Only check against the certificate stored for a server, not all of them
This commit is contained in:
parent
07e4eb9042
commit
0c96c799eb
@ -29,7 +29,6 @@ public final class TrustManagerFactory {
|
|||||||
|
|
||||||
private static X509TrustManager defaultTrustManager;
|
private static X509TrustManager defaultTrustManager;
|
||||||
private static X509TrustManager unsecureTrustManager;
|
private static X509TrustManager unsecureTrustManager;
|
||||||
private static X509TrustManager localTrustManager;
|
|
||||||
|
|
||||||
private static File keyStoreFile;
|
private static File keyStoreFile;
|
||||||
private static KeyStore keyStore;
|
private static KeyStore keyStore;
|
||||||
@ -81,29 +80,31 @@ public final class TrustManagerFactory {
|
|||||||
|
|
||||||
public void checkServerTrusted(X509Certificate[] chain, String authType)
|
public void checkServerTrusted(X509Certificate[] chain, String authType)
|
||||||
throws CertificateException {
|
throws CertificateException {
|
||||||
|
boolean foundInGlobalKeyStore = false;
|
||||||
try {
|
try {
|
||||||
defaultTrustManager.checkServerTrusted(chain, authType);
|
defaultTrustManager.checkServerTrusted(chain, authType);
|
||||||
} catch (CertificateException e) {
|
foundInGlobalKeyStore = true;
|
||||||
|
} catch (CertificateException e) { /* ignore */ }
|
||||||
|
|
||||||
|
X509Certificate certificate = chain[0];
|
||||||
|
|
||||||
|
// Check the local key store if we couldn't verify the certificate using the global
|
||||||
|
// key store or if the host name doesn't match the certificate name
|
||||||
|
if (!foundInGlobalKeyStore || !DomainNameChecker.match(certificate, mHost)) {
|
||||||
try {
|
try {
|
||||||
localTrustManager.checkServerTrusted(
|
Certificate storedCert = keyStore.getCertificate(getCertKey(mHost, mPort));
|
||||||
new X509Certificate[] { chain[0] }, authType);
|
if (storedCert != null && storedCert.equals(certificate)) {
|
||||||
} catch (CertificateException ce) {
|
|
||||||
throw new CertificateChainException(ce, chain);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (!DomainNameChecker.match(chain[0], mHost)) {
|
|
||||||
try {
|
|
||||||
Certificate storedCert = keyStore
|
|
||||||
.getCertificate(getCertKey(mHost, mPort));
|
|
||||||
if (storedCert != null && storedCert.equals(chain[0])) {
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
} catch (KeyStoreException e) {
|
} catch (KeyStoreException e) {
|
||||||
throw new CertificateException("Certificate cannot be verified; KeyStore Exception: " + e);
|
throw new CertificateException("Certificate cannot be verified", e);
|
||||||
}
|
}
|
||||||
throw new CertificateChainException(
|
|
||||||
"Certificate domain name does not match " + mHost,
|
String message = (foundInGlobalKeyStore) ?
|
||||||
chain);
|
"Certificate domain name does not match " + mHost :
|
||||||
|
"Couldn't find certificate in local key store";
|
||||||
|
|
||||||
|
throw new CertificateChainException(message, chain);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -115,21 +116,12 @@ public final class TrustManagerFactory {
|
|||||||
|
|
||||||
static {
|
static {
|
||||||
try {
|
try {
|
||||||
javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
|
|
||||||
loadKeyStore();
|
loadKeyStore();
|
||||||
tmf.init(keyStore);
|
|
||||||
|
javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
|
||||||
|
tmf.init((KeyStore) null);
|
||||||
|
|
||||||
TrustManager[] tms = tmf.getTrustManagers();
|
TrustManager[] tms = tmf.getTrustManagers();
|
||||||
if (tms != null) {
|
|
||||||
for (TrustManager tm : tms) {
|
|
||||||
if (tm instanceof X509TrustManager) {
|
|
||||||
localTrustManager = (X509TrustManager)tm;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
|
|
||||||
tmf.init((KeyStore)null);
|
|
||||||
tms = tmf.getTrustManagers();
|
|
||||||
if (tms != null) {
|
if (tms != null) {
|
||||||
for (TrustManager tm : tms) {
|
for (TrustManager tm : tms) {
|
||||||
if (tm instanceof X509TrustManager) {
|
if (tm instanceof X509TrustManager) {
|
||||||
@ -138,7 +130,6 @@ public final class TrustManagerFactory {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
} catch (NoSuchAlgorithmException e) {
|
} catch (NoSuchAlgorithmException e) {
|
||||||
Log.e(LOG_TAG, "Unable to get X509 Trust Manager ", e);
|
Log.e(LOG_TAG, "Unable to get X509 Trust Manager ", e);
|
||||||
} catch (KeyStoreException e) {
|
} catch (KeyStoreException e) {
|
||||||
@ -183,25 +174,10 @@ public final class TrustManagerFactory {
|
|||||||
unsecureTrustManager;
|
unsecureTrustManager;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static KeyStore getKeyStore() {
|
|
||||||
return keyStore;
|
|
||||||
}
|
|
||||||
|
|
||||||
public static void addCertificate(String host, int port, X509Certificate certificate) throws CertificateException {
|
public static void addCertificate(String host, int port, X509Certificate certificate) throws CertificateException {
|
||||||
try {
|
try {
|
||||||
javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
|
|
||||||
keyStore.setCertificateEntry(getCertKey(host, port), certificate);
|
keyStore.setCertificateEntry(getCertKey(host, port), certificate);
|
||||||
|
|
||||||
tmf.init(keyStore);
|
|
||||||
TrustManager[] tms = tmf.getTrustManagers();
|
|
||||||
if (tms != null) {
|
|
||||||
for (TrustManager tm : tms) {
|
|
||||||
if (tm instanceof X509TrustManager) {
|
|
||||||
localTrustManager = (X509TrustManager) tm;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
java.io.OutputStream keyStoreStream = null;
|
java.io.OutputStream keyStoreStream = null;
|
||||||
try {
|
try {
|
||||||
keyStoreStream = new java.io.FileOutputStream(keyStoreFile);
|
keyStoreStream = new java.io.FileOutputStream(keyStoreFile);
|
||||||
|
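Review bot: In the new checkServerTrusted body (hunk @ -81,29 +80,31) the line `X509Certificate certificate = chain[0];` is reached whenever defaultTrustManager rejected the chain with a CertificateException, and nothing guards against a null or zero-length chain, so a malformed handshake would surface as an ArrayIndexOutOfBounds/NullPointerException instead of the CertificateException the SSL layer expects; the X509TrustManager contract calls for `if (chain == null || chain.length == 0) { throw new IllegalArgumentException("Empty certificate chain"); }` at the top of the method. The `catch (CertificateException e) { /* ignore */ }` also drops the system trust-store failure reason, so when the pinned-certificate lookup then misses, the only diagnostic left is "Couldn't find certificate in local key store"; holding the exception in a local and passing it to the existing `Log.e(LOG_TAG, ..., e)` pattern used in the static initializer before the final throw would preserve why the chain was rejected (expiry, unknown issuer, etc.). The enclosing class continues outside this hunk, and the last hunk of the file is cut off at the end of the page.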