From b76b60df5cf5c530087431744bf9c8c3d4cdb635 Mon Sep 17 00:00:00 2001
From: Daniel Gultsch
Date: Thu, 4 Feb 2021 11:15:59 +0100
Subject: [PATCH] verify against IDN variant of domain
---
 .../crypto/XmppDomainVerifier.java | 21 +++++++++++--------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java b/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java
index 1b618c5ad..b344ac55c 100644
--- a/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java
+++ b/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java
@@ -16,6 +16,7 @@ import org.bouncycastle.asn1.x500.style.IETFUtils;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
 import java.io.IOException;
+import java.net.IDN;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
@@ -98,24 +99,26 @@ public class XmppDomainVerifier implements DomainHostnameVerifier {
 }
 @Override
- public boolean verify(String domain, String hostname, SSLSession sslSession) {
+ public boolean verify(final String unicodeDomain,final String unicodeHostname, SSLSession sslSession) {
+ final String domain = IDN.toASCII(unicodeDomain);
+ final String hostname = unicodeHostname == null ? null : IDN.toASCII(unicodeHostname);
 try {
- Certificate[] chain = sslSession.getPeerCertificates();
+ final Certificate[] chain = sslSession.getPeerCertificates();
 if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
 return false;
 }
- X509Certificate certificate = (X509Certificate) chain[0];
+ final X509Certificate certificate = (X509Certificate) chain[0];
 final List commonNames = getCommonNames(certificate);
- if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && isSelfSigned(certificate)) {
+ if (isSelfSigned(certificate)) {
 if (commonNames.size() == 1 && matchDomain(domain, commonNames)) {
 Log.d(LOGTAG, "accepted CN in self signed cert as work around for " + domain);
 return true;
 }
 }
- Collection> alternativeNames = certificate.getSubjectAlternativeNames();
- List xmppAddrs = new ArrayList<>();
- List srvNames = new ArrayList<>();
- List domains = new ArrayList<>();
+ final Collection> alternativeNames = certificate.getSubjectAlternativeNames();
+ final List xmppAddrs = new ArrayList<>();
+ final List srvNames = new ArrayList<>();
+ final List domains = new ArrayList<>();
 if (alternativeNames != null) {
 for (List san : alternativeNames) {
 final Integer type = (Integer) san.get(0);
@@ -152,7 +155,7 @@ public class XmppDomainVerifier implements DomainHostnameVerifier {
 || srvNames.contains("_xmpp-client." + domain)
 || matchDomain(domain, domains)
 || (hostname != null && matchDomain(hostname, domains));
- } catch (Exception e) {
+ } catch (final Exception e) {
 return false;
 }
 }
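Review bot: The two IDN.toASCII conversions added at the top of verify() sit before the `try {`, so an IllegalArgumentException from IDN.toASCII (input that fails the RFC 3490 ToASCII checks, such as an empty or over-long label) or a NullPointerException for a null unicodeDomain now escapes verify() instead of yielding false as every other failure in this method does; the hostname side is null-guarded but the domain side is not. Moving the two conversions below `try {` keeps the method's fail-closed contract: `try { final String domain = IDN.toASCII(unicodeDomain); final String hostname = unicodeHostname == null ? null : IDN.toASCII(unicodeHostname);`. Separately, the ACE form of domain is now what gets compared against the xmppAddrs collected here; the xmppAddr comparison itself is outside this hunk, but if it also uses `domain`, a certificate whose XmppAddr entry (a UTF8String that may hold the U-label) carries the Unicode form would no longer match, which is worth confirming against the rest of the method. Style nit: `unicodeDomain,final String unicodeHostname` is missing the space after the comma. verify() continues past the end of this hunk, with its tail in the following hunk.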