410 lines
16 KiB
Java
410 lines
16 KiB
Java
/*
|
|
* Copyright (C) 2010 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package com.android.emailcommon.utility;
|
|
|
|
import android.content.ContentUris;
|
|
import android.content.ContentValues;
|
|
import android.content.Context;
|
|
import android.database.Cursor;
|
|
import android.security.KeyChain;
|
|
import android.security.KeyChainException;
|
|
|
|
import com.android.emailcommon.provider.EmailContent.HostAuthColumns;
|
|
import com.android.emailcommon.provider.HostAuth;
|
|
import com.android.mail.utils.LogUtils;
|
|
import com.google.common.annotations.VisibleForTesting;
|
|
|
|
import java.io.ByteArrayInputStream;
|
|
import java.io.IOException;
|
|
import java.net.InetAddress;
|
|
import java.net.Socket;
|
|
import java.security.KeyManagementException;
|
|
import java.security.NoSuchAlgorithmException;
|
|
import java.security.Principal;
|
|
import java.security.PrivateKey;
|
|
import java.security.PublicKey;
|
|
import java.security.cert.Certificate;
|
|
import java.security.cert.CertificateException;
|
|
import java.security.cert.CertificateFactory;
|
|
import java.security.cert.X509Certificate;
|
|
import java.util.Arrays;
|
|
|
|
import javax.net.ssl.KeyManager;
|
|
import javax.net.ssl.TrustManager;
|
|
import javax.net.ssl.X509ExtendedKeyManager;
|
|
import javax.net.ssl.X509TrustManager;
|
|
|
|
public class SSLUtils {
|
|
// All secure factories are the same; all insecure factories are associated with HostAuth's
|
|
private static javax.net.ssl.SSLSocketFactory sSecureFactory;
|
|
|
|
private static final boolean LOG_ENABLED = false;
|
|
private static final String TAG = "Email.Ssl";
|
|
|
|
// A 30 second SSL handshake should be more than enough.
|
|
private static final int SSL_HANDSHAKE_TIMEOUT = 30000;
|
|
|
|
/**
|
|
* A trust manager specific to a particular HostAuth. The first time a server certificate is
|
|
* encountered for the HostAuth, its certificate is saved; subsequent checks determine whether
|
|
* the PublicKey of the certificate presented matches that of the saved certificate
|
|
* TODO: UI to ask user about changed certificates
|
|
*/
|
|
private static class SameCertificateCheckingTrustManager implements X509TrustManager {
|
|
private final HostAuth mHostAuth;
|
|
private final Context mContext;
|
|
// The public key associated with the HostAuth; we'll lazily initialize it
|
|
private PublicKey mPublicKey;
|
|
|
|
SameCertificateCheckingTrustManager(Context context, HostAuth hostAuth) {
|
|
mContext = context;
|
|
mHostAuth = hostAuth;
|
|
// We must load the server cert manually (the ContentCache won't handle blobs
|
|
Cursor c = context.getContentResolver().query(HostAuth.CONTENT_URI,
|
|
new String[] {HostAuthColumns.SERVER_CERT}, HostAuthColumns._ID + "=?",
|
|
new String[] {Long.toString(hostAuth.mId)}, null);
|
|
if (c != null) {
|
|
try {
|
|
if (c.moveToNext()) {
|
|
mHostAuth.mServerCert = c.getBlob(0);
|
|
}
|
|
} finally {
|
|
c.close();
|
|
}
|
|
}
|
|
}
|
|
|
|
@Override
|
|
public void checkClientTrusted(X509Certificate[] chain, String authType)
|
|
throws CertificateException {
|
|
// We don't check client certificates
|
|
throw new CertificateException("We don't check client certificates");
|
|
}
|
|
|
|
@Override
|
|
public void checkServerTrusted(X509Certificate[] chain, String authType)
|
|
throws CertificateException {
|
|
if (chain.length == 0) {
|
|
throw new CertificateException("No certificates?");
|
|
} else {
|
|
X509Certificate serverCert = chain[0];
|
|
if (mHostAuth.mServerCert != null) {
|
|
// Compare with the current public key
|
|
if (mPublicKey == null) {
|
|
ByteArrayInputStream bais = new ByteArrayInputStream(mHostAuth.mServerCert);
|
|
Certificate storedCert =
|
|
CertificateFactory.getInstance("X509").generateCertificate(bais);
|
|
mPublicKey = storedCert.getPublicKey();
|
|
try {
|
|
bais.close();
|
|
} catch (IOException e) {
|
|
// Yeah, right.
