1 files changed, 162 insertions, 0 deletions

diff --git a/WordPress/src/main/java/org/xmlrpc/android/TrustUserSSLCertsSocketFactory.java b/WordPress/src/main/java/org/xmlrpc/android/TrustUserSSLCertsSocketFactory.java
new file mode 100644
index 000000000..007b218cc
--- /dev/null
+++ b/WordPress/src/main/java/org/xmlrpc/android/TrustUserSSLCertsSocketFactory.java
@@ -0,0 +1,162 @@
+package org.xmlrpc.android;
+
+import android.annotation.SuppressLint;
+import android.net.SSLCertificateSocketFactory;
+import android.os.Build;
+
+import org.apache.http.conn.scheme.SocketFactory;
+import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
+import org.apache.http.conn.ssl.SSLSocketFactory;
+
+import org.wordpress.android.networking.SelfSignedSSLCertsManager;
+import org.wordpress.android.networking.WPTrustManager;
+import org.wordpress.android.util.AppLog;
+import org.wordpress.android.util.AppLog.T;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.security.GeneralSecurityException;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+
+
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+
+
+/**
+ * Custom SSLSocketFactory that adds Self-Signed (trusted) certificates,
+ * and SNI support.
+ *
+ * Loosely based on: http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache-httpclient
+ *
+ * Ref: https://github.com/wordpress-mobile/WordPress-Android/issues/1288
+ *
+ */
+public class TrustUserSSLCertsSocketFactory extends SSLSocketFactory {
+    private SSLCertificateSocketFactory mFactory;
+    private static final BrowserCompatHostnameVerifier mHostnameVerifier = new BrowserCompatHostnameVerifier();
+
+    public TrustUserSSLCertsSocketFactory() throws IOException, GeneralSecurityException {
+        super(null);
+        // No handshake timeout used
+        mFactory = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0);
+        TrustManager[] trustAllowedCerts;
+        try {
+            trustAllowedCerts = new TrustManager[]{
+                    new WPTrustManager(SelfSignedSSLCertsManager.getInstance(null).getLocalKeyStore())
+            };
+            mFactory.setTrustManagers(trustAllowedCerts);
+        } catch (GeneralSecurityException e1) {
+            AppLog.e(T.API, "Cannot set TrustAllSSLSocketFactory on our factory. Proceding without it...", e1);
+        }
+    }
+
+    public static SocketFactory getDefault() throws IOException, GeneralSecurityException {
+        return new TrustUserSSLCertsSocketFactory();
+    }
+
+    public Socket createSocket() throws IOException {
+        return mFactory.createSocket();
+    }
+
+    @Override
+    public Socket createSocket(Socket plainSocket, String host, int port, boolean autoClose) throws IOException {
+        if (autoClose) {
+            // we don't need the plainSocket
+            plainSocket.close();
+        }
+
+        SSLSocket ssl = (SSLSocket) mFactory.createSocket(InetAddress.getByName(host), port);
+        return enableSNI(ssl, host);
+    }
+
+    @SuppressLint("NewApi")
+    private Socket enableSNI(SSLSocket ssl, String host) throws SSLPeerUnverifiedException {
+        // enable TLSv1.1/1.2 if available
+        // (see https://github.com/rfc2822/davdroid/issues/229)
+        ssl.setEnabledProtocols(ssl.getSupportedProtocols());
+
+        // set up SNI before the handshake
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
+            AppLog.i(T.API, "Setting SNI hostname");
+            mFactory.setHostname(ssl, host);
+        } else {
+            AppLog.i(T.API,  "No documented SNI support on Android <4.2, trying with reflection");
+            try {
+                java.lang.reflect.Method setHostnameMethod = ssl.getClass().getMethod("setHostname", String.class);
+                setHostnameMethod.invoke(ssl, host);
+            } catch (Exception e) {
+                AppLog.e(T.API, "SNI not useable", e);
+            }
+        }
+
+        // verify hostname and certificate
+        SSLSession session = ssl.getSession();
+        if (!mHostnameVerifier.verify(host, session)) {
+            // the verify failed. We need to check if the current certificate is in Trusted Store.
+            try {
+                Certificate[] errorChain = ssl.getSession().getPeerCertificates();
+                X509Certificate[] X509CertificateChain = new X509Certificate[errorChain.length];
+                for (int i = 0; i < errorChain.length; i++) {
+                    X509Certificate x509Certificate = (X509Certificate) errorChain[0];
+                    X509CertificateChain[i] = x509Certificate;
+                }
+
+                if (X509CertificateChain.length == 0) {
+                    throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
+                }
+
+                if (!SelfSignedSSLCertsManager.getInstance(null).isCertificateTrusted(X509CertificateChain[0])) {
+                    SelfSignedSSLCertsManager.getInstance(null).setLastFailureChain(X509CertificateChain);
+                    throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
+                }
+            } catch (GeneralSecurityException e) {
+                AppLog.e(T.API, "GeneralSecurityException occurred when trying to verify a certificate that has failed" +
+                        " the host name verifier check", e);
+                throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
+            } catch (IOException e) {
+                AppLog.e(T.API, "IOException occurred when trying to verify a certificate that has failed" +
+                        " the host name verifier check", e);
+                throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
+            } catch (Exception e) {
+                // We don't want crash the app here for an unexpected error
+                AppLog.e(T.API, "An Exception occurred when trying to verify a certificate that has failed" +
+                        " the host name verifier check", e);
+                throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
+            }
+        }
+
+        AppLog.i(T.API, "Established " + session.getProtocol()
+                + " connection with " + session.getPeerHost()
+                + " using " + session.getCipherSuite());
+
+        return ssl;
+    }
+
+    public Socket createSocket(InetAddress inaddr, int i, InetAddress inaddr1, int j) throws IOException {
+       SSLSocket ssl =  (SSLSocket) mFactory.createSocket(inaddr, i, inaddr1, j);
+       return enableSNI(ssl, inaddr.getHostName());
+    }
+
+    public Socket createSocket(InetAddress inaddr, int i) throws IOException {
+        SSLSocket ssl =  (SSLSocket) mFactory.createSocket(inaddr, i);
+        return enableSNI(ssl, inaddr.getHostName());
+    }
+
+    public Socket createSocket(String s, int i, InetAddress inaddr, int j) throws IOException {
+       SSLSocket ssl =  (SSLSocket) mFactory.createSocket(s, i, inaddr, j);
+       return enableSNI(ssl, inaddr.getHostName());
+    }
+
+    public Socket createSocket(String s, int i) throws IOException {
+        SSLSocket ssl =  (SSLSocket) mFactory.createSocket(s, i);
+        return enableSNI(ssl, s);
+    }
+
+    public String[] getDefaultCipherSuites() { return mFactory.getDefaultCipherSuites(); }
+    public String[] getSupportedCipherSuites() { return mFactory.getSupportedCipherSuites(); }
+}