1 /* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.emailcommon.utility; 18 19 import android.content.ContentUris; 20 import android.content.ContentValues; 21 import android.content.Context; 22 import android.database.Cursor; 23 import android.net.SSLCertificateSocketFactory; 24 import android.security.KeyChain; 25 import android.security.KeyChainException; 26 27 import com.android.emailcommon.provider.EmailContent.HostAuthColumns; 28 import com.android.emailcommon.provider.HostAuth; 29 import com.android.mail.utils.LogUtils; 30 import com.google.common.annotations.VisibleForTesting; 31 32 import java.io.ByteArrayInputStream; 33 import java.io.IOException; 34 import java.net.InetAddress; 35 import java.net.Socket; 36 import java.security.Principal; 37 import java.security.PrivateKey; 38 import java.security.PublicKey; 39 import java.security.cert.Certificate; 40 import java.security.cert.CertificateException; 41 import java.security.cert.CertificateFactory; 42 import java.security.cert.X509Certificate; 43 import java.util.Arrays; 44 45 import javax.net.ssl.KeyManager; 46 import javax.net.ssl.TrustManager; 47 import javax.net.ssl.X509ExtendedKeyManager; 48 import javax.net.ssl.X509TrustManager; 49 50 public class SSLUtils { 51 // All secure factories are the same; all insecure factories are associated with HostAuth's 52 private static SSLCertificateSocketFactory sSecureFactory; 53 54 private static final boolean LOG_ENABLED = false; 55 private static final String TAG = "Email.Ssl"; 56 57 /** 58 * A trust manager specific to a particular HostAuth. The first time a server certificate is 59 * encountered for the HostAuth, its certificate is saved; subsequent checks determine whether 60 * the PublicKey of the certificate presented matches that of the saved certificate 61 * TODO: UI to ask user about changed certificates 62 */ 63 private static class SameCertificateCheckingTrustManager implements X509TrustManager { 64 private final HostAuth mHostAuth; 65 private final Context mContext; 66 // The public key associated with the HostAuth; we'll lazily initialize it 67 private PublicKey mPublicKey; 68 69 SameCertificateCheckingTrustManager(Context context, HostAuth hostAuth) { 70 mContext = context; 71 mHostAuth = hostAuth; 72 // We must load the server cert manually (the ContentCache won't handle blobs 73 Cursor c = context.getContentResolver().query(HostAuth.CONTENT_URI, 74 new String[] {HostAuthColumns.SERVER_CERT}, HostAuth.ID + "=?", 75 new String[] {Long.toString(hostAuth.mId)}, null); 76 if (c != null) { 77 try { 78 if (c.moveToNext()) { 79 mHostAuth.mServerCert = c.getBlob(0); 80 } 81 } finally { 82 c.close(); 83 } 84 } 85 } 86 87 @Override 88 public void checkClientTrusted(X509Certificate[] chain, String authType) 89 throws CertificateException { 90 // We don't check client certificates 91 throw new CertificateException("We don't check client certificates"); 92 } 93 94 @Override 95 public void checkServerTrusted(X509Certificate[] chain, String authType) 96 throws CertificateException { 97 if (chain.length == 0) { 98 throw new CertificateException("No certificates?"); 99 } else { 100 X509Certificate serverCert = chain[0]; 101 if (mHostAuth.mServerCert != null) { 102 // Compare with the current public key 103 if (mPublicKey == null) { 104 ByteArrayInputStream bais = new ByteArrayInputStream(mHostAuth.mServerCert); 105 Certificate storedCert = 106 CertificateFactory.getInstance("X509").generateCertificate(bais); 107 mPublicKey = storedCert.getPublicKey(); 108 try { 109 bais.close(); 110 } catch (IOException e) { 111 // Yeah, right. 112 } 113 } 114 if (!mPublicKey.equals(serverCert.getPublicKey())) { 115 throw new CertificateException( 116 "PublicKey has changed since initial connection!"); 117 } 118 } else { 119 // First time; save this away 120 byte[] encodedCert = serverCert.getEncoded(); 121 mHostAuth.mServerCert = encodedCert; 122 ContentValues values = new ContentValues(); 123 values.put(HostAuthColumns.SERVER_CERT, encodedCert); 124 mContext.getContentResolver().update( 125 ContentUris.withAppendedId(HostAuth.CONTENT_URI, mHostAuth.mId), 126 values, null, null); 127 } 128 } 129 } 130 131 @Override 132 public X509Certificate[] getAcceptedIssuers() { 133 return null; 134 } 135 } 136 137 /** 138 * Returns a {@link javax.net.ssl.SSLSocketFactory}. 