The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2008 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package android.net; |
| 18 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 19 | import android.os.SystemProperties; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 20 | import android.util.Log; |
Kenny Root | 12e7522 | 2013-04-23 22:34:24 -0700 | [diff] [blame] | 21 | import com.android.org.conscrypt.OpenSSLContextImpl; |
| 22 | import com.android.org.conscrypt.OpenSSLSocketImpl; |
| 23 | import com.android.org.conscrypt.SSLClientSessionCache; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 24 | import java.io.IOException; |
| 25 | import java.net.InetAddress; |
| 26 | import java.net.Socket; |
Brian Carlstrom | 7ab7a8b | 2012-09-21 16:33:50 -0700 | [diff] [blame] | 27 | import java.net.SocketException; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 28 | import java.security.KeyManagementException; |
Alex Klyubin | ac5eb03 | 2013-03-12 10:30:59 -0700 | [diff] [blame] | 29 | import java.security.PrivateKey; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 30 | import java.security.cert.X509Certificate; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 31 | import javax.net.SocketFactory; |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 32 | import javax.net.ssl.HostnameVerifier; |
| 33 | import javax.net.ssl.HttpsURLConnection; |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 34 | import javax.net.ssl.KeyManager; |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 35 | import javax.net.ssl.SSLException; |
| 36 | import javax.net.ssl.SSLPeerUnverifiedException; |
| 37 | import javax.net.ssl.SSLSession; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 38 | import javax.net.ssl.SSLSocket; |
| 39 | import javax.net.ssl.SSLSocketFactory; |
| 40 | import javax.net.ssl.TrustManager; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 41 | import javax.net.ssl.X509TrustManager; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 42 | |
| 43 | /** |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 44 | * SSLSocketFactory implementation with several extra features: |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 45 | * |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 46 | * <ul> |
| 47 | * <li>Timeout specification for SSL handshake operations |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 48 | * <li>Hostname verification in most cases (see WARNINGs below) |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 49 | * <li>Optional SSL session caching with {@link SSLSessionCache} |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 50 | * <li>Optionally bypass all SSL certificate checks |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 51 | * </ul> |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 52 | * |
| 53 | * The handshake timeout does not apply to actual TCP socket connection. |
| 54 | * If you want a connection timeout as well, use {@link #createSocket()} |
| 55 | * and {@link Socket#connect(SocketAddress, int)}, after which you |
| 56 | * must verify the identity of the server you are connected to. |
| 57 | * |
| 58 | * <p class="caution"><b>Most {@link SSLSocketFactory} implementations do not |
| 59 | * verify the server's identity, allowing man-in-the-middle attacks.</b> |
| 60 | * This implementation does check the server's certificate hostname, but only |
| 61 | * for createSocket variants that specify a hostname. When using methods that |
| 62 | * use {@link InetAddress} or which return an unconnected socket, you MUST |
| 63 | * verify the server's identity yourself to ensure a secure connection.</p> |
| 64 | * |
| 65 | * <p>One way to verify the server's identity is to use |
| 66 | * {@link HttpsURLConnection#getDefaultHostnameVerifier()} to get a |
| 67 | * {@link HostnameVerifier} to verify the certificate hostname. |
| 68 | * |
| 69 | * <p>On development devices, "setprop socket.relaxsslcheck yes" bypasses all |
| 70 | * SSL certificate and hostname checks for testing purposes. This setting |
| 71 | * requires root access. |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 72 | */ |
