sum7/Conversations
sum7
/
Conversations
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

more checks for xmppdomainverifier and better wildcard handling

This commit is contained in:
Daniel Gultsch 2015-10-15 18:06:26 +02:00
parent e75c2cd731
commit 5b271e1ed8
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java
View File

@ -14,6 +14,7 @@ import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import java.io.IOException; import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
@ -29,8 +30,12 @@ public class XmppDomainVerifier implements HostnameVerifier {
@Override @Override
public boolean verify(String domain, SSLSession sslSession) { public boolean verify(String domain, SSLSession sslSession) {
try { try {
X509Certificate[] chain = (X509Certificate[]) sslSession.getPeerCertificates(); Certificate[] chain = sslSession.getPeerCertificates();
Collection<List<?>> alternativeNames = chain[0].getSubjectAlternativeNames(); if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
return false;
}
X509Certificate certificate = (X509Certificate) chain[0];
Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
List<String> xmppAddrs = new ArrayList<>(); List<String> xmppAddrs = new ArrayList<>();
List<String> srvNames = new ArrayList<>(); List<String> srvNames = new ArrayList<>();
List<String> domains = new ArrayList<>(); List<String> domains = new ArrayList<>();
@ -80,7 +85,7 @@ public class XmppDomainVerifier implements HostnameVerifier {
} }
} }
if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) { if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) {
X500Name x500name = new JcaX509CertificateHolder(chain[0]).getSubject(); X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject();
RDN[] rdns = x500name.getRDNs(BCStyle.CN); RDN[] rdns = x500name.getRDNs(BCStyle.CN);
for(int i = 0; i < rdns.length; ++i) { for(int i = 0; i < rdns.length; ++i) {
domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue())); domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue()));
@ -97,7 +102,8 @@ public class XmppDomainVerifier implements HostnameVerifier {
for(String entry : haystack) { for(String entry : haystack) {
if (entry.startsWith("*.")) { if (entry.startsWith("*.")) {
int i = needle.indexOf('.'); int i = needle.indexOf('.');
if (i != -1 && needle.substring(i).equals(entry.substring(2))) { Log.d(LOGTAG,"comparing "+needle.substring(i)+ " and "+entry.substring(1));
if (i != -1 && needle.substring(i).equals(entry.substring(1))) {
Log.d(LOGTAG,"domain "+needle+" matched "+entry); Log.d(LOGTAG,"domain "+needle+" matched "+entry);
return true; return true;
} }