1 /* 2 * Copyright (C) 2011 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 18 package com.android.emailcommon.utility; 19 20 import android.content.Context; 21 import android.net.SSLCertificateSocketFactory; 22 import android.util.Log; 23 24 import com.android.emailcommon.Logging; 25 import com.android.emailcommon.provider.HostAuth; 26 import com.android.emailcommon.utility.SSLUtils.KeyChainKeyManager; 27 import com.android.emailcommon.utility.SSLUtils.TrackingKeyManager; 28 29 import org.apache.http.conn.scheme.PlainSocketFactory; 30 import org.apache.http.conn.scheme.Scheme; 31 import org.apache.http.conn.scheme.SchemeRegistry; 32 import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager; 33 import org.apache.http.params.HttpParams; 34 35 import java.security.cert.CertificateException; 36 37 import javax.net.ssl.KeyManager; 38 39 /** 40 * A thread-safe client connection manager that manages the use of client certificates from the 41 * {@link android.security.KeyChain} for SSL connections. 42 */ 43 public class EmailClientConnectionManager extends ThreadSafeClientConnManager { 44 45 private static final boolean LOG_ENABLED = false; 46 private static final int STANDARD_PORT = 80; 47 private static final int STANDARD_SSL_PORT = 443; 48 /** 49 * A {@link KeyManager} to track client certificate requests from servers. 50 */ 51 private final TrackingKeyManager mTrackingKeyManager; 52 53 /** 54 * Not publicly instantiable except via {@link #newInstance(HttpParams)} 55 */ 56 private EmailClientConnectionManager( 57 HttpParams params, SchemeRegistry registry, TrackingKeyManager keyManager) { 58 super(params, registry); 59 mTrackingKeyManager = keyManager; 60 } 61 62 public static EmailClientConnectionManager newInstance(HttpParams params, boolean ssl, 63 int port) { 64 TrackingKeyManager keyManager = new TrackingKeyManager(); 65 66 // Create a registry for our three schemes; http and https will use built-in factories 67 SchemeRegistry registry = new SchemeRegistry(); 68 registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 69 ssl ? STANDARD_PORT : port)); 70 // Register https with the secure factory 71 registry.register(new Scheme("https", 72 SSLUtils.getHttpSocketFactory(false, keyManager), ssl ? port : STANDARD_SSL_PORT)); 73 // Register the httpts scheme with our insecure factory 74 registry.register(new Scheme("httpts", 75 SSLUtils.getHttpSocketFactory(true /*insecure*/, keyManager), 76 ssl ? port : STANDARD_SSL_PORT)); 77 78 return new EmailClientConnectionManager(params, registry, keyManager); 79 } 80 81 /** 82 * Ensures that a client SSL certificate is known to be used for the specified connection 83 * manager. 84 * A {@link SchemeRegistry} is used to denote which client certificates to use for a given 85 * connection, so clients of this connection manager should use 86 * {@link #makeSchemeForClientCert(String, boolean)}. 87 */ 88 public synchronized void registerClientCert(Context context, HostAuth hostAuth) 89 throws CertificateException { 90 SchemeRegistry registry = getSchemeRegistry(); 91 String schemeName = makeSchemeForClientCert(hostAuth.mClientCertAlias, 92 hostAuth.shouldTrustAllServerCerts()); 93 Scheme existing = registry.get(schemeName); 94 if (existing == null) { 95 if (LOG_ENABLED) { 96 Log.i(Logging.LOG_TAG, "Registering socket factory for certificate alias [" 97 + hostAuth.mClientCertAlias + "]"); 98 } 99 KeyManager keyManager = 100 KeyChainKeyManager.fromAlias(context, hostAuth.mClientCertAlias); 101 SSLCertificateSocketFactory underlying = SSLUtils.getSSLSocketFactory( 102 hostAuth.shouldTrustAllServerCerts()); 103 underlying.setKeyManagers(new KeyManager[] { keyManager }); 104 registry.register( 105 new Scheme(schemeName, new SSLSocketFactory(underlying), hostAuth.mPort)); 106 } 107 } 108 109 /** 110 * Unregisters a custom connection type that uses a client certificate on the connection 111 * manager. 112 * @see #registerClientCert(Context, String, boolean) 113 */ 114 public synchronized void unregisterClientCert( 115 String clientCertAlias, boolean trustAllServerCerts) { 116 SchemeRegistry registry = getSchemeRegistry(); 117 String schemeName = makeSchemeForClientCert(clientCertAlias, trustAllServerCerts); 118 Scheme existing = registry.get(schemeName); 119 if (existing != null) { 120 registry.unregister(schemeName); 121 } 122 } 123 124 /** 125 * Builds a custom scheme name to be used in a connection manager according to the connection 126 * parameters. 127 */ 128 public static String makeScheme( 129 boolean useSsl, boolean trustAllServerCerts, String clientCertAlias) { 130 if (clientCertAlias != null) { 131 return makeSchemeForClientCert(clientCertAlias, trustAllServerCerts); 132 } else { 133 return useSsl ? (trustAllServerCerts ? "httpts" : "https") : "http"; 134 } 135 } 136 137 /** 138 * Builds a unique scheme name for an SSL connection that uses a client user certificate. 139 */ 140 private static String makeSchemeForClientCert( 141 String clientCertAlias, boolean trustAllServerCerts) { 142 String safeAlias = SSLUtils.escapeForSchemeName(clientCertAlias); 143 return (trustAllServerCerts ? "httpts" : "https") + "+clientCert+" + safeAlias; 144 } 145 146 /** 147 * @param since A timestamp in millis from epoch from which to check 148 * @return whether or not this connection manager has detected any unsatisfied requests for 149 * a client SSL certificate by any servers 150 */ 151 public synchronized boolean hasDetectedUnsatisfiedCertReq(long since) { 152 return mTrackingKeyManager.getLastCertReqTime() >= since; 153 } 154 } 155