SSLCertificateSocketFactory.java revision 9066cfe9886ac131c34d59ed0e2d287b0e3c0087
19066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/* 29066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Copyright (C) 2008 The Android Open Source Project 39066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 49066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Licensed under the Apache License, Version 2.0 (the "License"); 59066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * you may not use this file except in compliance with the License. 69066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * You may obtain a copy of the License at 79066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 89066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * http://www.apache.org/licenses/LICENSE-2.0 99066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Unless required by applicable law or agreed to in writing, software 119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * distributed under the License is distributed on an "AS IS" BASIS, 129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * See the License for the specific language governing permissions and 149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * limitations under the License. 159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectpackage android.net; 189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 199066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport android.net.http.DomainNameChecker; 209066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport android.os.SystemProperties; 219066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport android.util.Config; 229066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport android.util.Log; 239066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 249066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.io.IOException; 259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.net.InetAddress; 269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.net.Socket; 279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.GeneralSecurityException; 289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.KeyManagementException; 299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.KeyStore; 309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.KeyStoreException; 319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.NoSuchAlgorithmException; 329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.Certificate; 339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport java.security.cert.X509Certificate; 349066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.SocketFactory; 369066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSocket; 379066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.SSLSocketFactory; 389066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.TrustManager; 399066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.TrustManagerFactory; 409066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport javax.net.ssl.X509TrustManager; 419066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport org.apache.harmony.xnet.provider.jsse.SSLClientSessionCache; 439066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectimport org.apache.harmony.xnet.provider.jsse.SSLContextImpl; 449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 459066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project/** 469066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * SSLSocketFactory that provides optional (on debug devices, only) skipping of ssl certificfate 479066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * chain validation and custom read timeouts used just when connecting to the server/negotiating 489066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * an ssl session. 499066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 509066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * You can skip the ssl certificate checking at runtime by setting socket.relaxsslcheck=yes on 519066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * devices that do not have have ro.secure set. 529066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 539066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Projectpublic class SSLCertificateSocketFactory extends SSLSocketFactory { 549066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private static final String LOG_TAG = "SSLCertificateSocketFactory"; 569066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 579066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private static X509TrustManager sDefaultTrustManager; 589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project static { 609066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); 629066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project tmf.init((KeyStore)null); 639066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project TrustManager[] tms = tmf.getTrustManagers(); 649066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (tms != null) { 659066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project for (TrustManager tm : tms) { 669066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (tm instanceof X509TrustManager) { 679066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sDefaultTrustManager = (X509TrustManager)tm; 689066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project break; 699066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 709066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 719066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 729066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (NoSuchAlgorithmException e) { 739066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.e(LOG_TAG, "Unable to get X509 Trust Manager ", e); 749066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (KeyStoreException e) { 759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.e(LOG_TAG, "Key Store exception while initializing TrustManagerFactory ", e); 769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 789066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 799066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private static final TrustManager[] TRUST_MANAGER = new TrustManager[] { 809066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project new X509TrustManager() { 819066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public X509Certificate[] getAcceptedIssuers() { 829066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return null; 839066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 849066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 859066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public void checkClientTrusted(X509Certificate[] certs, 869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String authType) { } 879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public void checkServerTrusted(X509Certificate[] certs, 899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String authType) { } 909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project }; 929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private final SSLSocketFactory mFactory; 949066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 959066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private final int mSocketReadTimeoutForSslHandshake; 969066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 979066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 989066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Do not use this constructor (will be deprecated). Use {@link #getDefault(int)} instead. 999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 1009066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public SSLCertificateSocketFactory(int socketReadTimeoutForSslHandshake) 1019066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws NoSuchAlgorithmException, KeyManagementException { 1029066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project this(socketReadTimeoutForSslHandshake, null /* cache */); 1039066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1049066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1059066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private SSLCertificateSocketFactory(int socketReadTimeoutForSslHandshake, 1069066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLClientSessionCache cache) throws NoSuchAlgorithmException, KeyManagementException { 1079066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLContextImpl sslContext = new SSLContextImpl(); 1089066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslContext.engineInit(null /* kms */, 1099066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project TRUST_MANAGER, new java.security.SecureRandom(), 1109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project cache /* client cache */, null /* server cache */); 1119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project this.mFactory = sslContext.engineGetSocketFactory(); 1129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project this.mSocketReadTimeoutForSslHandshake = socketReadTimeoutForSslHandshake; 1139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 1169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Returns a new instance of a socket factory using the specified socket read 1179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * timeout while connecting with the server/negotiating an ssl session. 1189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 1199066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param socketReadTimeoutForSslHandshake the socket read timeout used for performing 1209066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * ssl handshake. The socket read timeout is set back to 0 after the handshake. 1219066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @return a new SocketFactory, or null on error 1229066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 1239066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public static SocketFactory getDefault(int socketReadTimeoutForSslHandshake) { 1249066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return getDefault(socketReadTimeoutForSslHandshake, null /* cache */); 1259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project /** 1289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Returns a new instance of a socket factory using the specified socket read 1299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * timeout while connecting with the server/negotiating an ssl session. 1309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * Persists ssl sessions using the provided {@link SSLClientSessionCache}. 1319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 1329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param socketReadTimeoutForSslHandshake the socket read timeout used for performing 1339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * ssl handshake. The socket read timeout is set back to 0 after the handshake. 