| 73 | public class SSLCertificateSocketFactory extends SSLSocketFactory { |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 74 | private static final String TAG = "SSLCertificateSocketFactory"; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 75 | |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 76 | private static final TrustManager[] INSECURE_TRUST_MANAGER = new TrustManager[] { |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 77 | new X509TrustManager() { |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 78 | public X509Certificate[] getAcceptedIssuers() { return null; } |
| 79 | public void checkClientTrusted(X509Certificate[] certs, String authType) { } |
| 80 | public void checkServerTrusted(X509Certificate[] certs, String authType) { } |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 81 | } |
| 82 | }; |
| 83 | |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 84 | private SSLSocketFactory mInsecureFactory = null; |
| 85 | private SSLSocketFactory mSecureFactory = null; |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 86 | private TrustManager[] mTrustManagers = null; |
| 87 | private KeyManager[] mKeyManagers = null; |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 88 | private byte[] mNpnProtocols = null; |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 89 | private byte[] mAlpnProtocols = null; |
Alex Klyubin | ac5eb03 | 2013-03-12 10:30:59 -0700 | [diff] [blame] | 90 | private PrivateKey mChannelIdPrivateKey = null; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 91 | |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 92 | private final int mHandshakeTimeoutMillis; |
| 93 | private final SSLClientSessionCache mSessionCache; |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 94 | private final boolean mSecure; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 95 | |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 96 | /** @deprecated Use {@link #getDefault(int)} instead. */ |
Jesse Wilson | 28c7425 | 2010-11-04 14:09:18 -0700 | [diff] [blame] | 97 | @Deprecated |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 98 | public SSLCertificateSocketFactory(int handshakeTimeoutMillis) { |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 99 | this(handshakeTimeoutMillis, null, true); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 100 | } |
| 101 | |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 102 | private SSLCertificateSocketFactory( |
Brian Carlstrom | 992f238 | 2012-09-26 14:33:47 -0700 | [diff] [blame] | 103 | int handshakeTimeoutMillis, SSLSessionCache cache, boolean secure) { |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 104 | mHandshakeTimeoutMillis = handshakeTimeoutMillis; |
| 105 | mSessionCache = cache == null ? null : cache.mSessionCache; |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 106 | mSecure = secure; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 107 | } |
| 108 | |
| 109 | /** |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 110 | * Returns a new socket factory instance with an optional handshake timeout. |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 111 | * |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 112 | * @param handshakeTimeoutMillis to use for SSL connection handshake, or 0 |
| 113 | * for none. The socket timeout is reset to 0 after the handshake. |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 114 | * @return a new SSLSocketFactory with the specified parameters |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 115 | */ |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 116 | public static SocketFactory getDefault(int handshakeTimeoutMillis) { |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 117 | return new SSLCertificateSocketFactory(handshakeTimeoutMillis, null, true); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 118 | } |
| 119 | |
| 120 | /** |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 121 | * Returns a new socket factory instance with an optional handshake timeout |
| 122 | * and SSL session cache. |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 123 | * |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 124 | * @param handshakeTimeoutMillis to use for SSL connection handshake, or 0 |
| 125 | * for none. The socket timeout is reset to 0 after the handshake. |
