Enabled TLSv1.2 support on older Android versions

ricellis · ricellis · commit 4e3b35e17d87 · 2018-03-27T16:14:51.000+01:00
Added Android version and TLS support checks as well as a TLSv1.2 only
SSLSocketFactory to enable on older versions.
Moved default interceptors into CouchClient from ReplicatorBuilder.
Updated HttpTest that called HttpConnection directly to consume default
interceptors.
Refactored HttpTest slightly to simplify interceptor addition.
Updated replication tests for new assertions, due to interceptor
move to CouchClient.

Fixed up replication test base for new interceptor assertion sizes.

Added CHANGES entry.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,3 +1,7 @@
+# Unreleased
+- [IMPROVED] Forced a TLS1.2 `SSLSocketFactory` where possible on Android API versions < 20 (it is
+  already enabled by default on newer API levels).
+
 # 2.2.0 (2018-02-14)
 - [NEW] Added API for specifying a mango selector in the filtered pull replicator
 - [IMPROVED] Improved efficiency of sub-query when picking winning
diff --git a/cloudant-sync-datastore-core/src/main/java/com/cloudant/sync/internal/mazha/CouchClient.java b/cloudant-sync-datastore-core/src/main/java/com/cloudant/sync/internal/mazha/CouchClient.java
@@ -25,6 +25,8 @@
 import com.cloudant.http.HttpConnection;
 import com.cloudant.http.HttpConnectionRequestInterceptor;
 import com.cloudant.http.HttpConnectionResponseInterceptor;
+import com.cloudant.http.internal.interceptors.SSLCustomizerInterceptor;
+import com.cloudant.http.internal.interceptors.UserAgentInterceptor;
 import com.cloudant.sync.internal.common.RetriableTask;
 import com.cloudant.sync.internal.documentstore.DocumentRevsList;
 import com.cloudant.sync.internal.documentstore.MultipartAttachmentWriter;
@@ -39,11 +41,16 @@
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.lang.reflect.Type;
+import java.net.InetAddress;
+import java.net.Socket;
 import java.net.URI;
 import java.nio.charset.Charset;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -52,8 +59,25 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
 public class CouchClient {
 
+    public static final List<HttpConnectionRequestInterceptor> DEFAULT_REQUEST_INTERCEPTORS;
+
+     // Set up the defaults
+     static {
+         HttpConnectionRequestInterceptor ua_interceptor =
+                 new UserAgentInterceptor(CouchClient.class.getClassLoader(),
+                         "META-INF/com.cloudant.sync.client.properties");
+         HttpConnectionRequestInterceptor tlsInterceptor = checkAndGetTlsInterceptor();
+         DEFAULT_REQUEST_INTERCEPTORS = (tlsInterceptor != null) ?
+                 Arrays.asList(ua_interceptor, tlsInterceptor) :
+                 Collections.singletonList(ua_interceptor);
+     }
+
     private CouchURIHelper uriHelper;
     private List<HttpConnectionRequestInterceptor> requestInterceptors;
     private List<HttpConnectionResponseInterceptor> responseInterceptors;
@@ -66,6 +90,8 @@ public CouchClient(URI rootUri,
         this.requestInterceptors = new ArrayList<HttpConnectionRequestInterceptor>();
         this.responseInterceptors = new ArrayList<HttpConnectionResponseInterceptor>();
 
+        this.requestInterceptors.addAll(DEFAULT_REQUEST_INTERCEPTORS);
+
         if (requestInterceptors != null) {
             this.requestInterceptors.addAll(requestInterceptors);
         }
@@ -75,6 +101,121 @@ public CouchClient(URI rootUri,
         }
     }
 
