Mirrors/FairEmail
1
0
Fork 0
mirror of https://github.com/M66B/FairEmail.git synced 2026-03-27 19:35:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Improved DANE patch

Browse Source
This commit is contained in:
M66B
2024-06-20 16:09:49 +02:00
parent d2e3a38939
commit ccf03bdf10
1 changed files with 17 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
app/src/main/java/org/minidns/dane/DaneVerifier.java
View File

@@ -17,6 +17,7 @@ import org.minidns.dnssec.DnssecQueryResult;
import org.minidns.dnssec.DnssecUnverifiedReason;
import org.minidns.record.Data;
import org.minidns.record.Record;
import org.minidns.record.CNAME;
import org.minidns.record.TLSA;
import javax.net.ssl.HttpsURLConnection;
@@ -120,18 +121,23 @@ public class DaneVerifier {
List<DaneCertificateException.CertificateMismatch> certificateMismatchExceptions = new LinkedList<>();
boolean verified = false;
for (Record<? extends Data> record : res.answerSection) {
// https://github.com/MiniDNS/minidns/issues/140
if (record.type == Record.TYPE.TLSA /*&& record.name.equals(req)*/) {
TLSA tlsa = (TLSA) record.payloadData;
try {
verified |= checkCertificateMatches(chain[0], tlsa, hostName);
} catch (DaneCertificateException.CertificateMismatch certificateMismatchException) {
// Record the mismatch and only throw an exception if no
// TLSA RR is able to verify the cert. This allows for TLSA
// certificate rollover.
certificateMismatchExceptions.add(certificateMismatchException);
if (record.name.equals(req)) {
if (record.type == Record.TYPE.TLSA) {
TLSA tlsa = (TLSA) record.payloadData;
try {
verified |= checkCertificateMatches(chain[0], tlsa, hostName);
} catch (DaneCertificateException.CertificateMismatch certificateMismatchException) {
// Record the mismatch and only throw an exception if no
// TLSA RR is able to verify the cert. This allows for TLSA
// certificate rollover.
certificateMismatchExceptions.add(certificateMismatchException);
}
if (verified) break;
}
// https://github.com/MiniDNS/minidns/issues/140
else if (record.type == Record.TYPE.CNAME) {
req = ((CNAME) record.payloadData).target;
}
if (verified) break;
}
}