The Tor Browser: mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ssl/SSLSocketFactory.java@6474c204b198 (annotated)

mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ssl/SSLSocketFactory.java@6474c204b198 (annotated)

mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ssl/SSLSocketFactory.java

Wed, 31 Dec 2014 06:09:35 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:09:35 +0100
changeset 0: 6474c204b198
permissions: -rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

 /*
  * ====================================================================
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  * ====================================================================
  *
  * This software consists of voluntary contributions made by many
  * individuals on behalf of the Apache Software Foundation.  For more
  * information on the Apache Software Foundation, please see
  * <http://www.apache.org/>.
  *
  */
 package ch.boye.httpclientandroidlib.conn.ssl;
 import ch.boye.httpclientandroidlib.annotation.ThreadSafe;
 import ch.boye.httpclientandroidlib.conn.ConnectTimeoutException;
 import ch.boye.httpclientandroidlib.conn.scheme.HostNameResolver;
 import ch.boye.httpclientandroidlib.conn.scheme.LayeredSchemeSocketFactory;
 import ch.boye.httpclientandroidlib.conn.scheme.LayeredSocketFactory;
 import ch.boye.httpclientandroidlib.params.HttpConnectionParams;
 import ch.boye.httpclientandroidlib.params.HttpParams;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.net.SocketTimeoutException;
 import java.net.UnknownHostException;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
 /**
  * Layered socket factory for TLS/SSL connections.
  * <p>
  * SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of
  * trusted certificates and to authenticate to the HTTPS server using a private key.
  * <p>
  * SSLSocketFactory will enable server authentication when supplied with
  * a {@link KeyStore trust-store} file containing one or several trusted certificates. The client
  * secure socket will reject the connection during the SSL session handshake if the target HTTPS
  * server attempts to authenticate itself with a non-trusted certificate.
  * <p>
  * Use JDK keytool utility to import a trusted certificate and generate a trust-store file:
  *    <pre>
  *     keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
  *    </pre>
  * <p>
  * In special cases the standard trust verification process can be bypassed by using a custom
  * {@link TrustStrategy}. This interface is primarily intended for allowing self-signed
  * certificates to be accepted as trusted without having to add them to the trust-store file.
  * <p>
  * The following parameters can be used to customize the behavior of this
  * class:
  * <ul>
  *  <li>{@link ch.boye.httpclientandroidlib.params.CoreConnectionPNames#CONNECTION_TIMEOUT}</li>
  *  <li>{@link ch.boye.httpclientandroidlib.params.CoreConnectionPNames#SO_TIMEOUT}</li>
  *  <li>{@link ch.boye.httpclientandroidlib.params.CoreConnectionPNames#SO_REUSEADDR}</li>
  * </ul>
  * <p>
  * SSLSocketFactory will enable client authentication when supplied with
  * a {@link KeyStore key-store} file containing a private key/public certificate
  * pair. The client secure socket will use the private key to authenticate
  * itself to the target HTTPS server during the SSL session handshake if
  * requested to do so by the server.
  * The target HTTPS server will in its turn verify the certificate presented
  * by the client in order to establish client's authenticity
  * <p>
  * Use the following sequence of actions to generate a key-store file
  * </p>
  *   <ul>
  *     <li>
  *      <p>
  *      Use JDK keytool utility to generate a new key
  *      <pre>keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore</pre>
  *      For simplicity use the same password for the key as that of the key-store
  *      </p>
  *     </li>
  *     <li>
  *      <p>
  *      Issue a certificate signing request (CSR)
  *      <pre>keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore</pre>
  *     </p>
  *     </li>
  *     <li>
  *      <p>
  *      Send the certificate request to the trusted Certificate Authority for signature.
  *      One may choose to act as her own CA and sign the certificate request using a PKI
  *      tool, such as OpenSSL.
  *      </p>
  *     </li>
  *     <li>
  *      <p>
  *       Import the trusted CA root certificate
  *       <pre>keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore</pre>
  *      </p>
  *     </li>
  *     <li>
  *      <p>
  *       Import the PKCS#7 file containg the complete certificate chain
