[CBL-1748] X509TrustManager.checkServerTrusted with X509TrustManagerExtensions.checkServerTrusted - Couchbase database

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.8.0
Fix Version/s: 3.0
Component/s: Java, Java-Android
Security Level: Public
Labels:
None

Required Mobile Fields:

Hide
Mandatory:

Show
Mandatory:
Story Points:
1

Description

A forum post pointed out a StackOverflow question that highlights a bug in CBLTrustManager.java:

https://stackoverflow.com/questions/58934384/network-security-configuration-not-working-with-third-party-api

It's a new behaviour of the Android Framework. If your network config contains any <domain-config blocks, Framework throws CertificateException if you call checkServerTrusted(X509Certificate[] certs, String authType) in X509TrustManager. So instead you should use X509TrustManagerExtensions

Attachments

Issue Links

backports to

CBL-1984 [Backport] Support domain specific server authentication

Closed

is duplicated by

CBL-1955 Support domain specific server authentication

Closed

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

Ascending order - Click to sort in descending order

Blake Meike added a comment - 27/May/21 12:35 PM

Comment from ~~CBL-1955~~:

To my complete amazement, we did support domain specific server authentication, in v2.7 and broke it in 2.8.

Conscrypt, the subsystem to which OkHttp delegates for TLS authentication, attempts to call a method with the signature checkServerTrusted (X509Certificate[], String, String), by reflection. In 2.7 we used Android's default trust manager, which did have such a method. In 2.8, to support our new Listener modes, we install our own custom trust manager and proxy most calls to the default. Our custom trust manager, however, does not have the method. Conscrypt falls back to using the default method checkServerTrusted (X509Certificate[], String), which fails if the app has a network-security-config.

I believe that this fix is, simply, to add the missing signature and to proxy it to the default manager.

Pasin suggests just installing the DefaultTrustManager whe useDefaultTrustManager(). While an elegant solution, that means that Conscrypt will try two method calls by introspection, before it falls back to the normal method, when using our CBLTrustManager. That's a fair amount of overhead.

Here's relevant documentation:
https://issues.couchbase.com/browse/CBL-1955
https://developer.android.com/training/articles/security-config
https://developer.android.com/reference/android/net/http/X509TrustManagerExtensions
https://square.github.io/okhttp/4.x/okhttp/okhttp3/-ok-http-client/-builder/ssl-socket-factory/

Blake Meike added a comment - 27/May/21 12:35 PM Comment from CBL-1955 : To my complete amazement, we did support domain specific server authentication, in v2.7 and broke it in 2.8. Conscrypt, the subsystem to which OkHttp delegates for TLS authentication, attempts to call a method with the signature checkServerTrusted (X509Certificate[], String, String), by reflection. In 2.7 we used Android's default trust manager, which did have such a method. In 2.8, to support our new Listener modes, we install our own custom trust manager and proxy most calls to the default. Our custom trust manager, however, does not have the method. Conscrypt falls back to using the default method checkServerTrusted (X509Certificate[], String), which fails if the app has a network-security-config. I believe that this fix is, simply, to add the missing signature and to proxy it to the default manager. Pasin suggests just installing the DefaultTrustManager whe useDefaultTrustManager(). While an elegant solution, that means that Conscrypt will try two method calls by introspection, before it falls back to the normal method, when using our CBLTrustManager. That's a fair amount of overhead. Here's relevant documentation: https://issues.couchbase.com/browse/CBL-1955 https://developer.android.com/training/articles/security-config https://developer.android.com/reference/android/net/http/X509TrustManagerExtensions https://square.github.io/okhttp/4.x/okhttp/okhttp3/-ok-http-client/-builder/ssl-socket-factory/

Blake Meike added a comment - 28/May/21 11:21 AM

proto-solution in coucbase-lite-java-common @ 23e5eae526459ea986.

Needs extensive testing. Bugs against it to be filed separately.

Blake Meike added a comment - 28/May/21 11:21 AM proto-solution in coucbase-lite-java-common @ 23e5eae526459ea986. Needs extensive testing. Bugs against it to be filed separately.

Couchbase Build Team added a comment - 28/May/21 12:12 PM

Build couchbase-lite-android-3.0.0-118 contains couchbase-lite-java-common commit 23e5eae with commit message:
~~CBL-1748~~: Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 28/May/21 12:12 PM Build couchbase-lite-android-3.0.0-118 contains couchbase-lite-java-common commit 23e5eae with commit message: CBL-1748 : Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 28/May/21 12:12 PM

Build couchbase-lite-android-3.0.0-118 contains couchbase-lite-java-ee-root commit 69d8374 with commit message:
~~CBL-1748~~: Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 28/May/21 12:12 PM Build couchbase-lite-android-3.0.0-118 contains couchbase-lite-java-ee-root commit 69d8374 with commit message: CBL-1748 : Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 28/May/21 12:17 PM

Build couchbase-lite-java-3.0.0-118 contains couchbase-lite-java-common commit 23e5eae with commit message:
~~CBL-1748~~: Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 28/May/21 12:17 PM Build couchbase-lite-java-3.0.0-118 contains couchbase-lite-java-common commit 23e5eae with commit message: CBL-1748 : Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 28/May/21 12:18 PM

Build couchbase-lite-java-3.0.0-118 contains couchbase-lite-java-ee-root commit 69d8374 with commit message:
~~CBL-1748~~: Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 28/May/21 12:18 PM Build couchbase-lite-java-3.0.0-118 contains couchbase-lite-java-ee-root commit 69d8374 with commit message: CBL-1748 : Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 01/Jun/21 2:17 PM

Build couchbase-lite-java-3.0.0-119 contains couchbase-lite-java-ee-root commit 9ad30b6 with commit message:
~~CBL-1748~~: Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 01/Jun/21 2:17 PM Build couchbase-lite-java-3.0.0-119 contains couchbase-lite-java-ee-root commit 9ad30b6 with commit message: CBL-1748 : Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 01/Jun/21 3:06 PM

Build couchbase-lite-android-3.0.0-119 contains couchbase-lite-java-ee-root commit 9ad30b6 with commit message:
~~CBL-1748~~: Support domain-specific validation: first attempt

Couchbase Build Team added a comment - 01/Jun/21 3:06 PM Build couchbase-lite-android-3.0.0-119 contains couchbase-lite-java-ee-root commit 9ad30b6 with commit message: CBL-1748 : Support domain-specific validation: first attempt

People

Assignee:: The Lite

Reporter:: Blake Meike

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 11/Mar/21 12:32 PM

Updated:: 10/Aug/21 7:40 AM

Resolved:: 28/May/21 11:21 AM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

Gerrit Reviews

There are no open Gerrit changes

PagerDuty

Couchbase Lite

Details

Description

Attachments

Issue Links

Gerrit Reviews

Activity

People

Dates

Time Tracking

Gerrit Reviews

PagerDuty