Fix gpodder certificate validation

This commit is contained in:
Martin Fietz 2015-05-08 23:46:39 +02:00
parent 393e647b10
commit d715cece62
3 changed files with 3 additions and 78 deletions

View File

@ -1,8 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="de.danoeh.antennapod"
android:versionCode="51"
android:versionName="1.1.1">
android:versionCode="52"
android:versionName="1.1.2">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>

View File

@ -41,7 +41,7 @@
<div id="header" align="center">
<img src="logo.png" alt="Logo" width="100px" height="100px"/>
<p>AntennaPod, Version 1.1</p>
<p>AntennaPod, Version 1.1.2</p>
<p>Copyright © 2014 Daniel Oeh</p>

View File

@ -72,84 +72,9 @@ public class GpodnetService {
public GpodnetService() {
httpClient = AntennapodHttpClient.getHttpClient();
if (Build.VERSION.SDK_INT <= 10) {
Log.d(TAG, "Use custom SSL factory");
SSLSocketFactory factory = getCustomSslSocketFactory();
httpClient.setSslSocketFactory(factory);
}
BASE_HOST = GpodnetPreferences.getHostname();
}
private synchronized static SSLSocketFactory getCustomSslSocketFactory() {
try {
TrustManagerFactory defaultTrustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
defaultTrustManagerFactory.init((KeyStore) null); // use system keystore
final X509TrustManager defaultTrustManager = (X509TrustManager) defaultTrustManagerFactory.getTrustManagers()[0];
TrustManager[] customTrustManagers = new TrustManager[]{new X509TrustManager() {
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
// chain may out of order - construct data structures to walk from server certificate to root certificate
Map<Principal, X509Certificate> certificates = new HashMap<Principal, X509Certificate>(chain.length - 1);
X509Certificate subject = null;
for (X509Certificate cert : chain) {
cert.checkValidity();
if (cert.getSubjectDN().toString().startsWith("CN=" + DEFAULT_BASE_HOST)) {
subject = cert;
} else {
certificates.put(cert.getSubjectDN(), cert);
}
}
if (subject == null) {
throw new CertificateException("Chain does not contain a certificate for " + DEFAULT_BASE_HOST);
}
// follow chain to root CA
while (certificates.get(subject.getIssuerDN()) != null) {
subject.checkValidity();
X509Certificate issuer = certificates.get(subject.getIssuerDN());
try {
subject.verify(issuer.getPublicKey());
} catch (Exception e) {
Log.d(TAG, "failed: " + issuer.getSubjectDN() + " -> " + subject.getSubjectDN());
throw new CertificateException("Could not verify certificate");
}
subject = issuer;
}
X500Principal rootAuthority = subject.getIssuerX500Principal();
boolean accepted = false;
for (X509Certificate cert :
defaultTrustManager.getAcceptedIssuers()) {
if (cert.getSubjectX500Principal().equals(rootAuthority)) {
try {
subject.verify(cert.getPublicKey());
accepted = true;
} catch (Exception e) {
Log.d(TAG, "failed: " + cert.getSubjectDN() + " -> " + subject.getSubjectDN());
throw new CertificateException("Could not verify root certificate");
}
}
}
if (accepted == false) {
throw new CertificateException("Could not verify root certificate");
}
}
}};
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, customTrustManagers, null);
return sslContext.getSocketFactory();
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
/**
* Returns the [count] most used tags.
*/