Jesse Wilson | ff55699 | 2011-03-23 16:43:39 -0700 | [diff] [blame] | 126 | * @param cache The {@link SSLSessionCache} to use, or null for no cache. |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 127 | * @return a new SSLSocketFactory with the specified parameters |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 128 | */ |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 129 | public static SSLSocketFactory getDefault(int handshakeTimeoutMillis, SSLSessionCache cache) { |
| 130 | return new SSLCertificateSocketFactory(handshakeTimeoutMillis, cache, true); |
| 131 | } |
| 132 | |
| 133 | /** |
| 134 | * Returns a new instance of a socket factory with all SSL security checks |
| 135 | * disabled, using an optional handshake timeout and SSL session cache. |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 136 | * |
| 137 | * <p class="caution"><b>Warning:</b> Sockets created using this factory |
Costin Manolache | 007392a | 2013-10-11 11:43:33 -0700 | [diff] [blame] | 138 | * are vulnerable to man-in-the-middle attacks!</p>. The caller must implement |
| 139 | * its own verification. |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 140 | * |
| 141 | * @param handshakeTimeoutMillis to use for SSL connection handshake, or 0 |
| 142 | * for none. The socket timeout is reset to 0 after the handshake. |
Jesse Wilson | ff55699 | 2011-03-23 16:43:39 -0700 | [diff] [blame] | 143 | * @param cache The {@link SSLSessionCache} to use, or null for no cache. |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 144 | * @return an insecure SSLSocketFactory with the specified parameters |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 145 | */ |
| 146 | public static SSLSocketFactory getInsecure(int handshakeTimeoutMillis, SSLSessionCache cache) { |
| 147 | return new SSLCertificateSocketFactory(handshakeTimeoutMillis, cache, false); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 148 | } |
| 149 | |
| 150 | /** |
| 151 | * Returns a socket factory (also named SSLSocketFactory, but in a different |
| 152 | * namespace) for use with the Apache HTTP stack. |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 153 | * |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 154 | * @param handshakeTimeoutMillis to use for SSL connection handshake, or 0 |
| 155 | * for none. The socket timeout is reset to 0 after the handshake. |
Jesse Wilson | ff55699 | 2011-03-23 16:43:39 -0700 | [diff] [blame] | 156 | * @param cache The {@link SSLSessionCache} to use, or null for no cache. |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 157 | * @return a new SocketFactory with the specified parameters |
| 158 | */ |
| 159 | public static org.apache.http.conn.ssl.SSLSocketFactory getHttpSocketFactory( |
Jesse Wilson | ff55699 | 2011-03-23 16:43:39 -0700 | [diff] [blame] | 160 | int handshakeTimeoutMillis, SSLSessionCache cache) { |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 161 | return new org.apache.http.conn.ssl.SSLSocketFactory( |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 162 | new SSLCertificateSocketFactory(handshakeTimeoutMillis, cache, true)); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 163 | } |
| 164 | |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 165 | /** |
| 166 | * Verify the hostname of the certificate used by the other end of a |
| 167 | * connected socket. You MUST call this if you did not supply a hostname |
| 168 | * to {@link #createSocket()}. It is harmless to call this method |
| 169 | * redundantly if the hostname has already been verified. |
| 170 | * |
| 171 | * <p>Wildcard certificates are allowed to verify any matching hostname, |
| 172 | * so "foo.bar.example.com" is verified if the peer has a certificate |
| 173 | * for "*.example.com". |
| 174 | * |
| 175 | * @param socket An SSL socket which has been connected to a server |
| 176 | * @param hostname The expected hostname of the remote server |
| 177 | * @throws IOException if something goes wrong handshaking with the server |
| 178 | * @throws SSLPeerUnverifiedException if the server cannot prove its identity |
| 179 | * |
| 180 | * @hide |
| 181 | */ |
| 182 | public static void verifyHostname(Socket socket, String hostname) throws IOException { |
| 183 | if (!(socket instanceof SSLSocket)) { |
| 184 | throw new IllegalArgumentException("Attempt to verify non-SSL socket"); |
| 185 | } |
| 186 | |
| 187 | if (!isSslCheckRelaxed()) { |
| 188 | // The code at the start of OpenSSLSocketImpl.startHandshake() |
| 189 | // ensures that the call is idempotent, so we can safely call it. |
