package org.xmlrpc.android;
import android.annotation.SuppressLint;
import android.net.SSLCertificateSocketFactory;
import android.os.Build;
import org.apache.http.conn.scheme.SocketFactory;
import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.wordpress.android.networking.SelfSignedSSLCertsManager;
import org.wordpress.android.networking.WPTrustManager;
import org.wordpress.android.util.AppLog;
import org.wordpress.android.util.AppLog.T;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
/**
* Custom SSLSocketFactory that adds Self-Signed (trusted) certificates,
* and SNI support.
*
* Loosely based on: http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache-httpclient
*
* Ref: https://github.com/wordpress-mobile/WordPress-Android/issues/1288
*
*/
public class TrustUserSSLCertsSocketFactory extends SSLSocketFactory {
private SSLCertificateSocketFactory mFactory;
private static final BrowserCompatHostnameVerifier mHostnameVerifier = new BrowserCompatHostnameVerifier();
public TrustUserSSLCertsSocketFactory() throws IOException, GeneralSecurityException {
super(null);
// No handshake timeout used
mFactory = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0);
TrustManager[] trustAllowedCerts;
try {
trustAllowedCerts = new TrustManager[]{
new WPTrustManager(SelfSignedSSLCertsManager.getInstance(null).getLocalKeyStore())
};
mFactory.setTrustManagers(trustAllowedCerts);
} catch (GeneralSecurityException e1) {
AppLog.e(T.API, "Cannot set TrustAllSSLSocketFactory on our factory. Proceding without it...", e1);
}
}
public static SocketFactory getDefault() throws IOException, GeneralSecurityException {
return new TrustUserSSLCertsSocketFactory();
}
public Socket createSocket() throws IOException {
return mFactory.createSocket();
}
@Override
public Socket createSocket(Socket plainSocket, String host, int port, boolean autoClose) throws IOException {
if (autoClose) {
// we don't need the plainSocket
plainSocket.close();
}
SSLSocket ssl = (SSLSocket) mFactory.createSocket(InetAddress.getByName(host), port);
return enableSNI(ssl, host);
}
@SuppressLint("NewApi")
private Socket enableSNI(SSLSocket ssl, String host) throws SSLPeerUnverifiedException {
// enable TLSv1.1/1.2 if available
// (see https://github.com/rfc2822/davdroid/issues/229)
ssl.setEnabledProtocols(ssl.getSupportedProtocols());
// set up SNI before the handshake
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
AppLog.i(T.API, "Setting SNI hostname");
mFactory.setHostname(ssl, host);
} else {
AppLog.i(T.API, "No documented SNI support on Android <4.2, trying with reflection");
try {
java.lang.reflect.Method setHostnameMethod = ssl.getClass().getMethod("setHostname", String.class);
setHostnameMethod.invoke(ssl, host);
} catch (Exception e) {
AppLog.e(T.API, "SNI not useable", e);
}
}
// verify hostname and certificate
SSLSession session = ssl.getSession();
if (!mHostnameVerifier.verify(host, session)) {
// the verify failed. We need to check if the current certificate is in Trusted Store.
try {
Certificate[] errorChain = ssl.getSession().getPeerCertificates();
X509Certificate[] X509CertificateChain = new X509Certificate[errorChain.length];
for (int i = 0; i < errorChain.length; i++) {
X509Certificate x509Certificate = (X509Certificate) errorChain[0];
X509CertificateChain[i] = x509Certificate;
}
if (X509CertificateChain.length == 0) {
throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
}
if (!SelfSignedSSLCertsManager.getInstance(null).isCertificateTrusted(X509CertificateChain[0])) {
SelfSignedSSLCertsManager.getInstance(null).setLastFailureChain(X509CertificateChain);
throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
}
} catch (GeneralSecurityException e) {
AppLog.e(T.API, "GeneralSecurityException occurred when trying to verify a certificate that has failed" +
" the host name verifier check", e);
throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
} catch (IOException e) {
AppLog.e(T.API, "IOException occurred when trying to verify a certificate that has failed" +
" the host name verifier check", e);
throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
} catch (Exception e) {
// We don't want crash the app here for an unexpected error
AppLog.e(T.API, "An Exception occurred when trying to verify a certificate that has failed" +
" the host name verifier check", e);
throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
}
}
AppLog.i(T.API, "Established " + session.getProtocol()
+ " connection with " + session.getPeerHost()
+ " using " + session.getCipherSuite());
return ssl;
}
public Socket createSocket(InetAddress inaddr, int i, InetAddress inaddr1, int j) throws IOException {
SSLSocket ssl = (SSLSocket) mFactory.createSocket(inaddr, i, inaddr1, j);
return enableSNI(ssl, inaddr.getHostName());
}
public Socket createSocket(InetAddress inaddr, int i) throws IOException {
SSLSocket ssl = (SSLSocket) mFactory.createSocket(inaddr, i);
return enableSNI(ssl, inaddr.getHostName());
}
public Socket createSocket(String s, int i, InetAddress inaddr, int j) throws IOException {
SSLSocket ssl = (SSLSocket) mFactory.createSocket(s, i, inaddr, j);
return enableSNI(ssl, inaddr.getHostName());
}
public Socket createSocket(String s, int i) throws IOException {
SSLSocket ssl = (SSLSocket) mFactory.createSocket(s, i);
return enableSNI(ssl, s);
}
public String[] getDefaultCipherSuites() { return mFactory.getDefaultCipherSuites(); }
public String[] getSupportedCipherSuites() { return mFactory.getSupportedCipherSuites(); }
}