| package org.xmlrpc.android; |
| |
| import android.annotation.SuppressLint; |
| import android.net.SSLCertificateSocketFactory; |
| import android.os.Build; |
| |
| import org.apache.http.conn.scheme.SocketFactory; |
| import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier; |
| import org.apache.http.conn.ssl.SSLSocketFactory; |
| |
| import org.wordpress.android.networking.SelfSignedSSLCertsManager; |
| import org.wordpress.android.networking.WPTrustManager; |
| import org.wordpress.android.util.AppLog; |
| import org.wordpress.android.util.AppLog.T; |
| |
| import java.io.IOException; |
| import java.net.InetAddress; |
| import java.net.Socket; |
| import java.security.GeneralSecurityException; |
| import java.security.cert.Certificate; |
| import java.security.cert.X509Certificate; |
| |
| |
| import javax.net.ssl.SSLPeerUnverifiedException; |
| import javax.net.ssl.SSLSession; |
| import javax.net.ssl.SSLSocket; |
| import javax.net.ssl.TrustManager; |
| |
| |
| /** |
| * Custom SSLSocketFactory that adds Self-Signed (trusted) certificates, |
| * and SNI support. |
| * |
| * Loosely based on: http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache-httpclient |
| * |
| * Ref: https://github.com/wordpress-mobile/WordPress-Android/issues/1288 |
| * |
| */ |
| public class TrustUserSSLCertsSocketFactory extends SSLSocketFactory { |
| private SSLCertificateSocketFactory mFactory; |
| private static final BrowserCompatHostnameVerifier mHostnameVerifier = new BrowserCompatHostnameVerifier(); |
| |
| public TrustUserSSLCertsSocketFactory() throws IOException, GeneralSecurityException { |
| super(null); |
| // No handshake timeout used |
| mFactory = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0); |
| TrustManager[] trustAllowedCerts; |
| try { |
| trustAllowedCerts = new TrustManager[]{ |
| new WPTrustManager(SelfSignedSSLCertsManager.getInstance(null).getLocalKeyStore()) |
| }; |
| mFactory.setTrustManagers(trustAllowedCerts); |
| } catch (GeneralSecurityException e1) { |
| AppLog.e(T.API, "Cannot set TrustAllSSLSocketFactory on our factory. Proceding without it...", e1); |
| } |
| } |
| |
| public static SocketFactory getDefault() throws IOException, GeneralSecurityException { |
| return new TrustUserSSLCertsSocketFactory(); |
| } |
| |
| public Socket createSocket() throws IOException { |
| return mFactory.createSocket(); |
| } |
| |
| @Override |
| public Socket createSocket(Socket plainSocket, String host, int port, boolean autoClose) throws IOException { |
| if (autoClose) { |
| // we don't need the plainSocket |
| plainSocket.close(); |
| } |
| |
| SSLSocket ssl = (SSLSocket) mFactory.createSocket(InetAddress.getByName(host), port); |
| return enableSNI(ssl, host); |
| } |
| |
| @SuppressLint("NewApi") |
| private Socket enableSNI(SSLSocket ssl, String host) throws SSLPeerUnverifiedException { |
| // enable TLSv1.1/1.2 if available |
| // (see https://github.com/rfc2822/davdroid/issues/229) |
| ssl.setEnabledProtocols(ssl.getSupportedProtocols()); |
| |
| // set up SNI before the handshake |
| if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) { |
| AppLog.i(T.API, "Setting SNI hostname"); |
| mFactory.setHostname(ssl, host); |
| } else { |
| AppLog.i(T.API, "No documented SNI support on Android <4.2, trying with reflection"); |
| try { |
| java.lang.reflect.Method setHostnameMethod = ssl.getClass().getMethod("setHostname", String.class); |
| setHostnameMethod.invoke(ssl, host); |
| } catch (Exception e) { |
| AppLog.e(T.API, "SNI not useable", e); |
| } |
| } |
| |
| // verify hostname and certificate |
| SSLSession session = ssl.getSession(); |
| if (!mHostnameVerifier.verify(host, session)) { |
| // the verify failed. We need to check if the current certificate is in Trusted Store. |
| try { |
| Certificate[] errorChain = ssl.getSession().getPeerCertificates(); |
| X509Certificate[] X509CertificateChain = new X509Certificate[errorChain.length]; |
| for (int i = 0; i < errorChain.length; i++) { |
| X509Certificate x509Certificate = (X509Certificate) errorChain[0]; |
| X509CertificateChain[i] = x509Certificate; |
| } |
| |
| if (X509CertificateChain.length == 0) { |
| throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); |
| } |
| |
| if (!SelfSignedSSLCertsManager.getInstance(null).isCertificateTrusted(X509CertificateChain[0])) { |
| SelfSignedSSLCertsManager.getInstance(null).setLastFailureChain(X509CertificateChain); |
| throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); |
| } |
| } catch (GeneralSecurityException e) { |
| AppLog.e(T.API, "GeneralSecurityException occurred when trying to verify a certificate that has failed" + |
| " the host name verifier check", e); |
| throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); |
| } catch (IOException e) { |
| AppLog.e(T.API, "IOException occurred when trying to verify a certificate that has failed" + |
| " the host name verifier check", e); |
| throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); |
| } catch (Exception e) { |
| // We don't want crash the app here for an unexpected error |
| AppLog.e(T.API, "An Exception occurred when trying to verify a certificate that has failed" + |
| " the host name verifier check", e); |
| throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host); |
| } |
| } |
| |
| AppLog.i(T.API, "Established " + session.getProtocol() |
| + " connection with " + session.getPeerHost() |
| + " using " + session.getCipherSuite()); |
| |
| return ssl; |
| } |
| |
| public Socket createSocket(InetAddress inaddr, int i, InetAddress inaddr1, int j) throws IOException { |
| SSLSocket ssl = (SSLSocket) mFactory.createSocket(inaddr, i, inaddr1, j); |
| return enableSNI(ssl, inaddr.getHostName()); |
| } |
| |
| public Socket createSocket(InetAddress inaddr, int i) throws IOException { |
| SSLSocket ssl = (SSLSocket) mFactory.createSocket(inaddr, i); |
| return enableSNI(ssl, inaddr.getHostName()); |
| } |
| |
| public Socket createSocket(String s, int i, InetAddress inaddr, int j) throws IOException { |
| SSLSocket ssl = (SSLSocket) mFactory.createSocket(s, i, inaddr, j); |
| return enableSNI(ssl, inaddr.getHostName()); |
| } |
| |
| public Socket createSocket(String s, int i) throws IOException { |
| SSLSocket ssl = (SSLSocket) mFactory.createSocket(s, i); |
| return enableSNI(ssl, s); |
| } |
| |
| public String[] getDefaultCipherSuites() { return mFactory.getDefaultCipherSuites(); } |
| public String[] getSupportedCipherSuites() { return mFactory.getSupportedCipherSuites(); } |
| } |