  *       <pre>keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore</pre>
  *      </p>
  *     </li>
  *     <li>
  *      <p>
  *       Verify the content the resultant keystore file
  *       <pre>keytool -list -v -keystore my.keystore</pre>
  *      </p>
  *     </li>
  *   </ul>
  *
  * @since 4.0
  */
 @SuppressWarnings("deprecation")
 @ThreadSafe
 public class SSLSocketFactory implements LayeredSchemeSocketFactory, LayeredSocketFactory {
     public static final String TLS   = "TLS";
     public static final String SSL   = "SSL";
     public static final String SSLV2 = "SSLv2";
     public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER
         = new AllowAllHostnameVerifier();
     public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
         = new BrowserCompatHostnameVerifier();
     public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER
         = new StrictHostnameVerifier();
     /**
      * Gets the default factory, which uses the default JVM settings for secure
      * connections.
      *
      * @return the default factory
      */
     public static SSLSocketFactory getSocketFactory() {
         return new SSLSocketFactory();
     }
     private final javax.net.ssl.SSLSocketFactory socketfactory;
     private final HostNameResolver nameResolver;
     // TODO: make final
     private volatile X509HostnameVerifier hostnameVerifier;
     private static SSLContext createSSLContext(
             String algorithm,
             final KeyStore keystore,
             final String keystorePassword,
             final KeyStore truststore,
             final SecureRandom random,
             final TrustStrategy trustStrategy)
                 throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException, KeyManagementException {
         if (algorithm == null) {
             algorithm = TLS;
         }
         KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(
                 KeyManagerFactory.getDefaultAlgorithm());
         kmfactory.init(keystore, keystorePassword != null ? keystorePassword.toCharArray(): null);
         KeyManager[] keymanagers =  kmfactory.getKeyManagers();
         TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(
                 TrustManagerFactory.getDefaultAlgorithm());
         tmfactory.init(truststore);
         TrustManager[] trustmanagers = tmfactory.getTrustManagers();
         if (trustmanagers != null && trustStrategy != null) {
             for (int i = 0; i < trustmanagers.length; i++) {
                 TrustManager tm = trustmanagers[i];
                 if (tm instanceof X509TrustManager) {
                     trustmanagers[i] = new TrustManagerDecorator(
                             (X509TrustManager) tm, trustStrategy);
                 }
             }
         }
         SSLContext sslcontext = SSLContext.getInstance(algorithm);
         sslcontext.init(keymanagers, trustmanagers, random);
         return sslcontext;
     }
     private static SSLContext createDefaultSSLContext() {
         try {
             return createSSLContext(TLS, null, null, null, null, null);
         } catch (Exception ex) {
             throw new IllegalStateException("Failure initializing default SSL context", ex);
         }
     }
     /**
      * @deprecated Use {@link #SSLSocketFactory(String, KeyStore, String, KeyStore, SecureRandom, X509HostnameVerifier)}
      */
     @Deprecated
     public SSLSocketFactory(
             final String algorithm,
             final KeyStore keystore,
             final String keystorePassword,
             final KeyStore truststore,
             final SecureRandom random,
             final HostNameResolver nameResolver)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(createSSLContext(
                 algorithm, keystore, keystorePassword, truststore, random, null),
                 nameResolver);
     }
     /**
      * @since 4.1
      */
     public SSLSocketFactory(
             String algorithm,
             final KeyStore keystore,
             final String keystorePassword,
             final KeyStore truststore,
             final SecureRandom random,
             final X509HostnameVerifier hostnameVerifier)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(createSSLContext(
                 algorithm, keystore, keystorePassword, truststore, random, null),
                 hostnameVerifier);
     }
     /**
      * @since 4.1
      */
     public SSLSocketFactory(
             String algorithm,
             final KeyStore keystore,
             final String keystorePassword,
             final KeyStore truststore,
             final SecureRandom random,
