/** Creates the Activity and registers a MemorizingTrustManager. */ @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); requestWindowFeature(Window.FEATURE_INDETERMINATE_PROGRESS); setContentView(R.layout.mtmexample); // set up gui elements findViewById(R.id.connect).setOnClickListener(this); content = (TextView) findViewById(R.id.content); urlinput = (EditText) findViewById(R.id.url); verifyhost = (CheckBox) findViewById(R.id.verifyhost); // register handler for background thread hdlr = new Handler(); // Here, the MemorizingTrustManager is activated for HTTPS try { // set location of the keystore MemorizingTrustManager.setKeyStoreFile("private", "sslkeys.bks"); // register MemorizingTrustManager for HTTPS SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, MemorizingTrustManager.getInstanceList(this), new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); defaultverifier = HttpsURLConnection.getDefaultHostnameVerifier(); // disable redirects to reduce possible confusion HttpsURLConnection.setFollowRedirects(false); } catch (Exception e) { e.printStackTrace(); } }
@Override public HttpDownloadResult postUrlUnsecure( final URL url, final Integer timeOut, final Map<String, String> data, final HttpHeader httpHeader) throws HttpDownloaderException { final TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManagerAllowAll()}; final SSLSocketFactory orgSSLSocketFactory = HttpsURLConnection.getDefaultSSLSocketFactory(); final HostnameVerifier orgHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier(); try { final SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); final HostnameVerifier hv = new HostnameVerifierAllowAll(); HttpsURLConnection.setDefaultHostnameVerifier(hv); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); return postUrlSecure(url, timeOut, data, httpHeader); } catch (final NoSuchAlgorithmException e) { logger.error("NoSuchAlgorithmException", e); throw new HttpDownloaderException("NoSuchAlgorithmException", e); } catch (final KeyManagementException e) { logger.error("KeyManagementException", e); throw new HttpDownloaderException("KeyManagementException", e); } finally { HttpsURLConnection.setDefaultHostnameVerifier(orgHostnameVerifier); HttpsURLConnection.setDefaultSSLSocketFactory(orgSSLSocketFactory); } }
@Override protected OkHttpClient newOkHttpClient(Proxy proxy) { OkHttpClient client = super.newOkHttpClient(proxy); client.setTransports(ENABLED_TRANSPORTS); HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier(); // Assume that the internal verifier is better than the // default verifier. try { if (!Class.forName("javax.net.ssl.DefaultHostnameVerifier").isInstance(verifier)) { client.setHostnameVerifier(verifier); } } catch (ClassNotFoundException e) { // if we cannot find the class than let's NOT taper with it } return client; }
/** * Verify the hostname of the certificate used by the other end of a connected socket. You MUST * call this if you did not supply a hostname to {@link #createSocket()}. It is harmless to call * this method redundantly if the hostname has already been verified. * * <p>Wildcard certificates are allowed to verify any matching hostname, so "foo.bar.example.com" * is verified if the peer has a certificate for "*.example.com". * * @param socket An SSL socket which has been connected to a server * @param hostname The expected hostname of the remote server * @throws IOException if something goes wrong handshaking with the server * @throws SSLPeerUnverifiedException if the server cannot prove its identity * @hide */ public static void verifyHostname(Socket socket, String hostname) throws IOException { if (!(socket instanceof SSLSocket)) { throw new IllegalArgumentException("Attempt to verify non-SSL socket"); } if (!isSslCheckRelaxed()) { // The code at the start of OpenSSLSocketImpl.startHandshake() // ensures that the call is idempotent, so we can safely call it. SSLSocket ssl = (SSLSocket) socket; ssl.startHandshake(); SSLSession session = ssl.getSession(); if (session == null) { throw new SSLException("Cannot verify SSL socket without session"); } if (!HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session)) { throw new SSLPeerUnverifiedException("Cannot verify hostname: " + hostname); } } }
public DefaultX509TrustManager(KeyStore keystore) { super(); try { TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); factory.init(keystore); TrustManager[] trustManagers = factory.getTrustManagers(); if (trustManagers != null) { // Find the first X509TrustManager for (TrustManager trustManager : trustManagers) { if (trustManager instanceof X509TrustManager) { defaultManager = (X509TrustManager) trustManager; break; } } } } catch (NoSuchAlgorithmException e) { } catch (KeyStoreException e) { } defaultVerifier = HttpsURLConnection.getDefaultHostnameVerifier(); }
private void trustEveryone() { // TODO : this should actually not be everyone -- but only the one we accept try { if (defaultVerifier == null) { defaultVerifier = HttpsURLConnection.getDefaultHostnameVerifier(); } if (defaultSSLSocketFactory == null) { defaultSSLSocketFactory = HttpsURLConnection.getDefaultSSLSocketFactory(); } HttpsURLConnection.setDefaultHostnameVerifier( new HostnameVerifier() { @Override public boolean verify(String hostname, SSLSession session) { return true; } }); SSLContext context = SSLContext.getInstance("TLS"); context.init( null, new X509TrustManager[] { new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {} public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {} public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } } }, new SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory()); } catch (Exception e) { // should never happen e.printStackTrace(); } }
