From 9dabc7586670324cdcfb4dcc5cd4a91dd891f8a7 Mon Sep 17 00:00:00 2001 From: zzz Date: Sun, 13 Jul 2014 13:29:55 +0000 Subject: [PATCH] * SU3File: Disable the X.509 CN checking of local certs on Android, as the javax.naming classes are not available. Any issues with local certs will be discovered in non-Android testing. --- core/java/src/net/i2p/crypto/CertUtil.java | 10 ++++++++- core/java/src/net/i2p/crypto/DirKeyRing.java | 23 +++++++++++++++----- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/core/java/src/net/i2p/crypto/CertUtil.java b/core/java/src/net/i2p/crypto/CertUtil.java index 359ce7aac..aa484a522 100644 --- a/core/java/src/net/i2p/crypto/CertUtil.java +++ b/core/java/src/net/i2p/crypto/CertUtil.java @@ -18,6 +18,7 @@ import net.i2p.I2PAppContext; import net.i2p.data.Base64; import net.i2p.util.Log; import net.i2p.util.SecureFileOutputStream; +import net.i2p.util.SystemVersion; /** * Java X.509 certificate utilities, consolidated from various places. @@ -65,11 +66,18 @@ public class CertUtil { } /** - * Get a value out of the subject distinguished name + * Get a value out of the subject distinguished name. + * + * Warning - unsupported in Android (no javax.naming), returns null. + * * @param type e.g. "CN" * @return value or null if not found */ public static String getSubjectValue(X509Certificate cert, String type) { + if (SystemVersion.isAndroid()) { + error("Don't call this in Android", new UnsupportedOperationException("I did it")); + return null; + } type = type.toUpperCase(Locale.US); X500Principal p = cert.getSubjectX500Principal(); String subj = p.getName(); diff --git a/core/java/src/net/i2p/crypto/DirKeyRing.java b/core/java/src/net/i2p/crypto/DirKeyRing.java index 6085694ea..38ba45bf8 100644 --- a/core/java/src/net/i2p/crypto/DirKeyRing.java +++ b/core/java/src/net/i2p/crypto/DirKeyRing.java @@ -14,9 +14,11 @@ import java.security.PublicKey; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import net.i2p.util.SystemVersion; + /** - * Dumb storage in a directory for testing. - * No sanitization of filenames, unsafe. + * Simple storage of each cert in a separate file in a directory. + * Limited sanitization of filenames. * * @since 0.9.9 */ @@ -30,7 +32,9 @@ class DirKeyRing implements KeyRing { /** * Cert must be in the file (escaped keyName).crt, - * and have a CN == keyName + * and have a CN == keyName. + * + * CN check unsupported on Android. */ public PublicKey getKey(String keyName, String scope, SigType type) throws GeneralSecurityException, IOException { @@ -49,14 +53,21 @@ class DirKeyRing implements KeyRing { CertificateFactory cf = CertificateFactory.getInstance("X.509"); X509Certificate cert = (X509Certificate)cf.generateCertificate(fis); cert.checkValidity(); - String cn = CertUtil.getSubjectValue(cert, "CN"); - if (!keyName.equals(cn)) - throw new GeneralSecurityException("CN mismatch: " + cn); + if (!SystemVersion.isAndroid()) { + // getSubjectValue() unsupported on Android. + // Any cert problems will be caught in non-Android testing. + String cn = CertUtil.getSubjectValue(cert, "CN"); + if (!keyName.equals(cn)) + throw new GeneralSecurityException("CN mismatch: " + cn); + } return cert.getPublicKey(); } finally { try { if (fis != null) fis.close(); } catch (IOException foo) {} } } + /** + * Unimplemented, unused. + */ public void setKey(String keyName, String scope, PublicKey key) {} }