[guardian-dev] Verifying Certificate Chains (Gibberbot!)

[Nathan of Guardian]

Gibberbot uses a custom TrustManager implementation mostly written by
me. This was necessary because we wanted to

One of the things I recently discovered that I implemented incorrectly
was how I was expecting the certificate chain to be presented for
verification. Namely, I thought it would be in order, from cert of the
site we were connecting to, all the way back up to the Root CA.

This has proven to not be true, with most chains of certs, especially
those using intermediate CAs, not coming in any particular order, though
usually it goes:

[0] Cert of the site/service, signed by the Intermediate CA
[1] Cert of the Root CA
[2] Cert of the Intermediate CA, signed by the Root CA

I expect this is because the server loads the Intermediate CA from a
separate file provided by the vendor, and appends it to the chain.

Our old code would expect these to be in the 0, 2, 1 order, and would
thrown a TLS/SSL verification error if not. This caused sites like
Jabber.org to not properly verify, even though they had a complete,
though not "properly" ordered chain.

I have reimplemented our chain verification process to handle any order
provided to us now, as it seems there is no actual requirement to
present them in order.

I would love some code review and feedback on this from any of you out
there with SSL/TLS experience, as I want to roll this into our v10 release:
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L153

As a side note, we are planning to implement Ge0rg's
MemorizingTrustManager in some form or another as part of the next major
Gibberbot update - this will also allow manual verification/review of
certs when the automatic does not work, or as the user wishes.

Thanks in advanced!

+n8fr8