| 190 | SSLSocket ssl = (SSLSocket) socket; |
| 191 | ssl.startHandshake(); |
| 192 | |
| 193 | SSLSession session = ssl.getSession(); |
| 194 | if (session == null) { |
| 195 | throw new SSLException("Cannot verify SSL socket without session"); |
| 196 | } |
Kenny Root | 928ee1e | 2013-07-23 20:36:03 -0700 | [diff] [blame] | 197 | if (!HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session)) { |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 198 | throw new SSLPeerUnverifiedException("Cannot verify hostname: " + hostname); |
| 199 | } |
| 200 | } |
| 201 | } |
| 202 | |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 203 | private SSLSocketFactory makeSocketFactory( |
| 204 | KeyManager[] keyManagers, TrustManager[] trustManagers) { |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 205 | try { |
Brian Carlstrom | 3c7c351 | 2010-08-04 15:44:39 -0700 | [diff] [blame] | 206 | OpenSSLContextImpl sslContext = new OpenSSLContextImpl(); |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 207 | sslContext.engineInit(keyManagers, trustManagers, null); |
Brian Carlstrom | 2c42c8f | 2010-09-14 00:11:14 -0700 | [diff] [blame] | 208 | sslContext.engineGetClientSessionContext().setPersistentCache(mSessionCache); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 209 | return sslContext.engineGetSocketFactory(); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 210 | } catch (KeyManagementException e) { |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 211 | Log.wtf(TAG, e); |
| 212 | return (SSLSocketFactory) SSLSocketFactory.getDefault(); // Fallback |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 213 | } |
| 214 | } |
| 215 | |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 216 | private static boolean isSslCheckRelaxed() { |
| 217 | return "1".equals(SystemProperties.get("ro.debuggable")) && |
| 218 | "yes".equals(SystemProperties.get("socket.relaxsslcheck")); |
| 219 | } |
| 220 | |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 221 | private synchronized SSLSocketFactory getDelegate() { |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 222 | // Relax the SSL check if instructed (for this factory, or systemwide) |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 223 | if (!mSecure || isSslCheckRelaxed()) { |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 224 | if (mInsecureFactory == null) { |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 225 | if (mSecure) { |
| 226 | Log.w(TAG, "*** BYPASSING SSL SECURITY CHECKS (socket.relaxsslcheck=yes) ***"); |
Dan Egnor | 9d4b575 | 2010-02-13 20:34:51 -0800 | [diff] [blame] | 227 | } |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 228 | mInsecureFactory = makeSocketFactory(mKeyManagers, INSECURE_TRUST_MANAGER); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 229 | } |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 230 | return mInsecureFactory; |
| 231 | } else { |
| 232 | if (mSecureFactory == null) { |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 233 | mSecureFactory = makeSocketFactory(mKeyManagers, mTrustManagers); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 234 | } |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 235 | return mSecureFactory; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 236 | } |
| 237 | } |
| 238 | |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 239 | /** |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 240 | * Sets the {@link TrustManager}s to be used for connections made by this factory. |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 241 | */ |
| 242 | public void setTrustManagers(TrustManager[] trustManager) { |
| 243 | mTrustManagers = trustManager; |
| 244 | |
| 245 | // Clear out all cached secure factories since configurations have changed. |
| 246 | mSecureFactory = null; |
| 247 | // Note - insecure factories only ever use the INSECURE_TRUST_MANAGER so they need not |
| 248 | // be cleared out here. |
| 249 | } |
| 250 | |
| 251 | /** |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 252 | * Sets the <a href="http://technotes.googlecode.com/git/nextprotoneg.html">Next |
| 253 | * Protocol Negotiation (NPN)</a> protocols that this peer is interested in. |
| 254 | * |
| 255 | * <p>For servers this is the sequence of protocols to advertise as |
| 256 | * supported, in order of preference. This list is sent unencrypted to |
