diff options
Diffstat (limited to 'WordPress/src/main/java/org/xmlrpc/android/TrustUserSSLCertsSocketFactory.java')
-rw-r--r-- | WordPress/src/main/java/org/xmlrpc/android/TrustUserSSLCertsSocketFactory.java | 162 |
1 files changed, 162 insertions, 0 deletions
diff --git a/WordPress/src/main/java/org/xmlrpc/android/TrustUserSSLCertsSocketFactory.java b/WordPress/src/main/java/org/xmlrpc/android/TrustUserSSLCertsSocketFactory.java new file mode 100644 index 000000000..007b218cc --- /dev/null +++ b/WordPress/src/main/java/org/xmlrpc/android/TrustUserSSLCertsSocketFactory.java @@ -0,0 +1,162 @@ +package org.xmlrpc.android; + +import android.annotation.SuppressLint; +import android.net.SSLCertificateSocketFactory; +import android.os.Build; + +import org.apache.http.conn.scheme.SocketFactory; +import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier; +import org.apache.http.conn.ssl.SSLSocketFactory; + +import org.wordpress.android.networking.SelfSignedSSLCertsManager; +import org.wordpress.android.networking.WPTrustManager; +import org.wordpress.android.util.AppLog; +import org.wordpress.android.util.AppLog.T; + +import java.io.IOException; +import java.net.InetAddress; +import java.net.Socket; +import java.security.GeneralSecurityException; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; + + +import javax.net.ssl.SSLPeerUnverifiedException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.TrustManager; + + +/** + * Custom SSLSocketFactory that adds Self-Signed (trusted) certificates, + * and SNI support. + * + * Loosely based on: http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache-httpclient + * + * Ref: https://github.com/wordpress-mobile/WordPress-Android/issues/1288 + * + */ +public class TrustUserSSLCertsSocketFactory extends SSLSocketFactory { + private SSLCertificateSocketFactory mFactory; + private static final BrowserCompatHostnameVerifier mHostnameVerifier = new BrowserCompatHostnameVerifier(); + + public TrustUserSSLCertsSocketFactory() throws IOException, GeneralSecurityException { + super(null); + // No handshake timeout used + mFactory = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0); + TrustManager[] trustAllowedCerts; + try { + trustAllowedCerts = new TrustManager[]{ + new WPTrustManager(SelfSignedSSLCertsManager.getInstance(null).getLocalKeyStore()) + }; + mFactory.setTrustManagers(trustAllowedCerts); + } catch (GeneralSecurityException e1) { + AppLog.e(T.API, "Cannot set TrustAllSSLSocketFactory on our factory. Proceding without it...", e1); + } + } + + public static SocketFactory getDefault() throws IOException, GeneralSecurityException { + return new TrustUserSSLCertsSocketFactory(); + } + + public Socket createSocket() throws IOException { + return mFactory.createSocket(); + } + + @Override + public Socket createSocket(Socket plainSocket, String host, int port, boolean autoClose) throws IOException { + if (autoClose) { + // we don't need the plainSocket + plainSocket.close(); + } + + SSLSocket ssl = (SSLSocket) mFactory.createSocket(InetAddress.getByName(host), port); + return enableSNI(ssl, host); + } + + @SuppressLint("NewApi") + private Socket enableSNI(SSLSocket ssl, String host) throws SSLPeerUnverifiedException { + // enable TLSv1.1/1.2 if available + // (see https://github.com/rfc2822/davdroid/issues/229) + ssl.setEnabledProtocols(ssl.getSupportedProtocols()); + + // set up SNI before the handshake + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) { + AppLog.i(T.API, "Setting SNI hostname"); + mFactory.setHostname(ssl, host); + } else { + AppLog.i(T.API, "No documented SNI support on Android <4.2, trying with reflection"); + try { + java.lang.reflect.Method setHostnameMethod = ssl.getClass().getMethod("setHostname", String.class); + setHostnameMethod.invoke(ssl, host); + } catch (Exception e) { + AppLog.e(T.API, "SNI not useable", e); + } + } + + // verify hostname and certificate + SSLSession session = ssl.getSession(); + if (!mHostnameVerifier.verify(host, session)) { + // the verify failed. We need to check if the current certificate is in Trusted Store. + try { + Certificate[] errorChain = ssl.getSession().getPeerCertificates(); + X509Certificate[] X509CertificateChain = new X509Certificate[errorChain.length]; + for (int i = 0; i < errorChain.length; i++) { + X509Certificate x509Certificate = (X509Certificate) errorChain[0]; + X509CertificateChain[i] = x509Certificate; + } + + if (X509CertificateChain.length == 0) { + throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); + } + + if (!SelfSignedSSLCertsManager.getInstance(null).isCertificateTrusted(X509CertificateChain[0])) { + SelfSignedSSLCertsManager.getInstance(null).setLastFailureChain(X509CertificateChain); + throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); + } + } catch (GeneralSecurityException e) { + AppLog.e(T.API, "GeneralSecurityException occurred when trying to verify a certificate that has failed" + + " the host name verifier check", e); + throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); + } catch (IOException e) { + AppLog.e(T.API, "IOException occurred when trying to verify a certificate that has failed" + + " the host name verifier check", e); + throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); + } catch (Exception e) { + // We don't want crash the app here for an unexpected error + AppLog.e(T.API, "An Exception occurred when trying to verify a certificate that has failed" + + " the host name verifier check", e); + throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); + } + } + + AppLog.i(T.API, "Established " + session.getProtocol() + + " connection with " + session.getPeerHost() + + " using " + session.getCipherSuite()); + + return ssl; + } + + public Socket createSocket(InetAddress inaddr, int i, InetAddress inaddr1, int j) throws IOException { + SSLSocket ssl = (SSLSocket) mFactory.createSocket(inaddr, i, inaddr1, j); + return enableSNI(ssl, inaddr.getHostName()); + } + + public Socket createSocket(InetAddress inaddr, int i) throws IOException { + SSLSocket ssl = (SSLSocket) mFactory.createSocket(inaddr, i); + return enableSNI(ssl, inaddr.getHostName()); + } + + public Socket createSocket(String s, int i, InetAddress inaddr, int j) throws IOException { + SSLSocket ssl = (SSLSocket) mFactory.createSocket(s, i, inaddr, j); + return enableSNI(ssl, inaddr.getHostName()); + } + + public Socket createSocket(String s, int i) throws IOException { + SSLSocket ssl = (SSLSocket) mFactory.createSocket(s, i); + return enableSNI(ssl, s); + } + + public String[] getDefaultCipherSuites() { return mFactory.getDefaultCipherSuites(); } + public String[] getSupportedCipherSuites() { return mFactory.getSupportedCipherSuites(); } +} |