             final TrustStrategy trustStrategy,
             final X509HostnameVerifier hostnameVerifier)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(createSSLContext(
                 algorithm, keystore, keystorePassword, truststore, random, trustStrategy),
                 hostnameVerifier);
     }
     public SSLSocketFactory(
             final KeyStore keystore,
             final String keystorePassword,
             final KeyStore truststore)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(TLS, keystore, keystorePassword, truststore, null, null, BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
     }
     public SSLSocketFactory(
             final KeyStore keystore,
             final String keystorePassword)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException{
         this(TLS, keystore, keystorePassword, null, null, null, BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
     }
     public SSLSocketFactory(
             final KeyStore truststore)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(TLS, null, null, truststore, null, null, BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
     }
     /**
      * @since 4.1
      */
     public SSLSocketFactory(
             final TrustStrategy trustStrategy,
             final X509HostnameVerifier hostnameVerifier)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(TLS, null, null, null, null, trustStrategy, hostnameVerifier);
     }
     /**
      * @since 4.1
      */
     public SSLSocketFactory(
             final TrustStrategy trustStrategy)
                 throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         this(TLS, null, null, null, null, trustStrategy, BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
     }
     public SSLSocketFactory(final SSLContext sslContext) {
         this(sslContext, BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
     }
     /**
      * @deprecated Use {@link #SSLSocketFactory(SSLContext)}
      */
     @Deprecated
     public SSLSocketFactory(
             final SSLContext sslContext, final HostNameResolver nameResolver) {
         super();
         this.socketfactory = sslContext.getSocketFactory();
         this.hostnameVerifier = BROWSER_COMPATIBLE_HOSTNAME_VERIFIER;
         this.nameResolver = nameResolver;
     }
     /**
      * @since 4.1
      */
     public SSLSocketFactory(
             final SSLContext sslContext, final X509HostnameVerifier hostnameVerifier) {
         super();
         this.socketfactory = sslContext.getSocketFactory();
         this.hostnameVerifier = hostnameVerifier;
         this.nameResolver = null;
     }
     private SSLSocketFactory() {
         this(createDefaultSSLContext());
     }
     /**
      * @param params Optional parameters. Parameters passed to this method will have no effect.
      *               This method will create a unconnected instance of {@link Socket} class.
      * @since 4.1
      */
     public Socket createSocket(final HttpParams params) throws IOException {
         return this.socketfactory.createSocket();
     }
     @Deprecated
     public Socket createSocket() throws IOException {
         return this.socketfactory.createSocket();
     }
     /**
      * @since 4.1
      */
     public Socket connectSocket(
             final Socket socket,
             final InetSocketAddress remoteAddress,
             final InetSocketAddress localAddress,
             final HttpParams params) throws IOException, UnknownHostException, ConnectTimeoutException {
         if (remoteAddress == null) {
             throw new IllegalArgumentException("Remote address may not be null");
         }
         if (params == null) {
             throw new IllegalArgumentException("HTTP parameters may not be null");
         }
         Socket sock = socket != null ? socket : new Socket();
         if (localAddress != null) {
             sock.setReuseAddress(HttpConnectionParams.getSoReuseaddr(params));
             sock.bind(localAddress);
         }
         int connTimeout = HttpConnectionParams.getConnectionTimeout(params);
         int soTimeout = HttpConnectionParams.getSoTimeout(params);
         try {
             sock.setSoTimeout(soTimeout);
             sock.connect(remoteAddress, connTimeout);
         } catch (SocketTimeoutException ex) {
             throw new ConnectTimeoutException("Connect to " + remoteAddress + " timed out");
         }
         // HttpInetSocketAddress#toString() returns original hostname value of the remote address
         String hostname = remoteAddress.toString();
         int port = remoteAddress.getPort();
         String s = ":" + port;
         if (hostname.endsWith(s)) {
