feature silkimen#103: implement HTTP SSL cert modes

Author: Sefa Ilkimen

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2.0.0
+
+- Feature #103: implement HTTP SSL cert modes
+
+- :warning: **Breaking Change**: Removed "enableSSLPinning" and "acceptAllCerts", use "setSSLCertMode" instead.
+
 ## 1.11.1
 
 - Fixed #92: headers not deserialized on platform "browser"

README.md

@@ -141,32 +141,46 @@ cordova.plugin.http.clearCookies();
 ## Asynchronous Functions
 These functions all take success and error callbacks as their last 2 arguments.
 
-### enableSSLPinning
-Enable or disable SSL pinning.  This defaults to false.
+### setSSLCertMode<a name="setSSLCertMode"></a>
+Set SSL Cert handling mode, being one of the following values:
+
+* `default`: default SSL cert handling using system's CA certs
+* `nocheck`: disable SSL cert checking, trusting all certs (meant to be used only for testing purposes)
+* `pinned`: trust only provided certs
 
 To use SSL pinning you must include at least one .cer SSL certificate in your app project.  You can pin to your server certificate or to one of the issuing CA certificates. For ios include your certificate in the root level of your bundle (just add the .cer file to your project/target at the root level).  For android include your certificate in your project's platforms/android/assets folder.  In both cases all .cer files found will be loaded automatically.  If you only have a .pem certificate see this [stackoverflow answer](http://stackoverflow.com/a/16583429/3182729).  You want to convert it to a DER encoded certificate with a .cer extension.
 
 As an alternative, you can store your .cer files in the www/certificates folder.
 
 ```js
-cordova.plugin.http.enableSSLPinning(true, function() {
+// enable SSL pinning
+cordova.plugin.http.setSSLCertMode('pinned', function() {
   console.log('success!');
 }, function() {
   console.log('error :(');
 });
-```
 
-### acceptAllCerts
-Accept all SSL certificates.  Or disable accepting all certificates.  This defaults to false.
+// use system's default CA certs
+cordova.plugin.http.setSSLCertMode('default', function() {
+  console.log('success!');
+}, function() {
+  console.log('error :(');
+});
 
-```js
-cordova.plugin.http.acceptAllCerts(true, function() {
+// disable SSL cert checking, only meant for testing purposes, do NOT use in production!
+cordova.plugin.http.setSSLCertMode('nocheck', function() {
   console.log('success!');
 }, function() {
   console.log('error :(');
 });
 ```
 
+### enableSSLPinning
+This function was removed in 2.0.0. Use ["setSSLCertMode"](#setSSLCertMode) to enable SSL pinning (mode "pinned").
+
+### acceptAllCerts
+This function was removed in 2.0.0. Use ["setSSLCertMode"](#setSSLCertMode) to disable checking certs (mode "nocheck").
+
 ### disableRedirect
 If set to `true`, it won't follow redirects automatically. This defaults to false.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cordova-plugin-advanced-http",
-  "version": "1.11.1",
+  "version": "2.0.0",
   "description": "Cordova / Phonegap plugin for communicating with HTTP servers using SSL pinning",
   "scripts": {
     "buildbrowser": "./scripts/build-test-app.sh --browser",

src/android/com/synconset/cordovahttp/CordovaHttpPlugin.java

@@ -86,25 +86,25 @@ else if (action.equals("delete")) {
             CordovaHttpHead head = new CordovaHttpHead(urlString, params, headers, timeoutInMilliseconds, callbackContext);
 
             cordova.getThreadPool().execute(head);
-        } else if (action.equals("enableSSLPinning")) {
-            try {
-                boolean enable = args.getBoolean(0);
-                this.enableSSLPinning(enable);
-                callbackContext.success();
-            } catch(Exception e) {
-                e.printStackTrace();
-                callbackContext.error("There was an error setting up ssl pinning");
-            }
-        } else if (action.equals("acceptAllCerts")) {
-            boolean accept = args.getBoolean(0);
+        } else if (action.equals("setSSLCertMode")) {
+            String mode = args.getString(0);
 
-            if (accept) {
-              HttpRequest.setSSLCertMode(HttpRequest.CERT_MODE_TRUSTALL);
-            } else {
-              HttpRequest.setSSLCertMode(HttpRequest.CERT_MODE_DEFAULT);
+            if (mode.equals("default")) {
+                HttpRequest.setSSLCertMode(HttpRequest.CERT_MODE_DEFAULT);
+                callbackContext.success();
+            } else if (mode.equals("nocheck")) {
+                HttpRequest.setSSLCertMode(HttpRequest.CERT_MODE_TRUSTALL);
+                callbackContext.success();
+            } else if (mode.equals("pinned")) {
+                try {
+                    this.loadSSLCerts();
+                    HttpRequest.setSSLCertMode(HttpRequest.CERT_MODE_PINNED);
+                    callbackContext.success();
+                } catch(Exception e) {
+                    e.printStackTrace();
+                    callbackContext.error("There was an error setting up ssl pinning");
+                }
             }
-
-            callbackContext.success();
         } else if (action.equals("uploadFile")) {
             String urlString = args.getString(0);
             Object params = args.get(1);
@@ -125,50 +125,44 @@ else if (action.equals("delete")) {
 
             cordova.getThreadPool().execute(download);
         } else if (action.equals("disableRedirect")) {
-           boolean disable = args.getBoolean(0);
-           CordovaHttp.disableRedirect(disable);
-           callbackContext.success();
+            boolean disable = args.getBoolean(0);
+            CordovaHttp.disableRedirect(disable);
+            callbackContext.success();
         } else {
             return false;
         }
         return true;
     }
 
-    private void enableSSLPinning(boolean enable) throws GeneralSecurityException, IOException {
-        if (enable) {
-            AssetManager assetManager = cordova.getActivity().getAssets();
-            String[] files = assetManager.list("");
-            int index;
-            ArrayList<String> cerFiles = new ArrayList<String>();
-            for (int i = 0; i < files.length; i++) {
-                index = files[i].lastIndexOf('.');
-                if (index != -1) {
-                    if (files[i].substring(index).equals(".cer")) {
-                        cerFiles.add(files[i]);
-                    }
-                }
-            }
-
-            // scan the www/certificates folder for .cer files as well
-            files = assetManager.list("www/certificates");
-            for (int i = 0; i < files.length; i++) {
-              index = files[i].lastIndexOf('.');
-              if (index != -1) {
+    private void loadSSLCerts() throws GeneralSecurityException, IOException {
+        AssetManager assetManager = cordova.getActivity().getAssets();
+        String[] files = assetManager.list("");
+        int index;
+        ArrayList<String> cerFiles = new ArrayList<String>();
+        for (int i = 0; i < files.length; i++) {
+            index = files[i].lastIndexOf('.');
+            if (index != -1) {
                 if (files[i].substring(index).equals(".cer")) {
-                  cerFiles.add("www/certificates/" + files[i]);
+                    cerFiles.add(files[i]);
                 }
-              }
             }
+        }
 
-            for (int i = 0; i < cerFiles.size(); i++) {
-                InputStream in = cordova.getActivity().getAssets().open(cerFiles.get(i));
-                InputStream caInput = new BufferedInputStream(in);
-                HttpRequest.addCert(caInput);
+        // scan the www/certificates folder for .cer files as well
+        files = assetManager.list("www/certificates");
+        for (int i = 0; i < files.length; i++) {
+          index = files[i].lastIndexOf('.');
+          if (index != -1) {
+            if (files[i].substring(index).equals(".cer")) {
+              cerFiles.add("www/certificates/" + files[i]);
             }
+          }
+        }
 
-            HttpRequest.setSSLCertMode(HttpRequest.CERT_MODE_PINNED);
-        } else {
-            HttpRequest.setSSLCertMode(HttpRequest.CERT_MODE_DEFAULT);
+        for (int i = 0; i < cerFiles.size(); i++) {
+            InputStream in = cordova.getActivity().getAssets().open(cerFiles.get(i));
+            InputStream caInput = new BufferedInputStream(in);
+            HttpRequest.addCert(caInput);
         }
     }
 }

src/ios/CordovaHttpPlugin.h

@@ -4,8 +4,7 @@
 
 @interface CordovaHttpPlugin : CDVPlugin
 
-- (void)enableSSLPinning:(CDVInvokedUrlCommand*)command;
-- (void)acceptAllCerts:(CDVInvokedUrlCommand*)command;
+- (void)setSSLCertMode:(CDVInvokedUrlCommand*)command;
 - (void)disableRedirect:(CDVInvokedUrlCommand*)command;
 - (void)post:(CDVInvokedUrlCommand*)command;
 - (void)get:(CDVInvokedUrlCommand*)command;

src/ios/CordovaHttpPlugin.m

@@ -120,23 +120,31 @@ - (NSMutableDictionary*)copyHeaderFields:(NSDictionary *)headerFields {
     return headerFieldsCopy;
 }
 
-- (void)setTimeout:(NSTimeInterval)timeout forManager:(AFHTTPSessionManager*)manager {
-    [manager.requestSerializer setTimeoutInterval:timeout];
-}
+- (void)setSSLCertMode:(CDVInvokedUrlCommand*)command {
+    NSString *certMode = [command.arguments objectAtIndex:0];
 
-- (void)enableSSLPinning:(CDVInvokedUrlCommand*)command {
-    bool enable = [[command.arguments objectAtIndex:0] boolValue];
-
-    if (enable) {
-        securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
-    } else {
+    if ([certMode isEqualToString: @"default"]) {
+        securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
+        securityPolicy.allowInvalidCertificates = NO;
+        securityPolicy.validatesDomainName = YES;
+    } else if ([certMode isEqualToString: @"nocheck"]) {
         securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
+        securityPolicy.allowInvalidCertificates = YES;
+        securityPolicy.validatesDomainName = NO;
+    } else if ([certMode isEqualToString: @"pinned"]) {
+        securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
+        securityPolicy.allowInvalidCertificates = NO;
+        securityPolicy.validatesDomainName = YES;
     }
 
     CDVPluginResult* pluginResult = [CDVPluginResult resultWithStatus:CDVCommandStatus_OK];
     [self.commandDelegate sendPluginResult:pluginResult callbackId:command.callbackId];
 }
 
+- (void)setTimeout:(NSTimeInterval)timeout forManager:(AFHTTPSessionManager*)manager {
+    [manager.requestSerializer setTimeoutInterval:timeout];
+}
+
 - (void)disableRedirect:(CDVInvokedUrlCommand*)command {
     CDVPluginResult* pluginResult = nil;
     bool disable = [[command.arguments objectAtIndex:0] boolValue];
@@ -147,17 +155,6 @@ - (void)disableRedirect:(CDVInvokedUrlCommand*)command {
     [self.commandDelegate sendPluginResult:pluginResult callbackId:command.callbackId];
 }
 
-- (void)acceptAllCerts:(CDVInvokedUrlCommand*)command {
-    CDVPluginResult* pluginResult = nil;
-    bool allow = [[command.arguments objectAtIndex:0] boolValue];
-
-    securityPolicy.allowInvalidCertificates = allow;
-    securityPolicy.validatesDomainName = !allow;
-
-    pluginResult = [CDVPluginResult resultWithStatus:CDVCommandStatus_OK];
-    [self.commandDelegate sendPluginResult:pluginResult callbackId:command.callbackId];
-}
-
 - (void)post:(CDVInvokedUrlCommand*)command {
     AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
     manager.securityPolicy = securityPolicy;

test/app-test-definitions.js

@@ -1,15 +1,14 @@
 const hooks = {
   onBeforeEachTest: function(done) {
     cordova.plugin.http.clearCookies();
-    cordova.plugin.http.acceptAllCerts(false, function() {
-      cordova.plugin.http.enableSSLPinning(false, done, done);
-    }, done);
+    helpers.setDefaultCertMode(done);
   }
 };
 
 const helpers = {
-  acceptAllCerts: function(done) { cordova.plugin.http.acceptAllCerts(true, done, done); },
-  enableSSLPinning: function(done) { cordova.plugin.http.enableSSLPinning(true, done, done); },
+  setDefaultCertMode: function(done) { cordova.plugin.http.setSSLCertMode('default', done, done); },
+  setNoCheckCertMode: function(done) { cordova.plugin.http.setSSLCertMode('nocheck', done, done); },
+  setPinnedCertMode: function(done) { cordova.plugin.http.setSSLCertMode('pinned', done, done); },
   setJsonSerializer: function(done) { done(cordova.plugin.http.setDataSerializer('json')); },
   setUtf8StringSerializer: function(done) { done(cordova.plugin.http.setDataSerializer('utf8')); },
   setUrlEncodedSerializer: function(done) { done(cordova.plugin.http.setDataSerializer('urlencoded')); },
@@ -82,7 +81,7 @@ const tests = [
   },{
     description: 'should accept bad cert (GET)',
     expected: 'resolved: {"status":200, ...',
-    before: helpers.acceptAllCerts,
+    before: helpers.setNoCheckCertMode,
     func: function(resolve, reject) { cordova.plugin.http.get('https://self-signed.badssl.com/', {}, {}, resolve, reject); },
     validationFunc: function(driver, result) {
       result.type.should.be.equal('resolved');
@@ -91,7 +90,7 @@ const tests = [
   },{
     description: 'should accept bad cert (PUT)',
     expected: 'rejected: {"status":405, ... // will be rejected because PUT is not allowed',
-    before: helpers.acceptAllCerts,
+    before: helpers.setNoCheckCertMode,
     func: function(resolve, reject) { cordova.plugin.http.put('https://self-signed.badssl.com/', { test: 'testString' }, {}, resolve, reject); },
     validationFunc: function(driver, result) {
       result.type.should.be.equal('rejected');
@@ -100,7 +99,7 @@ const tests = [
   },{
     description: 'should accept bad cert (POST)',
     expected: 'rejected: {"status":405, ... // will be rejected because POST is not allowed',
-    before: helpers.acceptAllCerts,
+    before: helpers.setNoCheckCertMode,
     func: function(resolve, reject) { cordova.plugin.http.post('https://self-signed.badssl.com/', { test: 'testString' }, {}, resolve, reject); },
     validationFunc: function(driver, result) {
       result.type.should.be.equal('rejected');
@@ -109,7 +108,7 @@ const tests = [
   },{
     description: 'should accept bad cert (PATCH)',
     expected: 'rejected: {"status":405, ... // will be rejected because PATCH is not allowed',
-    before: helpers.acceptAllCerts,
+    before: helpers.setNoCheckCertMode,
     func: function(resolve, reject) { cordova.plugin.http.patch('https://self-signed.badssl.com/', { test: 'testString' }, {}, resolve, reject); },
     validationFunc: function(driver, result) {
       result.type.should.be.equal('rejected');
@@ -118,7 +117,7 @@ const tests = [
   },{
     description: 'should accept bad cert (DELETE)',
     expected: 'rejected: {"status":405, ... // will be rejected because DELETE is not allowed',
-    before: helpers.acceptAllCerts,
+    before: helpers.setNoCheckCertMode,
     func: function(resolve, reject) { cordova.plugin.http.delete('https://self-signed.badssl.com/', {}, {}, resolve, reject); },
     validationFunc: function(driver, result) {
       result.type.should.be.equal('rejected');
@@ -127,7 +126,7 @@ const tests = [
   },{
     description: 'should fetch data from http://httpbin.org/ (GET)',
     expected: 'resolved: {"status":200, ...',
-    before: helpers.acceptAllCerts,
+    before: helpers.setNoCheckCertMode,
     func: function(resolve, reject) { cordova.plugin.http.get('http://httpbin.org/', {}, {}, resolve, reject); },
     validationFunc: function(driver, result) {
       result.type.should.be.equal('resolved');
@@ -430,7 +429,7 @@ const tests = [
   },{
     description: 'should pin SSL cert correctly (GET)',
     expected: 'resolved: {"status": 200 ...',
-    before: helpers.enableSSLPinning,
+    before: helpers.setPinnedCertMode,
     func: function(resolve, reject) {
       cordova.plugin.http.get('https://httpbin.org', {}, {}, resolve, reject);
     },
@@ -440,7 +439,7 @@ const tests = [
   },{
     description: 'should reject when pinned cert does not match received server cert (GET)',
     expected: 'rejected: {"status": -1 ...',
-    before: helpers.enableSSLPinning,
+    before: helpers.setPinnedCertMode,
     func: function(resolve, reject) {
       cordova.plugin.http.get('https://sha512.badssl.com/', {}, {}, resolve, reject);
     },

