ADHOC
/
replicant-packages_apps_Email
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
replicant-packages_apps_Email/emailcommon/src/com/android/emailcommon/utility/SSLUtils.java

367 lines
14 KiB
Java
Raw Blame History

/*
* Copyright (C) 2010 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.emailcommon.utility;
import android.content.ContentUris;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.net.SSLCertificateSocketFactory;
import android.security.KeyChain;
import android.security.KeyChainException;
import com.android.emailcommon.provider.EmailContent.HostAuthColumns;
import com.android.emailcommon.provider.HostAuth;
import com.android.mail.utils.LogUtils;
import com.google.common.annotations.VisibleForTesting;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509TrustManager;
public class SSLUtils {
// All secure factories are the same; all insecure factories are associated with HostAuth's
private static SSLCertificateSocketFactory sSecureFactory;
private static final boolean LOG_ENABLED = false;
private static final String TAG = "Email.Ssl";
/**
* A trust manager specific to a particular HostAuth. The first time a server certificate is
* encountered for the HostAuth, its certificate is saved; subsequent checks determine whether
* the PublicKey of the certificate presented matches that of the saved certificate
* TODO: UI to ask user about changed certificates
*/
private static class SameCertificateCheckingTrustManager implements X509TrustManager {
private final HostAuth mHostAuth;
private final Context mContext;
// The public key associated with the HostAuth; we'll lazily initialize it
private PublicKey mPublicKey;
SameCertificateCheckingTrustManager(Context context, HostAuth hostAuth) {
mContext = context;
mHostAuth = hostAuth;
// We must load the server cert manually (the ContentCache won't handle blobs
Cursor c = context.getContentResolver().query(HostAuth.CONTENT_URI,
new String[] {HostAuthColumns.SERVER_CERT}, HostAuth.ID + "=?",
new String[] {Long.toString(hostAuth.mId)}, null);
if (c != null) {
try {
if (c.moveToNext()) {
mHostAuth.mServerCert = c.getBlob(0);
}
} finally {
c.close();
}
}
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
// We don't check client certificates
throw new CertificateException("We don't check client certificates");
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
if (chain.length == 0) {
throw new CertificateException("No certificates?");
} else {
X509Certificate serverCert = chain[0];
if (mHostAuth.mServerCert != null) {
// Compare with the current public key
if (mPublicKey == null) {
ByteArrayInputStream bais = new ByteArrayInputStream(mHostAuth.mServerCert);
Certificate storedCert =
CertificateFactory.getInstance("X509").generateCertificate(bais);
mPublicKey = storedCert.getPublicKey();
try {
bais.close();
} catch (IOException e) {
// Yeah, right.
}
}
if (!mPublicKey.equals(serverCert.getPublicKey())) {
throw new CertificateException(
"PublicKey has changed since initial connection!");
}
} else {
// First time; save this away
byte[] encodedCert = serverCert.getEncoded();
mHostAuth.mServerCert = encodedCert;
ContentValues values = new ContentValues();
values.put(HostAuthColumns.SERVER_CERT, encodedCert);
mContext.getContentResolver().update(
ContentUris.withAppendedId(HostAuth.CONTENT_URI, mHostAuth.mId),
values, null, null);
}
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
/**
* Returns a {@link javax.net.ssl.SSLSocketFactory}.
* Optionally bypass all SSL certificate checks.
*
* @param insecure if true, bypass all SSL certificate checks
*/
public synchronized static SSLCertificateSocketFactory getSSLSocketFactory(Context context,
HostAuth hostAuth, boolean insecure) {
if (insecure) {
SSLCertificateSocketFactory insecureFactory = (SSLCertificateSocketFactory)
SSLCertificateSocketFactory.getDefault(0, null);
insecureFactory.setTrustManagers(
new TrustManager[] {
new SameCertificateCheckingTrustManager(context, hostAuth)});
return insecureFactory;
} else {
if (sSecureFactory == null) {
sSecureFactory = (SSLCertificateSocketFactory)
SSLCertificateSocketFactory.getDefault(0, null);
}
return sSecureFactory;
}
}
/**
* Returns a {@link org.apache.http.conn.ssl.SSLSocketFactory SSLSocketFactory} for use with the
* Apache HTTP stack.
*/
public static SSLSocketFactory getHttpSocketFactory(Context context, HostAuth hostAuth,
KeyManager keyManager, boolean insecure) {
SSLCertificateSocketFactory underlying = getSSLSocketFactory(context, hostAuth, insecure);
if (keyManager != null) {
underlying.setKeyManagers(new KeyManager[] { keyManager });
}
SSLSocketFactory wrapped = new SSLSocketFactory(underlying);
if (insecure) {
wrapped.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
}
return wrapped;
}
/**
* Escapes the contents a string to be used as a safe scheme name in the URI according to
* http://tools.ietf.org/html/rfc3986#section-3.1
*
* This does not ensure that the first character is a letter (which is required by the RFC).
