Add support for server certificate authenticity verification #24
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reviewer: @wlanmac
This addresses part of my concern raised in #23
I personally only have use for EAP-TTLS so I have no need to send client certificates.
In short, this performs server certificate verification upon receipt of a certificate during the handshake when a valid
X509TrustManager
can be found. In order to verify the server certificate dynamically I had to pass the key exchange algorithm into the trust manager. I extended theKeyExchange
interface and created enum values instead of static integers. This allows the enum to hold a name string as well as the integer value. The name string is what is passed to the trust manager dynamically.I also made some changes to how the
KeyUsage
object was constructed in theKeyExchange
implementations since I was getting an IllegalArgumentException during testing. I updated some of the bouncy castle classes so that I could leverageKeyUsage.fromExtensions
. This seemed to alleviate the problem.