Commit e19ae992 authored by rhi's avatar rhi 🐑

Client certificates: fix occasional HTTP 400 errors

* don't catch and ignore exceptions when adding client certificates for authentication
* remove useless KeyStore usage
parent ef631657
......@@ -118,6 +118,7 @@ class HttpClient private constructor(
Logger.log.log(Level.SEVERE, "Can't set proxy, ignoring", e)
}
// TODO don't instantiate CustomCertManager in .Builder (causes service leaks)
customCertManager(CustomCertManager(context, true /*BuildConfig.customCertsUI*/,
!(settings.getBoolean(Settings.DISTRUST_SYSTEM_CERTIFICATES))))
}
......@@ -181,42 +182,34 @@ class HttpClient private constructor(
var keyManager: KeyManager? = null
certificateAlias?.let { alias ->
try {
val context = requireNotNull(context)
// get provider certificate and private key
val certs = KeyChain.getCertificateChain(context, alias) ?: return@let
val key = KeyChain.getPrivateKey(context, alias) ?: return@let
logger.fine("Using provider certificate $alias for authentication (chain length: ${certs.size})")
// create Android KeyStore (performs key operations without revealing secret data to DAVx5)
val keyStore = KeyStore.getInstance("AndroidKeyStore")
keyStore.load(null)
val context = requireNotNull(context)
// create KeyManager
keyManager = object: X509ExtendedKeyManager() {
override fun getServerAliases(p0: String?, p1: Array<out Principal>?): Array<String>? = null
override fun chooseServerAlias(p0: String?, p1: Array<out Principal>?, p2: Socket?) = null
// get provider certificate and private key
val certs = KeyChain.getCertificateChain(context, alias) ?: return@let
val key = KeyChain.getPrivateKey(context, alias) ?: return@let
logger.fine("Using provider certificate $alias for authentication (chain length: ${certs.size})")
override fun getClientAliases(p0: String?, p1: Array<out Principal>?) =
arrayOf(alias)
// create KeyManager
keyManager = object : X509ExtendedKeyManager() {
override fun getServerAliases(p0: String?, p1: Array<out Principal>?): Array<String>? = null
override fun chooseServerAlias(p0: String?, p1: Array<out Principal>?, p2: Socket?) = null
override fun chooseClientAlias(p0: Array<out String>?, p1: Array<out Principal>?, p2: Socket?) =
alias
override fun getClientAliases(p0: String?, p1: Array<out Principal>?) =
arrayOf(alias)
override fun getCertificateChain(forAlias: String?) =
certs.takeIf { forAlias == alias }
override fun chooseClientAlias(p0: Array<out String>?, p1: Array<out Principal>?, p2: Socket?) =
alias
override fun getPrivateKey(forAlias: String?) =
key.takeIf { forAlias == alias }
}
override fun getCertificateChain(forAlias: String?) =
certs.takeIf { forAlias == alias }
// HTTP/2 doesn't support client certificates (yet)
// see https://tools.ietf.org/html/draft-ietf-httpbis-http2-secondary-certs-04
orig.protocols(listOf(Protocol.HTTP_1_1))
} catch (e: Exception) {
logger.log(Level.SEVERE, "Couldn't set up provider certificate authentication", e)
override fun getPrivateKey(forAlias: String?) =
key.takeIf { forAlias == alias }
}
// HTTP/2 doesn't support client certificates (yet)
// see https://tools.ietf.org/html/draft-ietf-httpbis-http2-secondary-certs-04
orig.protocols(listOf(Protocol.HTTP_1_1))
}
val sslContext = SSLContext.getInstance("TLS")
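Review bot: With the try/catch removed, the two `?: return@let` early returns on the KeyChain lookups are the only remaining silent fallback: when `getCertificateChain` or `getPrivateKey` yields null (alias gone or access not granted), the builder quietly continues without a client certificate and the failure surfaces later as a server-side error, which is the same symptom this commit sets out to fix for the exception case. A warning before bailing out makes that path visible, e.g. `val certs = KeyChain.getCertificateChain(context, alias) ?: run { logger.warning("No certificate chain for alias $alias, continuing without client authentication"); return@let }` and the equivalent for the private key. Note also that these KeyChain calls can throw (KeyChainException / InterruptedException, as far as I recall the Android API), which now propagates out of the builder; that matches the description, but the enclosing function, which starts before this hunk, should say so in its KDoc so callers expect it.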
......