msb-public
/
FairEmail
mirror of https://github.com/M66B/FairEmail.git
1
0
Code Issues Projects Releases Wiki Activity

Refactoring

Browse Source
pull/214/head
M66B 2 years ago
parent 311af85c5a
commit 71af2781cc
3 changed files with 74 additions and 66 deletions
Show Stats Download Patch File Download Diff File

19
app/src/dummy/java/eu/faircode/email/SSLHelper.java
Unescape View File

@ -1,18 +1,25 @@
package eu.faircode.email; package eu.faircode.email;
import java.security.KeyStore;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
public class SSLHelper { public class SSLHelper {
static X509TrustManager getTrustManager(X509TrustManager rtm,
String server,
boolean secure, boolean cert_strict,
String trustedFingerprint,
ITrust intf) {
// https://support.google.com/faqs/answer/6346016 // https://support.google.com/faqs/answer/6346016
static TrustManager[] getTrustManagers(String server, boolean secure, boolean cert_strict, String trustedFingerprint, ITrust intf) {
TrustManagerFactory tmf;
try {
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
return tmf.getTrustManagers();
} catch (Throwable ex) {
Log.e(ex);
return null; return null;
} }
}
static boolean customTrustManager() { static boolean customTrustManager() {
return false; return false;

46
app/src/extra/java/eu/faircode/email/SSLHelper.java
Unescape View File

@ -6,22 +6,45 @@ import androidx.annotation.NonNull;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.Principal; import java.security.Principal;
import java.security.cert.CertPathValidatorException; import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.X509TrustManager;
public class SSLHelper { public class SSLHelper {
static X509TrustManager getTrustManager(X509TrustManager rtm, static TrustManager[] getTrustManagers(String server, boolean secure, boolean cert_strict, String trustedFingerprint, ITrust intf) {
String server, TrustManagerFactory tmf;
boolean secure, boolean cert_strict, try {
String trustedFingerprint, tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
ITrust intf) { tmf.init((KeyStore) null);
return new X509TrustManager() { } catch (Throwable ex) {
Log.e(ex);
tmf = null;
}
TrustManager[] tms = (tmf == null ? null : tmf.getTrustManagers());
Log.i("Trust managers=" + (tms == null ? null : tms.length));
if (tms == null || tms.length == 0 || !(tms[0] instanceof X509TrustManager)) {
Log.e("Missing root trust manager");
return tms;
}
if (tms.length > 1)
for (TrustManager tm : tms)
Log.e("Trust manager " + tm.getClass());
final X509TrustManager rtm = (X509TrustManager) tms[0];
return new TrustManager[]{new X509TrustManager() {
// openssl s_client -connect <host> // openssl s_client -connect <host>
@Override @Override
@ -105,9 +128,7 @@ public class SSLHelper {
private boolean noAnchor(Throwable ex) { private boolean noAnchor(Throwable ex) {
while (ex != null) { while (ex != null) {
if (ex instanceof CertPathValidatorException && if (ex instanceof CertPathValidatorException)
"Trust anchor for certification path not found."
.equals(ex.getMessage()))
return true; return true;
ex = ex.getCause(); ex = ex.getCause();
} }
@ -116,16 +137,13 @@ public class SSLHelper {
private boolean isExpired(Throwable ex) { private boolean isExpired(Throwable ex) {
while (ex != null) { while (ex != null) {
if (ex instanceof CertPathValidatorException && if (ex instanceof CertificateExpiredException)
"timestamp check failed"
.equals(ex.getMessage()))
return true; return true;
ex = ex.getCause(); ex = ex.getCause();
} }
return false; return false;
} }
}; }};
} }
static boolean customTrustManager() { static boolean customTrustManager() {

43
app/src/main/java/eu/faircode/email/EmailService.java
Unescape View File

@ -1047,34 +1047,7 @@ public class EmailService implements AutoCloseable {
this.cert_strict = cert_strict; this.cert_strict = cert_strict;
this.trustedFingerprint = fingerprint; this.trustedFingerprint = fingerprint;
// https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext TrustManager[] tms = SSLHelper.getTrustManagers(server, secure, cert_strict, trustedFingerprint,
// https://stackoverflow.com/questions/69571364/sslcontext-getinstancetls-vulnerability
// https://developer.android.com/about/versions/oreo/android-8.0-changes.html#security-all
SSLContext sslContext;
String protocol = (insecure ? "SSL" : "TLS");
if (bc)
sslContext = SSLContext.getInstance(protocol, new BouncyCastleJsseProvider(fips));
else
sslContext = SSLContext.getInstance(protocol);
Log.i("Using protocol=" + protocol + " bc=" + bc + " FIPS=" + fips);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
TrustManager[] tms = tmf.getTrustManagers();
Log.i("Trust managers=" + (tms == null ? null : tms.length));
if (tms == null || tms.length == 0 || !(tms[0] instanceof X509TrustManager)) {
Log.e("Missing root trust manager");
sslContext.init(null, tms, null);
} else {
final X509TrustManager rtm = (X509TrustManager) tms[0];
if (tms.length > 1)
for (TrustManager tm : tms)
Log.e("Trust manager " + tm.getClass());
X509TrustManager tm = SSLHelper.getTrustManager(rtm, server, secure, cert_strict, trustedFingerprint,
new SSLHelper.ITrust() { new SSLHelper.ITrust() {
@Override @Override
public void checkServerTrusted(X509Certificate[] chain) { public void checkServerTrusted(X509Certificate[] chain) {
@ -1099,8 +1072,18 @@ public class EmailService implements AutoCloseable {
} catch (Throwable ex) { } catch (Throwable ex) {
Log.e(ex); Log.e(ex);
} }
sslContext.init(km, new TrustManager[]{tm == null ? rtm : tm}, null);
} // https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
// https://stackoverflow.com/questions/69571364/sslcontext-getinstancetls-vulnerability
// https://developer.android.com/about/versions/oreo/android-8.0-changes.html#security-all
SSLContext sslContext;
String protocol = (insecure ? "SSL" : "TLS");
if (bc)
sslContext = SSLContext.getInstance(protocol, new BouncyCastleJsseProvider(fips));
else
sslContext = SSLContext.getInstance(protocol);
Log.i("Using protocol=" + protocol + " bc=" + bc + " FIPS=" + fips);
sslContext.init(km, tms, null);
factory = sslContext.getSocketFactory(); factory = sslContext.getSocketFactory();
} }

Write Preview
Loading…
Cancel
Save