[guardian-dev] Verifying Certificate Chains (Gibberbot!)
Nathan of Guardian
nathan at guardianproject.info
Thu Nov 1 11:06:05 EDT 2012
On 11/01/2012 01:55 PM, Nathan of Guardian wrote:
> I would love some code review and feedback on this from any of you out
> there with SSL/TLS experience, as I want to roll this into our v10 release:
> https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L153
Some changes I've made since this post, based on more thinking and
feedback from @ioerror:
- moved certificate matching to binary "byte by byte" matching, combined
with name string matching
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L545
- even if issuer/root is included in chain from server, double check if
it is also in the local CA store:
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L173
- ensure every issuer/signer is still valid/not expired, including Root CAs
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L193
- added proper verification of self-signed certs, namely that they are
indeed signed:
https://github.com/guardianproject/Gibberbot/blob/master/src/info/guardianproject/otr/app/im/plugin/xmpp/ServerTrustManager.java#L248
More to come.
+n
More information about the Guardian-dev
mailing list