1package eu.siacs.conversations.crypto;
2
3import android.util.Log;
4import android.util.Pair;
5
6import org.bouncycastle.asn1.ASN1Primitive;
7import org.bouncycastle.asn1.DERIA5String;
8import org.bouncycastle.asn1.DERTaggedObject;
9import org.bouncycastle.asn1.DERUTF8String;
10import org.bouncycastle.asn1.DLSequence;
11import org.bouncycastle.asn1.x500.RDN;
12import org.bouncycastle.asn1.x500.X500Name;
13import org.bouncycastle.asn1.x500.style.BCStyle;
14import org.bouncycastle.asn1.x500.style.IETFUtils;
15import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
16
17import java.io.IOException;
18import java.security.cert.Certificate;
19import java.security.cert.CertificateEncodingException;
20import java.security.cert.X509Certificate;
21import java.util.ArrayList;
22import java.util.Collection;
23import java.util.List;
24
25import javax.net.ssl.SSLSession;
26
27import de.duenndns.ssl.DomainHostnameVerifier;
28
29public class XmppDomainVerifier implements DomainHostnameVerifier {
30
31 private static final String LOGTAG = "XmppDomainVerifier";
32
33 private final String SRVName = "1.3.6.1.5.5.7.8.7";
34 private final String xmppAddr = "1.3.6.1.5.5.7.8.5";
35
36 @Override
37 public boolean verify(String domain, String hostname, SSLSession sslSession) {
38 try {
39 Certificate[] chain = sslSession.getPeerCertificates();
40 if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
41 return false;
42 }
43 X509Certificate certificate = (X509Certificate) chain[0];
44 if (isSelfSigned(certificate)) {
45 List<String> domains = getCommonNames(certificate);
46 if (domains.size() == 1 && domains.get(0).equals(domain)) {
47 Log.d(LOGTAG,"accepted CN in cert self signed cert for "+domain);
48 return true;
49 }
50 }
51 Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
52 List<String> xmppAddrs = new ArrayList<>();
53 List<String> srvNames = new ArrayList<>();
54 List<String> domains = new ArrayList<>();
55 if (alternativeNames != null) {
56 for (List<?> san : alternativeNames) {
57 Integer type = (Integer) san.get(0);
58 if (type == 0) {
59 Pair<String, String> otherName = parseOtherName((byte[]) san.get(1));
60 if (otherName != null) {
61 switch (otherName.first) {
62 case SRVName:
63 srvNames.add(otherName.second);
64 break;
65 case xmppAddr:
66 xmppAddrs.add(otherName.second);
67 break;
68 default:
69 Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second);
70 }
71 }
72 } else if (type == 2) {
73 Object value = san.get(1);
74 if (value instanceof String) {
75 domains.add((String) value);
76 }
77 }
78 }
79 }
80 if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) {
81 domains.addAll(domains);
82 }
83 Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains);
84 if (hostname != null) {
85 Log.d(LOGTAG,"also trying to verify hostname "+hostname);
86 }
87 return xmppAddrs.contains(domain)
88 || srvNames.contains("_xmpp-client." + domain)
89 || matchDomain(domain, domains)
90 || (hostname != null && matchDomain(hostname,domains));
91 } catch (Exception e) {
92 return false;
93 }
94 }
95
96 private static List<String> getCommonNames(X509Certificate certificate) {
97 List<String> domains = new ArrayList<>();
98 try {
99 X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject();
100 RDN[] rdns = x500name.getRDNs(BCStyle.CN);
101 for (int i = 0; i < rdns.length; ++i) {
102 domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue()));
103 }
104 return domains;
105 } catch (CertificateEncodingException e) {
106 return domains;
107 }
108 }
109
110 private static Pair<String, String> parseOtherName(byte[] otherName) {
111 try {
112 ASN1Primitive asn1Primitive = ASN1Primitive.fromByteArray(otherName);
113 if (asn1Primitive instanceof DERTaggedObject) {
114 ASN1Primitive inner = ((DERTaggedObject) asn1Primitive).getObject();
115 if (inner instanceof DLSequence) {
116 DLSequence sequence = (DLSequence) inner;
117 if (sequence.size() >= 2 && sequence.getObjectAt(1) instanceof DERTaggedObject) {
118 String oid = sequence.getObjectAt(0).toString();
119 ASN1Primitive value = ((DERTaggedObject) sequence.getObjectAt(1)).getObject();
120 if (value instanceof DERUTF8String) {
121 return new Pair<>(oid, ((DERUTF8String) value).getString());
122 } else if (value instanceof DERIA5String) {
123 return new Pair<>(oid, ((DERIA5String) value).getString());
124 }
125 }
126 }
127 }
128 return null;
129 } catch (IOException e) {
130 return null;
131 }
132 }
133
134 private static boolean matchDomain(String needle, List<String> haystack) {
135 for (String entry : haystack) {
136 if (entry.startsWith("*.")) {
137 int i = needle.indexOf('.');
138 Log.d(LOGTAG, "comparing " + needle.substring(i) + " and " + entry.substring(1));
139 if (i != -1 && needle.substring(i).equals(entry.substring(1))) {
140 Log.d(LOGTAG, "domain " + needle + " matched " + entry);
141 return true;
142 }
143 } else {
144 if (entry.equals(needle)) {
145 Log.d(LOGTAG, "domain " + needle + " matched " + entry);
146 return true;
147 }
148 }
149 }
150 return false;
151 }
152
153 private boolean isSelfSigned(X509Certificate certificate) {
154 try {
155 certificate.verify(certificate.getPublicKey());
156 return true;
157 } catch (Exception e) {
158 return false;
159 }
160 }
161
162 @Override
163 public boolean verify(String domain, SSLSession sslSession) {
164 return verify(domain,null,sslSession);
165 }
166}