datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License

java.lang.ClassCastException: java.lang.Integer cannot be cast to java.lang.String #23

Closed fcduarte closed 6 years ago

fcduarte commented 6 years ago

Hi team,

I've seen this exception on our bug tracking for a while:

Caused by: java.lang.ClassCastException: java.lang.Integer cannot be cast to java.lang.String
        at com.datatheorem.android.trustkit.pinning.OkHostnameVerifier.getSubjectAltNames(SourceFile:126)
        at com.datatheorem.android.trustkit.pinning.OkHostnameVerifier.verifyHostname(SourceFile:80)
        at com.datatheorem.android.trustkit.pinning.OkHostnameVerifier.verify(SourceFile:62)
        at com.datatheorem.android.trustkit.pinning.PinningTrustManager.checkServerTrusted(SourceFile:99)
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:182)
        at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:596)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(NativeCrypto.java:-2)
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
        at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:281)
        at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:251)
        at okhttp3.internal.connection.RealConnection.connect(SourceFile:151)
        at okhttp3.internal.connection.StreamAllocation.findConnection(SourceFile:192)
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(SourceFile:121)
        at okhttp3.internal.connection.StreamAllocation.newStream(SourceFile:100)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:42)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
        at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
        at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:120)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)

Unfortunately I don't have the steps to reproduce. We're using OkHttp 3.8.0 and TrustKit 1.0.1.

Thanks,

fcduarte commented 6 years ago

On the same topic:

Caused by: java.lang.ArithmeticException: divide by zero
        at com.datatheorem.android.trustkit.pinning.OkHostnameVerifier.getSubjectAltNames(SourceFile:128)
        at com.datatheorem.android.trustkit.pinning.OkHostnameVerifier.verifyHostname(SourceFile:80)
        at com.datatheorem.android.trustkit.pinning.OkHostnameVerifier.verify(SourceFile:62)
        at com.datatheorem.android.trustkit.pinning.PinningTrustManager.checkServerTrusted(SourceFile:99)
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:182)
        at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:617)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(NativeCrypto.java:-2)
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:364)
        at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:281)
        at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:251)
        at okhttp3.internal.connection.RealConnection.connect(SourceFile:151)
        at okhttp3.internal.connection.StreamAllocation.findConnection(SourceFile:192)
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(SourceFile:121)
        at okhttp3.internal.connection.StreamAllocation.newStream(SourceFile:100)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:42)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
        at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
        at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:120)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)

fcduarte commented 6 years ago

More on OkHostnameVerifier:

Caused by: java.lang.NullPointerException: Null pointer exception during instruction 'invoke-super {v1}, int java.lang.Object.hashCode() // method@41'
        at com.datatheorem.android.trustkit.pinning.OkHostnameVerifier.verify(SourceFile:62)
        at com.datatheorem.android.trustkit.pinning.PinningTrustManager.checkServerTrusted(SourceFile:99)
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:182)
        at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:617)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(NativeCrypto.java:-2)
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:364)
        at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:281)
        at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:251)
        at okhttp3.internal.connection.RealConnection.connect(SourceFile:151)
        at okhttp3.internal.connection.StreamAllocation.findConnection(SourceFile:192)
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(SourceFile:121)
        at okhttp3.internal.connection.StreamAllocation.newStream(SourceFile:100)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:42)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
        at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
        at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:120)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)

jobot0 commented 6 years ago

Hey @fcduarte, sorry for the delay in responding. I have not been able to reproduce the bug yet and am still looking into why that is happening. I agree it looks more like a problem with the OkHostnameVerifier. Do you have more inputs about the setup when this bug is happening?

fcduarte commented 6 years ago

@jobot0 unfortunately I don't have the steps, but I can say it's a very common error since we have more than 100k events on our bug tracking system.

As a side note, is there any particular reason not to use OkHttp's class? https://github.com/square/okhttp/blob/master/okhttp/src/main/java/okhttp3/internal/tls/OkHostnameVerifier.java

nabla-c0d3 commented 6 years ago

Hello, it seems to be a problem with the content of the SubjAltName of a certificate. Any idea which domain is triggering this issue (or even which certificate)? TrustKit does not embed/require OkHttp 3.x, so we can't really use this HostnameVerifier directly, if this is what you mean? But we might need to update the OkHostnameVerifier we have in TrustKit.

fcduarte commented 6 years ago

@nabla-c0d3 yeah, I saw a few differences from the latest OkHostnameVerifier in OkHttp; as you said, maybe it's worth updating.

For the errors, I can't understand why I don't see those types of messages with the original OkHttp class (since we use it), so is it worth adding a few protection checks to OkHostnameVerifier?
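
An added illustration of the "protection checks" idea raised above and of the SubjAltName-content explanation in the previous reply (example code, not TrustKit's or OkHttp's own): the class name SanExtractor, the method altNamesOfType and the sample SAN list in main are assumed and constructed here. Every element of a SAN entry is type-checked with instanceof before use, so an entry whose value is not a String is dropped instead of throwing the ClassCastException seen in the first trace.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

public class SanExtractor {
    // GeneralName tags as they appear in element 0 of each SAN entry (RFC 5280).
    static final int ALT_DNS_NAME = 2, ALT_IPA_NAME = 7;

    // Tolerant "collect the SANs of one type" step: elements are checked with
    // instanceof, never cast blindly, so a malformed entry is skipped rather than
    // aborting the TLS handshake with a ClassCastException.
    static List<String> altNamesOfType(Collection<List<?>> sans, int type) {
        List<String> result = new ArrayList<>();
        if (sans == null) return result;
        for (List<?> entry : sans) {
            if (entry == null || entry.size() < 2) continue;   // truncated entry
            Object tag = entry.get(0), value = entry.get(1);
            if (!(tag instanceof Integer) || (Integer) tag != type) continue;
            // dNSName/iPAddress values are Strings; otherName etc. are DER byte[].
            if (value instanceof String) result.add((String) value);
        }
        return result;
    }

    // Same logic over a real certificate; a SAN extension the JDK cannot parse
    // yields an empty list, which a pinning verifier must treat as "no match".
    static List<String> altNamesOfType(X509Certificate cert, int type) {
        try {
            return altNamesOfType(cert.getSubjectAlternativeNames(), type);
        } catch (CertificateParsingException e) {
            return Collections.emptyList();
        }
    }

    public static void main(String[] args) {
        // Constructed sample shaped like getSubjectAlternativeNames() output.
        List<List<?>> sample = Arrays.<List<?>>asList(
            Arrays.asList(ALT_DNS_NAME, "example.test"),
            Arrays.asList(ALT_DNS_NAME, 42),             // Integer where a String is expected
            Arrays.asList(0, new byte[] {0x30, 0x00}),   // otherName, DER-encoded
            Collections.singletonList(ALT_DNS_NAME),     // missing value
            Arrays.asList(ALT_IPA_NAME, "192.0.2.10"));
        System.out.println(altNamesOfType(sample, ALT_DNS_NAME));
        System.out.println(altNamesOfType(sample, ALT_IPA_NAME));
    }
}
```

Skipping an unparseable entry only narrows the set of names a certificate can match; the pin check in PinningTrustManager still decides whether the connection is accepted.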

jobot0 commented 6 years ago

@fcduarte @nabla-c0d3 I know we've removed some of the features of the OkHostnameVerifier for some reasons. I'll create a PR with all the files needed to support all of those; let's see if it fixes your problems.

fcduarte commented 6 years ago

@jobot0 cool, thanks! You can close this for now. Is version 1.0.2 already published? I don't see it on Bintray.

jobot0 commented 6 years ago

@fcduarte Thanks! It should be, but I'm fixing a bug we have with TravisCI; if it's not fixed tomorrow I'll publish it manually!

jobot0 commented 6 years ago

@fcduarte Should be good now!