msb-public
/
FairEmail
mirror of https://github.com/M66B/FairEmail.git
1
0
Code Issues Projects Releases Wiki Activity

Refactoring

Browse Source
pull/214/head
M66B 2 years ago
parent 311af85c5a
commit 71af2781cc
3 changed files with 74 additions and 66 deletions
Show Stats Download Patch File Download Diff File

23
app/src/dummy/java/eu/faircode/email/SSLHelper.java
Unescape View File

@ -1,17 +1,24 @@
package eu.faircode.email; package eu.faircode.email;
import java.security.KeyStore;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
public class SSLHelper { public class SSLHelper {
static X509TrustManager getTrustManager(X509TrustManager rtm, // https://support.google.com/faqs/answer/6346016
String server,
boolean secure, boolean cert_strict, static TrustManager[] getTrustManagers(String server, boolean secure, boolean cert_strict, String trustedFingerprint, ITrust intf) {
String trustedFingerprint, TrustManagerFactory tmf;
ITrust intf) { try {
// https://support.google.com/faqs/answer/6346016 tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
return null; tmf.init((KeyStore) null);
return tmf.getTrustManagers();
} catch (Throwable ex) {
Log.e(ex);
return null;
}
} }
static boolean customTrustManager() { static boolean customTrustManager() {

46
app/src/extra/java/eu/faircode/email/SSLHelper.java
Unescape View File

@ -6,22 +6,45 @@ import androidx.annotation.NonNull;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.Principal; import java.security.Principal;
import java.security.cert.CertPathValidatorException; import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.X509TrustManager;
public class SSLHelper { public class SSLHelper {
static X509TrustManager getTrustManager(X509TrustManager rtm, static TrustManager[] getTrustManagers(String server, boolean secure, boolean cert_strict, String trustedFingerprint, ITrust intf) {
String server, TrustManagerFactory tmf;
boolean secure, boolean cert_strict, try {
String trustedFingerprint, tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
ITrust intf) { tmf.init((KeyStore) null);
return new X509TrustManager() { } catch (Throwable ex) {
Log.e(ex);
tmf = null;
}
TrustManager[] tms = (tmf == null ? null : tmf.getTrustManagers());
Log.i("Trust managers=" + (tms == null ? null : tms.length));
if (tms == null || tms.length == 0 || !(tms[0] instanceof X509TrustManager)) {
Log.e("Missing root trust manager");
return tms;
}
if (tms.length > 1)
for (TrustManager tm : tms)
Log.e("Trust manager " + tm.getClass());
final X509TrustManager rtm = (X509TrustManager) tms[0];
return new TrustManager[]{new X509TrustManager() {
// openssl s_client -connect <host> // openssl s_client -connect <host>
@Override @Override
@ -105,9 +128,7 @@ public class SSLHelper {
private boolean noAnchor(Throwable ex) { private boolean noAnchor(Throwable ex) {
while (ex != null) { while (ex != null) {
if (ex instanceof CertPathValidatorException && if (ex instanceof CertPathValidatorException)
"Trust anchor for certification path not found."
.equals(ex.getMessage()))
return true; return true;
ex = ex.getCause(); ex = ex.getCause();
} }
@ -116,16 +137,13 @@ public class SSLHelper {
private boolean isExpired(Throwable ex) { private boolean isExpired(Throwable ex) {
while (ex != null) { while (ex != null) {
if (ex instanceof CertPathValidatorException && if (ex instanceof CertificateExpiredException)
"timestamp check failed"
.equals(ex.getMessage()))
return true; return true;
ex = ex.getCause(); ex = ex.getCause();
} }
return false; return false;
} }
}; }};
} }
static boolean customTrustManager() { static boolean customTrustManager() {

71
app/src/main/java/eu/faircode/email/EmailService.java
Unescape View File

@ -1047,6 +1047,32 @@ public class EmailService implements AutoCloseable {
this.cert_strict = cert_strict; this.cert_strict = cert_strict;
this.trustedFingerprint = fingerprint; this.trustedFingerprint = fingerprint;
TrustManager[] tms = SSLHelper.getTrustManagers(server, secure, cert_strict, trustedFingerprint,
new SSLHelper.ITrust() {
@Override
public void checkServerTrusted(X509Certificate[] chain) {
certificate = chain[0];
}
});
KeyManager[] km = null;
if (key != null && chain != null)
try {
Log.i("Client certificate init");
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(null, new char[0]);
ks.setKeyEntry(server, key, new char[0], chain);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, new char[0]);
km = kmf.getKeyManagers();
Log.i("Client certificate initialized");
} catch (Throwable ex) {
Log.e(ex);
}
// https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext // https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
// https://stackoverflow.com/questions/69571364/sslcontext-getinstancetls-vulnerability // https://stackoverflow.com/questions/69571364/sslcontext-getinstancetls-vulnerability
// https://developer.android.com/about/versions/oreo/android-8.0-changes.html#security-all // https://developer.android.com/about/versions/oreo/android-8.0-changes.html#security-all
@ -1057,50 +1083,7 @@ public class EmailService implements AutoCloseable {
else else
sslContext = SSLContext.getInstance(protocol); sslContext = SSLContext.getInstance(protocol);
Log.i("Using protocol=" + protocol + " bc=" + bc + " FIPS=" + fips); Log.i("Using protocol=" + protocol + " bc=" + bc + " FIPS=" + fips);
sslContext.init(km, tms, null);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
TrustManager[] tms = tmf.getTrustManagers();
Log.i("Trust managers=" + (tms == null ? null : tms.length));
if (tms == null || tms.length == 0 || !(tms[0] instanceof X509TrustManager)) {
Log.e("Missing root trust manager");
sslContext.init(null, tms, null);
} else {
final X509TrustManager rtm = (X509TrustManager) tms[0];
if (tms.length > 1)
for (TrustManager tm : tms)
Log.e("Trust manager " + tm.getClass());
X509TrustManager tm = SSLHelper.getTrustManager(rtm, server, secure, cert_strict, trustedFingerprint,
new SSLHelper.ITrust() {
@Override
public void checkServerTrusted(X509Certificate[] chain) {
certificate = chain[0];
}
});
KeyManager[] km = null;
if (key != null && chain != null)
try {
Log.i("Client certificate init");
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(null, new char[0]);
ks.setKeyEntry(server, key, new char[0], chain);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, new char[0]);
km = kmf.getKeyManagers();
Log.i("Client certificate initialized");
} catch (Throwable ex) {
Log.e(ex);
}
sslContext.init(km, new TrustManager[]{tm == null ? rtm : tm}, null);
}
factory = sslContext.getSocketFactory(); factory = sslContext.getSocketFactory();
} }

Write Preview
Loading…
Cancel
Save