/** * SSLSocketFactory implementation with several extra features: * * <ul> * <li>Timeout specification for SSL handshake operations * <li>Hostname verification in most cases (see WARNINGs below) * <li>Optional SSL session caching with {@link SSLSessionCache} * <li>Optionally bypass all SSL certificate checks * </ul> * * The handshake timeout does not apply to actual TCP socket connection. If you want a connection * timeout as well, use {@link #createSocket()} and {@link Socket#connect(SocketAddress, int)}, * after which you must verify the identity of the server you are connected to. * * <p class="caution"><b>Most {@link SSLSocketFactory} implementations do not verify the server's * identity, allowing man-in-the-middle attacks.</b> This implementation does check the server's * certificate hostname, but only for createSocket variants that specify a hostname. When using * methods that use {@link InetAddress} or which return an unconnected socket, you MUST verify the * server's identity yourself to ensure a secure connection. * * <p>One way to verify the server's identity is to use {@link * HttpsURLConnection#getDefaultHostnameVerifier()} to get a {@link HostnameVerifier} to verify the * certificate hostname. * * <p>On development devices, "setprop socket.relaxsslcheck yes" bypasses all SSL certificate and * hostname checks for testing purposes. This setting requires root access. */ public class SSLCertificateSocketFactory extends SSLSocketFactory { private static final String TAG = "SSLCertificateSocketFactory"; private static final TrustManager[] INSECURE_TRUST_MANAGER = new TrustManager[] { new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) {} public void checkServerTrusted(X509Certificate[] certs, String authType) {} } }; private static final HostnameVerifier HOSTNAME_VERIFIER = HttpsURLConnection.getDefaultHostnameVerifier(); private SSLSocketFactory mInsecureFactory = null; private SSLSocketFactory mSecureFactory = null; private TrustManager[] mTrustManagers = null; private KeyManager[] mKeyManagers = null; private byte[] mNpnProtocols = null; private byte[] mAlpnProtocols = null; private PrivateKey mChannelIdPrivateKey = null; private final int mHandshakeTimeoutMillis; private final SSLClientSessionCache mSessionCache; private final boolean mSecure; /** @deprecated Use {@link #getDefault(int)} instead. */ @Deprecated public SSLCertificateSocketFactory(int handshakeTimeoutMillis) { this(handshakeTimeoutMillis, null, true); } private SSLCertificateSocketFactory( int handshakeTimeoutMillis, SSLSessionCache cache, boolean secure) { mHandshakeTimeoutMillis = handshakeTimeoutMillis; mSessionCache = cache == null ? null : cache.mSessionCache; mSecure = secure; } /** * Returns a new socket factory instance with an optional handshake timeout. * * @param handshakeTimeoutMillis to use for SSL connection handshake, or 0 for none. The socket * timeout is reset to 0 after the handshake. * @return a new SSLSocketFactory with the specified parameters */ public static SocketFactory getDefault(int handshakeTimeoutMillis) { return new SSLCertificateSocketFactory(handshakeTimeoutMillis, null, true); } /** * Returns a new socket factory instance with an optional handshake timeout and SSL session cache. * * @param handshakeTimeoutMillis to use for SSL connection handshake, or 0 for none. The socket * timeout is reset to 0 after the handshake. * @param cache The {@link SSLSessionCache} to use, or null for no cache. * @return a new SSLSocketFactory with the specified parameters */ public static SSLSocketFactory getDefault(int handshakeTimeoutMillis, SSLSessionCache cache) { return new SSLCertificateSocketFactory(handshakeTimeoutMillis, cache, true); } /** * Returns a new instance of a socket factory with all SSL security checks disabled, using an * optional handshake timeout and SSL session cache. * * <p class="caution"><b>Warning:</b> Sockets created using this factory are vulnerable to * man-in-the-middle attacks! * * @param handshakeTimeoutMillis to use for SSL connection handshake, or 0 for none. The socket * timeout is reset to 0 after the handshake. * @param cache The {@link SSLSessionCache} to use, or null for no cache. * @return an insecure SSLSocketFactory with the specified parameters */ public static SSLSocketFactory getInsecure(int handshakeTimeoutMillis, SSLSessionCache cache) { return new SSLCertificateSocketFactory(handshakeTimeoutMillis, cache, false); } /** * Returns a socket factory (also named SSLSocketFactory, but in a different namespace) for use * with the Apache HTTP stack. * * @param handshakeTimeoutMillis to use for SSL connection handshake, or 0 for none. The socket * timeout is reset to 0 after the handshake. * @param cache The {@link SSLSessionCache} to use, or null for no cache. * @return a new SocketFactory with the specified parameters */ public static org.apache.http.conn.ssl.SSLSocketFactory getHttpSocketFactory( int