+    private static SSLCustomizerInterceptor checkAndGetTlsInterceptor() {
+        // Some assistance for TLSv1.2 support. Two things we check before we try to force TLSv1.2
+        // so that we don't interfere with any other custom configuration that may have been
+        // provided:
+        //   i) are we running on Android, and an old version of Android (api level < 20 does not
+        //      have TLSv1.2 enabled by default)
+        //   ii) does the default SSLContext have TLSv1.2 enabled or available
+        if (Misc.isRunningOnAndroid()) {
+            // This block catches all exceptions from TLSv1.2 checks, if we get exceptions we bail
+            // with a RuntimeException
+            try {
+                // Get the API level reflectively so we don't need to import classes only available
+                // in Android
+                int androidApiLevel = Class.forName("android.os.Build$VERSION").getField
+                        ("SDK_INT").getInt(null);
+                // If we are on an old version of Android and TLSv1.2 has not been enabled already
+                // on the default context then we add a special interceptor
+                if (androidApiLevel < 20) {
+                    // Check i has passed we are on an old version of Android
+
+                    // Get the default SSLContext
+                    SSLContext defSslCtx = SSLContext.getDefault();
+
+                    // Check the default protocols for TLSv1.2
+                    if (!Arrays.asList(defSslCtx.getDefaultSSLParameters().getProtocols())
+                            .contains(TlsOnlySslSocketFactory.TLSv12) &&
+                            Arrays.asList(defSslCtx.getSupportedSSLParameters().getProtocols())
+                                    .contains(TlsOnlySslSocketFactory.TLSv12)) {
+                        // Check ii has passed TLSv1.2 is not already enabled on the default context
+                        // but is supported on the default context so we can use it
+
+                        // In an ideal world we would also check the default SSLSocketFactory that
+                        // is set on the HttpsUrlConnection to see if that has been customized from
+                        // the default, but there isn't really a way to check this, equals is not
+                        // overridden on the SSLSocketFactory and there is no route back to the
+                        // SSLContext that generated the SSLSocketFactory.
+                        SSLContext sc = SSLContext.getInstance(TlsOnlySslSocketFactory.TLSv12);
+                        sc.init(null, null, null);
+                        // We add this interceptor, but it could be overridden by a later user
+                        // provided interceptor, so this shouldn't change anyone's existing
+                        // customizations.
+                        SSLSocketFactory s = sc.getSocketFactory();
+                        return new SSLCustomizerInterceptor(new TlsOnlySslSocketFactory(s));
+                    }
+                }
+            } catch (NoSuchAlgorithmException e) {
+                throw new RuntimeException(e);
+            } catch (NoSuchFieldException e) {
+                throw new RuntimeException(e);
+            } catch (IllegalAccessException e) {
+                throw new RuntimeException(e);
+            } catch (ClassNotFoundException e) {
+                throw new RuntimeException(e);
+            } catch (KeyManagementException e) {
+                throw new RuntimeException(e);
+            }
+        }
+        return null;
+    }
+
+    private static final class TlsOnlySslSocketFactory extends SSLSocketFactory {
+
+        private static final String TLSv12 = "TLSv1.2";
+        private static final String[] TLSv12Only = new String[]{TLSv12};
+        private final SSLSocketFactory delegate;
+
+        private TlsOnlySslSocketFactory(SSLSocketFactory delegate) {
+            this.delegate = delegate;
+        }
+
+        @Override
+        public String[] getDefaultCipherSuites() {
+            return delegate.getDefaultCipherSuites();
+        }
+
+        @Override
+        public String[] getSupportedCipherSuites() {
+            return delegate.getSupportedCipherSuites();
+        }
+
+        @Override
+        public Socket createSocket(Socket socket, String s, int i, boolean b) throws IOException {
+            return tlsOnlySocket(delegate.createSocket(socket, s, i, b));
+        }
+
+        @Override
+        public Socket createSocket(String s, int i) throws IOException {
+            return tlsOnlySocket(delegate.createSocket(s, i));
+        }
+
+        @Override
+        public Socket createSocket(String s, int i, InetAddress inetAddress, int i1) throws
+                IOException {
+            return tlsOnlySocket(delegate.createSocket(s, i, inetAddress, i1));
+        }
+
+        @Override
+        public Socket createSocket(InetAddress inetAddress, int i) throws IOException {
+            return tlsOnlySocket(delegate.createSocket(inetAddress, i));
+        }
+
+        @Override
+        public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress1, int
+                i1) throws IOException {
+            return tlsOnlySocket(delegate.createSocket(inetAddress, i, inetAddress1, i1));
+        }
+
+        private Socket tlsOnlySocket(Socket s) {
+            if (s instanceof SSLSocket) {
+                ((SSLSocket) s).setEnabledProtocols(TLSv12Only);
+            }
+            return s;
+        }
+    }
+
     public URI getRootUri() {
         return this.uriHelper.getRootUri();
     }
diff --git a/cloudant-sync-datastore-core/src/main/java/com/cloudant/sync/replication/ReplicatorBuilder.java b/cloudant-sync-datastore-core/src/main/java/com/cloudant/sync/replication/ReplicatorBuilder.java
@@ -18,7 +18,6 @@
 import com.cloudant.http.HttpConnectionResponseInterceptor;
 import com.cloudant.http.internal.interceptors.CookieInterceptor;
 import com.cloudant.http.internal.interceptors.IamCookieInterceptor;
-import com.cloudant.http.internal.interceptors.UserAgentInterceptor;
 import com.cloudant.sync.documentstore.DocumentStore;
 import com.cloudant.sync.internal.replication.PullStrategy;
 import com.cloudant.sync.internal.replication.PushStrategy;
@@ -40,10 +39,6 @@
 // S = Source Type, T = target Type, E = Extending class Type
 public abstract class ReplicatorBuilder<S, T, E> {
 
