Merge pull request #576 from cloudant/force-tls1.2-on-old-android

Force tls1.2 on old android

Author: ricellis

AndroidTest/app/build.gradle

@@ -124,7 +124,7 @@ task(clearDeviceLog, type: AndroidExec) {
 task(pullDeviceLog, type: AndroidExec) {
     doFirst {
         def logPrefix = System.getenv('TEST_ENV_NAME')
-        if (logPrefix == null) logPrefix = UUID.randomUUID()
+        if (logPrefix == null) logPrefix = UUID.randomUUID().toString()
         standardOutput = new FileOutputStream(new File(reportsDir, logPrefix + "_logcat.log"), false)
     }
     commandLine "adb","logcat", "-d", "-v", "threadtime"

CHANGES.md

@@ -1,3 +1,7 @@
+# Unreleased
+- [IMPROVED] Forced a TLS1.2 `SSLSocketFactory` where possible on Android API versions < 20 (it is
+  already enabled by default on newer API levels).
+
 # 2.2.0 (2018-02-14)
 - [NEW] Added API for specifying a mango selector in the filtered pull replicator
 - [IMPROVED] Improved efficiency of sub-query when picking winning

cloudant-sync-datastore-core/src/main/java/com/cloudant/sync/internal/mazha/CouchClient.java

@@ -25,6 +25,8 @@
 import com.cloudant.http.HttpConnection;
 import com.cloudant.http.HttpConnectionRequestInterceptor;
 import com.cloudant.http.HttpConnectionResponseInterceptor;
+import com.cloudant.http.internal.interceptors.SSLCustomizerInterceptor;
+import com.cloudant.http.internal.interceptors.UserAgentInterceptor;
 import com.cloudant.sync.internal.common.RetriableTask;
 import com.cloudant.sync.internal.documentstore.DocumentRevsList;
 import com.cloudant.sync.internal.documentstore.MultipartAttachmentWriter;
@@ -39,11 +41,16 @@
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.lang.reflect.Type;
+import java.net.InetAddress;
+import java.net.Socket;
 import java.net.URI;
 import java.nio.charset.Charset;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -52,8 +59,25 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
 public class CouchClient {
 
+    public static final List<HttpConnectionRequestInterceptor> DEFAULT_REQUEST_INTERCEPTORS;
+
+     // Set up the defaults
+     static {
+         HttpConnectionRequestInterceptor ua_interceptor =
+                 new UserAgentInterceptor(CouchClient.class.getClassLoader(),
+                         "META-INF/com.cloudant.sync.client.properties");
+         HttpConnectionRequestInterceptor tlsInterceptor = checkAndGetTlsInterceptor();
+         DEFAULT_REQUEST_INTERCEPTORS = (tlsInterceptor != null) ?
+                 Arrays.asList(ua_interceptor, tlsInterceptor) :
+                 Collections.singletonList(ua_interceptor);
+     }
+
     private CouchURIHelper uriHelper;
     private List<HttpConnectionRequestInterceptor> requestInterceptors;
     private List<HttpConnectionResponseInterceptor> responseInterceptors;
@@ -66,6 +90,8 @@ public CouchClient(URI rootUri,
         this.requestInterceptors = new ArrayList<HttpConnectionRequestInterceptor>();
         this.responseInterceptors = new ArrayList<HttpConnectionResponseInterceptor>();
 
+        this.requestInterceptors.addAll(DEFAULT_REQUEST_INTERCEPTORS);
+
         if (requestInterceptors != null) {
             this.requestInterceptors.addAll(requestInterceptors);
         }
@@ -75,6 +101,121 @@ public CouchClient(URI rootUri,
         }
     }
 