handshakeTimeoutMillis, SSLSessionCache cache) { return new org.apache.http.conn.ssl.SSLSocketFactory( new SSLCertificateSocketFactory(handshakeTimeoutMillis, cache, true)); } /** * Verify the hostname of the certificate used by the other end of a connected socket. You MUST * call this if you did not supply a hostname to {@link #createSocket()}. It is harmless to call * this method redundantly if the hostname has already been verified. * * <p>Wildcard certificates are allowed to verify any matching hostname, so "foo.bar.example.com" * is verified if the peer has a certificate for "*.example.com". * * @param socket An SSL socket which has been connected to a server * @param hostname The expected hostname of the remote server * @throws IOException if something goes wrong handshaking with the server * @throws SSLPeerUnverifiedException if the server cannot prove its identity * @hide */ public static void verifyHostname(Socket socket, String hostname) throws IOException { if (!(socket instanceof SSLSocket)) { throw new IllegalArgumentException("Attempt to verify non-SSL socket"); } if (!isSslCheckRelaxed()) { // The code at the start of OpenSSLSocketImpl.startHandshake() // ensures that the call is idempotent, so we can safely call it. SSLSocket ssl = (SSLSocket) socket; ssl.startHandshake(); SSLSession session = ssl.getSession(); if (session == null) { throw new SSLException("Cannot verify SSL socket without session"); } if (!HOSTNAME_VERIFIER.verify(hostname, session)) { throw new SSLPeerUnverifiedException("Cannot verify hostname: " + hostname); } } } private SSLSocketFactory makeSocketFactory( KeyManager[] keyManagers, TrustManager[] trustManagers) { try { OpenSSLContextImpl sslContext = new OpenSSLContextImpl(); sslContext.engineInit(keyManagers, trustManagers, null); sslContext.engineGetClientSessionContext().setPersistentCache(mSessionCache); return sslContext.engineGetSocketFactory(); } catch (KeyManagementException e) { Log.wtf(TAG, e); return (SSLSocketFactory) SSLSocketFactory.getDefault(); // Fallback } } private static boolean isSslCheckRelaxed() { return "1".equals(SystemProperties.get("ro.debuggable")) && "yes".equals(SystemProperties.get("socket.relaxsslcheck")); } private synchronized SSLSocketFactory getDelegate() { // Relax the SSL check if instructed (for this factory, or systemwide) if (!mSecure || isSslCheckRelaxed()) { if (mInsecureFactory == null) { if (mSecure) { Log.w(TAG, "*** BYPASSING SSL SECURITY CHECKS (socket.relaxsslcheck=yes) ***"); } else { Log.w(TAG, "Bypassing SSL security checks at caller's request"); } mInsecureFactory = makeSocketFactory(mKeyManagers, INSECURE_TRUST_MANAGER); } return mInsecureFactory; } else { if (mSecureFactory == null) { mSecureFactory = makeSocketFactory(mKeyManagers, mTrustManagers); } return mSecureFactory; } } /** Sets the {@link TrustManager}s to be used for connections made by this factory. */ public void setTrustManagers(TrustManager[] trustManager) { mTrustManagers = trustManager; // Clear out all cached secure factories since configurations have changed. mSecureFactory = null; // Note - insecure factories only ever use the INSECURE_TRUST_MANAGER so they need not // be cleared out here. } /** * Sets the <a href="http://technotes.googlecode.com/git/nextprotoneg.html">Next Protocol * Negotiation (NPN)</a> protocols that this peer is interested in. * * <p>For servers this is the sequence of protocols to advertise as supported, in order of * preference. This list is sent unencrypted to all clients that support NPN. * * <p>For clients this is a list of supported protocols to match against the server's list. If * there is no protocol supported by both client and server then the first protocol in the * client's list will be selected. The order of the client's protocols is otherwise insignificant. * * @param npnProtocols a non-empty list of protocol byte arrays. All arrays must be non-empty and * of length less than 256. */ public void setNpnProtocols(byte[][] npnProtocols) { this.mNpnProtocols = toLengthPrefixedList(npnProtocols); } /** * Sets the <a href="http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-01">Application * Layer Protocol Negotiation (ALPN)</a> protocols that this peer is interested in. * * <p>For servers this is the sequence of protocols to advertise as supported, in order of * preference. This list is sent unencrypted to all clients that support ALPN. * * <p>For clients this is a list of supported protocols to match against the server's list. If * there is no protocol supported by both client and server then the first protocol in the * client's list will be selected. The order of the client's protocols is otherwise insignificant. * * @param protocols a non-empty list of protocol byte arrays. All arrays must be non-empty and of * length less than 256. * @hide */ public void setAlpnProtocols(byte[][] protocols) { this.mAlpnProtocols = toLengthPrefixedList(protocols); } /** Returns an array containing the concatenation of length-prefixed byte strings. */ static byte[] toLengthPrefixedList(byte[]... items) { if (items.length == 0) { throw new IllegalArgumentException("items.length == 0"); } int totalLength = 0; for (byte[] s : items) { if (s.length == 0 || s.length > 255) { throw new IllegalArgumentException("s.length == 0 || s.length > 255: " + s.length); } totalLength += 1 + s.length; } byte[] result = new byte[totalLength]; int pos = 0; for (byte[] s : items) { result[pos++] = (byte) s.length; for (byte b : s) { result[pos++] = b; } } return result; } /** * Returns the <a href="http://technotes.googlecode.com/git/nextprotoneg.html">Next Protocol * Negotiation (NPN)</a> protocol selected by client and server, or null if no protocol was * negotiated. * * @param socket a socket created by this factory. * @throws IllegalArgumentException if the socket was not created by this factory. */ public byte[] getNpnSelectedProtocol(Socket socket) { return castToOpenSSLSocket(socket).getNpnSelectedProtocol(); } /** * Returns the <a href="http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-01">Application * Layer Protocol Negotiation (ALPN)</a> protocol selected by client and server, or null if no * protocol was negotiated. * * @param socket a socket created by this factory. * @throws IllegalArgumentException if the socket was not created by this factory. * @hide */ public byte[] getAlpnSelectedProtocol(Socket socket) { return castToOpenSSLSocket(socket).getAlpnSelectedProtocol(); } /** Sets the {@link KeyManager}s to be used for connections made by this factory. */ public void setKeyManagers(KeyManager[] keyManagers) { mKeyManagers = keyManagers; // Clear out any existing cached factories since configurations have changed. mSecureFactory = null; mInsecureFactory = null; } /** * Sets the private key to be used for TLS Channel ID by connections made by this factory. * * @param privateKey private key (enables TLS Channel ID) or {@code null} for no key (disables TLS * Channel ID). The private key has to be an Elliptic Curve (EC) key based on the NIST P-256 * curve (aka SECG secp256r1 or ANSI X9.62 prime256v1). * @hide */ public void setChannelIdPrivateKey(PrivateKey privateKey) { mChannelIdPrivateKey = privateKey; } /** * Enables <a href="http://tools.ietf.org/html/rfc5077#section-3.2">session ticket</a> support on * the given socket. * * @param socket a socket created by this factory * @param useSessionTickets {@code true} to enable session ticket support on this socket. * @throws IllegalArgumentException if the socket was not created by this factory. */ public void setUseSessionTickets(Socket socket, boolean useSessionTickets) { castToOpenSSLSocket(socket).setUseSessionTickets(useSessionTickets); } /** * Turns on <a href="http://tools.ietf.org/html/rfc6066#section-3">Server Name Indication * (SNI)</a> on a given socket. * * @param socket a socket created by this factory. * @param hostName the desired SNI hostname, null to disable. * @throws IllegalArgumentException if the socket was not created by this factory. */ public void setHostname(Socket socket, String hostName) { castToOpenSSLSocket(socket).setHostname(hostName); } /** * Sets this socket's SO_SNDTIMEO write timeout in milliseconds. Use 0 for no timeout. To take * effect, this option must be set before the blocking method was called. * * @param socket a socket created by this factory. * @param timeout the desired write timeout in milliseconds. * @throws IllegalArgumentException if the socket was not created by this factory. * @hide */ public void setSoWriteTimeout(Socket socket, int writeTimeoutMilliseconds) throws SocketException { castToOpenSSLSocket(socket).setSoWriteTimeout(writeTimeoutMilliseconds); } private static OpenSSLSocketImpl castToOpenSSLSocket(Socket socket) { if (!(socket instanceof OpenSSLSocketImpl)) { throw new IllegalArgumentException("Socket not created by this factory: " + socket); } return (OpenSSLSocketImpl) socket; } /** * {@inheritDoc} * * <p>This method verifies the peer's certificate hostname after connecting (unless created with * {@link #getInsecure(int, SSLSessionCache)}). */ @Override public Socket createSocket(Socket k, String host, int port, boolean close) throws IOException { OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(k, host, port, close); s.setNpnProtocols(mNpnProtocols); s.setAlpnProtocols(mAlpnProtocols); s.setHandshakeTimeout(mHandshakeTimeoutMillis); s.setChannelIdPrivateKey(mChannelIdPrivateKey); if (mSecure) { verifyHostname(s, host); } return s; } /** * Creates a new socket which is not connected to any remote host. You must use {@link * Socket#connect} to connect the socket. * * <p class="caution"><b>Warning:</b> Hostname verification is not performed with this method. You * MUST verify the server's identity after connecting the socket to avoid man-in-the-middle * attacks. */ @Override public Socket createSocket() throws IOException { OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(); s.setNpnProtocols(mNpnProtocols); s.setAlpnProtocols(mAlpnProtocols); s.setHandshakeTimeout(mHandshakeTimeoutMillis); s.setChannelIdPrivateKey(mChannelIdPrivateKey); return s; } /** * {@inheritDoc} * * <p class="caution"><b>Warning:</b> Hostname verification is not performed with this method. You * MUST verify the server's identity after connecting the socket to avoid man-in-the-middle * attacks. */ @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException { OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(addr, port, localAddr, localPort); s.setNpnProtocols(mNpnProtocols); s.setAlpnProtocols(mAlpnProtocols); s.setHandshakeTimeout(mHandshakeTimeoutMillis); s.setChannelIdPrivateKey(mChannelIdPrivateKey); return