-    private static final UserAgentInterceptor USER_AGENT_INTERCEPTOR =
-            new UserAgentInterceptor(ReplicatorBuilder.class.getClassLoader(),
-                    "META-INF/com.cloudant.sync.client.properties");
-
     private T target;
 
     private S source;
@@ -62,10 +57,6 @@ public abstract class ReplicatorBuilder<S, T, E> {
 
     private String iamApiKey = null;
 
-    private ReplicatorBuilder() {
-        requestInterceptors.add(USER_AGENT_INTERCEPTOR);
-    }
-
     private int getDefaultPort(URI uri) {
 
         String uriProtocol = uri.getScheme();
diff --git a/cloudant-sync-datastore-core/src/test/java/com/cloudant/http/HttpTest.java b/cloudant-sync-datastore-core/src/test/java/com/cloudant/http/HttpTest.java
@@ -23,6 +23,7 @@
 import com.cloudant.sync.internal.util.JSONUtils;
 
 import org.junit.Assert;
+import org.junit.Before;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
@@ -40,6 +41,32 @@
 public class HttpTest extends CouchTestBase {
 
     private String data = "{\"hello\":\"world\"}";
+    private ByteArrayInputStream bis;
+
+    @Before
+    public void setupDataByteStream() {
+        this.bis = new ByteArrayInputStream(data.getBytes());
+    }
+
+    private HttpConnection postAndAssertNothingReadBeforeSettingBodyGenerator(CouchConfig config)
+            throws Exception {
+        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
+                "application/json");
+
+        // nothing read from stream
+        Assert.assertEquals(bis.available(), data.getBytes().length);
+
+        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
+            @Override
+            public InputStream getInputStream() {
+                return bis;
+            }
+        });
+        // This test invokes HttpConnection directly rather than via the CouchClient, so we need to
+        // force the addition of some default interceptors
+        conn.requestInterceptors.addAll(CouchClient.DEFAULT_REQUEST_INTERCEPTORS);
+        return conn;
+    }
 