*/
@VisibleForTesting
public static String escapeForSchemeName(String s) {
// According to the RFC, scheme names are case-insensitive.
s = s.toLowerCase();
StringBuilder sb = new StringBuilder();
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
if (Character.isLetter(c) || Character.isDigit(c)
|| ('-' == c) || ('.' == c)) {
// Safe - use as is.
sb.append(c);
} else if ('+' == c) {
// + is used as our escape character, so double it up.
sb.append("++");
} else {
// Unsafe - escape.
sb.append('+').append((int) c);
}
}
return sb.toString();
}
private static abstract class StubKeyManager extends X509ExtendedKeyManager {
@Override public abstract String chooseClientAlias(
String[] keyTypes, Principal[] issuers, Socket socket);
@Override public abstract X509Certificate[] getCertificateChain(String alias);
@Override public abstract PrivateKey getPrivateKey(String alias);
// The following methods are unused.
@Override
public final String chooseServerAlias(
String keyType, Principal[] issuers, Socket socket) {
// not a client SSLSocket callback
throw new UnsupportedOperationException();
}
@Override
public final String[] getClientAliases(String keyType, Principal[] issuers) {
// not a client SSLSocket callback
throw new UnsupportedOperationException();
}
@Override
public final String[] getServerAliases(String keyType, Principal[] issuers) {
// not a client SSLSocket callback
throw new UnsupportedOperationException();
}
}
/**
* A dummy {@link KeyManager} which keeps track of the last time a server has requested
* a client certificate.
*/
public static class TrackingKeyManager extends StubKeyManager {
private volatile long mLastTimeCertRequested = 0L;
@Override
public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
if (LOG_ENABLED) {
InetAddress address = socket.getInetAddress();
LogUtils.i(TAG, "TrackingKeyManager: requesting a client cert alias for "
+ address.getCanonicalHostName());
}
mLastTimeCertRequested = System.currentTimeMillis();
return null;
}
@Override
public X509Certificate[] getCertificateChain(String alias) {
if (LOG_ENABLED) {
LogUtils.i(TAG, "TrackingKeyManager: returning a null cert chain");
}
return null;
}
@Override
public PrivateKey getPrivateKey(String alias) {
if (LOG_ENABLED) {
LogUtils.i(TAG, "TrackingKeyManager: returning a null private key");
}
return null;
}
/**
* @return the last time that this {@link KeyManager} detected a request by a server
* for a client certificate (in millis since epoch).
*/
public long getLastCertReqTime() {
return mLastTimeCertRequested;
}
}
/**
* A {@link KeyManager} that reads uses credentials stored in the system {@link KeyChain}.
*/
public static class KeyChainKeyManager extends StubKeyManager {
private final String mClientAlias;
private final X509Certificate[] mCertificateChain;
private final PrivateKey mPrivateKey;
/**
* Builds an instance of a KeyChainKeyManager using the given certificate alias.
* If for any reason retrieval of the credentials from the system {@link KeyChain} fails,
* a {@code null} value will be returned.
*/
public static KeyChainKeyManager fromAlias(Context context, String alias)
throws CertificateException {
X509Certificate[] certificateChain;
try {
certificateChain = KeyChain.getCertificateChain(context, alias);
} catch (KeyChainException e) {
logError(alias, "certificate chain", e);
throw new CertificateException(e);
} catch (InterruptedException e) {
logError(alias, "certificate chain", e);
throw new CertificateException(e);
}
PrivateKey privateKey;
try {
privateKey = KeyChain.getPrivateKey(context, alias);
} catch (KeyChainException e) {
logError(alias, "private key", e);
throw new CertificateException(e);
} catch (InterruptedException e) {
logError(alias, "private key", e);
throw new CertificateException(e);
}
if (certificateChain == null || privateKey == null) {
throw new CertificateException("Can't access certificate from keystore");
}
return new KeyChainKeyManager(alias, certificateChain, privateKey);
}
private static void logError(String alias, String type, Exception ex) {
// Avoid logging PII when explicit logging is not on.
if (LOG_ENABLED) {
LogUtils.e(TAG, "Unable to retrieve " + type + " for [" + alias + "] due to " + ex);
} else {
LogUtils.e(TAG, "Unable to retrieve " + type + " due to " + ex);
}
}
private KeyChainKeyManager(
String clientAlias, X509Certificate[] certificateChain, PrivateKey privateKey) {
mClientAlias = clientAlias;
mCertificateChain = certificateChain;
mPrivateKey = privateKey;
}
@Override
public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
if (LOG_ENABLED) {
LogUtils.i(TAG, "Requesting a client cert alias for " + Arrays.toString(keyTypes));
}
return mClientAlias;
}
@Override
public X509Certificate[] getCertificateChain(String alias) {
if (LOG_ENABLED) {
LogUtils.i(TAG, "Requesting a client certificate chain for alias [" + alias + "]");
}
return mCertificateChain;
}
@Override
public PrivateKey getPrivateKey(String alias) {
if (LOG_ENABLED) {
LogUtils.i(TAG, "Requesting a client private key for alias [" + alias + "]");
}
return mPrivateKey;
}
}
}
Reference in New Issue View Git Blame Copy Permalink