WordPress/src/main/java/org/xmlrpc/android/TrustUserSSLCertsSocketFactory.java - platform/external/gradle-perf-android-medium - Git at Google

 package org.xmlrpc.android;

 import android.annotation.SuppressLint;
 import android.net.SSLCertificateSocketFactory;
 import android.os.Build;

 import org.apache.http.conn.scheme.SocketFactory;
 import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
 import org.apache.http.conn.ssl.SSLSocketFactory;

 import org.wordpress.android.networking.SelfSignedSSLCertsManager;
 import org.wordpress.android.networking.WPTrustManager;
 import org.wordpress.android.util.AppLog;
 import org.wordpress.android.util.AppLog.T;

 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
 import java.security.GeneralSecurityException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;


 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;


 /**
  * Custom SSLSocketFactory that adds Self-Signed (trusted) certificates,
  * and SNI support.
  *
  * Loosely based on: http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache-httpclient
  *
  * Ref: https://github.com/wordpress-mobile/WordPress-Android/issues/1288
  *
  */
 public class TrustUserSSLCertsSocketFactory extends SSLSocketFactory {
     private SSLCertificateSocketFactory mFactory;
     private static final BrowserCompatHostnameVerifier mHostnameVerifier = new BrowserCompatHostnameVerifier();

     public TrustUserSSLCertsSocketFactory() throws IOException, GeneralSecurityException {
         super(null);
         // No handshake timeout used
         mFactory = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0);
         TrustManager[] trustAllowedCerts;
         try {
             trustAllowedCerts = new TrustManager[]{
                     new WPTrustManager(SelfSignedSSLCertsManager.getInstance(null).getLocalKeyStore())
             };
             mFactory.setTrustManagers(trustAllowedCerts);
         } catch (GeneralSecurityException e1) {
             AppLog.e(T.API, "Cannot set TrustAllSSLSocketFactory on our factory. Proceding without it...", e1);
         }
     }

     public static SocketFactory getDefault() throws IOException, GeneralSecurityException {
         return new TrustUserSSLCertsSocketFactory();
     }

     public Socket createSocket() throws IOException {
         return mFactory.createSocket();
     }

     @Override
     public Socket createSocket(Socket plainSocket, String host, int port, boolean autoClose) throws IOException {
         if (autoClose) {
             // we don't need the plainSocket
             plainSocket.close();
         }

         SSLSocket ssl = (SSLSocket) mFactory.createSocket(InetAddress.getByName(host), port);
         return enableSNI(ssl, host);
     }

     @SuppressLint("NewApi")
     private Socket enableSNI(SSLSocket ssl, String host) throws SSLPeerUnverifiedException {
         // enable TLSv1.1/1.2 if available
         // (see https://github.com/rfc2822/davdroid/issues/229)
         ssl.setEnabledProtocols(ssl.getSupportedProtocols());

         // set up SNI before the handshake
         if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
             AppLog.i(T.API, "Setting SNI hostname");
             mFactory.setHostname(ssl, host);
         } else {
             AppLog.i(T.API,  "No documented SNI support on Android <4.2, trying with reflection");
             try {
                 java.lang.reflect.Method setHostnameMethod = ssl.getClass().getMethod("setHostname", String.class);
                 setHostnameMethod.invoke(ssl, host);
             } catch (Exception e) {
                 AppLog.e(T.API, "SNI not useable", e);
             }
         }

         // verify hostname and certificate
         SSLSession session = ssl.getSession();
         if (!mHostnameVerifier.verify(host, session)) {
             // the verify failed. We need to check if the current certificate is in Trusted Store.
             try {
                 Certificate[] errorChain = ssl.getSession().getPeerCertificates();
                 X509Certificate[] X509CertificateChain = new X509Certificate[errorChain.length];
                 for (int i = 0; i < errorChain.length; i++) {
                     X509Certificate x509Certificate = (X509Certificate) errorChain[0];
                     X509CertificateChain[i] = x509Certificate;
                 }

                 if (X509CertificateChain.length == 0) {
                     throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
                 }

