Added Mozilla CA email certificates

Refs thunderbird/thunderbird-android#1003
2026-03-26 02:45:31 +01:00 · 2025-04-30 14:51:43 +02:00
parent 5b7bafd60c
commit a765735850
5 changed files with 2535 additions and 4 deletions
--- a/app/build.gradle
+++ b/app/build.gradle
@@ -462,6 +462,13 @@ tasks.register('downloadBrave') {
    dependsOn("downloadBraveClean", "downloadBraveDebouce")
 }

+tasks.register('downloadSmime', Download) {
+    // https://wiki.mozilla.org/CA/Included_Certificates
+    src "https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Email"
+    dest new File(new File("${rootDir}", "app/src/main/assets"), "IncludedRootsPEM.txt")
+    overwrite true
+}
+
 tasks.register('extractSignature', Exec) {
    workingDir "${rootDir}"
    // sudo apt install apksigcopier
--- a/app/src/main/assets/IncludedRootsPEM.txt
+++ b/app/src/main/assets/IncludedRootsPEM.txt
--- a/app/src/main/java/eu/faircode/email/FragmentMessages.java
+++ b/app/src/main/java/eu/faircode/email/FragmentMessages.java
@@ -10244,8 +10244,7 @@ public class FragmentMessages extends FragmentBase
                                    KeyStore ks = null;
                                    try {
                                        // https://tools.ietf.org/html/rfc3852#section-10.2.3
-                                        ks = KeyStore.getInstance("AndroidCAStore");
-                                        ks.load(null, null);
+                                        ks = SmimeHelper.getCAStore(context);

                                        // https://docs.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html
                                        X509CertSelector target = new X509CertSelector();
--- a/app/src/main/java/eu/faircode/email/FragmentOptionsEncryption.java
+++ b/app/src/main/java/eu/faircode/email/FragmentOptionsEncryption.java
@@ -453,8 +453,7 @@ public class FragmentOptionsEncryption extends FragmentBase
                new SimpleTask<List<String>>() {
                    @Override
                    protected List<String> onExecute(Context context, Bundle args) throws Throwable {
-                        KeyStore ks = KeyStore.getInstance("AndroidCAStore");
-                        ks.load(null, null);
+                        KeyStore ks = SmimeHelper.getCAStore(context);

                        List<String> issuers = new ArrayList<>();
                        Enumeration<String> aliases = ks.aliases();
--- a/app/src/main/java/eu/faircode/email/SmimeHelper.java
+++ b/app/src/main/java/eu/faircode/email/SmimeHelper.java
@@ -21,9 +21,23 @@ package eu.faircode.email;

 import android.content.Context;

+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Enumeration;
 import java.util.List;
 import java.util.Objects;

@@ -31,6 +45,8 @@ import javax.mail.Address;
 import javax.mail.internet.InternetAddress;

 public class SmimeHelper {
+    private static final String CA_LIST_NAME = "IncludedRootsPEM.txt";
+
    static boolean hasSmimeKey(Context context, List<Address> recipients, boolean all) {
        if (recipients == null || recipients.size() == 0)
            return false;
@@ -55,4 +71,47 @@ public class SmimeHelper {
            return false;
        return Objects.equals(privkey.getAlgorithm(), pubkey.getAlgorithm());
    }
+
+    private static List<X509Certificate> readCACertificates(Context context) throws CertificateException, IOException {
+        List<X509Certificate> result = new ArrayList<>();
+        Log.i("Reading " + CA_LIST_NAME);
+        CertificateFactory fact = CertificateFactory.getInstance("X.509");
+        try (InputStream is = context.getAssets().open(CA_LIST_NAME)) {
+            try (PemReader reader = new PemReader(new InputStreamReader(is))) {
+                PemObject pem = reader.readPemObject();
+                while (pem != null) {
+                    ByteArrayInputStream bis = new ByteArrayInputStream(pem.getContent());
+                    X509Certificate cert = (X509Certificate) fact.generateCertificate(bis);
+                    Log.i("S/MIME cert=" + cert.getSubjectDN().getName());
+                    result.add(cert);
+                    pem = reader.readPemObject();
+                }
+            }
+        }
+        Log.i("S/MIME root certs=" + result.size());
+        return result;
+    }
+
+    static KeyStore getCAStore(Context context) throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
+        KeyStore aks = KeyStore.getInstance("AndroidCAStore");
+        aks.load(null, null);
+
+        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+        ks.load(null, null);
+
+        Enumeration<String> aliases = aks.aliases();
+        while (aliases.hasMoreElements()) {
+            String alias = aliases.nextElement();
+            if (aks.isCertificateEntry(alias))
+                ks.setCertificateEntry(alias, aks.getCertificate(alias));
+        }
+
+        int idx = 1;
+        for (X509Certificate ca : SmimeHelper.readCACertificates(context)) {
+            String alias = "Mozilla:" + idx++ + ":" + ca.getSubjectDN().getName();
+            ks.setCertificateEntry(alias, ca);
+        }
+
+        return ks;
+    }
 }