
Commit dd586a46 authored by Chad Brubaker's avatar Chad Brubaker

Check for null hostnames in RootTrustManager

Even if the hostname-aware method is called, a null hostname means the
destination is unknown and the configuration can be ambiguous.

Change-Id: I7cacbd57a42604933fdc882371f143dc0a20902d
parent 9613157d
+4 −0
@@ -71,6 +71,10 @@ public class RootTrustManager implements X509TrustManager {
     */
    public List<X509Certificate> checkServerTrusted(X509Certificate[] certs, String authType,
            String hostname) throws CertificateException {
        if (hostname == null && mConfig.hasPerDomainConfigs()) {
            throw new CertificateException(
                    "Domain specific configurations require that the hostname be provided");
        }
        NetworkSecurityConfig config = mConfig.getConfigForHostname(hostname);
        return config.getTrustManager().checkServerTrusted(certs, authType, hostname);
    }
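Review bot: The guard added at the top of the hostname-aware checkServerTrusted rejects only a null hostname, so an empty string still reaches `mConfig.getConfigForHostname(hostname)`; what that call returns for an empty name is not visible in this hunk. If an empty hostname is as ambiguous as a missing one, the condition could read `if ((hostname == null || hostname.isEmpty()) && mConfig.hasPerDomainConfigs())`. The method's Javadoc begins above the hunk and should gain a line such as `@throws CertificateException if hostname is null while per-domain configurations are present`, since this is a new failure mode for callers.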
+11 −0
@@ -22,6 +22,7 @@ import android.test.MoreAsserts;
import android.util.ArraySet;
import android.util.Pair;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
@@ -34,6 +35,7 @@ import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

@@ -103,6 +105,15 @@ public class XmlConfigTests extends AndroidTestCase {
        TestUtils.assertConnectionFails(context, "developer.android.com", 443);
        TestUtils.assertUrlConnectionFails(context, "google.com", 443);
        TestUtils.assertUrlConnectionSucceeds(context, "android.com", 443);
        // Check that sockets created without the hostname fail with per-domain configs
        SSLSocket socket = (SSLSocket) context.getSocketFactory()
                .createSocket(InetAddress.getByName("android.com"), 443);
        try {
        socket.startHandshake();
        socket.getInputStream();
        fail();
        } catch (IOException expected) {
        }
    }

    public void testBasicPinning() throws Exception {
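Review bot: The try block added in the last hunk catches any IOException, so a handshake that fails for an unrelated reason (a reset or timeout, for example) would satisfy the test without the null-hostname check in RootTrustManager ever running. If the rejection surfaces as `SSLHandshakeException`, which this file already imports, catching that type instead would pin the intended cause. The socket is also never closed, the body of the try is not indented, and `fail()` carries no message to explain a regression. The enclosing test method begins above the hunk.

```java
        // … unchanged: socket creation via InetAddress.getByName("android.com") …
        try {
            socket.startHandshake();
            socket.getInputStream();
            fail("Handshake without a hostname succeeded despite per-domain configs");
        } catch (IOException expected) {
            // Expected: the trust manager cannot select a per-domain config without a hostname.
        } finally {
            socket.close();
        }
```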