                 if (!SelfSignedSSLCertsManager.getInstance(null).isCertificateTrusted(X509CertificateChain[0])) {
                     SelfSignedSSLCertsManager.getInstance(null).setLastFailureChain(X509CertificateChain);
                     throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
                 }
             } catch (GeneralSecurityException e) {
                 AppLog.e(T.API, "GeneralSecurityException occurred when trying to verify a certificate that has failed" +
                         " the host name verifier check", e);
                 throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
             } catch (IOException e) {
                 AppLog.e(T.API, "IOException occurred when trying to verify a certificate that has failed" +
                         " the host name verifier check", e);
                 throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
             } catch (Exception e) {
                 // We don't want crash the app here for an unexpected error
                 AppLog.e(T.API, "An Exception occurred when trying to verify a certificate that has failed" +
                         " the host name verifier check", e);
                 throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
             }
         }

         AppLog.i(T.API, "Established " + session.getProtocol()
                 + " connection with " + session.getPeerHost()
                 + " using " + session.getCipherSuite());

         return ssl;
     }

     public Socket createSocket(InetAddress inaddr, int i, InetAddress inaddr1, int j) throws IOException {
        SSLSocket ssl =  (SSLSocket) mFactory.createSocket(inaddr, i, inaddr1, j);
        return enableSNI(ssl, inaddr.getHostName());
     }

     public Socket createSocket(InetAddress inaddr, int i) throws IOException {
         SSLSocket ssl =  (SSLSocket) mFactory.createSocket(inaddr, i);
         return enableSNI(ssl, inaddr.getHostName());
     }

     public Socket createSocket(String s, int i, InetAddress inaddr, int j) throws IOException {
        SSLSocket ssl =  (SSLSocket) mFactory.createSocket(s, i, inaddr, j);
        return enableSNI(ssl, inaddr.getHostName());
     }

     public Socket createSocket(String s, int i) throws IOException {
         SSLSocket ssl =  (SSLSocket) mFactory.createSocket(s, i);
         return enableSNI(ssl, s);
     }

     public String[] getDefaultCipherSuites() { return mFactory.getDefaultCipherSuites(); }
     public String[] getSupportedCipherSuites() { return mFactory.getSupportedCipherSuites(); }
 }
	package org.xmlrpc.android;

	import android.annotation.SuppressLint;
	import android.net.SSLCertificateSocketFactory;
	import android.os.Build;

	import org.apache.http.conn.scheme.SocketFactory;
	import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
	import org.apache.http.conn.ssl.SSLSocketFactory;

	import org.wordpress.android.networking.SelfSignedSSLCertsManager;
	import org.wordpress.android.networking.WPTrustManager;
	import org.wordpress.android.util.AppLog;
	import org.wordpress.android.util.AppLog.T;

	import java.io.IOException;
	import java.net.InetAddress;
	import java.net.Socket;
	import java.security.GeneralSecurityException;
	import java.security.cert.Certificate;
	import java.security.cert.X509Certificate;


	import javax.net.ssl.SSLPeerUnverifiedException;
	import javax.net.ssl.SSLSession;
	import javax.net.ssl.SSLSocket;
	import javax.net.ssl.TrustManager;


	/**
	* Custom SSLSocketFactory that adds Self-Signed (trusted) certificates,
	* and SNI support.
	*
	* Loosely based on: http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache-httpclient
	*
	* Ref: https://github.com/wordpress-mobile/WordPress-Android/issues/1288
	*
	*/
	public class TrustUserSSLCertsSocketFactory extends SSLSocketFactory {
	private SSLCertificateSocketFactory mFactory;
	private static final BrowserCompatHostnameVerifier mHostnameVerifier = new BrowserCompatHostnameVerifier();

	public TrustUserSSLCertsSocketFactory() throws IOException, GeneralSecurityException {
	super(null);
	// No handshake timeout used
	mFactory = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0);
	TrustManager[] trustAllowedCerts;
	try {
	trustAllowedCerts = new TrustManager[]{
	new WPTrustManager(SelfSignedSSLCertsManager.getInstance(null).getLocalKeyStore())
	};
	mFactory.setTrustManagers(trustAllowedCerts);
	} catch (GeneralSecurityException e1) {
	AppLog.e(T.API, "Cannot set TrustAllSSLSocketFactory on our factory. Proceding without it...", e1);
	}
	}

	public static SocketFactory getDefault() throws IOException, GeneralSecurityException {
	return new TrustUserSSLCertsSocketFactory();
	}

	public Socket createSocket() throws IOException {
	return mFactory.createSocket();
	}