+    private static SSLCustomizerInterceptor checkAndGetTlsInterceptor() {
+        // Some assistance for TLSv1.2 support. Two things we check before we try to force TLSv1.2
+        // so that we don't interfere with any other custom configuration that may have been
+        // provided:
+        //   i) are we running on Android, and an old version of Android (api level < 20 does not
+        //      have TLSv1.2 enabled by default)
+        //   ii) does the default SSLContext have TLSv1.2 enabled or available
+        if (Misc.isRunningOnAndroid()) {
+            // This block catches all exceptions from TLSv1.2 checks, if we get exceptions we bail
+            // with a RuntimeException
+            try {
+                // Get the API level reflectively so we don't need to import classes only available
+                // in Android
+                int androidApiLevel = Class.forName("android.os.Build$VERSION").getField
+                        ("SDK_INT").getInt(null);
+                // If we are on an old version of Android and TLSv1.2 has not been enabled already
+                // on the default context then we add a special interceptor
+                if (androidApiLevel < 20) {
+                    // Check i has passed we are on an old version of Android
+
+                    // Get the default SSLContext
+                    SSLContext defSslCtx = SSLContext.getDefault();
+
+                    // Check the default protocols for TLSv1.2
+                    if (!Arrays.asList(defSslCtx.getDefaultSSLParameters().getProtocols())
+                            .contains(TlsOnlySslSocketFactory.TLSv12) &&
+                            Arrays.asList(defSslCtx.getSupportedSSLParameters().getProtocols())
+                                    .contains(TlsOnlySslSocketFactory.TLSv12)) {
+                        // Check ii has passed TLSv1.2 is not already enabled on the default context
+                        // but is supported on the default context so we can use it
+
+                        // In an ideal world we would also check the default SSLSocketFactory that
+                        // is set on the HttpsUrlConnection to see if that has been customized from
+                        // the default, but there isn't really a way to check this, equals is not
+                        // overridden on the SSLSocketFactory and there is no route back to the
+                        // SSLContext that generated the SSLSocketFactory.
+                        SSLContext sc = SSLContext.getInstance(TlsOnlySslSocketFactory.TLSv12);
+                        sc.init(null, null, null);
+                        // We add this interceptor, but it could be overridden by a later user
+                        // provided interceptor, so this shouldn't change anyone's existing
+                        // customizations.
+                        SSLSocketFactory s = sc.getSocketFactory();
+                        return new SSLCustomizerInterceptor(new TlsOnlySslSocketFactory(s));
+                    }
+                }
+            } catch (NoSuchAlgorithmException e) {
+                throw new RuntimeException(e);
+            } catch (NoSuchFieldException e) {
+                throw new RuntimeException(e);
+            } catch (IllegalAccessException e) {
+                throw new RuntimeException(e);
+            } catch (ClassNotFoundException e) {
+                throw new RuntimeException(e);
+            } catch (KeyManagementException e) {
+                throw new RuntimeException(e);
+            }
+        }
+        return null;
+    }
+
+    private static final class TlsOnlySslSocketFactory extends SSLSocketFactory {
+
+        private static final String TLSv12 = "TLSv1.2";
+        private static final String[] TLSv12Only = new String[]{TLSv12};
+        private final SSLSocketFactory delegate;
+
+        private TlsOnlySslSocketFactory(SSLSocketFactory delegate) {
+            this.delegate = delegate;
+        }
+
+        @Override
+        public String[] getDefaultCipherSuites() {
+            return delegate.getDefaultCipherSuites();
+        }
+
+        @Override
+        public String[] getSupportedCipherSuites() {
+            return delegate.getSupportedCipherSuites();
+        }
+
+        @Override
+        public Socket createSocket(Socket socket, String s, int i, boolean b) throws IOException {
+            return tlsOnlySocket(delegate.createSocket(socket, s, i, b));
+        }
+
+        @Override
+        public Socket createSocket(String s, int i) throws IOException {
+            return tlsOnlySocket(delegate.createSocket(s, i));
+        }
+
+        @Override
+        public Socket createSocket(String s, int i, InetAddress inetAddress, int i1) throws
+                IOException {
+            return tlsOnlySocket(delegate.createSocket(s, i, inetAddress, i1));
+        }
+
+        @Override
+        public Socket createSocket(InetAddress inetAddress, int i) throws IOException {
+            return tlsOnlySocket(delegate.createSocket(inetAddress, i));
+        }
+
+        @Override
+        public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress1, int
+                i1) throws IOException {
+            return tlsOnlySocket(delegate.createSocket(inetAddress, i, inetAddress1, i1));
+        }
+
+        private Socket tlsOnlySocket(Socket s) {
+            if (s instanceof SSLSocket) {
+                ((SSLSocket) s).setEnabledProtocols(TLSv12Only);
+            }
+            return s;
+        }
+    }
+
     public URI getRootUri() {
         return this.uriHelper.getRootUri();
     }

cloudant-sync-datastore-core/src/main/java/com/cloudant/sync/replication/ReplicatorBuilder.java

@@ -18,7 +18,6 @@
 import com.cloudant.http.HttpConnectionResponseInterceptor;
 import com.cloudant.http.internal.interceptors.CookieInterceptor;
 import com.cloudant.http.internal.interceptors.IamCookieInterceptor;
-import com.cloudant.http.internal.interceptors.UserAgentInterceptor;
 import com.cloudant.sync.documentstore.DocumentStore;
 import com.cloudant.sync.internal.replication.PullStrategy;
 import com.cloudant.sync.internal.replication.PushStrategy;
@@ -40,10 +39,6 @@
 // S = Source Type, T = target Type, E = Extending class Type
 public abstract class ReplicatorBuilder<S, T, E> {
 
-    private static final UserAgentInterceptor USER_AGENT_INTERCEPTOR =
-            new UserAgentInterceptor(ReplicatorBuilder.class.getClassLoader(),
-                    "META-INF/com.cloudant.sync.client.properties");
-
     private T target;
 
     private S source;
@@ -62,10 +57,6 @@ public abstract class ReplicatorBuilder<S, T, E> {
 
     private String iamApiKey = null;
 
-    private ReplicatorBuilder() {
-        requestInterceptors.add(USER_AGENT_INTERCEPTOR);
-    }
-
     private int getDefaultPort(URI uri) {
 
