
github.com/bitfireAT/cert4android.git - Unnamed repository; edit this file 'description' to name the repository.
authorRicki Hirner <hirner@bitfire.at>2022-05-27 15:09:45 +0300
committerRicki Hirner <hirner@bitfire.at>2022-05-27 15:09:45 +0300
commit7814052eaf3072ad2c8ed29606cc9f18c3b7921d (patch)
treee9d8eec4cd15062ebf145cf5252dcc475322d57a
parentb3e28100d7b349c360f3537f5856fc486bf73148 (diff)
Use Conscrypt system trust manager
-rw-r--r--src/main/java/at/bitfire/cert4android/CertUtils.kt6
-rw-r--r--src/main/java/at/bitfire/cert4android/CustomCertManager.kt17
2 files changed, 13 insertions, 10 deletions
diff --git a/src/main/java/at/bitfire/cert4android/CertUtils.kt b/src/main/java/at/bitfire/cert4android/CertUtils.kt
index 5f8b6e3..516895f 100644
--- a/src/main/java/at/bitfire/cert4android/CertUtils.kt
+++ b/src/main/java/at/bitfire/cert4android/CertUtils.kt
@@ -22,11 +22,11 @@ object CertUtils {
fun getTrustManager(keyStore: KeyStore?): X509TrustManager? {
try {
- val tmf = TrustManagerFactory.getInstance("X509")
+ val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(keyStore)
tmf.trustManagers
- .filterIsInstance<X509TrustManager>()
- .forEach { return it }
+ .filterIsInstance<X509TrustManager>()
+ .forEach { return it }
} catch(e: GeneralSecurityException) {
Constants.log.log(Level.SEVERE, "Couldn't initialize trust manager", e)
}
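Review bot: The catch block in `getTrustManager` only logs the `GeneralSecurityException`, so callers cannot tell a failed initialization apart from "no X509TrustManager found". The function's tail is outside this hunk, but given the nullable return type it presumably returns null in both cases. That contract deserves a KDoc along the lines of `@return the first X509TrustManager for [keyStore] (null selects the platform default trust store), or null if none could be initialized; callers must treat null as "nothing is trusted"`. As a style point, the non-local return in `.forEach { return it }` would read more directly as `.firstOrNull()?.let { return it }`.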
diff --git a/src/main/java/at/bitfire/cert4android/CustomCertManager.kt b/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
index 6e15571..40cc621 100644
--- a/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
+++ b/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
@@ -11,6 +11,7 @@ import android.content.Intent
import android.content.ServiceConnection
import android.os.IBinder
import android.os.Looper
+import org.conscrypt.Conscrypt
import java.io.Closeable
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
@@ -69,7 +70,7 @@ class CustomCertManager @JvmOverloads constructor(
/** system-default trust store */
private val systemTrustManager: X509TrustManager? =
- if (trustSystemCerts) CertUtils.getTrustManager(null) else null
+ if (trustSystemCerts) Conscrypt.getDefaultX509TrustManager() else null
init {
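Review bot: The new `systemTrustManager` initializer calls `Conscrypt.getDefaultX509TrustManager()` without any error handling, whereas the replaced `CertUtils.getTrustManager(null)` caught `GeneralSecurityException` and fell back to null. As far as I know the Conscrypt method is declared to throw `KeyManagementException`, which Kotlin does not force callers to handle, so a failure would now propagate out of the `CustomCertManager` constructor. Either outcome is defensible, but the choice should be explicit. Either wrap the call in `try { … } catch (e: GeneralSecurityException) { …log…; null }` to keep the old fallback, where every certificate goes to the custom-certificate decision path, or state in the property's KDoc that construction fails when the system trust manager is unavailable. The class body continues outside this hunk.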
@@ -127,24 +128,26 @@ class CustomCertManager @JvmOverloads constructor(
}
/**
- * Checks whether a certificate is trusted. If {@link #systemTrustManager} is null (because
+ * Checks whether a certificate is trusted. If [systemTrustManager] is null (because
* system certificates are not being trusted or available), the first certificate in the chain
* (which is the lowest one, i.e. the actual server certificate) is passed to
- * {@link CustomCertService} for further decision.
+ * [CustomCertService] for further decision.
+ *
* @param chain certificate chain to check
* @param authType authentication type (ignored)
+ *
* @throws CertificateException in case of an untrusted or questionable certificate
*/
@Throws(CertificateException::class)
override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
var trusted = false
- systemTrustManager?.let {
+ systemTrustManager?.let { trustManager ->
try {
- it.checkServerTrusted(chain, authType)
+ trustManager.checkServerTrusted(chain, authType)
trusted = true
- } catch(ignored: CertificateException) {
- Constants.log.fine("Certificate not trusted by system")
+ } catch(e: CertificateException) {
+ Constants.log.log(Level.INFO, "Certificate not trusted by system, checking ourselves", e)
}
}
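Review bot: The new catch branch in `checkServerTrusted` logs at `Level.INFO` with the full exception attached, so every connection to a host with a self-signed or privately issued certificate now writes a stack trace. That is the expected path for this class rather than an anomaly. Consider keeping the one-line message at INFO and attaching the throwable only at a finer level, e.g. `Constants.log.log(Level.FINE, "Certificate not trusted by system, checking ourselves", e)`. Adding the leaf certificate's subject to the message would make the entry more useful for later review than the trace alone. The rest of the method, which acts on `trusted`, is outside this hunk.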