1
0
mirror of https://github.com/moparisthebest/k-9 synced 2024-12-26 01:28:50 -05:00

Only check against the certificate stored for a server, not all of them

This commit is contained in:
cketti 2013-11-29 13:56:09 +01:00
parent 8368ba8a11
commit 4b57d79acf

View File

@ -29,7 +29,6 @@ public final class TrustManagerFactory {
private static X509TrustManager defaultTrustManager; private static X509TrustManager defaultTrustManager;
private static X509TrustManager unsecureTrustManager; private static X509TrustManager unsecureTrustManager;
private static X509TrustManager localTrustManager;
private static File keyStoreFile; private static File keyStoreFile;
private static KeyStore keyStore; private static KeyStore keyStore;
@ -81,29 +80,31 @@ public final class TrustManagerFactory {
public void checkServerTrusted(X509Certificate[] chain, String authType) public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException { throws CertificateException {
boolean foundInGlobalKeyStore = false;
try { try {
defaultTrustManager.checkServerTrusted(chain, authType); defaultTrustManager.checkServerTrusted(chain, authType);
} catch (CertificateException e) { foundInGlobalKeyStore = true;
} catch (CertificateException e) { /* ignore */ }
X509Certificate certificate = chain[0];
// Check the local key store if we couldn't verify the certificate using the global
// key store or if the host name doesn't match the certificate name
if (!foundInGlobalKeyStore || !DomainNameChecker.match(certificate, mHost)) {
try { try {
localTrustManager.checkServerTrusted( Certificate storedCert = keyStore.getCertificate(getCertKey(mHost, mPort));
new X509Certificate[] { chain[0] }, authType); if (storedCert != null && storedCert.equals(certificate)) {
} catch (CertificateException ce) {
throw new CertificateChainException(ce, chain);
}
}
if (!DomainNameChecker.match(chain[0], mHost)) {
try {
Certificate storedCert = keyStore
.getCertificate(getCertKey(mHost, mPort));
if (storedCert != null && storedCert.equals(chain[0])) {
return; return;
} }
} catch (KeyStoreException e) { } catch (KeyStoreException e) {
throw new CertificateException("Certificate cannot be verified; KeyStore Exception: " + e); throw new CertificateException("Certificate cannot be verified", e);
} }
throw new CertificateChainException(
"Certificate domain name does not match " + mHost, String message = (foundInGlobalKeyStore) ?
chain); "Certificate domain name does not match " + mHost :
"Couldn't find certificate in local key store";
throw new CertificateChainException(message, chain);
} }
} }
@ -115,21 +116,12 @@ public final class TrustManagerFactory {
static { static {
try { try {
javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
loadKeyStore(); loadKeyStore();
tmf.init(keyStore);
TrustManager[] tms = tmf.getTrustManagers(); javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
if (tms != null) {
for (TrustManager tm : tms) {
if (tm instanceof X509TrustManager) {
localTrustManager = (X509TrustManager)tm;
break;
}
}
}
tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
tmf.init((KeyStore) null); tmf.init((KeyStore) null);
tms = tmf.getTrustManagers();
TrustManager[] tms = tmf.getTrustManagers();
if (tms != null) { if (tms != null) {
for (TrustManager tm : tms) { for (TrustManager tm : tms) {
if (tm instanceof X509TrustManager) { if (tm instanceof X509TrustManager) {
@ -138,7 +130,6 @@ public final class TrustManagerFactory {
} }
} }
} }
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException e) {
Log.e(LOG_TAG, "Unable to get X509 Trust Manager ", e); Log.e(LOG_TAG, "Unable to get X509 Trust Manager ", e);
} catch (KeyStoreException e) { } catch (KeyStoreException e) {
@ -183,25 +174,10 @@ public final class TrustManagerFactory {
unsecureTrustManager; unsecureTrustManager;
} }
public static KeyStore getKeyStore() {
return keyStore;
}
public static void addCertificate(String host, int port, X509Certificate certificate) throws CertificateException { public static void addCertificate(String host, int port, X509Certificate certificate) throws CertificateException {
try { try {
javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
keyStore.setCertificateEntry(getCertKey(host, port), certificate); keyStore.setCertificateEntry(getCertKey(host, port), certificate);
tmf.init(keyStore);
TrustManager[] tms = tmf.getTrustManagers();
if (tms != null) {
for (TrustManager tm : tms) {
if (tm instanceof X509TrustManager) {
localTrustManager = (X509TrustManager) tm;
break;
}
}
}
java.io.OutputStream keyStoreStream = null; java.io.OutputStream keyStoreStream = null;
try { try {
keyStoreStream = new java.io.FileOutputStream(keyStoreFile); keyStoreStream = new java.io.FileOutputStream(keyStoreFile);