Remove Android Jelly Bean reflection-based client certificate hack
Issue description

Android Jelly Bean lacks the APIs we need to implement client certificates in TLS 1.0 and TLS 1.1. We instead have this horrendous logic to use reflection to reach into Conscrypt's internals, grab an OpenSSL pointer, and call into it.
https://cs.chromium.org/chromium/src/net/ssl/ssl_platform_key_android.cc?rcl=6d1fb85d01882236ade0cf0d2029608c3acae174&l=203

With JB support gone, we can remove that code!

This is in //net, so it is reachable from Cronet, but Cronet does not support client certificates, per the code below (+mef to confirm).
https://cs.chromium.org/chromium/src/components/cronet/cronet_url_request.cc?rcl=4d13f0f57596b2d4fdafc3cfa21675498dc3203f&l=202

If Cronet, in the future, tries to add client certificates, they can always reimplement this mess in components/cronet as a custom SSLPrivateKey implementation. However, it only affects TLS 1.0 and 1.1, which are 10 years obsolete and are being disabled by default in the future, so just saying that it only works for TLS 1.2+ in Jelly Bean seems a pretty solid solution to this hypothetical.
https://security.googleblog.com/2018/10/modernizing-transport-security.html
Jan 18 (4 days ago)
Great! For other bits (dependency on X509TrustManagerExtensions), should we add a bug or something to track Cronet's JB support? The email said we should mark those with a comment. If that comment had a pointer to a bug, then we'd know where to look to see if support's since been dropped.
Jan 18 (4 days ago)
(To that end, even dropping 4.1 (JB) while keeping 4.2 (JB MR1) support would let us clean up the X509Util.java code.)
Jan 18 (4 days ago)
I think we should add a comment like this to places where we keep JellyBean support for Cronet:

// TODO(https://crbug.com/922656): Remove only after Cronet support for JellyBean is deprecated.
Today (12 hours ago)
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/54d1ef7c66366649d50161a76a3dbc92fb8ba436

commit 54d1ef7c66366649d50161a76a3dbc92fb8ba436
Author: David Benjamin <davidben@chromium.org>
Date: Tue Jan 22 17:51:36 2019

Remove JB reflection-based client certificate hack.

Bug: 923487
Change-Id: I3f24df501ed0e91a9d3df174bf6367a839fa9386
Reviewed-on: https://chromium-review.googlesource.com/c/1423157
Auto-Submit: David Benjamin <davidben@chromium.org>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#624823}

[modify] https://crrev.com/54d1ef7c66366649d50161a76a3dbc92fb8ba436/net/BUILD.gn
[modify] https://crrev.com/54d1ef7c66366649d50161a76a3dbc92fb8ba436/net/android/java/src/org/chromium/net/AndroidKeyStore.java
[modify] https://crrev.com/54d1ef7c66366649d50161a76a3dbc92fb8ba436/net/android/keystore.cc
[modify] https://crrev.com/54d1ef7c66366649d50161a76a3dbc92fb8ba436/net/android/keystore.h
[delete] https://crrev.com/601e1a883e2d2163657a18b0422a55e7a3ac8300/net/android/legacy_openssl.h
[modify] https://crrev.com/54d1ef7c66366649d50161a76a3dbc92fb8ba436/net/ssl/ssl_platform_key_android.cc
Today (11 hours ago)
Comment 1 by mef@chromium.org, Jan 18 (4 days ago)