Friday 31 March 2023

Should TrustManager trust expired certificate from TrustStore?

I have the following Kotlin code, which is executed as an Android application:

val expiredCertificate: X509Certificate = ...
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
// putCert is a helper that is not shown in the post
putCert(keyStore, expiredCertificate)
// `algorithm` is defined elsewhere (not shown in the post)
val trustManagerFactory = TrustManagerFactory.getInstance(algorithm).apply {
    init(keyStore)
}
val trustManager = trustManagerFactory.trustManagers.firstOrNull() as? X509TrustManager
// No key managers (null); the trust manager built above is the only one
val ssoContext = SSLContext.getInstance("TLS").apply {
    init(null, arrayOf(trustManager), SecureRandom())
}

In short:

  1. I get (no matter how) an expired X.509 certificate,
  2. put it in a KeyStore,
  3. pass the store to SSLContext as the store of trusted certificates.

As a result, my SSL engine has a trust store with an expired certificate.

Next, I initiate an SSL connection with the backend and receive the server's certificate chain with this exact certificate that resides in the trust store.

The question is: upon validating the chain, should the SSL engine check the expiration of the received certificate? On the one hand, the certificate is trusted (it resides in the trust store and thus is a trust anchor); on the other hand, it is expired. Should the SSL engine trust the certificate or not?

P.S. The behaviour I actually observe is the following: the certificate is handled by android.security.net.config.RootTrustManager, which delegates to com.android.org.conscrypt.TrustManagerImpl, which puts my certificate into a variable with the self-explanatory name trustAnchors and does not perform any checks, so that my expired certificate is believed to be valid. I wonder whether this is a bug or a feature.
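
If expiry must be enforced even for a certificate that is itself a trust anchor, the check can be layered on top of the platform trust manager. The wrapper below is an added example, not code from the original post or from Android; the class name `ValidityEnforcingTrustManager` and its `now` parameter are hypothetical, and it assumes the `trustManager` built in the snippet above is passed in as `delegate`.

```kotlin
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import java.util.Date
import javax.net.ssl.X509TrustManager

// Hypothetical wrapper: runs the delegate's normal chain validation, then
// additionally rejects expired or not-yet-valid certificates, including a
// certificate that the delegate accepted only because it is a trust anchor.
class ValidityEnforcingTrustManager(
    private val delegate: X509TrustManager,
    private val now: () -> Date = { Date() }  // injectable clock (assumption, eases testing)
) : X509TrustManager {

    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
        delegate.checkServerTrusted(chain, authType)
        requireCurrentlyValid(chain)
    }

    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {
        delegate.checkClientTrusted(chain, authType)
        requireCurrentlyValid(chain)
    }

    override fun getAcceptedIssuers(): Array<X509Certificate> = delegate.acceptedIssuers

    private fun isValidAt(cert: X509Certificate, at: Date): Boolean =
        runCatching { cert.checkValidity(at) }.isSuccess

    private fun requireCurrentlyValid(chain: Array<X509Certificate>) {
        val at = now()
        val last = chain.lastOrNull() ?: throw CertificateException("empty certificate chain")
        // Every certificate the peer presented; this covers the case in the
        // question, where the presented certificate is the anchor itself.
        // checkValidity throws CertificateExpiredException or
        // CertificateNotYetValidException, both subclasses of CertificateException.
        chain.forEach { it.checkValidity(at) }
        // Anchors that issued the last presented certificate but were not sent
        // by the peer: at least one of them must be inside its validity period.
        val anchors = delegate.acceptedIssuers.filter { anchor ->
            anchor.subjectX500Principal == last.issuerX500Principal &&
                runCatching { last.verify(anchor.publicKey) }.isSuccess
        }
        if (anchors.isNotEmpty() && anchors.none { isValidAt(it, at) }) {
            throw CertificateException("no currently valid trust anchor for ${last.issuerX500Principal}")
        }
    }
}
```

To use it, pass `ValidityEnforcingTrustManager(trustManager)` to `SSLContext.init` in place of the bare `trustManager`; a handshake that presents the expired anchor then fails with a `CertificateException`.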