s; } /** * {@inheritDoc} * * <p class="caution"><b>Warning:</b> Hostname verification is not performed with this method. You * MUST verify the server's identity after connecting the socket to avoid man-in-the-middle * attacks. */ @Override public Socket createSocket(InetAddress addr, int port) throws IOException { OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(addr, port); s.setNpnProtocols(mNpnProtocols); s.setAlpnProtocols(mAlpnProtocols); s.setHandshakeTimeout(mHandshakeTimeoutMillis); s.setChannelIdPrivateKey(mChannelIdPrivateKey); return s; } /** * {@inheritDoc} * * <p>This method verifies the peer's certificate hostname after connecting (unless created with * {@link #getInsecure(int, SSLSessionCache)}). */ @Override public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) throws IOException { OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(host, port, localAddr, localPort); s.setNpnProtocols(mNpnProtocols); s.setAlpnProtocols(mAlpnProtocols); s.setHandshakeTimeout(mHandshakeTimeoutMillis); s.setChannelIdPrivateKey(mChannelIdPrivateKey); if (mSecure) { verifyHostname(s, host); } return s; } /** * {@inheritDoc} * * <p>This method verifies the peer's certificate hostname after connecting (unless created with * {@link #getInsecure(int, SSLSessionCache)}). */ @Override public Socket createSocket(String host, int port) throws IOException { OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(host, port); s.setNpnProtocols(mNpnProtocols); s.setAlpnProtocols(mAlpnProtocols); s.setHandshakeTimeout(mHandshakeTimeoutMillis); s.setChannelIdPrivateKey(mChannelIdPrivateKey); if (mSecure) { verifyHostname(s, host); } return s; } @Override public String[] getDefaultCipherSuites() { return getDelegate().getSupportedCipherSuites(); } @Override public String[] getSupportedCipherSuites() { return getDelegate().getSupportedCipherSuites(); } }
// 自己定制SSLSocketFactory,在createSocket时替换为HTTPDNS的IP,并进行SNI/HostNameVerify配置 class TlsSniSocketFactory extends SSLSocketFactory { private final String TAG = TlsSniSocketFactory.class.getSimpleName(); HostnameVerifier hostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier(); private HttpsURLConnection conn; public TlsSniSocketFactory(HttpsURLConnection conn) { this.conn = conn; } @Override public Socket createSocket() throws IOException { return null; } @Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { return null; } @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { return null; } @Override public Socket createSocket(InetAddress host, int port) throws IOException { return null; } @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { return null; } // TLS layer @Override public String[] getDefaultCipherSuites() { return new String[0]; } @Override public String[] getSupportedCipherSuites() { return new String[0]; } @Override public Socket createSocket(Socket plainSocket, String host, int port, boolean autoClose) throws IOException { String peerHost = this.conn.getRequestProperty("Host"); if (peerHost == null) peerHost = host; Log.i(TAG, "customized createSocket. host: " + peerHost); InetAddress address = plainSocket.getInetAddress(); if (autoClose) { // we don't need the plainSocket plainSocket.close(); } // create and connect SSL socket, but don't do hostname/certificate verification yet SSLCertificateSocketFactory sslSocketFactory = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0); SSLSocket ssl = (SSLSocket) sslSocketFactory.createSocket(address, port); // enable TLSv1.1/1.2 if available ssl.setEnabledProtocols(ssl.getSupportedProtocols()); // set up SNI before the handshake if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) { Log.i(TAG, "Setting SNI hostname"); sslSocketFactory.setHostname(ssl, peerHost); } else { Log.d(TAG, "No documented SNI support on Android <4.2, trying with reflection"); try { java.lang.reflect.Method setHostnameMethod = ssl.getClass().getMethod("setHostname", String.class); setHostnameMethod.invoke(ssl, peerHost); } catch (Exception e) { Log.w(TAG, "SNI not useable", e); } } // verify hostname and certificate SSLSession session = ssl.getSession(); if (!hostnameVerifier.verify(peerHost, session)) throw new SSLPeerUnverifiedException("Cannot verify hostname: " + peerHost); Log.i( TAG, "Established " + session.getProtocol() + " connection with " + session.getPeerHost() + " using " + session.getCipherSuite()); return ssl; } }
/** * Contacts the remote URL and returns the response. * * @param constructedUrl the url to contact. * @param encoding the encoding to use. * @return the response. */ public static String getResponseFromServer(final URL constructedUrl, final String encoding) { return getResponseFromServer( constructedUrl, HttpsURLConnection.getDefaultHostnameVerifier(), encoding); }
