1package eu.siacs.conversations.crypto;
2
3import android.util.Log;
4import android.util.Pair;
5
6import org.bouncycastle.asn1.ASN1Primitive;
7import org.bouncycastle.asn1.DERIA5String;
8import org.bouncycastle.asn1.DERTaggedObject;
9import org.bouncycastle.asn1.DERUTF8String;
10import org.bouncycastle.asn1.DLSequence;
11import org.bouncycastle.asn1.x500.RDN;
12import org.bouncycastle.asn1.x500.X500Name;
13import org.bouncycastle.asn1.x500.style.BCStyle;
14import org.bouncycastle.asn1.x500.style.IETFUtils;
15import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
16
17import java.io.IOException;
18import java.net.IDN;
19import java.security.cert.Certificate;
20import java.security.cert.CertificateEncodingException;
21import java.security.cert.X509Certificate;
22import java.util.ArrayList;
23import java.util.Collection;
24import java.util.List;
25import java.util.Locale;
26
27import javax.net.ssl.SSLSession;
28
29public class XmppDomainVerifier implements DomainHostnameVerifier {
30
31 private static final String LOGTAG = "XmppDomainVerifier";
32
33 private static final String SRV_NAME = "1.3.6.1.5.5.7.8.7";
34 private static final String XMPP_ADDR = "1.3.6.1.5.5.7.8.5";
35
36 private static List<String> getCommonNames(X509Certificate certificate) {
37 List<String> domains = new ArrayList<>();
38 try {
39 X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject();
40 RDN[] rdns = x500name.getRDNs(BCStyle.CN);
41 for (int i = 0; i < rdns.length; ++i) {
42 domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue()));
43 }
44 return domains;
45 } catch (CertificateEncodingException e) {
46 return domains;
47 }
48 }
49
50 private static Pair<String, String> parseOtherName(byte[] otherName) {
51 try {
52 ASN1Primitive asn1Primitive = ASN1Primitive.fromByteArray(otherName);
53 if (asn1Primitive instanceof DERTaggedObject) {
54 ASN1Primitive inner = ((DERTaggedObject) asn1Primitive).getObject();
55 if (inner instanceof DLSequence) {
56 DLSequence sequence = (DLSequence) inner;
57 if (sequence.size() >= 2 && sequence.getObjectAt(1) instanceof DERTaggedObject) {
58 String oid = sequence.getObjectAt(0).toString();
59 ASN1Primitive value = ((DERTaggedObject) sequence.getObjectAt(1)).getObject();
60 if (value instanceof DERUTF8String) {
61 return new Pair<>(oid, ((DERUTF8String) value).getString());
62 } else if (value instanceof DERIA5String) {
63 return new Pair<>(oid, ((DERIA5String) value).getString());
64 }
65 }
66 }
67 }
68 return null;
69 } catch (IOException e) {
70 return null;
71 }
72 }
73
74 public static boolean matchDomain(final String needle, final List<String> haystack) {
75 for (final String entry : haystack) {
76 if (entry.startsWith("*.")) {
77 int offset = 0;
78 while (offset < needle.length()) {
79 int i = needle.indexOf('.', offset);
80 if (i < 0) {
81 break;
82 }
83 if (needle.substring(i).equalsIgnoreCase(entry.substring(1))) {
84 return true;
85 }
86 offset = i + 1;
87 }
88 } else {
89 if (entry.equalsIgnoreCase(needle)) {
90 return true;
91 }
92 }
93 }
94 return false;
95 }
96
97 @Override
98 public boolean verify(final String unicodeDomain,final String unicodeHostname, SSLSession sslSession) {
99 final String domain = IDN.toASCII(unicodeDomain);
100 final String hostname = unicodeHostname == null ? null : IDN.toASCII(unicodeHostname);
101 try {
102 final Certificate[] chain = sslSession.getPeerCertificates();
103 if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
104 return false;
105 }
106 final X509Certificate certificate = (X509Certificate) chain[0];
107 final List<String> commonNames = getCommonNames(certificate);
108 if (isSelfSigned(certificate)) {
109 if (commonNames.size() == 1 && matchDomain(domain, commonNames)) {
110 Log.d(LOGTAG, "accepted CN in self signed cert as work around for " + domain);
111 return true;
112 }
113 }
114 final Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
115 final List<String> xmppAddrs = new ArrayList<>();
116 final List<String> srvNames = new ArrayList<>();
117 final List<String> domains = new ArrayList<>();
118 if (alternativeNames != null) {
119 for (List<?> san : alternativeNames) {
120 final Integer type = (Integer) san.get(0);
121 if (type == 0) {
122 final Pair<String, String> otherName = parseOtherName((byte[]) san.get(1));
123 if (otherName != null && otherName.first != null && otherName.second != null) {
124 switch (otherName.first) {
125 case SRV_NAME:
126 srvNames.add(otherName.second.toLowerCase(Locale.US));
127 break;
128 case XMPP_ADDR:
129 xmppAddrs.add(otherName.second.toLowerCase(Locale.US));
130 break;
131 default:
132 Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second);
133 }
134 }
135 } else if (type == 2) {
136 final Object value = san.get(1);
137 if (value instanceof String) {
138 domains.add(((String) value).toLowerCase(Locale.US));
139 }
140 }
141 }
142 }
143 if (srvNames.size() == 0 && xmppAddrs.size() == 0 && domains.size() == 0) {
144 domains.addAll(commonNames);
145 }
146 Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + domains);
147 if (hostname != null) {
148 Log.d(LOGTAG, "also trying to verify hostname " + hostname);
149 }
150 return xmppAddrs.contains(domain)
151 || srvNames.contains("_xmpp-client." + domain)
152 || matchDomain(domain, domains)
153 || (hostname != null && matchDomain(hostname, domains));
154 } catch (final Exception e) {
155 return false;
156 }
157 }
158
159 private boolean isSelfSigned(X509Certificate certificate) {
160 try {
161 certificate.verify(certificate.getPublicKey());
162 return true;
163 } catch (Exception e) {
164 return false;
165 }
166 }
167
168 @Override
169 public boolean verify(String domain, SSLSession sslSession) {
170 return verify(domain, null, sslSession);
171 }
172}