[guardian-dev] Verifying Certificate Chains (Gibberbot!)

Nathan of Guardian nathan at guardianproject.info
Thu Nov 1 11:06:05 EDT 2012


On 11/01/2012 01:55 PM, Nathan of Guardian wrote:
> I would love some code review and feedback on this from any of you out
> there with SSL/TLS experience, as I want to roll this into our v10 release:
> https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L153

Some changes I've made since this post, based on more thinking and
feedback from @ioerror:

- moved certificate matching to binary "byte by byte" matching, combined
with name string matching
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L545

- even if issuer/root is included in chain from server, double check if
it is also in the local CA store:
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L173

- ensure every issuer/signer is still valid/not expired, including Root CAs
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L193

- added proper verification of self-signed certs, namely that they are
indeed signed:
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L248

More to come.

+n


More information about the Guardian-dev mailing list