| 257 | * all clients that support NPN. |
| 258 | * |
| 259 | * <p>For clients this is a list of supported protocols to match against the |
| 260 | * server's list. If there is no protocol supported by both client and |
| 261 | * server then the first protocol in the client's list will be selected. |
| 262 | * The order of the client's protocols is otherwise insignificant. |
| 263 | * |
Jesse Wilson | 2108ead | 2012-05-17 13:46:17 -0400 | [diff] [blame] | 264 | * @param npnProtocols a non-empty list of protocol byte arrays. All arrays |
| 265 | * must be non-empty and of length less than 256. |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 266 | */ |
| 267 | public void setNpnProtocols(byte[][] npnProtocols) { |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 268 | this.mNpnProtocols = toLengthPrefixedList(npnProtocols); |
| 269 | } |
| 270 | |
| 271 | /** |
| 272 | * Sets the |
| 273 | * <a href="http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-01"> |
| 274 | * Application Layer Protocol Negotiation (ALPN)</a> protocols that this peer |
| 275 | * is interested in. |
| 276 | * |
| 277 | * <p>For servers this is the sequence of protocols to advertise as |
| 278 | * supported, in order of preference. This list is sent unencrypted to |
| 279 | * all clients that support ALPN. |
| 280 | * |
| 281 | * <p>For clients this is a list of supported protocols to match against the |
| 282 | * server's list. If there is no protocol supported by both client and |
| 283 | * server then the first protocol in the client's list will be selected. |
| 284 | * The order of the client's protocols is otherwise insignificant. |
| 285 | * |
| 286 | * @param protocols a non-empty list of protocol byte arrays. All arrays |
| 287 | * must be non-empty and of length less than 256. |
| 288 | * @hide |
| 289 | */ |
| 290 | public void setAlpnProtocols(byte[][] protocols) { |
| 291 | this.mAlpnProtocols = toLengthPrefixedList(protocols); |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 292 | } |
| 293 | |
| 294 | /** |
| 295 | * Returns an array containing the concatenation of length-prefixed byte |
| 296 | * strings. |
| 297 | */ |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 298 | static byte[] toLengthPrefixedList(byte[]... items) { |
| 299 | if (items.length == 0) { |
| 300 | throw new IllegalArgumentException("items.length == 0"); |
Jesse Wilson | 2108ead | 2012-05-17 13:46:17 -0400 | [diff] [blame] | 301 | } |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 302 | int totalLength = 0; |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 303 | for (byte[] s : items) { |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 304 | if (s.length == 0 || s.length > 255) { |
| 305 | throw new IllegalArgumentException("s.length == 0 || s.length > 255: " + s.length); |
| 306 | } |
| 307 | totalLength += 1 + s.length; |
| 308 | } |
| 309 | byte[] result = new byte[totalLength]; |
| 310 | int pos = 0; |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 311 | for (byte[] s : items) { |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 312 | result[pos++] = (byte) s.length; |
| 313 | for (byte b : s) { |
| 314 | result[pos++] = b; |
| 315 | } |
| 316 | } |
| 317 | return result; |
| 318 | } |
| 319 | |
| 320 | /** |
| 321 | * Returns the <a href="http://technotes.googlecode.com/git/nextprotoneg.html">Next |
| 322 | * Protocol Negotiation (NPN)</a> protocol selected by client and server, or |
| 323 | * null if no protocol was negotiated. |
| 324 | * |
| 325 | * @param socket a socket created by this factory. |
Narayan Kamath | b4db962 | 2012-09-17 17:59:00 +0100 | [diff] [blame] | 326 | * @throws IllegalArgumentException if the socket was not created by this factory. |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 327 | */ |
| 328 | public byte[] getNpnSelectedProtocol(Socket socket) { |
Narayan Kamath | b4db962 | 2012-09-17 17:59:00 +0100 | [diff] [blame] | 329 | return castToOpenSSLSocket(socket).getNpnSelectedProtocol(); |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 330 | } |
| 331 | |
| 332 | /** |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 333 | * Returns the |
| 334 | * <a href="http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-01">Application |
| 335 | * Layer Protocol Negotiation (ALPN)</a> protocol selected by client and server, or null |