     /*
      * Test "Expect: 100-Continue" header works as expected
@@ -54,21 +81,9 @@ public class HttpTest extends CouchTestBase {
      * whilst we are still writing).
      */
     @Test
-    public void testExpect100Continue() throws IOException {
+    public void testExpect100Continue() throws Exception {
         CouchConfig config = getCouchConfig("no_such_database");
-        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
-                "application/json");
-        final ByteArrayInputStream bis = new ByteArrayInputStream(data.getBytes());
-
-        // nothing read from stream
-        Assert.assertEquals(bis.available(), data.getBytes().length);
-
-        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
-            @Override
-            public InputStream getInputStream() {
-                return bis;
-            }
-        });
+        HttpConnection conn = postAndAssertNothingReadBeforeSettingBodyGenerator(config);
         boolean thrown = false;
         try {
             conn.execute();
@@ -87,24 +102,12 @@ public InputStream getInputStream() {
      * Basic test that we can write a document body by POSTing to a known database
      */
     @Test
-    public void testWriteToServerOk() throws IOException {
+    public void testWriteToServerOk() throws Exception {
         CouchConfig config = getCouchConfig("httptest" + System.currentTimeMillis());
         CouchClient client = new CouchClient(config.getRootUri(), config.getRequestInterceptors()
                 , config.getResponseInterceptors());
         client.createDb();
-        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
-                "application/json");
-        final ByteArrayInputStream bis = new ByteArrayInputStream(data.getBytes());
-
-        // nothing read from stream
-        Assert.assertEquals(bis.available(), data.getBytes().length);
-
-        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
-            @Override
-            public InputStream getInputStream() {
-                return bis;
-            }
-        });
+        HttpConnection conn = postAndAssertNothingReadBeforeSettingBodyGenerator(config);
         conn.execute();
 
         // stream was read to end
@@ -117,24 +120,12 @@ public InputStream getInputStream() {
      * without first calling execute()
      */
     @Test
-    public void testReadBeforeExecute() throws IOException {
+    public void testReadBeforeExecute() throws Exception {
         CouchConfig config = getCouchConfig("httptest" + System.currentTimeMillis());
         CouchClient client = new CouchClient(config.getRootUri(), config.getRequestInterceptors()
                 , config.getResponseInterceptors());
         client.createDb();
-        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
-                "application/json");
-        final ByteArrayInputStream bis = new ByteArrayInputStream(data.getBytes());
-
-        // nothing read from stream
-        Assert.assertEquals(bis.available(), data.getBytes().length);
-
-        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
-            @Override
-            public InputStream getInputStream() {
-                return bis;
-            }
-        });
+        HttpConnection conn = postAndAssertNothingReadBeforeSettingBodyGenerator(config);
         try {
             conn.responseAsString();
             Assert.fail("IOException not thrown as expected");
@@ -156,7 +147,7 @@ public InputStream getInputStream() {
     // be named cookie_test
     //
     @Test
-    public void testCookieAuthWithoutRetry() throws IOException {
+    public void testCookieAuthWithoutRetry() throws Exception {
 
         if (TestOptions.IGNORE_AUTH_HEADERS) {
             return;
@@ -168,21 +159,9 @@ public void testCookieAuthWithoutRetry() throws IOException {
                         .currentTimeMillis()).getRootUri().toString());
 
         CouchConfig config = getCouchConfig("cookie_test");
-        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
-                "application/json");
+        HttpConnection conn = postAndAssertNothingReadBeforeSettingBodyGenerator(config);
         conn.responseInterceptors.add(interceptor);
         conn.requestInterceptors.add(interceptor);
-        final ByteArrayInputStream bis = new ByteArrayInputStream(data.getBytes());
-
-        // nothing read from stream
-        Assert.assertEquals(bis.available(), data.getBytes().length);
-
-        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
-            @Override
-            public InputStream getInputStream() {
-                return bis;
-            }
-        });
         conn.execute();
 
         // stream was read to end
diff --git a/cloudant-sync-datastore-core/src/test/java/com/cloudant/sync/internal/replication/ReplicationTestBase.java b/cloudant-sync-datastore-core/src/test/java/com/cloudant/sync/internal/replication/ReplicationTestBase.java