|
|
}
|
|
}
|
|
if (!mPublicKey.equals(serverCert.getPublicKey())) {
|
|
throw new CertificateException(
|
|
"PublicKey has changed since initial connection!");
|
|
}
|
|
} else {
|
|
// First time; save this away
|
|
byte[] encodedCert = serverCert.getEncoded();
|
|
mHostAuth.mServerCert = encodedCert;
|
|
ContentValues values = new ContentValues();
|
|
values.put(HostAuthColumns.SERVER_CERT, encodedCert);
|
|
mContext.getContentResolver().update(
|
|
ContentUris.withAppendedId(HostAuth.CONTENT_URI, mHostAuth.mId),
|
|
values, null, null);
|
|
}
|
|
}
|
|
}
|
|
|
|
@Override
|
|
public X509Certificate[] getAcceptedIssuers() {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
public static abstract class ExternalSecurityProviderInstaller {
|
|
abstract public void installIfNeeded(final Context context);
|
|
}
|
|
|
|
private static ExternalSecurityProviderInstaller sExternalSecurityProviderInstaller;
|
|
|
|
public static void setExternalSecurityProviderInstaller (
|
|
ExternalSecurityProviderInstaller installer) {
|
|
sExternalSecurityProviderInstaller = installer;
|
|
}
|
|
|
|
/**
|
|
* Returns a {@link javax.net.ssl.SSLSocketFactory}.
|
|
* Optionally bypass all SSL certificate checks.
|
|
*
|
|
* @param insecure if true, bypass all SSL certificate checks
|
|
*/
|
|
public synchronized static javax.net.ssl.SSLSocketFactory getSSLSocketFactory(
|
|
final Context context, final HostAuth hostAuth, final KeyManager keyManager,
|
|
final boolean insecure) {
|
|
// If we have an external security provider installer, then install. This will
|
|
// potentially replace the default implementation of SSLSocketFactory.
|
|
if (sExternalSecurityProviderInstaller != null) {
|
|
sExternalSecurityProviderInstaller.installIfNeeded(context);
|
|
}
|
|
try {
|
|
final KeyManager[] keyManagers = (keyManager == null ? null :
|
|
new KeyManager[]{keyManager});
|
|
if (insecure) {
|
|
final TrustManager[] trustManagers = new TrustManager[]{
|
|
new SameCertificateCheckingTrustManager(context, hostAuth)};
|
|
SSLSocketFactoryWrapper insecureFactory =
|
|
(SSLSocketFactoryWrapper) SSLSocketFactoryWrapper.getInsecure(
|
|
keyManagers, trustManagers, SSL_HANDSHAKE_TIMEOUT);
|
|
return insecureFactory;
|
|
} else {
|
|
if (sSecureFactory == null) {
|
|
SSLSocketFactoryWrapper secureFactory =
|
|
(SSLSocketFactoryWrapper) SSLSocketFactoryWrapper.getDefault(
|
|
keyManagers, SSL_HANDSHAKE_TIMEOUT);
|
|
sSecureFactory = secureFactory;
|
|
}
|
|
return sSecureFactory;
|
|
}
|
|
} catch (NoSuchAlgorithmException e) {
|
|
LogUtils.wtf(TAG, e, "Unable to acquire SSLSocketFactory");
|
|
// TODO: what can we do about this?
|
|
} catch (KeyManagementException e) {
|
|
LogUtils.wtf(TAG, e, "Unable to acquire SSLSocketFactory");
|
|
// TODO: what can we do about this?
