I have the following Kotlin code, which is executed in an Android application (which in turn uses Conscrypt under the hood):
import java.security.KeyStore
import java.security.SecureRandom
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

val expiredCertificate: X509Certificate = ...
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
    load(null, null) // a fresh KeyStore must be loaded (here: empty) before entries can be added
}
putCert(keyStore, expiredCertificate) // helper not shown in the post; adds the certificate as a trusted entry (setCertificateEntry)
val algorithm = TrustManagerFactory.getDefaultAlgorithm() // assumed here (not shown in the post); typically "PKIX"
val trustManagerFactory = TrustManagerFactory.getInstance(algorithm).apply {
    init(keyStore)
}
val trustManager = trustManagerFactory.trustManagers.firstOrNull() as? X509TrustManager // platform trust manager built from the store
val sslContext = SSLContext.getInstance("TLS").apply {
    init(null, arrayOf(trustManager), SecureRandom())
}
In short:
I get (no matter how) an expired X.509 certificate,
put it in a KeyStore,
pass the store to the SSLContext as the store of trusted certificates,
now my SSL engine (or Conscrypt engine, which is the same) has a trust store with the expired certificate,
next, I initiate an SSL connection with the backend and receive the server's certificate chain containing this exact certificate that resides in the trust store.
The question is: upon validating the chain, should the Conscrypt engine check the expiration of the received certificate? On the one hand, the certificate is trusted (it resides in the trust store and thus is a trust anchor); on the other hand, it is expired. Should the Conscrypt engine trust the certificate or not?
P.S. The behaviour I actually observe is the following: the certificate is handled by android.security.net.config.RootTrustManager, which delegates to com.android.org.conscrypt.TrustManagerImpl, which puts my certificate into a variable with the self-explanatory name trustAnchors and does not perform any checks, so my expired certificate is trusted. I wonder whether this is a bug or a feature.
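As an added illustration (this is not code from the issue above or from Conscrypt), here is one way an application can enforce its own expiry policy regardless of how the platform treats trust anchors: it rejects expired anchors before the trust store is built, and it wraps the platform X509TrustManager so that every certificate in a presented chain, anchor included, must be inside its validity window. The class and function names (ValidityEnforcingTrustManager, strictSslContext) and the "anchor-N" alias scheme are assumptions made for this example.

```kotlin
import java.security.KeyStore
import java.security.SecureRandom
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Hypothetical wrapper (not part of Conscrypt): delegates to the platform trust manager
// and additionally refuses any certificate in the chain that is outside its validity period.
class ValidityEnforcingTrustManager(private val delegate: X509TrustManager) : X509TrustManager {

    @Throws(CertificateException::class)
    private fun requireAllValid(chain: Array<X509Certificate>) {
        for (cert in chain) {
            // checkValidity() throws CertificateExpiredException or
            // CertificateNotYetValidException; both extend CertificateException,
            // so the handshake fails the same way as any other trust failure.
            cert.checkValidity()
        }
    }

    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
        delegate.checkServerTrusted(chain, authType) // platform path building and pinning first
        requireAllValid(chain)                       // then the stricter application policy
    }

    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {
        delegate.checkClientTrusted(chain, authType)
        requireAllValid(chain)
    }

    override fun getAcceptedIssuers(): Array<X509Certificate> = delegate.acceptedIssuers
}

// Builds an SSLContext the same way the question does, but fails fast on expired anchors
// and installs the wrapper above in front of the platform trust manager.
fun strictSslContext(trustedCerts: List<X509Certificate>): SSLContext {
    // Refuse to build a trust store around an anchor that is already expired (or not yet valid).
    trustedCerts.forEach { it.checkValidity() }

    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null) // empty in-memory store; must be loaded before entries are added
        trustedCerts.forEachIndexed { i, cert -> setCertificateEntry("anchor-$i", cert) }
    }
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply {
        init(keyStore)
    }
    val platformTm = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
    return SSLContext.getInstance("TLS").apply {
        init(null, arrayOf(ValidityEnforcingTrustManager(platformTm)), SecureRandom())
    }
}
```

The wrapper only takes effect for connections that actually use this SSLContext (for example via its socketFactory); connections that go through the platform default, such as the Network Security Config path the post describes, are unaffected by it. Keeping the delegate call first preserves whatever path validation and pinning the platform performs, and the validity check is added on top rather than replacing it.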