New SSL certificate verification method.

0ade32d8 · Martin Strbacka · c3b4f4a1 · 0ade32d8 · c3b4f4a1 · c3b4f4a1
Commit 0ade32d8 authored 10 years ago by Martin Strbacka
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="cz.nic.datovka"
-    android:versionCode="15"
+    android:versionCode="16"
    android:versionName="1.1.1" >
    <uses-permission android:name="android.permission.INTERNET" >

--- a/res/raw/key_store_production_env.ks
+++ b/res/raw/key_store_production_env.ks
--- a/res/raw/key_store_test_env.ks
+++ b/res/raw/key_store_test_env.ks
--- a/res/raw/mytruststore.bks
+++ b/res/raw/mytruststore.bks
--- a/src/cz/nic/datovka/tinyDB/DataBoxManager.java
+++ b/src/cz/nic/datovka/tinyDB/DataBoxManager.java
@@ -34,10 +34,7 @@ import java.io.OutputStream;
 import java.net.ProtocolException;
 import java.net.URL;
 import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.EnumSet;
@@ -57,6 +54,7 @@ import javax.xml.parsers.SAXParserFactory;
 import org.kobjects.base64.Base64;
 import org.xml.sax.SAXException;
+import android.content.res.Resources.NotFoundException;
 import cz.abclinuxu.datoveschranky.common.entities.Hash;
 import cz.abclinuxu.datoveschranky.common.entities.MessageEnvelope;
 import cz.abclinuxu.datoveschranky.common.entities.MessageState;
@@ -69,8 +67,6 @@ import cz.abclinuxu.datoveschranky.common.impl.DataBoxEnvironment;
 import cz.abclinuxu.datoveschranky.common.impl.DataBoxException;
 import cz.abclinuxu.datoveschranky.common.impl.Utils;
 import cz.abclinuxu.datoveschranky.common.interfaces.AttachmentStorer;
-import cz.nic.datovka.R.raw;
-import cz.nic.datovka.activities.AppUtils;
 import cz.nic.datovka.tinyDB.exceptions.DSException;
 import cz.nic.datovka.tinyDB.exceptions.HttpException;
 import cz.nic.datovka.tinyDB.exceptions.SSLCertificateException;
@@ -108,10 +104,8 @@ public class DataBoxManager {
 	private static final int PRODUCTION = 0;
 	//private static final int TESTING = 1;
-	private int environment;
 	private DataBoxManager(int environment) {
-		this.environment = environment;
 		if(environment == PRODUCTION){
 			this.config = new Config(DataBoxEnvironment.PRODUCTION);
 		} else {
@@ -308,33 +302,18 @@ public class DataBoxManager {
 		authorization = "Basic " + new String(Base64.encode(userPassword.getBytes()));
 		try {
-			KeyStore keyStore = KeyStore.getInstance("BKS");
 			SSLContext sslcontext = SSLContext.getInstance("TLS");
-			InputStream keyStoreStream;
+			sslcontext.init(null, new TrustManager[] { new MyAndroidTrustManager() }, null);
-			if(environment == PRODUCTION){
-				keyStoreStream = AppUtils.ctx.getResources().openRawResource(raw.key_store_production_env);
-			} else {
-				keyStoreStream = AppUtils.ctx.getResources().openRawResource(raw.key_store_test_env);
-			}
-			keyStore.load(keyStoreStream, "kiasdhkjsdh@$@R%.S1257".toCharArray());
-			sslcontext.init(null, new TrustManager[] { new MyAndroidTrustManager(keyStore) }, null);
 			this.socketFactory = sslcontext.getSocketFactory();
-		} catch (KeyStoreException e) {
-			e.printStackTrace();
-			throw new SSLCertificateException(e.getMessage());
 		}catch (NoSuchAlgorithmException e) {
 			e.printStackTrace();
 			throw new SSLCertificateException(e.getMessage());
-		} catch (CertificateException e) {
+		} catch (KeyManagementException e) {
-			e.printStackTrace();
-			throw new SSLCertificateException(e.getMessage());
-		} catch (IOException e) {
 			e.printStackTrace();
 			throw new SSLCertificateException(e.getMessage());
-		} catch (KeyManagementException e) {
+		} catch (NotFoundException e) {
 			e.printStackTrace();
 			throw new SSLCertificateException(e.getMessage());
 		}