|
|
}
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Returns a com.android.emailcommon.utility.SSLSocketFactory
|
|
*/
|
|
public static SSLSocketFactory getHttpSocketFactory(Context context, HostAuth hostAuth,
|
|
KeyManager keyManager, boolean insecure) {
|
|
javax.net.ssl.SSLSocketFactory underlying = getSSLSocketFactory(context, hostAuth,
|
|
keyManager, insecure);
|
|
SSLSocketFactory wrapped = new SSLSocketFactory(underlying);
|
|
if (insecure) {
|
|
wrapped.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
|
|
}
|
|
return wrapped;
|
|
}
|
|
|
|
// Character.isLetter() is locale-specific, and will potentially return true for characters
|
|
// outside of ascii a-z,A-Z
|
|
private static boolean isAsciiLetter(char c) {
|
|
return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z');
|
|
}
|
|
|
|
// Character.isDigit() is locale-specific, and will potentially return true for characters
|
|
// outside of ascii 0-9
|
|
private static boolean isAsciiNumber(char c) {
|
|
return ('0' <= c && c <= '9');
|
|
}
|
|
|
|
/**
|
|
* Escapes the contents a string to be used as a safe scheme name in the URI according to
|
|
* http://tools.ietf.org/html/rfc3986#section-3.1
|
|
*
|
|
* This does not ensure that the first character is a letter (which is required by the RFC).
|
|
*/
|
|
@VisibleForTesting
|
|
public static String escapeForSchemeName(String s) {
|
|
// According to the RFC, scheme names are case-insensitive.
|
|
s = s.toLowerCase();
|
|
|
|
StringBuilder sb = new StringBuilder();
|
|
for (int i = 0; i < s.length(); i++) {
|
|
char c = s.charAt(i);
|
|
if (isAsciiLetter(c) || isAsciiNumber(c)
|
|
|| ('-' == c) || ('.' == c)) {
|
|
// Safe - use as is.
|
|
sb.append(c);
|
|
} else if ('+' == c) {
|
|
// + is used as our escape character, so double it up.
|
|
sb.append("++");
|
|
} else {
|
|
// Unsafe - escape.
|
|
sb.append('+').append((int) c);
|
|
}
|
|
}
|
|
return sb.toString();
|
|
}
|
|
|
|
private static abstract class StubKeyManager extends X509ExtendedKeyManager {
|
|
@Override public abstract String chooseClientAlias(
|
|
String[] keyTypes, Principal[] issuers, Socket socket);
|
|
|
|
@Override public abstract X509Certificate[] getCertificateChain(String alias);
|
|
|
|
@Override public abstract PrivateKey getPrivateKey(String alias);
|
|
|
|
|
|
// The following methods are unused.
|
|
|
|
@Override
|
|
public final String chooseServerAlias(
|
|
String keyType, Principal[] issuers, Socket socket) {
|
|
// not a client SSLSocket callback
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
|
|
@Override
|
|
public final String[] getClientAliases(String keyType, Principal[] issuers) {
|
|
// not a client SSLSocket callback
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
|
|
@Override
|
|
public final String[] getServerAliases(String keyType, Principal[] issuers) {
|
|
// not a client SSLSocket callback
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A dummy {@link KeyManager} which keeps track of the last time a server has requested
|
|
* a client certificate.
|
|
*/
|
|
public static class TrackingKeyManager extends StubKeyManager {
|
|
private volatile long mLastTimeCertRequested = 0L;
|
|
|
|
@Override
|
|
public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
|
|
if (LOG_ENABLED) {
|
|
InetAddress address = socket.getInetAddress();
|
|
LogUtils.i(TAG, "TrackingKeyManager: requesting a client cert alias for "
|
|
+ address.getCanonicalHostName());
|
|
}
|
|
mLastTimeCertRequested = System.currentTimeMillis();
|
|
return null;
|
|
}
|
|
|
|
@Override
|
|
public X509Certificate[] getCertificateChain(String alias) {
|
|
if (LOG_ENABLED) {
|
|
LogUtils.i(TAG, "TrackingKeyManager: returning a null cert chain");
|
|
}
|
|
return null;
|
|
}
|
|
|
|
@Override
|
|
public PrivateKey getPrivateKey(String alias) {
|
|
if (LOG_ENABLED) {
|
|
LogUtils.i(TAG, "TrackingKeyManager: returning a null private key");
|
|
}
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* @return the last time that this {@link KeyManager} detected a request by a server
|
|
* for a client certificate (in millis since epoch).
