k-9/net at c8f6c4d62578973ca6bc2360e333a83aae9e5edf - k-9

History

Joe Steele 21237c3720 KeyChainKeyManager modifications The constructor now saves the certificate chain, so the code to retrieve it again or to perform any additional error checking in getCertificateChain() is no longer needed. The constructor now retrieves and saves the private key so that any resulting errors are detected sooner. Methods that retrieve the alias perform checks to assure that the client cert. satisfies the requested issuers and key type. It's known that Sendmail may provide a list of issuers in its certificate request, but then may authenticate against a much larger set of CAs, but then later reject the mail because the client certificate was not acceptable. Vetting against the issuer list helps detect such certificate problems sooner (upon connection) rather than later (upon transmission of mail). Earlier error detection is necessary so that errors may be presented to the user during account setup. Portions of these modifications are based on code from KeyManagerImpl: https://android.googlesource.com/platform/external/conscrypt/+/master/src/main/java/org/conscrypt/KeyManagerImpl.java	2014-08-11 11:08:26 -04:00
..
ssl	KeyChainKeyManager modifications	2014-08-11 11:08:26 -04:00

Joe Steele 21237c3720 KeyChainKeyManager modifications

The constructor now saves the certificate chain, so the code to retrieve
it again or to perform any additional error checking in
getCertificateChain() is no longer needed.

The constructor now retrieves and saves the private key so that any
resulting errors are detected sooner.

Methods that retrieve the alias perform checks to assure that the client
cert. satisfies the requested issuers and key type.  It's known that
Sendmail may provide a list of issuers in its certificate request, but
then may authenticate against a much larger set of CAs, but then later
reject the mail because the client certificate was not acceptable.
Vetting against the issuer list helps detect such certificate problems
sooner (upon connection) rather than later (upon transmission of mail).
Earlier error detection is necessary so that errors may be presented to
the user during account setup.

Portions of these modifications are based on code from KeyManagerImpl:
https://android.googlesource.com/platform/external/conscrypt/+/master/src/main/java/org/conscrypt/KeyManagerImpl.java

2014-08-11 11:08:26 -04:00

ssl

KeyChainKeyManager modifications

2014-08-11 11:08:26 -04:00