAll(commonNames);
}
Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains);
if (hostname != null) {
Log.d(LOGTAG, "also trying to verify hostname " + hostname);
}
return xmppAddrs.contains(domain)
|| srvNames.contains("_xmpp-client." + domain)
|| matchDomain(domain, domains)
|| (hostname != null && matchDomain(hostname, domains));
} catch (Exception e) {
return false;
}
}
private boolean isSelfSigned(X509Certificate certificate) { private boolean isSelfSigned(X509Certificate certificate) {
try { try {
certificate.verify(certificate.getPublicKey()); certificate.verify(certificate.getPublicKey());
return true; return true;
} catch (Exception e) { } catch (Exception e) {
return false; return false;
} }
} }
@Override @Override
public boolean verify(String domain, SSLSession sslSession) { public boolean verify(String domain, SSLSession sslSession) {
return verify(domain,null,sslSession); return verify(domain, null, sslSession);
} }
} }