|
|
*/
|
|
public long getLastCertReqTime() {
|
|
return mLastTimeCertRequested;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A {@link KeyManager} that reads uses credentials stored in the system {@link KeyChain}.
|
|
*/
|
|
public static class KeyChainKeyManager extends StubKeyManager {
|
|
private final String mClientAlias;
|
|
private final X509Certificate[] mCertificateChain;
|
|
private final PrivateKey mPrivateKey;
|
|
|
|
/**
|
|
* Builds an instance of a KeyChainKeyManager using the given certificate alias.
|
|
* If for any reason retrieval of the credentials from the system {@link KeyChain} fails,
|
|
* a {@code null} value will be returned.
|
|
*/
|
|
public static KeyChainKeyManager fromAlias(Context context, String alias)
|
|
throws CertificateException {
|
|
X509Certificate[] certificateChain;
|
|
try {
|
|
certificateChain = KeyChain.getCertificateChain(context, alias);
|
|
} catch (KeyChainException e) {
|
|
logError(alias, "certificate chain", e);
|
|
throw new CertificateException(e);
|
|
} catch (InterruptedException e) {
|
|
logError(alias, "certificate chain", e);
|
|
throw new CertificateException(e);
|
|
}
|
|
|
|
PrivateKey privateKey;
|
|
try {
|
|
privateKey = KeyChain.getPrivateKey(context, alias);
|
|
} catch (KeyChainException e) {
|
|
logError(alias, "private key", e);
|
|
throw new CertificateException(e);
|
|
} catch (InterruptedException e) {
|
|
logError(alias, "private key", e);
|
|
throw new CertificateException(e);
|
|
}
|
|
|
|
if (certificateChain == null || privateKey == null) {
|
|
throw new CertificateException("Can't access certificate from keystore");
|
|
}
|
|
|
|
return new KeyChainKeyManager(alias, certificateChain, privateKey);
|
|
}
|
|
|
|
private static void logError(String alias, String type, Exception ex) {
|
|
// Avoid logging PII when explicit logging is not on.
|
|
if (LOG_ENABLED) {
|
|
LogUtils.e(TAG, "Unable to retrieve " + type + " for [" + alias + "] due to " + ex);
|
|
} else {
|
|
LogUtils.e(TAG, "Unable to retrieve " + type + " due to " + ex);
|
|
}
|
|
}
|
|
|
|
private KeyChainKeyManager(
|
|
String clientAlias, X509Certificate[] certificateChain, PrivateKey privateKey) {
|
|
mClientAlias = clientAlias;
|
|
mCertificateChain = certificateChain;
|
|
mPrivateKey = privateKey;
|
|
}
|
|
|
|
|
|
@Override
|
|
public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
|
|
if (LOG_ENABLED) {
|
|
LogUtils.i(TAG, "Requesting a client cert alias for " + Arrays.toString(keyTypes));
|
|
}
|
|
return mClientAlias;
|
|
}
|
|
|
|
@Override
|
|
public X509Certificate[] getCertificateChain(String alias) {
|
|
if (LOG_ENABLED) {
|
|
LogUtils.i(TAG, "Requesting a client certificate chain for alias [" + alias + "]");
|
|
}
|
|
return mCertificateChain;
|
|
}
|
|
|
|
@Override
|
|
public PrivateKey getPrivateKey(String alias) {
|
|
if (LOG_ENABLED) {
|
|
LogUtils.i(TAG, "Requesting a client private key for alias [" + alias + "]");
|
|
}
|
|
return mPrivateKey;
|
|
}
|
|
}
|
|
}
|