             hostname = hostname.substring(0, hostname.length() - s.length());
         }
         SSLSocket sslsock;
         // Setup SSL layering if necessary
         if (sock instanceof SSLSocket) {
             sslsock = (SSLSocket) sock;
         } else {
             sslsock = (SSLSocket) this.socketfactory.createSocket(sock, hostname, port, true);
         }
         if (this.hostnameVerifier != null) {
             try {
                 this.hostnameVerifier.verify(hostname, sslsock);
                 // verifyHostName() didn't blowup - good!
             } catch (IOException iox) {
                 // close the socket before re-throwing the exception
                 try { sslsock.close(); } catch (Exception x) { /*ignore*/ }
                 throw iox;
             }
         }
         return sslsock;
     }
     /**
      * Checks whether a socket connection is secure.
      * This factory creates TLS/SSL socket connections
      * which, by default, are considered secure.
      * <br/>
      * Derived classes may override this method to perform
      * runtime checks, for example based on the cypher suite.
      *
      * @param sock      the connected socket
      *
      * @return  <code>true</code>
      *
      * @throws IllegalArgumentException if the argument is invalid
      */
     public boolean isSecure(final Socket sock) throws IllegalArgumentException {
         if (sock == null) {
             throw new IllegalArgumentException("Socket may not be null");
         }
         // This instanceof check is in line with createSocket() above.
         if (!(sock instanceof SSLSocket)) {
             throw new IllegalArgumentException("Socket not created by this factory");
         }
         // This check is performed last since it calls the argument object.
         if (sock.isClosed()) {
             throw new IllegalArgumentException("Socket is closed");
         }
         return true;
     }
     /**
      * @since 4.1
      */
     public Socket createLayeredSocket(
         final Socket socket,
         final String host,
         final int port,
         final boolean autoClose) throws IOException, UnknownHostException {
         SSLSocket sslSocket = (SSLSocket) this.socketfactory.createSocket(
               socket,
               host,
               port,
               autoClose
         );
         if (this.hostnameVerifier != null) {
             this.hostnameVerifier.verify(host, sslSocket);
         }
         // verifyHostName() didn't blowup - good!
         return sslSocket;
     }
     @Deprecated
     public void setHostnameVerifier(X509HostnameVerifier hostnameVerifier) {
         if ( hostnameVerifier == null ) {
             throw new IllegalArgumentException("Hostname verifier may not be null");
         }
         this.hostnameVerifier = hostnameVerifier;
     }
     public X509HostnameVerifier getHostnameVerifier() {
         return this.hostnameVerifier;
     }
     /**
      * @deprecated Use {@link #connectSocket(Socket, InetSocketAddress, InetSocketAddress, HttpParams)}
      */
     @Deprecated
     public Socket connectSocket(
             final Socket socket,
             final String host, int port,
             final InetAddress localAddress, int localPort,
             final HttpParams params) throws IOException, UnknownHostException, ConnectTimeoutException {
         InetSocketAddress local = null;
         if (localAddress != null || localPort > 0) {
             // we need to bind explicitly
             if (localPort < 0) {
                 localPort = 0; // indicates "any"
             }
             local = new InetSocketAddress(localAddress, localPort);
         }
         InetAddress remoteAddress;
         if (this.nameResolver != null) {
             remoteAddress = this.nameResolver.resolve(host);
         } else {
             remoteAddress = InetAddress.getByName(host);
         }
         InetSocketAddress remote = new InetSocketAddress(remoteAddress, port);
         return connectSocket(socket, remote, local, params);
     }
     /**
      * @deprecated Use {@link #createLayeredSocket(Socket, String, int, boolean)}
      */
     @Deprecated
     public Socket createSocket(
             final Socket socket,
             final String host, int port,
             boolean autoClose) throws IOException, UnknownHostException {
         return createLayeredSocket(socket, host, port, autoClose);
     }
 }

The Tor Browser / annotate

mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ssl/SSLSocketFactory.java@6474c204b198 (annotated)

mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ssl/SSLSocketFactory.java