diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml
index 8fdca1f..4f90ac3 100644
--- a/app/src/main/AndroidManifest.xml
+++ b/app/src/main/AndroidManifest.xml
@@ -23,7 +23,7 @@
android:hardwareAccelerated="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
- android:usesCleartextTraffic="true">
+ android:networkSecurityConfig="@xml/network_security_config">
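Review bot: Dropping android:usesCleartextTraffic="true" in favour of android:networkSecurityConfig moves the cleartext decision into @xml/network_security_config, but that file's content is not readable in this diff (its hunk at the end of the page is blank), so whether cleartext is still permitted and how widely the bundled CA is trusted cannot be checked here. If the config declares the certificate from res/raw/purplei2p.crt as a trust anchor, putting it under a `<domain-config>` for the I2P hosts rather than `<base-config>` keeps it from being accepted for every host. A one-line comment in the config stating the intended cleartextTrafficPermitted value would make the policy auditable without opening the manifest.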
diff --git a/app/src/main/assets/cert/purplei2p.crt b/app/src/main/assets/cert/purplei2p.crt
deleted file mode 100644
index a750237..0000000
--- a/app/src/main/assets/cert/purplei2p.crt
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID9zCCAt+gAwIBAgIUervWv7EoWkk4Gt8J34xDR9nhH50wDQYJKoZIhvcNAQEL
-BQAwgYIxCzAJBgNVBAYTAldXMRQwEgYDVQQIDAtJMlAgTmV0d29yazESMBAGA1UE
-CgwJUHVycGxlSTJQMSowKAYDVQQDDCFQdXJwbGVJMlAgQ2VydGlmaWNhdGlvbiBB
-dXRob3JpdHkxHTAbBgkqhkiG9w0BCQEWDnI0c2FzQG1haWwuaTJwMB4XDTE5MDMw
-MzE2MjcxNFoXDTI5MDIyODE2MjcxNFowgYIxCzAJBgNVBAYTAldXMRQwEgYDVQQI
-DAtJMlAgTmV0d29yazESMBAGA1UECgwJUHVycGxlSTJQMSowKAYDVQQDDCFQdXJw
-bGVJMlAgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxHTAbBgkqhkiG9w0BCQEWDnI0
-c2FzQG1haWwuaTJwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwLEy
-A0TamzrfORA+aIM/NRRGrKYkI9o5Q9UB/pTM8IFlSBREGleUfnC6LFHZeNV+Y1Tn
-jrMBOZ7PmIKjPIv+fJP7KjhHACZdk6iqVZqkiGqE0/V17kG16g1+g05Bj2lkWr94
-mp1rhzBeKJJSI8cG82824qdfDcgWZheziye+O0okENhi0o2bDhg78EnyysJiN/tu
-OuoZSGfC9ZdITbpMWgqwuQcdeBg0FNy4hEqUJWoYNgrghe5uc0WMOjTAegSntYPE
-MeaaZyzlGICZ2F+rKZgTjnzVYW60QlHqfg7sShieSPYIZmeN5l5hZ5GZk9Giaj/X
-4pz4sup2iafKclWAmQIDAQABo2MwYTAdBgNVHQ4EFgQUCARvpDaXqPaF4amObzzV
-GaDoZm4wHwYDVR0jBBgwFoAUCARvpDaXqPaF4amObzzVGaDoZm4wDwYDVR0TBAgw
-BgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAKcmGUXV
-gCw8PRHe0+XlkcSTX69e0TIPP+j5uJxMT3BHasvBdyV4FcjuUokHGjAnHal5OV4N
-yWdbRPnIge7su4yLQZzlNM1OzbcRds1wSbqTEpb68R/6E8mv3ms6Rc8AcRoXwusc
-byZvzS9tBSXTQ21wCVrltnIARAYabWlWu+URv+DFvlwMik6H8+DklHSVkPC6K3Ov
-V1aMJztMnJ/XTTsFDS/yvaTfmJFG16LABIiSsEAW5QK64sWsN4sxvpcg0D6/EjWP
-knyLM4KXuD3i08mzwzus8d97AjGxC5RCEFL5ADBpVaDU/5CpmZmZdY1daYjiHrXm
-EVNoSbqid1fAVyA=
------END CERTIFICATE-----
diff --git a/app/src/main/java/org/purplei2p/lightning/utils/Utils.java b/app/src/main/java/org/purplei2p/lightning/utils/Utils.java
index 6409bc7..8731b0b 100644
--- a/app/src/main/java/org/purplei2p/lightning/utils/Utils.java
+++ b/app/src/main/java/org/purplei2p/lightning/utils/Utils.java
@@ -174,6 +174,20 @@ public final class Utils {
*/
@Nullable
public static String getDomainName(@Nullable String url) {
+ return getDomainName(url, false);
+ }
+
+/**
+ * Extracts the domain name from a URL.
+ *
+ * @param url the URL to extract the domain from.
+ * @param domainonly flag to return only domain without scheme.
+ * @return the domain name, or the URL if the domain
+ * could not be extracted. The domain name may include
+ * HTTPS if the URL is an SSL supported URL and domainonly is false.
+ */
+ @Nullable
+ public static String getDomainName(@Nullable String url, boolean domainonly) {
if (url == null || url.isEmpty()) return "";
boolean ssl = URLUtil.isHttpsUrl(url);
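Review bot: The new parameter `domainonly` breaks the lowerCamelCase convention the rest of the file follows (`getDomainName`, `url`); `domainOnly` reads as two words and matches how the Javadoc describes it. The `@return` text should also state that in the domain-only case a leading "www." is removed (the `else` branch in the next hunk applies to it), since a caller that uses the value as a hostname needs to know it is not the literal host from the URL; e.g. `* @return the domain name with any leading "www." removed, or the URL if the domain could not be extracted.` The body of the new overload continues past this hunk.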
@@ -195,7 +209,7 @@ public final class Utils {
if (domain == null || domain.isEmpty()) {
return url;
}
- if (ssl)
+ if (ssl && !domainonly)
return Constants.HTTPS + domain;
else
return domain.startsWith("www.") ? domain.substring(4) : domain;
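Review bot: With `domainonly` true the result still takes the `else` branch and loses a leading "www.", so the domain-only form is not the host as written in the URL; LightningWebClient's SSL_IDMISMATCH check compares it to a certificate CN, where a request for "www.example.i2p" would no longer match a CN of "www.example.i2p". If the flag is meant to yield the raw host for comparison, return before the prefix stripping: `if (domainonly) return domain;` placed right after the empty-domain guard. The enclosing method starts outside this hunk.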
diff --git a/app/src/main/java/org/purplei2p/lightning/view/LightningWebClient.java b/app/src/main/java/org/purplei2p/lightning/view/LightningWebClient.java
index 9cf5c58..3c293f1 100644
--- a/app/src/main/java/org/purplei2p/lightning/view/LightningWebClient.java
+++ b/app/src/main/java/org/purplei2p/lightning/view/LightningWebClient.java
@@ -98,23 +98,17 @@ public class LightningWebClient extends WebViewClient {
CertificateException, FileNotFoundException,
IOException, KeyStoreException, NoSuchAlgorithmException {
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ InputStream caInput = mActivity.getResources().openRawResource(R.raw.purplei2p);
+ final Certificate ca = cf.generateCertificate(caInput);
+ Log.d(TAG, "ca-root DN=" + ((X509Certificate) ca).getSubjectDN());
+ caInput.close();
+
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore trustedKeyStore = KeyStore.getInstance(keyStoreType);
trustedKeyStore.load(null, null);
-
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
-
- InputStream caInput = new BufferedInputStream(mActivity.getResources().getAssets().open("cert/purplei2p.crt"));
- Certificate ca;
- try {
- ca = cf.generateCertificate(caInput);
- Log.d(TAG, "ca-root DN=" + ((X509Certificate) ca).getSubjectDN());
- }
- finally {
- caInput.close();
- }
- trustedKeyStore.setCertificateEntry("ca", ca);
+ trustedKeyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
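Review bot: The try/finally that closed caInput was dropped together with the BufferedInputStream, so the raw-resource stream opened by openRawResource leaks whenever cf.generateCertificate throws a CertificateException, which the method already declares. Reinstating the guarantee is short: `final Certificate ca; try (InputStream caInput = mActivity.getResources().openRawResource(R.raw.purplei2p)) { ca = cf.generateCertificate(caInput); }`, with the Log.d line moved after the block. The enclosing method's signature is above this hunk.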
@@ -280,7 +274,8 @@ public class LightningWebClient extends WebViewClient {
X509TrustManager x509TrustManager = (X509TrustManager)trustManager;
try{
x509TrustManager.checkServerTrusted(chain, "generic");
- passVerify = true;break;
+ passVerify = true;
+ break;
}catch(Exception e){
Log.e(TAG, "SslError verify trustManager failed", e);
passVerify = false;
@@ -292,11 +287,24 @@ public class LightningWebClient extends WebViewClient {
Log.e(TAG, "SslError verify cert fail", e);
}
}
+
if(passVerify == true) {
handler.proceed();
return;
}
+ if(error.getPrimaryError() == SslError.SSL_IDMISMATCH){
+ // Due to strange bug in android when trust anchors used, we must revalidate that hostname in request and in certificate is not matching.
+ SslCertificate cert = error.getCertificate();
+ String TargetURL = error.getUrl();
+ String reqHost = Utils.getDomainName(TargetURL, true);
+ String subjCN = cert.getIssuedTo().getCName();
+ if(reqHost.equals(subjCN)){
+ handler.proceed();
+ return;
+ }
+ }
+
List errorCodeMessageCodes = getAllSslErrorMessageCodes(error);
StringBuilder stringBuilder = new StringBuilder();
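Review bot: The new SSL_IDMISMATCH branch calls handler.proceed() on a CN comparison alone: it is reached only after the `passVerify == true` early return did not fire, i.e. after the trust-manager loop in the previous hunk did not validate the chain (or the verification threw), so as far as the visible code shows a certificate that fails chain validation is accepted whenever its subject CN equals the requested host. The comparison is also weaker than the check that produced the error — it reads only the CN via getIssuedTo().getCName() rather than the subject alternative names, and the host comes from getDomainName(TargetURL, true), which strips a leading "www.". If the intent is to tolerate a hostname-verification quirk for chains that do validate against the bundled CA, the branch should be gated on that outcome (record the checkServerTrusted result separately from the proceed decision) and match against the SANs; otherwise it should fall through to the existing error dialog. The enclosing method (presumably onReceivedSslError) starts before this hunk, and the "strange bug" in the comment should be referenced concretely so the workaround can be removed when it no longer applies.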
diff --git a/app/src/main/res/raw/purplei2p.crt b/app/src/main/res/raw/purplei2p.crt
new file mode 100644
index 0000000..026afe5
Binary files /dev/null and b/app/src/main/res/raw/purplei2p.crt differ
diff --git a/app/src/main/res/xml/network_security_config.xml b/app/src/main/res/xml/network_security_config.xml
new file mode 100644
index 0000000..f01729c
--- /dev/null
+++ b/app/src/main/res/xml/network_security_config.xml
@@ -0,0 +1,10 @@
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/build.gradle b/build.gradle
index ad47ab3..36ce5b0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -22,5 +22,5 @@ ext {
buildToolsVersion = '28.0.3'
versionName = '0.1.2'
- versionCode = 125
+ versionCode = 126
}