| 336 | * if no protocol was negotiated. |
| 337 | * |
| 338 | * @param socket a socket created by this factory. |
| 339 | * @throws IllegalArgumentException if the socket was not created by this factory. |
| 340 | * @hide |
| 341 | */ |
| 342 | public byte[] getAlpnSelectedProtocol(Socket socket) { |
| 343 | return castToOpenSSLSocket(socket).getAlpnSelectedProtocol(); |
| 344 | } |
| 345 | |
| 346 | /** |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 347 | * Sets the {@link KeyManager}s to be used for connections made by this factory. |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 348 | */ |
| 349 | public void setKeyManagers(KeyManager[] keyManagers) { |
| 350 | mKeyManagers = keyManagers; |
| 351 | |
| 352 | // Clear out any existing cached factories since configurations have changed. |
| 353 | mSecureFactory = null; |
| 354 | mInsecureFactory = null; |
| 355 | } |
| 356 | |
Narayan Kamath | b4db962 | 2012-09-17 17:59:00 +0100 | [diff] [blame] | 357 | /** |
Alex Klyubin | ac5eb03 | 2013-03-12 10:30:59 -0700 | [diff] [blame] | 358 | * Sets the private key to be used for TLS Channel ID by connections made by this |
Alex Klyubin | 4ef6c9b | 2013-01-18 12:50:39 -0800 | [diff] [blame] | 359 | * factory. |
| 360 | * |
| 361 | * @param privateKey private key (enables TLS Channel ID) or {@code null} for no key (disables |
| 362 | * TLS Channel ID). The private key has to be an Elliptic Curve (EC) key based on the |
| 363 | * NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1). |
| 364 | * |
| 365 | * @hide |
| 366 | */ |
Alex Klyubin | ac5eb03 | 2013-03-12 10:30:59 -0700 | [diff] [blame] | 367 | public void setChannelIdPrivateKey(PrivateKey privateKey) { |
Alex Klyubin | 4ef6c9b | 2013-01-18 12:50:39 -0800 | [diff] [blame] | 368 | mChannelIdPrivateKey = privateKey; |
| 369 | } |
| 370 | |
| 371 | /** |
Narayan Kamath | b4db962 | 2012-09-17 17:59:00 +0100 | [diff] [blame] | 372 | * Enables <a href="http://tools.ietf.org/html/rfc5077#section-3.2">session ticket</a> |
| 373 | * support on the given socket. |
| 374 | * |
| 375 | * @param socket a socket created by this factory |
| 376 | * @param useSessionTickets {@code true} to enable session ticket support on this socket. |
| 377 | * @throws IllegalArgumentException if the socket was not created by this factory. |
| 378 | */ |
| 379 | public void setUseSessionTickets(Socket socket, boolean useSessionTickets) { |
| 380 | castToOpenSSLSocket(socket).setUseSessionTickets(useSessionTickets); |
| 381 | } |
| 382 | |
| 383 | /** |
| 384 | * Turns on <a href="http://tools.ietf.org/html/rfc6066#section-3">Server |
| 385 | * Name Indication (SNI)</a> on a given socket. |
| 386 | * |
| 387 | * @param socket a socket created by this factory. |
| 388 | * @param hostName the desired SNI hostname, null to disable. |
| 389 | * @throws IllegalArgumentException if the socket was not created by this factory. |
| 390 | */ |
| 391 | public void setHostname(Socket socket, String hostName) { |
| 392 | castToOpenSSLSocket(socket).setHostname(hostName); |
| 393 | } |
| 394 | |
Brian Carlstrom | 7ab7a8b | 2012-09-21 16:33:50 -0700 | [diff] [blame] | 395 | /** |
| 396 | * Sets this socket's SO_SNDTIMEO write timeout in milliseconds. |
| 397 | * Use 0 for no timeout. |
| 398 | * To take effect, this option must be set before the blocking method was called. |
| 399 | * |
| 400 | * @param socket a socket created by this factory. |
Brian Carlstrom | 992f238 | 2012-09-26 14:33:47 -0700 | [diff] [blame] | 401 | * @param timeout the desired write timeout in milliseconds. |
Brian Carlstrom | 7ab7a8b | 2012-09-21 16:33:50 -0700 | [diff] [blame] | 402 | * @throws IllegalArgumentException if the socket was not created by this factory. |
Brian Carlstrom | 992f238 | 2012-09-26 14:33:47 -0700 | [diff] [blame] | 403 | * |
| 404 | * @hide |
Brian Carlstrom | 7ab7a8b | 2012-09-21 16:33:50 -0700 | [diff] [blame] | 405 | */ |
| 406 | public void setSoWriteTimeout(Socket socket, int writeTimeoutMilliseconds) |
| 407 | throws SocketException { |
| 408 | castToOpenSSLSocket(socket).setSoWriteTimeout(writeTimeoutMilliseconds); |
| 409 | } |
| 410 | |
Narayan Kamath | b4db962 | 2012-09-17 17:59:00 +0100 | [diff] [blame] | 411 | private static OpenSSLSocketImpl castToOpenSSLSocket(Socket socket) { |
| 412 | if (!(socket instanceof OpenSSLSocketImpl)) { |
| 413 | throw new IllegalArgumentException("Socket not created by this factory: " |
| 414 | + socket); |
| 415 | } |
| 416 | |
| 417 | return (OpenSSLSocketImpl) socket; |
| 418 | } |
Ben Komalo | 1b52806 | 2011-05-03 09:40:15 -0700 | [diff] [blame] | 419 | |
| 420 | /** |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 421 | * {@inheritDoc} |
| 422 | * |
Andrew Stadler | df27c0c | 2010-07-12 15:31:40 -0700 | [diff] [blame] | 423 | * <p>This method verifies the peer's certificate hostname after connecting |
| 424 | * (unless created with {@link #getInsecure(int, SSLSessionCache)}). |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 425 | */ |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 426 | @Override |
| 427 | public Socket createSocket(Socket k, String host, int port, boolean close) throws IOException { |
| 428 | OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(k, host, port, close); |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 429 | s.setNpnProtocols(mNpnProtocols); |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 430 | s.setAlpnProtocols(mAlpnProtocols); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 431 | s.setHandshakeTimeout(mHandshakeTimeoutMillis); |
Alex Klyubin | 4ef6c9b | 2013-01-18 12:50:39 -0800 | [diff] [blame] | 432 | s.setChannelIdPrivateKey(mChannelIdPrivateKey); |
Costin Manolache | 007392a | 2013-10-11 11:43:33 -0700 | [diff] [blame] | 433 | s.setHostname(host); |
Andrew Stadler | df27c0c | 2010-07-12 15:31:40 -0700 | [diff] [blame] | 434 | if (mSecure) { |
| 435 | verifyHostname(s, host); |
| 436 | } |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 437 | return s; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 438 | } |
| 439 | |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 440 | /** |
| 441 | * Creates a new socket which is not connected to any remote host. |
| 442 | * You must use {@link Socket#connect} to connect the socket. |
| 443 | * |
| 444 | * <p class="caution"><b>Warning:</b> Hostname verification is not performed |
| 445 | * with this method. You MUST verify the server's identity after connecting |
| 446 | * the socket to avoid man-in-the-middle attacks.</p> |
| 447 | */ |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 448 | @Override |
| 449 | public Socket createSocket() throws IOException { |
| 450 | OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(); |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 451 | s.setNpnProtocols(mNpnProtocols); |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 452 | s.setAlpnProtocols(mAlpnProtocols); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 453 | s.setHandshakeTimeout(mHandshakeTimeoutMillis); |
Alex Klyubin | 4ef6c9b | 2013-01-18 12:50:39 -0800 | [diff] [blame] | 454 | s.setChannelIdPrivateKey(mChannelIdPrivateKey); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 455 | return s; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 456 | } |
| 457 | |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 458 | /** |
| 459 | * {@inheritDoc} |
| 460 | * |
| 461 | * <p class="caution"><b>Warning:</b> Hostname verification is not performed |
| 462 | * with this method. You MUST verify the server's identity after connecting |
| 463 | * the socket to avoid man-in-the-middle attacks.</p> |
| 464 | */ |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 465 | @Override |
| 466 | public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) |
| 467 | throws IOException { |
| 468 | OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket( |
| 469 | addr, port, localAddr, localPort); |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 470 | s.setNpnProtocols(mNpnProtocols); |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 471 | s.setAlpnProtocols(mAlpnProtocols); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 472 | s.setHandshakeTimeout(mHandshakeTimeoutMillis); |
Alex Klyubin | 4ef6c9b | 2013-01-18 12:50:39 -0800 | [diff] [blame] | 473 | s.setChannelIdPrivateKey(mChannelIdPrivateKey); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 474 | return s; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 475 | } |
| 476 | |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 477 | /** |
| 478 | * {@inheritDoc} |
| 479 | * |
| 480 | * <p class="caution"><b>Warning:</b> Hostname verification is not performed |