1349066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @param cache The {@link SSLClientSessionCache} to use, if any. 1359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @return a new SocketFactory, or null on error 1369066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * 1379066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project * @hide 1389066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project */ 1399066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public static SocketFactory getDefault(int socketReadTimeoutForSslHandshake, 1409066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLClientSessionCache cache) { 1419066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 1429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return new SSLCertificateSocketFactory(socketReadTimeoutForSslHandshake, cache); 1439066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (NoSuchAlgorithmException e) { 1449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.e(LOG_TAG, 1459066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project "SSLCertifcateSocketFactory.getDefault" + 1469066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project " NoSuchAlgorithmException " , e); 1479066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return null; 1489066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (KeyManagementException e) { 1499066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.e(LOG_TAG, 1509066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project "SSLCertifcateSocketFactory.getDefault" + 1519066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project " KeyManagementException " , e); 1529066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return null; 1539066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1549066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1569066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private boolean hasValidCertificateChain(Certificate[] certs) 1579066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException { 1589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (sDefaultTrustManager == null) { 1599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (Config.LOGD) { 1609066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.d(LOG_TAG,"hasValidCertificateChain():" + 1619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project " null default trust manager!"); 1629066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1639066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new IOException("null default trust manager"); 1649066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1659066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1669066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project boolean trusted = (certs != null && (certs.length > 0)); 1679066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1689066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (trusted) { 1699066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project try { 1709066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // the authtype we pass in doesn't actually matter 1719066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sDefaultTrustManager.checkServerTrusted((X509Certificate[]) certs, "RSA"); 1729066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } catch (GeneralSecurityException e) { 1739066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String exceptionMessage = e != null ? e.getMessage() : "none"; 1749066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (Config.LOGD) { 1759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.d(LOG_TAG,"hasValidCertificateChain(): sec. exception: " 1769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project + exceptionMessage); 1779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1789066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project trusted = false; 1799066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1809066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1819066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1829066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return trusted; 1839066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1849066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1859066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project private void validateSocket(SSLSocket sslSock, String destHost) 1869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException 1879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project { 1889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (Config.LOGV) { 1899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.v(LOG_TAG,"validateSocket() to host "+destHost); 1909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 1919066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1929066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String relaxSslCheck = SystemProperties.get("socket.relaxsslcheck"); 1939066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project String secure = SystemProperties.get("ro.secure"); 1949066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 1959066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // only allow relaxing the ssl check on non-secure builds where the relaxation is 1969066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // specifically requested. 1979066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if ("0".equals(secure) && "yes".equals(relaxSslCheck)) { 1989066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (Config.LOGD) { 1999066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.d(LOG_TAG,"sys prop socket.relaxsslcheck is set," + 2009066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project " ignoring invalid certs"); 2019066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2029066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return; 2039066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2049066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2059066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Certificate[] certs = null; 2069066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSock.setUseClientMode(true); 2079066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSock.startHandshake(); 2089066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project certs = sslSock.getSession().getPeerCertificates(); 2099066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2109066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // check that the root certificate in the chain belongs to 2119066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project // a CA we trust 2129066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (certs == null) { 2139066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.e(LOG_TAG, 2149066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project "[SSLCertificateSocketFactory] no trusted root CA"); 2159066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new IOException("no trusted root CA"); 2169066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2179066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2189066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (Config.LOGV) { 2199066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.v(LOG_TAG,"validateSocket # certs = " +certs.length); 2209066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2219066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2229066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (!hasValidCertificateChain(certs)) { 2239066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (Config.LOGD) { 2249066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.d(LOG_TAG,"validateSocket(): certificate untrusted!"); 2259066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2269066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new IOException("Certificate untrusted"); 2279066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2289066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2299066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project X509Certificate lastChainCert = (X509Certificate) certs[0]; 2309066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2319066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (!DomainNameChecker.match(lastChainCert, destHost)) { 2329066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (Config.LOGD) { 2339066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project Log.d(LOG_TAG,"validateSocket(): domain name check failed"); 2349066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2359066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new IOException("Domain Name check failed"); 2369066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2379066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2389066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2399066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public Socket createSocket(Socket socket, String s, int i, boolean flag) 2409066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException 2419066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project { 2429066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new IOException("Cannot validate certification without a hostname"); 2439066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2449066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2459066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public Socket createSocket(InetAddress inaddr, int i, InetAddress inaddr2, int j) 2469066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throws IOException 2479066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project { 2489066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new IOException("Cannot validate certification without a hostname"); 2499066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2509066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2519066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public Socket createSocket(InetAddress inaddr, int i) throws IOException { 2529066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project throw new IOException("Cannot validate certification without a hostname"); 2539066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2549066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2559066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public Socket createSocket(String s, int i, InetAddress inaddr, int j) throws IOException { 2569066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSocket sslSock = (SSLSocket) mFactory.createSocket(s, i, inaddr, j); 2579066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2589066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (mSocketReadTimeoutForSslHandshake >= 0) { 2599066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSock.setSoTimeout(mSocketReadTimeoutForSslHandshake); 2609066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2619066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2629066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project validateSocket(sslSock,s); 2639066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSock.setSoTimeout(0); 2649066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2659066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return sslSock; 2669066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2679066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2689066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public Socket createSocket(String s, int i) throws IOException { 2699066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project SSLSocket sslSock = (SSLSocket) mFactory.createSocket(s, i); 2709066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2719066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project if (mSocketReadTimeoutForSslHandshake >= 0) { 2729066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSock.setSoTimeout(mSocketReadTimeoutForSslHandshake); 2739066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2749066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2759066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project validateSocket(sslSock,s); 2769066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project sslSock.setSoTimeout(0); 2779066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2789066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return sslSock; 2799066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2809066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2819066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public String[] getDefaultCipherSuites() { 2829066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return mFactory.getSupportedCipherSuites(); 2839066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2849066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2859066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project public String[] getSupportedCipherSuites() { 2869066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project return mFactory.getSupportedCipherSuites(); 2879066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project } 2889066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project} 2899066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 2909066cfe9886ac131c34d59ed0e2d287b0e3c0087The Android Open Source Project 291