--- a/src/cz/nic/datovka/tinyDB/MyAndroidTrustManager.java
+++ b/src/cz/nic/datovka/tinyDB/MyAndroidTrustManager.java
 /*
- *  Datove schranky (http://github.com/b00lean/datoveschranky)
+Datovka - An Android client for Datove schranky
- *  Copyright (C) 2010  Karel Kyovsky <karel.kyovsky at apksoft.eu>
+    Copyright (C) 2014  CZ NIC z.s.p.o. <podpora at nic dot cz>
- *  Modification: 09/2012 CZ NIC z.s.p.o. <podpora at nic dot cz>
- *
+    This program is free software: you can redistribute it and/or modify
- *  This file is part of Datove schranky (http://github.com/b00lean/datoveschranky).
+    it under the terms of the GNU General Public License as published by
- *
+    the Free Software Foundation, either version 3 of the License, or
- *  Datove schranky is free software: you can redistribute it and/or modify
+    (at your option) any later version.
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation, either version 3 of the License
+    This program is distributed in the hope that it will be useful,
- *  
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  Datove schranky is distributed in the hope that it will be useful,
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+    GNU General Public License for more details.
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
+    You should have received a copy of the GNU General Public License
- *
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *  You should have received a copy of the GNU General Public License
+*/
- *  along with Datove schranky.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
 package cz.nic.datovka.tinyDB;
+import java.io.IOException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
-public class MyAndroidTrustManager implements X509TrustManager {
+import android.content.res.Resources.NotFoundException;
-	private KeyStore ks;
+import android.util.Log;
+import cz.nic.datovka.R.raw;
+import cz.nic.datovka.activities.AppUtils;
-	public MyAndroidTrustManager(KeyStore ks) {
+public class MyAndroidTrustManager implements X509TrustManager {
-		super();
-		this.ks = ks;
-	}
-	public void checkClientTrusted(X509Certificate[] cert, String authType) throws CertificateException {
-		//System.out.println("=============== checkClientTrusted " + cert + "  " + authType); //used just for debuging
+	public void checkClientTrusted(X509Certificate[] cert, String authType)
+			throws CertificateException {
 	}
 	public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
-		//  Debug Code for saving certificates, used when www.mojedatovaschranka.cz changes certificates
+		TrustManager[] tms = getTrustManagersFromBKS();
+		Log.i("Datovka", "Number of trust managers: " + tms.length);
-/*
-		try{
+		if(tms.length < 1)
-		  KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+			throw new CertificateException("Empty BKS");
-			ks.load(null, null);
-			for (int i = 0; i < certs.length; i++) {
+		try {
-				X509Certificate certificate = certs[i];
+			for (TrustManager tm : getTrustManagersFromBKS()) {
-				ks.setCertificateEntry(i + "", certificate);
+				((X509TrustManager) tm).checkServerTrusted(certs, authType);
 			}
-			ByteArrayOutputStream bos = new ByteArrayOutputStream();
+		} catch (Exception e) {
-			ks.store(bos, "kiasdhkjsdh@$@R%.S1257".toCharArray());
+			e.printStackTrace();
+			throw new CertificateException(e.getMessage());
+		}
-			File root = Environment.getExternalStorageDirectory();
+		Log.i("Datovka", "Certificate verified");
-			System.out.println(root.getAbsolutePath());
+	}
-			if (root.canWrite()) {
-				File file = new File(root, "key_store.ks");
+	private TrustManager[] getTrustManagersFromBKS() {
-				FileOutputStream fos = new FileOutputStream(file);
-				fos.write(bos.toByteArray());
+		try {
-				fos.close();
+			KeyStore keyStore = KeyStore.getInstance("BKS");
-			}
+			keyStore.load(AppUtils.ctx.getResources().openRawResource(raw.mytruststore), "secret".toCharArray());
+			return getTrustManagers(keyStore);
 		} catch (KeyStoreException e) {
 			e.printStackTrace();
 		} catch (NoSuchAlgorithmException e) {
 			e.printStackTrace();
+		} catch (CertificateException e) {
+			e.printStackTrace();
+		} catch (NotFoundException e) {
+			e.printStackTrace();
 		} catch (IOException e) {
 			e.printStackTrace();
 		}
-*/
-		//show me better solution how to trust someone on non-rooted android phone and i buy you a beer. 
+		return new TrustManager[0];
-		int numberOfHits = 0;
+	}
-		for (int i = 0; i < certs.length; i++) {
-			X509Certificate cert = certs[i];
+	private TrustManager[] getTrustManagers(KeyStore keystore) {
-			//System.out.println("IDN: " + cert.getIssuerDN());
+		try {
-			//System.out.println("SDN: " + cert.getSubjectDN());
+			TrustManagerFactory tmf =
-			try {
+					TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-				String alias = ks.getCertificateAlias(cert);
+			tmf.init((KeyStore) keystore);
-				//System.out.println("alias: " + alias);
+			return tmf.getTrustManagers();
-				if (alias != null) {
+		} catch (NoSuchAlgorithmException e) {
-					numberOfHits++;
+			e.printStackTrace();
-				}
+		} catch (KeyStoreException e) {
-			} catch (KeyStoreException e) {
+			e.printStackTrace();
-				e.printStackTrace();
-			}
-		}
-		if (numberOfHits != certs.length) {
-			throw new CertificateException("Not trusting this server. Number of hits: " + numberOfHits + " Number of certs: " + certs.length);
 		}
-		//System.out.println("=============== checkServerTrusted " + certs + "  " + authType);
+		return new TrustManager[0];
 	}
 	public X509Certificate[] getAcceptedIssuers() {
-		//System.out.println("=============== getAcceptedIssuers");
 		return null;
 	}
 }
\ No newline at end of file