made xmpp domain verifier verify wildcard domains where domain is a sub.sub domain
This commit is contained in:
parent
db2107c093
commit
d4b98c9aff
|
@ -32,66 +32,6 @@ public class XmppDomainVerifier implements DomainHostnameVerifier {
|
|||
private static final String SRV_NAME = "1.3.6.1.5.5.7.8.7";
|
||||
private static final String XMPP_ADDR = "1.3.6.1.5.5.7.8.5";
|
||||
|
||||
@Override
|
||||
public boolean verify(String domain, String hostname, SSLSession sslSession) {
|
||||
try {
|
||||
Certificate[] chain = sslSession.getPeerCertificates();
|
||||
if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
|
||||
return false;
|
||||
}
|
||||
X509Certificate certificate = (X509Certificate) chain[0];
|
||||
final List<String> commonNames = getCommonNames(certificate);
|
||||
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && isSelfSigned(certificate)) {
|
||||
if (commonNames.size() == 1 && matchDomain(domain,commonNames)) {
|
||||
Log.d(LOGTAG,"accepted CN in self signed cert as work around for "+domain);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
|
||||
List<String> xmppAddrs = new ArrayList<>();
|
||||
List<String> srvNames = new ArrayList<>();
|
||||
List<String> domains = new ArrayList<>();
|
||||
if (alternativeNames != null) {
|
||||
for (List<?> san : alternativeNames) {
|
||||
Integer type = (Integer) san.get(0);
|
||||
if (type == 0) {
|
||||
Pair<String, String> otherName = parseOtherName((byte[]) san.get(1));
|
||||
if (otherName != null) {
|
||||
switch (otherName.first) {
|
||||
case SRV_NAME:
|
||||
srvNames.add(otherName.second);
|
||||
break;
|
||||
case XMPP_ADDR:
|
||||
xmppAddrs.add(otherName.second);
|
||||
break;
|
||||
default:
|
||||
Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second);
|
||||
}
|
||||
}
|
||||
} else if (type == 2) {
|
||||
Object value = san.get(1);
|
||||
if (value instanceof String) {
|
||||
domains.add((String) value);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) {
|
||||
domains.addAll(commonNames);
|
||||
}
|
||||
Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains);
|
||||
if (hostname != null) {
|
||||
Log.d(LOGTAG,"also trying to verify hostname "+hostname);
|
||||
}
|
||||
return xmppAddrs.contains(domain)
|
||||
|| srvNames.contains("_xmpp-client." + domain)
|
||||
|| matchDomain(domain, domains)
|
||||
|| (hostname != null && matchDomain(hostname,domains));
|
||||
} catch (Exception e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private static List<String> getCommonNames(X509Certificate certificate) {
|
||||
List<String> domains = new ArrayList<>();
|
||||
try {
|
||||
|
@ -133,12 +73,19 @@ public class XmppDomainVerifier implements DomainHostnameVerifier {
|
|||
private static boolean matchDomain(String needle, List<String> haystack) {
|
||||
for (String entry : haystack) {
|
||||
if (entry.startsWith("*.")) {
|
||||
int i = needle.indexOf('.');
|
||||
int offset = 0;
|
||||
while (offset < needle.length()) {
|
||||
int i = needle.indexOf('.', offset);
|
||||
if (i < 0) {
|
||||
break;
|
||||
}
|
||||
Log.d(LOGTAG, "comparing " + needle.substring(i) + " and " + entry.substring(1));
|
||||
if (i != -1 && needle.substring(i).equals(entry.substring(1))) {
|
||||
if (needle.substring(i).equals(entry.substring(1))) {
|
||||
Log.d(LOGTAG, "domain " + needle + " matched " + entry);
|
||||
return true;
|
||||
}
|
||||
offset = i + 1;
|
||||
}
|
||||
} else {
|
||||
if (entry.equals(needle)) {
|
||||
Log.d(LOGTAG, "domain " + needle + " matched " + entry);
|
||||
|
@ -149,6 +96,66 @@ public class XmppDomainVerifier implements DomainHostnameVerifier {
|
|||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean verify(String domain, String hostname, SSLSession sslSession) {
|
||||
try {
|
||||
Certificate[] chain = sslSession.getPeerCertificates();
|
||||
if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
|
||||
return false;
|
||||
}
|
||||
X509Certificate certificate = (X509Certificate) chain[0];
|
||||
final List<String> commonNames = getCommonNames(certificate);
|
||||
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && isSelfSigned(certificate)) {
|
||||
if (commonNames.size() == 1 && matchDomain(domain, commonNames)) {
|
||||
Log.d(LOGTAG, "accepted CN in self signed cert as work around for " + domain);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
|
||||
List<String> xmppAddrs = new ArrayList<>();
|
||||
List<String> srvNames = new ArrayList<>();
|
||||
List<String> domains = new ArrayList<>();
|
||||
if (alternativeNames != null) {
|
||||
for (List<?> san : alternativeNames) {
|
||||
Integer type = (Integer) san.get(0);
|
||||
if (type == 0) {
|
||||
Pair<String, String> otherName = parseOtherName((byte[]) san.get(1));
|
||||
if (otherName != null) {
|
||||
switch (otherName.first) {
|
||||
case SRV_NAME:
|
||||
srvNames.add(otherName.second);
|
||||
break;
|
||||
case XMPP_ADDR:
|
||||
xmppAddrs.add(otherName.second);
|
||||
break;
|
||||
default:
|
||||
Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second);
|
||||
}
|
||||
}
|
||||
} else if (type == 2) {
|
||||
Object value = san.get(1);
|
||||
if (value instanceof String) {
|
||||
domains.add((String) value);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) {
|
||||
domains.addAll(commonNames);
|
||||
}
|
||||
Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains);
|
||||
if (hostname != null) {
|
||||
Log.d(LOGTAG, "also trying to verify hostname " + hostname);
|
||||
}
|
||||
return xmppAddrs.contains(domain)
|
||||
|| srvNames.contains("_xmpp-client." + domain)
|
||||
|| matchDomain(domain, domains)
|
||||
|| (hostname != null && matchDomain(hostname, domains));
|
||||
} catch (Exception e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isSelfSigned(X509Certificate certificate) {
|
||||
try {
|
||||
certificate.verify(certificate.getPublicKey());
|
||||
|
@ -160,6 +167,6 @@ public class XmppDomainVerifier implements DomainHostnameVerifier {
|
|||
|
||||
@Override
|
||||
public boolean verify(String domain, SSLSession sslSession) {
|
||||
return verify(domain,null,sslSession);
|
||||
return verify(domain, null, sslSession);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue