From 591584d9a940d374e20a62573d71054e0081c6ac Mon Sep 17 00:00:00 2001 From: Paul Olav Tvete Date: Thu, 25 Jul 2013 14:40:06 +0200 Subject: [PATCH] Android: Get SSL root certificates from TrustManager On Android, when not using Ministro, we cannot read certificates from the file system, so we have to get them through Java APIs instead. Change-Id: I415329fcb45836735c1112dbe832214b3c73dc9a Reviewed-by: Eskil Abrahamsen Blomfeldt --- .../org/qtproject/qt5/android/QtNative.java | 33 ++++ src/network/ssl/qsslsocket_openssl.cpp | 69 ++++--- .../ssl/qsslsocket_openssl_android.cpp | 179 ++++++++++++++++++ src/network/ssl/qsslsocket_p.h | 3 + src/network/ssl/ssl.pri | 2 + 5 files changed, 255 insertions(+), 31 deletions(-) create mode 100644 src/network/ssl/qsslsocket_openssl_android.cpp diff --git a/src/android/jar/src/org/qtproject/qt5/android/QtNative.java b/src/android/jar/src/org/qtproject/qt5/android/QtNative.java index 4586ae2002..22e3701e47 100644 --- a/src/android/jar/src/org/qtproject/qt5/android/QtNative.java +++ b/src/android/jar/src/org/qtproject/qt5/android/QtNative.java @@ -57,6 +57,12 @@ import android.view.ContextMenu; import android.view.Menu; import android.view.MotionEvent; +import java.security.KeyStore; +import java.security.cert.X509Certificate; +import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.TrustManager; +import javax.net.ssl.X509TrustManager; + public class QtNative { private static Activity m_activity = null; @@ -534,6 +540,33 @@ public class QtNative }); } + private static byte[][] getSSLCertificates() + { + ArrayList certificateList = new ArrayList(); + + try { + TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + factory.init((KeyStore) null); + + for (TrustManager manager : factory.getTrustManagers()) { + if (manager instanceof X509TrustManager) { + X509TrustManager trustManager = (X509TrustManager) manager; + + for (X509Certificate certificate : trustManager.getAcceptedIssuers()) { + byte buffer[] = certificate.getEncoded(); + certificateList.add(buffer); + } + } + } + } catch (Exception e) { + Log.e(QtTAG, "Failed to get certificates", e); + } + + byte[][] certificateArray = new byte[certificateList.size()][]; + certificateArray = certificateList.toArray(certificateArray); + return certificateArray; + } + // screen methods public static native void setDisplayMetrics(int screenWidthPixels, int screenHeightPixels, diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 9de2811374..30103edc29 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -688,41 +688,48 @@ QList QSslSocketPrivate::systemCaCertificates() } #elif defined(Q_OS_UNIX) QSet certFiles; -# ifdef Q_OS_ANDROID - QList directories; - directories << qgetenv("MINISTRO_SSL_CERTS_PATH"); // Set by Ministro -# else - QList directories = unixRootCertDirectories(); -# endif QDir currentDir; QStringList nameFilters; -# ifdef Q_OS_ANDROID - nameFilters << QLatin1String("*.der"); -#else - nameFilters << QLatin1String("*.pem") << QLatin1String("*.crt"); -# endif - currentDir.setNameFilters(nameFilters); - for (int a = 0; a < directories.count(); a++) { - currentDir.setPath(QLatin1String(directories.at(a))); - QDirIterator it(currentDir); - while(it.hasNext()) { - it.next(); - // use canonical path here to not load the same certificate twice if symlinked - certFiles.insert(it.fileInfo().canonicalFilePath()); - } - } - QSetIterator it(certFiles); - while(it.hasNext()) { -# ifdef Q_OS_ANDROID - systemCerts.append(QSslCertificate::fromPath(it.next(), QSsl::Der)); -# else - systemCerts.append(QSslCertificate::fromPath(it.next(), QSsl::Pem)); -# endif - } + QList directories; + QSsl::EncodingFormat platformEncodingFormat; # ifndef Q_OS_ANDROID - systemCerts.append(QSslCertificate::fromPath(QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), QSsl::Pem)); // Fedora, Mandriva - systemCerts.append(QSslCertificate::fromPath(QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), QSsl::Pem)); // FreeBSD's ca_root_nss + directories = unixRootCertDirectories(); + nameFilters << QLatin1String("*.pem") << QLatin1String("*.crt"); + platformEncodingFormat = QSsl::Pem; +# else + // Q_OS_ANDROID + QByteArray ministroPath = qgetenv("MINISTRO_SSL_CERTS_PATH"); // Set by Ministro + directories << ministroPath; + nameFilters << QLatin1String("*.der"); + platformEncodingFormat = QSsl::Der; +# ifndef Q_OS_ANDROID_NO_SDK + if (ministroPath.isEmpty()) { + QList certificateData = fetchSslCertificateData(); + for (int i = 0; i < certificateData.size(); ++i) { + systemCerts.append(QSslCertificate::fromData(certificateData.at(i), QSsl::Der)); + } + } else +# endif //Q_OS_ANDROID_NO_SDK +# endif //Q_OS_ANDROID + { + currentDir.setNameFilters(nameFilters); + for (int a = 0; a < directories.count(); a++) { + currentDir.setPath(QLatin1String(directories.at(a))); + QDirIterator it(currentDir); + while (it.hasNext()) { + it.next(); + // use canonical path here to not load the same certificate twice if symlinked + certFiles.insert(it.fileInfo().canonicalFilePath()); + } + } + QSetIterator it(certFiles); + while (it.hasNext()) + systemCerts.append(QSslCertificate::fromPath(it.next(), platformEncodingFormat)); +# ifndef Q_OS_ANDROID + systemCerts.append(QSslCertificate::fromPath(QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), QSsl::Pem)); // Fedora, Mandriva + systemCerts.append(QSslCertificate::fromPath(QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), QSsl::Pem)); // FreeBSD's ca_root_nss # endif + } #endif #ifdef QSSLSOCKET_DEBUG qDebug() << "systemCaCertificates retrieval time " << timer.elapsed() << "ms"; diff --git a/src/network/ssl/qsslsocket_openssl_android.cpp b/src/network/ssl/qsslsocket_openssl_android.cpp new file mode 100644 index 0000000000..fa612a75a6 --- /dev/null +++ b/src/network/ssl/qsslsocket_openssl_android.cpp @@ -0,0 +1,179 @@ +/**************************************************************************** +** +** Copyright (C) 2013 Digia Plc and/or its subsidiary(-ies). +** Contact: http://www.qt-project.org/legal +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and Digia. For licensing terms and +** conditions see http://qt.digia.com/licensing. For further information +** use the contact form at http://qt.digia.com/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 2.1 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 2.1 requirements +** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. +** +** In addition, as a special exception, Digia gives you certain additional +** rights. These rights are described in the Digia Qt LGPL Exception +** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 3.0 as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL included in the +** packaging of this file. Please review the following information to +** ensure the GNU General Public License version 3.0 requirements will be +** met: http://www.gnu.org/copyleft/gpl.html. +** +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +/**************************************************************************** +** +** In addition, as a special exception, the copyright holders listed above give +** permission to link the code of its release of Qt with the OpenSSL project's +** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the +** same license as the original version), and distribute the linked executables. +** +** You must comply with the GNU General Public License version 2 in all +** respects for all of the code used other than the "OpenSSL" code. If you +** modify this file, you may extend this exception to your version of the file, +** but you are not obligated to do so. If you do not wish to do so, delete +** this exception statement from your version of this file. +** +****************************************************************************/ + +#include "qsslsocket_openssl_p.h" + + + +#include +#include + +static JavaVM *javaVM = 0; +static jclass appClass; + +static jmethodID getSslCertificatesMethodID; + +struct AttachedJNIEnv +{ + AttachedJNIEnv() + { + attached = false; + if (javaVM->GetEnv((void**)&jniEnv, JNI_VERSION_1_6) < 0) { + if (javaVM->AttachCurrentThread(&jniEnv, NULL) < 0) { + __android_log_print(ANDROID_LOG_ERROR, "Qt", "AttachCurrentThread failed"); + jniEnv = 0; + return; + } + attached = true; + } + } + + ~AttachedJNIEnv() + { + if (attached) + javaVM->DetachCurrentThread(); + } + bool attached; + JNIEnv *jniEnv; +}; + +static const char logTag[] = "Qt"; +static const char classErrorMsg[] = "Can't find class \"%s\""; +static const char methodErrorMsg[] = "Can't find method \"%s%s\""; + + +#define FIND_AND_CHECK_CLASS(CLASS_NAME) \ +clazz = env->FindClass(CLASS_NAME); \ +if (!clazz) { \ + __android_log_print(ANDROID_LOG_FATAL, logTag, classErrorMsg, CLASS_NAME); \ + return JNI_FALSE; \ +} + +#define GET_AND_CHECK_STATIC_METHOD(VAR, CLASS, METHOD_NAME, METHOD_SIGNATURE) \ +VAR = env->GetStaticMethodID(CLASS, METHOD_NAME, METHOD_SIGNATURE); \ +if (!VAR) { \ + __android_log_print(ANDROID_LOG_FATAL, logTag, methodErrorMsg, METHOD_NAME, METHOD_SIGNATURE); \ + return JNI_FALSE; \ +} + +static bool registerNatives(JNIEnv *env) +{ + jclass clazz; + FIND_AND_CHECK_CLASS("org/qtproject/qt5/android/QtNative"); + appClass = static_cast(env->NewGlobalRef(clazz)); + +#if 0 //we don't call C++ functions from Java at this time + if (env->RegisterNatives(appClass, methods, sizeof(methods) / sizeof(methods[0])) < 0) { + __android_log_print(ANDROID_LOG_FATAL, logTag, "RegisterNatives failed"); + return JNI_FALSE; + } +#endif + + GET_AND_CHECK_STATIC_METHOD(getSslCertificatesMethodID, appClass, "getSSLCertificates", "()[[B"); + + return true; +} + +Q_DECL_EXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void * /*reserved*/) +{ + typedef union { + JNIEnv *nativeEnvironment; + void *venv; + } UnionJNIEnvToVoid; + + __android_log_print(ANDROID_LOG_INFO, logTag, "Network start"); + UnionJNIEnvToVoid uenv; + uenv.venv = NULL; + javaVM = 0; + + if (vm->GetEnv(&uenv.venv, JNI_VERSION_1_4) != JNI_OK) { + __android_log_print(ANDROID_LOG_FATAL, logTag, "GetEnv failed"); + return -1; + } + JNIEnv *env = uenv.nativeEnvironment; + if (!registerNatives(env)) { + __android_log_print(ANDROID_LOG_FATAL, logTag, "registerNatives failed"); + return -1; + } + + javaVM = vm; + return JNI_VERSION_1_4; +} + +QList QSslSocketPrivate::fetchSslCertificateData() +{ + QList certificateData; + AttachedJNIEnv env; + + if (env.jniEnv) { + jobjectArray jcertificates = + static_cast(env.jniEnv->CallStaticObjectMethod(appClass, getSslCertificatesMethodID)); + jint nCertificates = env.jniEnv->GetArrayLength(jcertificates); + + for (int i = 0; i < nCertificates; ++i) { + jbyteArray jCert = static_cast(env.jniEnv->GetObjectArrayElement(jcertificates, i)); + + const uint sz = env.jniEnv->GetArrayLength(jCert); + jbyte *buffer = env.jniEnv->GetByteArrayElements(jCert, 0); + certificateData.append(QByteArray(reinterpret_cast(buffer), sz)); + + env.jniEnv->ReleaseByteArrayElements(jCert, buffer, JNI_ABORT); // don't copy back the elements + env.jniEnv->DeleteLocalRef(jCert); + } + } + + return certificateData; +} diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h index 9369dab8e7..6ce34ba06f 100644 --- a/src/network/ssl/qsslsocket_p.h +++ b/src/network/ssl/qsslsocket_p.h @@ -197,6 +197,9 @@ public: private: static bool ensureLibraryLoaded(); static void ensureCiphersAndCertsLoaded(); +#if defined(Q_OS_ANDROID) && !defined(Q_OS_ANDROID_NO_SDK) + static QList fetchSslCertificateData(); +#endif static bool s_libraryLoaded; static bool s_loadedCiphersAndCerts; diff --git a/src/network/ssl/ssl.pri b/src/network/ssl/ssl.pri index 1d8c8e1ab7..0fe231357b 100644 --- a/src/network/ssl/ssl.pri +++ b/src/network/ssl/ssl.pri @@ -28,6 +28,8 @@ contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) { ssl/qsslcertificateextension.cpp \ ssl/qsslcontext.cpp +android:!android-no-sdk: SOURCES += ssl/qsslsocket_openssl_android.cpp + # Add optional SSL libs # Static linking of OpenSSL with msvc: # - Binaries http://slproweb.com/products/Win32OpenSSL.html