Closed aparnavarun87 closed 1 year ago
I have the same issue. I'm using `okhttp:4.10.0` and `com.appmattus.certificatetransparency:certificatetransparency-android:2.1.2`.
I'm instantiating the CertificateTransparencyInterceptor somewhat like this:
```kotlin
import android.content.Context
import com.appmattus.certificatetransparency.CTLogger
import com.appmattus.certificatetransparency.VerificationResult
import com.appmattus.certificatetransparency.cache.AndroidDiskCache
import com.appmattus.certificatetransparency.certificateTransparencyInterceptor
import okhttp3.Interceptor

@JvmStatic
fun certTransparencyInterceptor(context: Context): Interceptor {
    return certificateTransparencyInterceptor {
        // Hosts to enforce CT on (the DSL's unary plus adds a host pattern to the include list)
        + "myDomain1"
        + "myDomain2"
        // Fail the request instead of only logging when CT verification does not pass
        failOnError = true
        logger = object : CTLogger {
            override fun log(host: String, result: VerificationResult) {
                // XLog and LOG_TAG are the app's own logging helpers
                XLog.v(
                    LOG_TAG,
                    "SSL Certificate verification result: %s for host: %s".format(
                        result.toString(),
                        host
                    )
                )
            }
        }
        // Persist the fetched log list on disk between app runs
        diskCache = AndroidDiskCache(context)
    }
}
```
And then adding it like:
```kotlin
val httpClientBuilder = OkHttpClient.Builder()
// Network interceptor so it runs on the actual connection and sees the server certificate chain
httpClientBuilder.addNetworkInterceptor(certTransparencyInterceptor(context))
```
I'm not doing anything specific with trust managers or socket factories.
I didn't install it using your installCertificateTransparencyProvider because I needed to catch SSLPeerUnverifiedExceptions and take specific action.
Incidentally, thank you for this library and for all you're doing. You're a pretty key component in the Android ecosystem.
Please let me know if there's any other information I can provide.
For some domains, it seems to work ok, but for others, I get an error like this:
```text
java.lang.IllegalArgumentException: toIndex: 778269429, size: 527
    at com.appmattus.certificatetransparency.internal.utils.asn1.bytes.BasicByteBuffer.range(BasicByteBuffer.kt:40)
    at com.appmattus.certificatetransparency.internal.utils.asn1.ASN1Sequence$values$2.invoke(ASN1Sequence.kt:35)
    at com.appmattus.certificatetransparency.internal.utils.asn1.ASN1Sequence$values$2.invoke(ASN1Sequence.kt:27)
    at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74)
    at com.appmattus.certificatetransparency.internal.utils.asn1.ASN1Sequence.getValues(ASN1Sequence.kt:27)
    at com.appmattus.certificatetransparency.internal.utils.asn1.x509.Extensions$values$2.invoke(Extensions.kt:31)
    at com.appmattus.certificatetransparency.internal.utils.asn1.x509.Extensions$values$2.invoke(Extensions.kt:30)
    at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74)
    at com.appmattus.certificatetransparency.internal.utils.asn1.x509.Extensions.getValues(Extensions.kt:30)
    at com.appmattus.certificatetransparency.internal.verifier.LogSignatureVerifier.hasX509AuthorityKeyIdentifier(LogSignatureVerifier.kt:244)
    at com.appmattus.certificatetransparency.internal.verifier.LogSignatureVerifier.createTbsForVerification(LogSignatureVerifier.kt:185)
    at com.appmattus.certificatetransparency.internal.verifier.LogSignatureVerifier.verifySCTOverPreCertificate$certificatetransparency(LogSignatureVerifier.kt:156)
    at com.appmattus.certificatetransparency.internal.verifier.LogSignatureVerifier.verifySignature(LogSignatureVerifier.kt:136)
    at com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyBase.hasValidSignedCertificateTimestamp(CertificateTransparencyBase.kt:139)
    at com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyBase.verifyCertificateTransparency(CertificateTransparencyBase.kt:96)
    at com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor.intercept(CertificateTransparencyInterceptor.kt:70)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at com.facebook.stetho.okhttp3.StethoInterceptor.intercept(StethoInterceptor.java:54)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:34)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
<snip/>
```
Looking at the exception, it's certainly something happening with parsing the extensions of the certificate. If anyone is able to share a domain that this goes wrong with, it will probably speed up being able to fix this issue.
I am in the process of adding some more robust unit tests around the ASN.1 parser at the moment but this might take a while as I'm only working on the library in my spare time.
Try https://alerting-na.xmatters.com/ Thank you so much for this lib and for looking into this!
Seems to work for me :/
Wrote a simple unit test and chucked in the top 500 domains and they all pass (or rather I don't see that exception when I do see exceptions).
```kotlin
import com.appmattus.certificatetransparency.CTLogger
import com.appmattus.certificatetransparency.VerificationResult
import com.appmattus.certificatetransparency.certificateTransparencyInterceptor
import okhttp3.OkHttpClient
import okhttp3.Request
import org.junit.Test
import org.junit.runner.RunWith
import org.junit.runners.Parameterized

@RunWith(Parameterized::class)
internal class CertificateTransparencyInterceptorIntegrationTop100Test {

    @Parameterized.Parameter(0)
    lateinit var inputDomain: String

    @Test
    fun domainAllowed() {
        // One client per case; the shared interceptor logs every verification result
        val client = OkHttpClient.Builder().addNetworkInterceptor(networkInterceptor).build()
        val request = Request.Builder()
            .url(inputDomain)
            .build()
        client.newCall(request).execute().close()
    }

    companion object {
        val networkInterceptor = certificateTransparencyInterceptor {
            logger = object : CTLogger {
                override fun log(host: String, result: VerificationResult) {
                    println("ct result for $host:\n $result")
                }
            }
        }

        @JvmStatic
        @Parameterized.Parameters(name = "{0}")
        fun data() = arrayOf(
            "https://alerting-na.xmatters.com/",
        )
    }
}
```
```text
ct result for alerting-na.xmatters.com:
 Success: SCT trusted logs [6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4=:Valid SCT, s3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZo=:Valid SCT, tz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXttJk=:Valid SCT]
ct result for alerting-na.xmatters.com:
 Success: SCT trusted logs [6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4=:Valid SCT, s3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZo=:Valid SCT, tz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXttJk=:Valid SCT]
ct result for everbridge.onelogin.com:
 Success: SCT trusted logs [rfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgoo=:Valid SCT, Nc8ZG7+xbFe/D61MbULLu7YnICZR6j/hKu+oA8M71kw=:Valid SCT, s3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZo=:Valid SCT]
ct result for everbridge.onelogin.com:
 Success: SCT trusted logs [rfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgoo=:Valid SCT, Nc8ZG7+xbFe/D61MbULLu7YnICZR6j/hKu+oA8M71kw=:Valid SCT, s3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZo=:Valid SCT]
ct result for everbridge.onelogin.com:
 Success: SCT trusted logs [rfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgoo=:Valid SCT, Nc8ZG7+xbFe/D61MbULLu7YnICZR6j/hKu+oA8M71kw=:Valid SCT, s3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZo=:Valid SCT]
```
Ah, except my code isn't what is in the library.
Funnily enough, @predriver mentioned a bug in the ASN.1 header which this domain must hit... I've got a fix locally, just not got it into the library yet though.
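For readers following the ASN.1 header discussion, here is an added illustration (not code from this library, and written in Python rather than Kotlin so it runs anywhere) of the bounds checks a DER tag/length walker needs so that a bad length header surfaces as a parse error rather than an out-of-range index like the `toIndex: 778269429, size: 527` above. The byte strings are constructed here; `BAD` only borrows that toIndex value as its declared length and is not the offending certificate.

```python
class DerError(ValueError):
    """Raised for any malformed or truncated DER header."""

def read_header(buf, pos):
    """Return (tag, content_start, content_end) for the TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise DerError("truncated header")
    tag, first = buf[pos], buf[pos + 1]     # single-byte tags only
    pos += 2
    if first < 0x80:            # short form: the byte is the length
        length = first
    else:                       # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0:
            raise DerError("indefinite length is not valid DER")
        if n > 4 or pos + n > len(buf):
            raise DerError("length-of-length overruns buffer")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and length >> (8 * (n - 1)) == 0):
            raise DerError("non-minimal length encoding")
        pos += n
    end = pos + length
    if end > len(buf):          # this check turns an overrun into a parse error
        raise DerError(f"content end {end} exceeds buffer size {len(buf)}")
    return tag, pos, end

def sequence_values(buf):
    """(tag, content) pairs of one top-level SEQUENCE (cf. ASN1Sequence.values)."""
    tag, pos, end = read_header(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise DerError("not a single top-level SEQUENCE")
    values = []
    while pos < end:
        item_tag, start, stop = read_header(buf, pos)
        values.append((item_tag, buf[start:stop]))
        pos = stop
    return values

def rejects(buf):
    try:
        sequence_values(buf)
    except DerError:
        return True
    return False

# Constructed samples: GOOD = SEQUENCE { INTEGER 5, OCTET STRING "ab" }; LONG uses a
# two-byte length; BAD declares length 778269429 for a 13-byte buffer and must be rejected.
GOOD = bytes.fromhex("300702010504026162")
LONG = b"\x30\x81\x80\x04\x7e" + b"x" * 126
BAD = bytes.fromhex("30842e6372f5") + GOOD[2:]
```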
Currently tagging v2.2.0 which fixes this issue
The app starts crashing when I upgrade from v1.1.1 to v2. java.lang.IllegalArgumentException: toIndex: 778268654, size: 129. Any solution to resolve this?