public class MailTransport { // TODO protected eventually /*protected*/ public static final int SOCKET_CONNECT_TIMEOUT = 10000; /*protected*/ public static final int SOCKET_READ_TIMEOUT = 60000; private static final HostnameVerifier HOSTNAME_VERIFIER = HttpsURLConnection.getDefaultHostnameVerifier(); private final String mDebugLabel; private final Context mContext; protected final HostAuth mHostAuth; private Socket mSocket; private InputStream mIn; private OutputStream mOut; public MailTransport(Context context, String debugLabel, HostAuth hostAuth) { super(); mContext = context; mDebugLabel = debugLabel; mHostAuth = hostAuth; } /** * Returns a new transport, using the current transport as a model. The new transport is * configured identically (as if {@link #setSecurity(int, boolean)}, {@link #setPort(int)} and * {@link #setHost(String)} were invoked), but not opened or connected in any way. */ @Override public MailTransport clone() { return new MailTransport(mContext, mDebugLabel, mHostAuth); } public String getHost() { return mHostAuth.mAddress; } public int getPort() { return mHostAuth.mPort; } public boolean canTrySslSecurity() { return (mHostAuth.mFlags & HostAuth.FLAG_SSL) != 0; } public boolean canTryTlsSecurity() { return (mHostAuth.mFlags & HostAuth.FLAG_TLS) != 0; } public boolean canTrustAllCertificates() { return (mHostAuth.mFlags & HostAuth.FLAG_TRUST_ALL) != 0; } /** * Attempts to open a connection using the Uri supplied for connection parameters. Will attempt an * SSL connection if indicated. */ public void open() throws MessagingException, CertificateValidationException { if (MailActivityEmail.DEBUG) { LogUtils.d( Logging.LOG_TAG, "*** " + mDebugLabel + " open " + getHost() + ":" + String.valueOf(getPort())); } try { SocketAddress socketAddress = new InetSocketAddress(getHost(), getPort()); if (canTrySslSecurity()) { mSocket = SSLUtils.getSSLSocketFactory(mContext, mHostAuth, canTrustAllCertificates()) .createSocket(); } else { mSocket = new Socket(); } mSocket.connect(socketAddress, SOCKET_CONNECT_TIMEOUT); // After the socket connects to an SSL server, confirm that the hostname is as expected if (canTrySslSecurity() && !canTrustAllCertificates()) { verifyHostname(mSocket, getHost()); } mIn = new BufferedInputStream(mSocket.getInputStream(), 1024); mOut = new BufferedOutputStream(mSocket.getOutputStream(), 512); mSocket.setSoTimeout(SOCKET_READ_TIMEOUT); } catch (SSLException e) { if (MailActivityEmail.DEBUG) { LogUtils.d(Logging.LOG_TAG, e.toString()); } throw new CertificateValidationException(e.getMessage(), e); } catch (IOException ioe) { if (MailActivityEmail.DEBUG) { LogUtils.d(Logging.LOG_TAG, ioe.toString()); } throw new MessagingException(MessagingException.IOERROR, ioe.toString()); } catch (IllegalArgumentException iae) { if (MailActivityEmail.DEBUG) { LogUtils.d(Logging.LOG_TAG, iae.toString()); } throw new MessagingException(MessagingException.UNSPECIFIED_EXCEPTION, iae.toString()); } } /** * Attempts to reopen a TLS connection using the Uri supplied for connection parameters. * * <p>NOTE: No explicit hostname verification is required here, because it's handled automatically * by the call to createSocket(). * * <p>TODO should we explicitly close the old socket? This seems funky to abandon it. */ public void reopenTls() throws MessagingException { try { mSocket = SSLUtils.getSSLSocketFactory(mContext, mHostAuth, canTrustAllCertificates()) .createSocket(mSocket, getHost(), getPort(), true); mSocket.setSoTimeout(SOCKET_READ_TIMEOUT); mIn = new BufferedInputStream(mSocket.getInputStream(), 1024); mOut = new BufferedOutputStream(mSocket.getOutputStream(), 512); } catch (SSLException e) { if (MailActivityEmail.DEBUG) { LogUtils.d(Logging.LOG_TAG, e.toString()); } throw new CertificateValidationException(e.getMessage(), e); } catch (IOException ioe) { if (MailActivityEmail.DEBUG) { LogUtils.d(Logging.LOG_TAG, ioe.toString()); } throw new MessagingException(MessagingException.IOERROR, ioe.toString()); } } /** * Lightweight version of SSLCertificateSocketFactory.verifyHostname, which provides this service * but is not in the public API. * * <p>Verify the hostname of the certificate used by the other end of a connected socket. You MUST * call this if you did not supply a hostname to SSLCertificateSocketFactory.createSocket(). It is * harmless to call this method redundantly if the hostname has already been verified. * * <p>Wildcard certificates are allowed to verify any matching hostname, so "foo.bar.example.com" * is verified if the peer has a certificate for "*.example.com". * * @param socket An SSL socket which has been connected to a server * @param hostname The expected hostname of the remote server * @throws IOException if something goes wrong handshaking with the server * @throws SSLPeerUnverifiedException if the server cannot prove its identity */ private static void verifyHostname(Socket socket, String hostname) throws IOException { // The code at the start of OpenSSLSocketImpl.startHandshake() // ensures that the call is idempotent, so we can safely call it. SSLSocket ssl = (SSLSocket) socket; ssl.startHandshake(); SSLSession session = ssl.getSession(); if (session == null) { throw new SSLException("Cannot verify SSL socket without session"); } // TODO: Instead of reporting the name of the server we think we're connecting to, // we should be reporting the bad name in the certificate. Unfortunately this is buried // in the verifier code and is not available in the verifier API, and extracting the // CN & alts is beyond the scope of this patch. if (!HOSTNAME_VERIFIER.verify(hostname, session)) { throw new SSLPeerUnverifiedException( "Certificate hostname not useable for server: " + hostname); } } /** * Set the socket timeout. * * @param timeoutMilliseconds the read timeout value if greater than {@code 0}, or {@code 0} for * an infinite timeout. */ public void setSoTimeout(int timeoutMilliseconds) throws SocketException { mSocket.setSoTimeout(timeoutMilliseconds); } public boolean isOpen() { return (mIn != null && mOut != null && mSocket != null && mSocket.isConnected() && !mSocket.isClosed()); } /** Close the connection. MUST NOT return any exceptions - must be "best effort" and safe. */ public void close() { try { mIn.close(); } catch (Exception e) { // May fail if the connection is already closed. } try { mOut.close(); } catch (Exception e) { // May fail if the connection is already closed. } try { mSocket.close(); } catch (Exception e) { // May fail if the connection is already closed. } mIn = null; mOut = null; mSocket = null; } public InputStream getInputStream() { return mIn; } public OutputStream getOutputStream() { return mOut; } /** Writes a single line to the server using \r\n termination. */ public void writeLine(String s, String sensitiveReplacement) throws IOException { if (MailActivityEmail.DEBUG) { if (sensitiveReplacement != null && !Logging.DEBUG_SENSITIVE) { LogUtils.d(Logging.LOG_TAG, ">>> " + sensitiveReplacement); } else { LogUtils.d(Logging.LOG_TAG, ">>> " + s); } } OutputStream out = getOutputStream(); out.write(s.getBytes()); out.write('\r'); out.write('\n'); out.flush(); } /** * Reads a single line from the server, using either \r\n or \n as the delimiter. The delimiter * char(s) are not included in the result. */ public String readLine(boolean loggable) throws IOException { StringBuffer sb = new StringBuffer(); InputStream in = getInputStream(); int d; while ((d = in.read()) != -1) { if (((char) d) == '\r') { continue; } else if (((char) d) == '\n') { break; } else { sb.append((char) d); } } if (d == -1 && MailActivityEmail.DEBUG) { LogUtils.d(Logging.LOG_TAG, "End of stream reached while trying to read line."); } String ret = sb.toString(); if (loggable && MailActivityEmail.DEBUG) { LogUtils.d(Logging.LOG_TAG, "<<< " + ret); } return ret; } public InetAddress getLocalAddress() { if (isOpen()) { return mSocket.getLocalAddress(); } else { return null; } } }
/** * This class implements the common aspects of "transport", one layer below the specific wire * protocols such as POP3, IMAP, or SMTP. */ public class MailTransport implements Transport { // TODO protected eventually /*protected*/ public static final int SOCKET_CONNECT_TIMEOUT = 10000; /*protected*/ public static final int SOCKET_READ_TIMEOUT = 60000; private static final HostnameVerifier HOSTNAME_VERIFIER = HttpsURLConnection.getDefaultHostnameVerifier(); private String mDebugLabel; private String mHost; private int mPort; private String[] mUserInfoParts; private int mConnectionSecurity; private boolean mTrustCertificates; private Socket mSocket; private InputStream mIn; private OutputStream mOut; /** * Simple constructor for starting from scratch. Call setUri() and setSecurity() to complete the * configuration. * * @param debugLabel Label used for Log.d calls */ public MailTransport(String debugLabel) { super(); mDebugLabel = debugLabel; } /** * Get a new transport, using an existing one as a model. The new transport is configured as if * setUri() and setSecurity() have been called, but not opened or connected in any way. * * @return a new Transport ready to open() */ public Transport newInstanceWithConfiguration() { MailTransport newObject = new MailTransport(mDebugLabel); newObject.mDebugLabel = mDebugLabel; newObject.mHost = mHost; newObject.mPort = mPort; if (mUserInfoParts != null) { newObject.mUserInfoParts = mUserInfoParts.clone(); } newObject.mConnectionSecurity = mConnectionSecurity; newObject.mTrustCertificates = mTrustCertificates; return newObject; } public void setUri(URI uri, int defaultPort) { mHost = uri.getHost(); mPort = defaultPort; if (uri.getPort() != -1) { mPort = uri.getPort(); } if (uri.getUserInfo() != null) { mUserInfoParts = uri.getUserInfo().split(":", 2); } } public String[] getUserInfoParts() { return mUserInfoParts; } public String getHost() { return mHost; } public int getPort() { return mPort; } public void setSecurity(int connectionSecurity, boolean trustAllCertificates) { mConnectionSecurity = connectionSecurity; mTrustCertificates = trustAllCertificates; } public int getSecurity() { return mConnectionSecurity; } public boolean canTrySslSecurity() { return mConnectionSecurity == CONNECTION_SECURITY_SSL; } public boolean canTryTlsSecurity() { return mConnectionSecurity == Transport.CONNECTION_SECURITY_TLS; } public boolean canTrustAllCertificates() { return mTrustCertificates; } /** * Attempts to open a connection using the Uri supplied for connection parameters. Will attempt an * SSL connection if indicated. */ public void open() throws MessagingException, CertificateValidationException { if (Config.LOGD && Email.DEBUG) { Log.d( Email.LOG_TAG, "*** " + mDebugLabel + " open " + getHost() + ":" + String.valueOf(getPort())); } try { SocketAddress socketAddress = new InetSocketAddress(getHost(), getPort()); if (canTrySslSecurity()) { mSocket = SSLUtils.getSSLSocketFactory(canTrustAllCertificates()).createSocket(); } else { mSocket = new Socket(); } mSocket.connect(socketAddress, SOCKET_CONNECT_TIMEOUT); // After the socket connects to an SSL server, confirm that the hostname is as expected if (canTrySslSecurity() && !canTrustAllCertificates()) { verifyHostname(mSocket, getHost()); } mIn = new BufferedInputStream(mSocket.getInputStream(), 1024); mOut = new BufferedOutputStream(mSocket.getOutputStream(), 512); } catch (SSLException e) { if (Config.LOGD && Email.DEBUG) { Log.d(Email.LOG_TAG, e.toString()); } throw new CertificateValidationException(e.getMessage(), e); } catch (IOException ioe) { if (Config.LOGD && Email.DEBUG) { Log.d(Email.LOG_TAG, ioe.toString()); } throw new MessagingException(MessagingException.IOERROR, ioe.toString()); } } /** * Attempts to reopen a TLS connection using the Uri supplied for connection parameters. * * <p>NOTE: No explicit hostname verification is required here, because it's handled automatically * by the call to createSocket(). * * <p>TODO should we explicitly close the old socket? This seems funky to abandon it. */ public void reopenTls() throws MessagingException { try { mSocket = SSLUtils.getSSLSocketFactory(canTrustAllCertificates()) .createSocket(mSocket, getHost(), getPort(), true); mSocket.setSoTimeout(SOCKET_READ_TIMEOUT); mIn = new BufferedInputStream(mSocket.getInputStream(), 1024); mOut = new BufferedOutputStream(mSocket.getOutputStream(), 512); } catch (SSLException e) { if (Config.LOGD && Email.DEBUG) { Log.d(Email.LOG_TAG, e.toString()); } throw new CertificateValidationException(e.getMessage(), e); } catch (IOException ioe) { if (Config.LOGD && Email.DEBUG) { Log.d(Email.LOG_TAG, ioe.toString()); } throw new MessagingException(MessagingException.IOERROR, ioe.toString()); } } /** * Lightweight version of SSLCertificateSocketFactory.verifyHostname, which provides this service * but is not in the public API. * * <p>Verify the hostname of the certificate used by the other end of a connected socket. You MUST * call this if you did not supply a hostname to SSLCertificateSocketFactory.createSocket(). It is * harmless to call this method redundantly if the hostname has already been verified. * * <p>Wildcard certificates are allowed to verify any matching hostname, so "foo.bar.example.com" * is verified if the peer has a certificate for "*.example.com". * * @param socket An SSL socket which has been connected to a server * @param hostname The expected hostname of the remote server * @throws IOException if something goes wrong handshaking with the server * @throws SSLPeerUnverifiedException if the server cannot prove its identity */ private void verifyHostname(Socket socket, String hostname) throws IOException { // The code at the start of OpenSSLSocketImpl.startHandshake() // ensures that the call is idempotent, so we can safely call it. SSLSocket ssl = (SSLSocket) socket; ssl.startHandshake(); SSLSession session = ssl.getSession(); if (session == null) { throw new SSLException("Cannot verify SSL socket without session"); } // TODO: Instead of reporting the name of the server we think we're connecting to, // we should be reporting the bad name in the certificate. Unfortunately this is buried // in the verifier code and is not available in the verifier API, and extracting the // CN & alts is beyond the scope of this patch. if (!HOSTNAME_VERIFIER.verify(hostname, session)) { throw new SSLPeerUnverifiedException( "Certificate hostname not useable for server: " + hostname); } } /** * Set the socket timeout. * * @param timeoutMilliseconds the read timeout value if greater than {@code 0}, or {@code 0} for * an infinite timeout. */ public void setSoTimeout(int timeoutMilliseconds) throws SocketException { mSocket.setSoTimeout(timeoutMilliseconds); } public boolean isOpen() { return (mIn != null && mOut != null && mSocket != null && mSocket.isConnected() && !mSocket.isClosed()); } /** Close the connection. MUST NOT return any exceptions - must be "best effort" and safe. */ public void close() { try { mIn.close(); } catch (Exception e) { // May fail if the connection is already closed. } try { mOut.close(); } catch (Exception e) { // May fail if the connection is already closed. } try { mSocket.close(); } catch (Exception e) { // May fail if the connection is already closed. } mIn = null; mOut = null; mSocket = null; } public InputStream getInputStream() { return mIn; } public OutputStream getOutputStream() { return mOut; } /** Writes a single line to the server using \r\n termination. */ public void writeLine(String s, String sensitiveReplacement) throws IOException { if (Config.LOGD && Email.DEBUG) { if (sensitiveReplacement != null && !Email.DEBUG_SENSITIVE) { Log.d(Email.LOG_TAG, ">>> " + sensitiveReplacement); } else { Log.d(Email.LOG_TAG, ">>> " + s); } } OutputStream out = getOutputStream(); out.write(s.getBytes()); out.write('\r'); out.write('\n'); out.flush(); } /** * Reads a single line from the server, using either \r\n or \n as the delimiter. The delimiter * char(s) are not included in the result. */ public String readLine() throws IOException { StringBuffer sb = new StringBuffer(); InputStream in = getInputStream(); int d; while ((d = in.read()) != -1) { if (((char) d) == '\r') { continue; } else if (((char) d) == '\n') { break; } else { sb.append((char) d); } } if (d == -1 && Config.LOGD && Email.DEBUG) { Log.d(Email.LOG_TAG, "End of stream reached while trying to read line."); } String ret = sb.toString(); if (Config.LOGD) { if (Email.DEBUG) { Log.d(Email.LOG_TAG, "<<< " + ret); } } return ret; } }