139 * Optionally bypass all SSL certificate checks. 140 * 141 * @param insecure if true, bypass all SSL certificate checks 142 */ 143 public synchronized static SSLCertificateSocketFactory getSSLSocketFactory(Context context, 144 HostAuth hostAuth, boolean insecure) { 145 if (insecure) { 146 SSLCertificateSocketFactory insecureFactory = (SSLCertificateSocketFactory) 147 SSLCertificateSocketFactory.getInsecure(0, null); 148 insecureFactory.setTrustManagers( 149 new TrustManager[] { 150 new SameCertificateCheckingTrustManager(context, hostAuth)}); 151 return insecureFactory; 152 } else { 153 if (sSecureFactory == null) { 154 sSecureFactory = (SSLCertificateSocketFactory) 155 SSLCertificateSocketFactory.getDefault(0, null); 156 } 157 return sSecureFactory; 158 } 159 } 160 161 /** 162 * Returns a {@link org.apache.http.conn.ssl.SSLSocketFactory SSLSocketFactory} for use with the 163 * Apache HTTP stack. 164 */ 165 public static SSLSocketFactory getHttpSocketFactory(Context context, HostAuth hostAuth, 166 KeyManager keyManager, boolean insecure) { 167 SSLCertificateSocketFactory underlying = getSSLSocketFactory(context, hostAuth, insecure); 168 if (keyManager != null) { 169 underlying.setKeyManagers(new KeyManager[] { keyManager }); 170 } 171 SSLSocketFactory wrapped = new SSLSocketFactory(underlying); 172 if (insecure) { 173 wrapped.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); 174 } 175 return wrapped; 176 } 177 178 // Character.isLetter() is locale-specific, and will potentially return true for characters 179 // outside of ascii a-z,A-Z 180 private static boolean isAsciiLetter(char c) { 181 return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z'); 182 } 183 184 // Character.isDigit() is locale-specific, and will potentially return true for characters 185 // outside of ascii 0-9 186 private static boolean isAsciiNumber(char c) { 187 return ('0' <= c && c <= '9'); 188 } 189 190 /** 191 * Escapes the contents a string to be used as a safe scheme name in the URI according to 192 * http://tools.ietf.org/html/rfc3986#section-3.1 193 * 194 * This does not ensure that the first character is a letter (which is required by the RFC). 195 */ 196 @VisibleForTesting 197 public static String escapeForSchemeName(String s) { 198 // According to the RFC, scheme names are case-insensitive. 199 s = s.toLowerCase(); 200 201 StringBuilder sb = new StringBuilder(); 202 for (int i = 0; i < s.length(); i++) { 203 char c = s.charAt(i); 204 if (isAsciiLetter(c) || isAsciiNumber(c) 205 || ('-' == c) || ('.' == c)) { 206 // Safe - use as is. 207 sb.append(c); 208 } else if ('+' == c) { 209 // + is used as our escape character, so double it up. 210 sb.append("++"); 211 } else { 212 // Unsafe - escape. 213 sb.append('+').append((int) c); 214 } 215 } 216 return sb.toString(); 217 } 218 219 private static abstract class StubKeyManager extends X509ExtendedKeyManager { 220 @Override public abstract String chooseClientAlias( 221 String[] keyTypes, Principal[] issuers, Socket socket); 222 223 @Override public abstract X509Certificate[] getCertificateChain(String alias); 224 225 @Override public abstract PrivateKey getPrivateKey(String alias); 226 227 228 // The following methods are unused. 229 230 @Override 231 public final String chooseServerAlias( 232 String keyType, Principal[] issuers, Socket socket) { 233 // not a client SSLSocket callback 234 throw new UnsupportedOperationException(); 235 } 236 237 @Override 238 public final String[] getClientAliases(String keyType, Principal[] issuers) { 239 // not a client SSLSocket callback 240 throw new UnsupportedOperationException(); 241 } 242 243 @Override 244 public final String[] getServerAliases(String keyType, Principal[] issuers) { 245 // not a client SSLSocket callback 246 throw new UnsupportedOperationException(); 247 } 248 } 249 250 /** 251 * A dummy {@link KeyManager} which keeps track of the last time a server has requested 252 * a client certificate. 