1package eu.siacs.conversations.crypto;
2
3import android.os.Build;
4import android.util.Log;
5import android.util.Pair;
6
7import org.bouncycastle.asn1.ASN1Primitive;
8import org.bouncycastle.asn1.DERIA5String;
9import org.bouncycastle.asn1.DERTaggedObject;
10import org.bouncycastle.asn1.DERUTF8String;
11import org.bouncycastle.asn1.DLSequence;
12import org.bouncycastle.asn1.x500.RDN;
13import org.bouncycastle.asn1.x500.X500Name;
14import org.bouncycastle.asn1.x500.style.BCStyle;
15import org.bouncycastle.asn1.x500.style.IETFUtils;
16import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
17
18import java.io.IOException;
19import java.security.cert.Certificate;
20import java.security.cert.CertificateEncodingException;
21import java.security.cert.X509Certificate;
22import java.util.ArrayList;
23import java.util.Collection;
24import java.util.List;
25
26import javax.net.ssl.SSLSession;
27
28import de.duenndns.ssl.DomainHostnameVerifier;
29
30public class XmppDomainVerifier implements DomainHostnameVerifier {
31
32 private static final String LOGTAG = "XmppDomainVerifier";
33
34 private static final String SRV_NAME = "1.3.6.1.5.5.7.8.7";
35 private static final String XMPP_ADDR = "1.3.6.1.5.5.7.8.5";
36
37 @Override
38 public boolean verify(String domain, String hostname, SSLSession sslSession) {
39 try {
40 Certificate[] chain = sslSession.getPeerCertificates();
41 if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
42 return false;
43 }
44 X509Certificate certificate = (X509Certificate) chain[0];
45 final List<String> commonNames = getCommonNames(certificate);
46 final boolean isSelfSignedCertificate = isSelfSigned(certificate);
47 if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT || isSelfSignedCertificate) {
48 if (commonNames.size() == 1 && commonNames.get(0).equals(domain)) {
49 Log.d(LOGTAG,"accepted CN in cert as work around for "+domain+" isSelfSigned="+Boolean.toString(isSelfSignedCertificate)+", sdkInt="+Build.VERSION.SDK_INT);
50 return true;
51 }
52 }
53 Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
54 List<String> xmppAddrs = new ArrayList<>();
55 List<String> srvNames = new ArrayList<>();
56 List<String> domains = new ArrayList<>();
57 if (alternativeNames != null) {
58 for (List<?> san : alternativeNames) {
59 Integer type = (Integer) san.get(0);
60 if (type == 0) {
61 Pair<String, String> otherName = parseOtherName((byte[]) san.get(1));
62 if (otherName != null) {
63 switch (otherName.first) {
64 case SRV_NAME:
65 srvNames.add(otherName.second);
66 break;
67 case XMPP_ADDR:
68 xmppAddrs.add(otherName.second);
69 break;
70 default:
71 Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second);
72 }
73 }
74 } else if (type == 2) {
75 Object value = san.get(1);
76 if (value instanceof String) {
77 domains.add((String) value);
78 }
79 }
80 }
81 }
82 if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) {
83 domains.addAll(commonNames);
84 }
85 Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains);
86 if (hostname != null) {
87 Log.d(LOGTAG,"also trying to verify hostname "+hostname);
88 }
89 return xmppAddrs.contains(domain)
90 || srvNames.contains("_xmpp-client." + domain)
91 || matchDomain(domain, domains)
92 || (hostname != null && matchDomain(hostname,domains));
93 } catch (Exception e) {
94 return false;
95 }
96 }
97
98 private static List<String> getCommonNames(X509Certificate certificate) {
99 List<String> domains = new ArrayList<>();
100 try {
101 X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject();
102 RDN[] rdns = x500name.getRDNs(BCStyle.CN);
103 for (int i = 0; i < rdns.length; ++i) {
104 domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue()));
105 }
106 return domains;
107 } catch (CertificateEncodingException e) {
108 return domains;
109 }
110 }
111
112 private static Pair<String, String> parseOtherName(byte[] otherName) {
113 try {
114 ASN1Primitive asn1Primitive = ASN1Primitive.fromByteArray(otherName);
115 if (asn1Primitive instanceof DERTaggedObject) {
116 ASN1Primitive inner = ((DERTaggedObject) asn1Primitive).getObject();
117 if (inner instanceof DLSequence) {
118 DLSequence sequence = (DLSequence) inner;
119 if (sequence.size() >= 2 && sequence.getObjectAt(1) instanceof DERTaggedObject) {
120 String oid = sequence.getObjectAt(0).toString();
121 ASN1Primitive value = ((DERTaggedObject) sequence.getObjectAt(1)).getObject();
122 if (value instanceof DERUTF8String) {
123 return new Pair<>(oid, ((DERUTF8String) value).getString());
124 } else if (value instanceof DERIA5String) {
125 return new Pair<>(oid, ((DERIA5String) value).getString());
126 }
127 }
128 }
129 }
130 return null;
131 } catch (IOException e) {
132 return null;
133 }
134 }
135
136 private static boolean matchDomain(String needle, List<String> haystack) {
137 for (String entry : haystack) {
138 if (entry.startsWith("*.")) {
139 int i = needle.indexOf('.');
140 Log.d(LOGTAG, "comparing " + needle.substring(i) + " and " + entry.substring(1));
141 if (i != -1 && needle.substring(i).equals(entry.substring(1))) {
142 Log.d(LOGTAG, "domain " + needle + " matched " + entry);
143 return true;
144 }
145 } else {
146 if (entry.equals(needle)) {
147 Log.d(LOGTAG, "domain " + needle + " matched " + entry);
148 return true;
149 }
150 }
151 }
152 return false;
153 }
154
155 private boolean isSelfSigned(X509Certificate certificate) {
156 try {
157 certificate.verify(certificate.getPublicKey());
158 return true;
159 } catch (Exception e) {
160 return false;
161 }
162 }
163
164 @Override
165 public boolean verify(String domain, SSLSession sslSession) {
166 return verify(domain,null,sslSession);
167 }
168}