www/advanced-http.js

@@ -67,14 +67,11 @@ var publicInterface = {
   setRequestTimeout: function (timeout) {
     globalConfigs.timeout = timeout;
   },
-  enableSSLPinning: function (enable, success, failure) {
-    return exec(success, failure, 'CordovaHttpPlugin', 'enableSSLPinning', [ enable ]);
-  },
-  acceptAllCerts: function (allow, success, failure) {
-    return exec(success, failure, 'CordovaHttpPlugin', 'acceptAllCerts', [ allow ]);
+  setSSLCertMode: function (mode, success, failure) {
+    return exec(success, failure, 'CordovaHttpPlugin', 'setSSLCertMode', [ helpers.checkSSLCertMode(mode) ]);
   },
   disableRedirect: function (disable, success, failure) {
-    return exec(success, failure, 'CordovaHttpPlugin', 'disableRedirect', [ disable ]);
+    return exec(success, failure, 'CordovaHttpPlugin', 'disableRedirect', [ !!disable ]);
   },
   sendRequest: function (url, options, success, failure) {
     helpers.handleMissingCallbacks(success, failure);

www/helpers.js

@@ -3,12 +3,14 @@ var cookieHandler = require(pluginId + '.cookie-handler');
 var messages = require(pluginId + '.messages');
 
 var validSerializers = [ 'urlencoded', 'json', 'utf8' ];
+var validCertModes = [ 'default', 'nocheck', 'pinned' ];
 var validHttpMethods = [ 'get', 'put', 'post', 'patch', 'head', 'delete', 'upload', 'download' ];
 
 module.exports = {
   b64EncodeUnicode: b64EncodeUnicode,
   getTypeOf: getTypeOf,
   checkSerializer: checkSerializer,
+  checkSSLCertMode: checkSSLCertMode,
   checkForBlacklistedHeaderKey: checkForBlacklistedHeaderKey,
   checkForInvalidHeaderValue: checkForInvalidHeaderValue,
   injectCookieHandler: injectCookieHandler,
@@ -79,6 +81,10 @@ function checkSerializer(serializer) {
   return checkForValidStringValue(validSerializers, serializer, messages.INVALID_DATA_SERIALIZER);
 }
 
+function checkSSLCertMode(mode) {
+  return checkForValidStringValue(validCertModes, mode, messages.INVALID_SSL_CERT_MODE);
+}
+
 function checkForBlacklistedHeaderKey(key) {
   if (key.toLowerCase() === 'cookie') {
     throw new Error(messages.ADDING_COOKIES_NOT_SUPPORTED);