253 */ 254 public static class TrackingKeyManager extends StubKeyManager { 255 private volatile long mLastTimeCertRequested = 0L; 256 257 @Override 258 public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) { 259 if (LOG_ENABLED) { 260 InetAddress address = socket.getInetAddress(); 261 LogUtils.i(TAG, "TrackingKeyManager: requesting a client cert alias for " 262 + address.getCanonicalHostName()); 263 } 264 mLastTimeCertRequested = System.currentTimeMillis(); 265 return null; 266 } 267 268 @Override 269 public X509Certificate[] getCertificateChain(String alias) { 270 if (LOG_ENABLED) { 271 LogUtils.i(TAG, "TrackingKeyManager: returning a null cert chain"); 272 } 273 return null; 274 } 275 276 @Override 277 public PrivateKey getPrivateKey(String alias) { 278 if (LOG_ENABLED) { 279 LogUtils.i(TAG, "TrackingKeyManager: returning a null private key"); 280 } 281 return null; 282 } 283 284 /** 285 * @return the last time that this {@link KeyManager} detected a request by a server 286 * for a client certificate (in millis since epoch). 287 */ 288 public long getLastCertReqTime() { 289 return mLastTimeCertRequested; 290 } 291 } 292 293 /** 294 * A {@link KeyManager} that reads uses credentials stored in the system {@link KeyChain}. 295 */ 296 public static class KeyChainKeyManager extends StubKeyManager { 297 private final String mClientAlias; 298 private final X509Certificate[] mCertificateChain; 299 private final PrivateKey mPrivateKey; 300 301 /** 302 * Builds an instance of a KeyChainKeyManager using the given certificate alias. 303 * If for any reason retrieval of the credentials from the system {@link KeyChain} fails, 304 * a {@code null} value will be returned. 305 */ 306 public static KeyChainKeyManager fromAlias(Context context, String alias) 307 throws CertificateException { 308 X509Certificate[] certificateChain; 309 try { 310 certificateChain = KeyChain.getCertificateChain(context, alias); 311 } catch (KeyChainException e) { 312 logError(alias, "certificate chain", e); 313 throw new CertificateException(e); 314 } catch (InterruptedException e) { 315 logError(alias, "certificate chain", e); 316 throw new CertificateException(e); 317 } 318 319 PrivateKey privateKey; 320 try { 321 privateKey = KeyChain.getPrivateKey(context, alias); 322 } catch (KeyChainException e) { 323 logError(alias, "private key", e); 324 throw new CertificateException(e); 325 } catch (InterruptedException e) { 326 logError(alias, "private key", e); 327 throw new CertificateException(e); 328 } 329 330 if (certificateChain == null || privateKey == null) { 331 throw new CertificateException("Can't access certificate from keystore"); 332 } 333 334 return new KeyChainKeyManager(alias, certificateChain, privateKey); 335 } 336 337 private static void logError(String alias, String type, Exception ex) { 338 // Avoid logging PII when explicit logging is not on. 339 if (LOG_ENABLED) { 340 LogUtils.e(TAG, "Unable to retrieve " + type + " for [" + alias + "] due to " + ex); 341 } else { 342 LogUtils.e(TAG, "Unable to retrieve " + type + " due to " + ex); 343 } 344 } 345 346 private KeyChainKeyManager( 347 String clientAlias, X509Certificate[] certificateChain, PrivateKey privateKey) { 348 mClientAlias = clientAlias; 349 mCertificateChain = certificateChain; 350 mPrivateKey = privateKey; 351 } 352 353 354 @Override 355 public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) { 356 if (LOG_ENABLED) { 357 LogUtils.i(TAG, "Requesting a client cert alias for " + Arrays.toString(keyTypes)); 358 } 359 return mClientAlias; 360 } 361 362 @Override 363 public X509Certificate[] getCertificateChain(String alias) { 364 if (LOG_ENABLED) { 365 LogUtils.i(TAG, "Requesting a client certificate chain for alias [" + alias + "]"); 366 } 367 return mCertificateChain; 368 } 369 370 @Override 371 public PrivateKey getPrivateKey(String alias) { 372 if (LOG_ENABLED) { 373 LogUtils.i(TAG, "Requesting a client private key for alias [" + alias + "]"); 374 } 375 return mPrivateKey; 376 } 377 } 378 } 379