| 481 | * with this method. You MUST verify the server's identity after connecting |
| 482 | * the socket to avoid man-in-the-middle attacks.</p> |
| 483 | */ |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 484 | @Override |
| 485 | public Socket createSocket(InetAddress addr, int port) throws IOException { |
| 486 | OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(addr, port); |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 487 | s.setNpnProtocols(mNpnProtocols); |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 488 | s.setAlpnProtocols(mAlpnProtocols); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 489 | s.setHandshakeTimeout(mHandshakeTimeoutMillis); |
Alex Klyubin | 4ef6c9b | 2013-01-18 12:50:39 -0800 | [diff] [blame] | 490 | s.setChannelIdPrivateKey(mChannelIdPrivateKey); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 491 | return s; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 492 | } |
| 493 | |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 494 | /** |
| 495 | * {@inheritDoc} |
| 496 | * |
Andrew Stadler | df27c0c | 2010-07-12 15:31:40 -0700 | [diff] [blame] | 497 | * <p>This method verifies the peer's certificate hostname after connecting |
| 498 | * (unless created with {@link #getInsecure(int, SSLSessionCache)}). |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 499 | */ |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 500 | @Override |
| 501 | public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) |
| 502 | throws IOException { |
| 503 | OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket( |
| 504 | host, port, localAddr, localPort); |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 505 | s.setNpnProtocols(mNpnProtocols); |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 506 | s.setAlpnProtocols(mAlpnProtocols); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 507 | s.setHandshakeTimeout(mHandshakeTimeoutMillis); |
Alex Klyubin | 4ef6c9b | 2013-01-18 12:50:39 -0800 | [diff] [blame] | 508 | s.setChannelIdPrivateKey(mChannelIdPrivateKey); |
Andrew Stadler | df27c0c | 2010-07-12 15:31:40 -0700 | [diff] [blame] | 509 | if (mSecure) { |
| 510 | verifyHostname(s, host); |
| 511 | } |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 512 | return s; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 513 | } |
| 514 | |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 515 | /** |
| 516 | * {@inheritDoc} |
| 517 | * |
Andrew Stadler | df27c0c | 2010-07-12 15:31:40 -0700 | [diff] [blame] | 518 | * <p>This method verifies the peer's certificate hostname after connecting |
| 519 | * (unless created with {@link #getInsecure(int, SSLSessionCache)}). |
Dan Egnor | 7fc93c3 | 2010-06-29 17:51:28 -0700 | [diff] [blame] | 520 | */ |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 521 | @Override |
| 522 | public Socket createSocket(String host, int port) throws IOException { |
| 523 | OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(host, port); |
Jesse Wilson | f5fb5e8 | 2012-03-23 15:55:03 -0400 | [diff] [blame] | 524 | s.setNpnProtocols(mNpnProtocols); |
Kenny Root | 100d729 | 2013-06-25 12:00:34 -0700 | [diff] [blame] | 525 | s.setAlpnProtocols(mAlpnProtocols); |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 526 | s.setHandshakeTimeout(mHandshakeTimeoutMillis); |
Alex Klyubin | 4ef6c9b | 2013-01-18 12:50:39 -0800 | [diff] [blame] | 527 | s.setChannelIdPrivateKey(mChannelIdPrivateKey); |
Andrew Stadler | df27c0c | 2010-07-12 15:31:40 -0700 | [diff] [blame] | 528 | if (mSecure) { |
| 529 | verifyHostname(s, host); |
| 530 | } |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 531 | return s; |
| 532 | } |
| 533 | |
| 534 | @Override |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 535 | public String[] getDefaultCipherSuites() { |
Alex Klyubin | 019118a | 2013-10-28 16:16:38 -0700 | [diff] [blame] | 536 | return getDelegate().getDefaultCipherSuites(); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 537 | } |
| 538 | |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 539 | @Override |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 540 | public String[] getSupportedCipherSuites() { |
Dan Egnor | 60586f2 | 2010-02-08 21:56:38 -0800 | [diff] [blame] | 541 | return getDelegate().getSupportedCipherSuites(); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 542 | } |
| 543 | } |