diff --git a/app/src/main/kotlin/com/github/gotify/GotifyApplication.kt b/app/src/main/kotlin/com/github/gotify/GotifyApplication.kt
index 8f75c2b..1155371 100644
--- a/app/src/main/kotlin/com/github/gotify/GotifyApplication.kt
+++ b/app/src/main/kotlin/com/github/gotify/GotifyApplication.kt
@@ -33,9 +33,8 @@ class GotifyApplication : Application() {
 val settings = Settings(this)
 if (settings.legacyCert != null) {
 Logger.info("Migrating legacy CA cert to new location")
- var legacyCert: String? = null
 try {
- legacyCert = settings.legacyCert
+ val legacyCert = settings.legacyCert
 settings.legacyCert = null
 val caCertFile = File(settings.filesDir, CertUtils.CA_CERT_NAME)
 FileOutputStream(caCertFile).use {
diff --git a/app/src/main/kotlin/com/github/gotify/api/CertUtils.kt b/app/src/main/kotlin/com/github/gotify/api/CertUtils.kt
index d9739e1..3d15a9d 100644
--- a/app/src/main/kotlin/com/github/gotify/api/CertUtils.kt
+++ b/app/src/main/kotlin/com/github/gotify/api/CertUtils.kt
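Review bot: `settings.legacyCert = null` runs before a single byte of the certificate has been written, so if `FileOutputStream(caCertFile)` or the write inside `use` throws, the only copy of the user's CA is already gone and the migration cannot be retried on the next start. Keep the new `val legacyCert = settings.legacyCert`, but move `settings.legacyCert = null` to after the `use { ... }` block completes so the legacy value is cleared only once the file exists on disk. The `try` body and its handler continue outside the hunk, so whether the catch already compensates for a failed write cannot be seen from here.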
@@ -49,40 +49,33 @@ internal object CertUtils {
 fun applySslSettings(builder: OkHttpClient.Builder, settings: SSLSettings) {
 // Modified from ApiClient.applySslSettings in the client package.
 try {
- var customManagers = false
- var trustManagers: Array? = null
- var keyManagers: Array? = null
- if (settings.caCertPath != null) {
- val tempTrustManagers = certToTrustManager(settings.caCertPath)
- if (tempTrustManagers.isNotEmpty()) {
- trustManagers = tempTrustManagers
- customManagers = true
- }
- }
- if (settings.clientCertPath != null) {
- val tempKeyManagers = certToKeyManager(
- settings.clientCertPath,
- settings.clientCertPassword
- )
- if (tempKeyManagers.isNotEmpty()) {
- keyManagers = tempKeyManagers
- customManagers = true
- }
- }
- if (!settings.validateSSL) {
- trustManagers = arrayOf(trustAll)
+ val trustManagers = mutableSetOf()
+ val keyManagers = mutableSetOf()
+ if (settings.validateSSL) {
+ // Custom SSL validation
+ settings.caCertPath?.let { trustManagers.addAll(certToTrustManager(it)) }
+ } else {
+ // Disable SSL validation
+ trustManagers.add(trustAll)
 builder.hostnameVerifier { _, _ -> true }
 }
- if (customManagers || !settings.validateSSL) {
- val context = SSLContext.getInstance("TLS")
- context.init(keyManagers, trustManagers, SecureRandom())
- if (trustManagers == null) {
+ settings.clientCertPath?.let {
+ keyManagers.addAll(certToKeyManager(it, settings.clientCertPassword))
+ }
+ if (trustManagers.isNotEmpty() || keyManagers.isNotEmpty()) {
+ if (trustManagers.isEmpty()) {
 // Fall back to system trust managers
- trustManagers = defaultSystemTrustManager()
+ trustManagers.addAll(defaultSystemTrustManager())
 }
+ val context = SSLContext.getInstance("TLS")
+ context.init(
+ keyManagers.toTypedArray(),
+ trustManagers.toTypedArray(),
+ SecureRandom()
+ )
 builder.sslSocketFactory(
 context.socketFactory,
- trustManagers[0] as X509TrustManager
+ trustManagers.elementAt(0) as X509TrustManager
 )
 }
 } catch (e: Exception) {
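Review bot: The `else` branch that adds `trustAll` and installs `builder.hostnameVerifier { _, _ -> true }` disables both chain validation and hostname checking with no runtime signal, so a device left with `validateSSL = false` connects silently to whatever answers on the configured host. If the `Logger` used in GotifyApplication is in scope here, a `Logger.warn("TLS validation disabled by settings; server identity is not verified")` beside the existing `// Disable SSL validation` comment would make that state visible in logs and bug reports. Separately, `trustManagers` is a `MutableSet` whose first element is later handed to OkHttp via `trustManagers.elementAt(0) as X509TrustManager`; that relies on insertion order and on the first element being an `X509TrustManager`, which `mutableListOf<TrustManager>()` together with `trustManagers.filterIsInstance<X509TrustManager>().first()` would state explicitly (the reference JSSE likewise honours only the first `X509TrustManager` passed to `SSLContext.init`, so a list makes that constraint legible). Any failure on this path, including that cast, lands in the `catch (e: Exception)` whose body lies outside the hunk; if that handler only logs, a malformed custom CA file presumably leaves the client on OkHttp's default trust store rather than failing closed, which is worth confirming.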
@@ -114,8 +107,9 @@ internal object CertUtils { require(certPassword != null) { "empty client certificate password" } val keyStore = KeyStore.getInstance("PKCS12") - val inputStream = FileInputStream(File(certPath)) - keyStore.load(inputStream, certPassword.toCharArray()) + FileInputStream(File(certPath)).use { + keyStore.load(it, certPassword.toCharArray()) + } val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()) keyManagerFactory.init(keyStore, certPassword.toCharArray())