         String uriProtocol = uri.getScheme();

cloudant-sync-datastore-core/src/test/java/com/cloudant/http/HttpTest.java

@@ -23,6 +23,7 @@
 import com.cloudant.sync.internal.util.JSONUtils;
 
 import org.junit.Assert;
+import org.junit.Before;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
@@ -40,6 +41,32 @@
 public class HttpTest extends CouchTestBase {
 
     private String data = "{\"hello\":\"world\"}";
+    private ByteArrayInputStream bis;
+
+    @Before
+    public void setupDataByteStream() {
+        this.bis = new ByteArrayInputStream(data.getBytes());
+    }
+
+    private HttpConnection postAndAssertNothingReadBeforeSettingBodyGenerator(CouchConfig config)
+            throws Exception {
+        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
+                "application/json");
+
+        // nothing read from stream
+        Assert.assertEquals(bis.available(), data.getBytes().length);
+
+        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
+            @Override
+            public InputStream getInputStream() {
+                return bis;
+            }
+        });
+        // This test invokes HttpConnection directly rather than via the CouchClient, so we need to
+        // force the addition of some default interceptors
+        conn.requestInterceptors.addAll(CouchClient.DEFAULT_REQUEST_INTERCEPTORS);
+        return conn;
+    }
 
     /*
      * Test "Expect: 100-Continue" header works as expected
@@ -54,21 +81,9 @@ public class HttpTest extends CouchTestBase {
      * whilst we are still writing).
      */
     @Test
-    public void testExpect100Continue() throws IOException {
+    public void testExpect100Continue() throws Exception {
         CouchConfig config = getCouchConfig("no_such_database");
-        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
-                "application/json");
-        final ByteArrayInputStream bis = new ByteArrayInputStream(data.getBytes());
-
-        // nothing read from stream
-        Assert.assertEquals(bis.available(), data.getBytes().length);
-
-        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
-            @Override
-            public InputStream getInputStream() {
-                return bis;
-            }
-        });
+        HttpConnection conn = postAndAssertNothingReadBeforeSettingBodyGenerator(config);
         boolean thrown = false;
         try {
             conn.execute();
@@ -87,24 +102,12 @@ public InputStream getInputStream() {
      * Basic test that we can write a document body by POSTing to a known database
      */
     @Test
-    public void testWriteToServerOk() throws IOException {
+    public void testWriteToServerOk() throws Exception {
         CouchConfig config = getCouchConfig("httptest" + System.currentTimeMillis());
         CouchClient client = new CouchClient(config.getRootUri(), config.getRequestInterceptors()
                 , config.getResponseInterceptors());
         client.createDb();
-        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
-                "application/json");
-        final ByteArrayInputStream bis = new ByteArrayInputStream(data.getBytes());
-
-        // nothing read from stream
-        Assert.assertEquals(bis.available(), data.getBytes().length);
-
-        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
-            @Override
-            public InputStream getInputStream() {
-                return bis;
-            }
-        });
+        HttpConnection conn = postAndAssertNothingReadBeforeSettingBodyGenerator(config);
         conn.execute();
 
         // stream was read to end
@@ -117,24 +120,12 @@ public InputStream getInputStream() {
      * without first calling execute()
      */
     @Test
-    public void testReadBeforeExecute() throws IOException {
+    public void testReadBeforeExecute() throws Exception {
         CouchConfig config = getCouchConfig("httptest" + System.currentTimeMillis());
         CouchClient client = new CouchClient(config.getRootUri(), config.getRequestInterceptors()
                 , config.getResponseInterceptors());
         client.createDb();
-        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
-                "application/json");
-        final ByteArrayInputStream bis = new ByteArrayInputStream(data.getBytes());
-
-        // nothing read from stream
-        Assert.assertEquals(bis.available(), data.getBytes().length);
-
-        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
-            @Override
-            public InputStream getInputStream() {
-                return bis;
-            }
-        });
+        HttpConnection conn = postAndAssertNothingReadBeforeSettingBodyGenerator(config);
         try {
             conn.responseAsString();
             Assert.fail("IOException not thrown as expected");
@@ -156,7 +147,7 @@ public InputStream getInputStream() {
     // be named cookie_test
     //
     @Test
-    public void testCookieAuthWithoutRetry() throws IOException {
+    public void testCookieAuthWithoutRetry() throws Exception {
 
         if (TestOptions.IGNORE_AUTH_HEADERS) {
             return;
@@ -168,21 +159,9 @@ public void testCookieAuthWithoutRetry() throws IOException {
                         .currentTimeMillis()).getRootUri().toString());
 
         CouchConfig config = getCouchConfig("cookie_test");
-        HttpConnection conn = new HttpConnection("POST", config.getRootUri().toURL(),
-                "application/json");
+        HttpConnection conn = postAndAssertNothingReadBeforeSettingBodyGenerator(config);
         conn.responseInterceptors.add(interceptor);
         conn.requestInterceptors.add(interceptor);
-        final ByteArrayInputStream bis = new ByteArrayInputStream(data.getBytes());
-
-        // nothing read from stream
-        Assert.assertEquals(bis.available(), data.getBytes().length);
-
-        conn.setRequestBody(new HttpConnection.InputStreamGenerator() {
-            @Override
-            public InputStream getInputStream() {
-                return bis;
-            }
-        });
         conn.execute();
 
         // stream was read to end