	@Override
	public Socket createSocket(Socket plainSocket, String host, int port, boolean autoClose) throws IOException {
	if (autoClose) {
	// we don't need the plainSocket
	plainSocket.close();
	}

	SSLSocket ssl = (SSLSocket) mFactory.createSocket(InetAddress.getByName(host), port);
	return enableSNI(ssl, host);
	}

	@SuppressLint("NewApi")
	private Socket enableSNI(SSLSocket ssl, String host) throws SSLPeerUnverifiedException {
	// enable TLSv1.1/1.2 if available
	// (see https://github.com/rfc2822/davdroid/issues/229)
	ssl.setEnabledProtocols(ssl.getSupportedProtocols());

	// set up SNI before the handshake
	if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
	AppLog.i(T.API, "Setting SNI hostname");
	mFactory.setHostname(ssl, host);
	} else {
	AppLog.i(T.API, "No documented SNI support on Android <4.2, trying with reflection");
	try {
	java.lang.reflect.Method setHostnameMethod = ssl.getClass().getMethod("setHostname", String.class);
	setHostnameMethod.invoke(ssl, host);
	} catch (Exception e) {
	AppLog.e(T.API, "SNI not useable", e);
	}
	}

	// verify hostname and certificate
	SSLSession session = ssl.getSession();
	if (!mHostnameVerifier.verify(host, session)) {
	// the verify failed. We need to check if the current certificate is in Trusted Store.
	try {
	Certificate[] errorChain = ssl.getSession().getPeerCertificates();
	X509Certificate[] X509CertificateChain = new X509Certificate[errorChain.length];
	for (int i = 0; i < errorChain.length; i++) {
	X509Certificate x509Certificate = (X509Certificate) errorChain[0];
	X509CertificateChain[i] = x509Certificate;
	}

	if (X509CertificateChain.length == 0) {
	throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
	}

	if (!SelfSignedSSLCertsManager.getInstance(null).isCertificateTrusted(X509CertificateChain[0])) {
	SelfSignedSSLCertsManager.getInstance(null).setLastFailureChain(X509CertificateChain);
	throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
	}
	} catch (GeneralSecurityException e) {
	AppLog.e(T.API, "GeneralSecurityException occurred when trying to verify a certificate that has failed" +
	" the host name verifier check", e);
	throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
	} catch (IOException e) {
	AppLog.e(T.API, "IOException occurred when trying to verify a certificate that has failed" +
	" the host name verifier check", e);
	throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
	} catch (Exception e) {
	// We don't want crash the app here for an unexpected error
	AppLog.e(T.API, "An Exception occurred when trying to verify a certificate that has failed" +
	" the host name verifier check", e);
	throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
	}
	}

	AppLog.i(T.API, "Established " + session.getProtocol()
	+ " connection with " + session.getPeerHost()
	+ " using " + session.getCipherSuite());

	return ssl;
	}

	public Socket createSocket(InetAddress inaddr, int i, InetAddress inaddr1, int j) throws IOException {
	SSLSocket ssl = (SSLSocket) mFactory.createSocket(inaddr, i, inaddr1, j);
	return enableSNI(ssl, inaddr.getHostName());
	}

	public Socket createSocket(InetAddress inaddr, int i) throws IOException {
	SSLSocket ssl = (SSLSocket) mFactory.createSocket(inaddr, i);
	return enableSNI(ssl, inaddr.getHostName());
	}

	public Socket createSocket(String s, int i, InetAddress inaddr, int j) throws IOException {
	SSLSocket ssl = (SSLSocket) mFactory.createSocket(s, i, inaddr, j);
	return enableSNI(ssl, inaddr.getHostName());
	}

	public Socket createSocket(String s, int i) throws IOException {
	SSLSocket ssl = (SSLSocket) mFactory.createSocket(s, i);
	return enableSNI(ssl, s);
	}

	public String[] getDefaultCipherSuites() { return mFactory.getDefaultCipherSuites(); }
	public String[] getSupportedCipherSuites() { return mFactory.getSupportedCipherSuites(); }
	}