Android: Get SSL root certificates from TrustManager

On Android, when not using Ministro, we cannot read certificates
from the file system, so we have to get them through Java APIs instead.

Change-Id: I415329fcb45836735c1112dbe832214b3c73dc9a
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>

src/android/jar/src/org/qtproject/qt5/android/QtNative.java

@@ -57,6 +57,12 @@ import android.view.ContextMenu;
 import android.view.Menu;
 import android.view.MotionEvent;
 
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
 public class QtNative
 {
     private static Activity m_activity = null;
@@ -534,6 +540,33 @@ public class QtNative
         });
     }
 
+    private static byte[][] getSSLCertificates()
+    {
+        ArrayList<byte[]> certificateList = new ArrayList<byte[]>();
+
+        try {
+            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            factory.init((KeyStore) null);
+
+            for (TrustManager manager : factory.getTrustManagers()) {
+                if (manager instanceof X509TrustManager) {
+                    X509TrustManager trustManager = (X509TrustManager) manager;
+
+                    for (X509Certificate certificate : trustManager.getAcceptedIssuers()) {
+                        byte buffer[] = certificate.getEncoded();
+                        certificateList.add(buffer);
+                    }
+                }
+            }
+        } catch (Exception e) {
+            Log.e(QtTAG, "Failed to get certificates", e);
+        }
+
+        byte[][] certificateArray = new byte[certificateList.size()][];
+        certificateArray = certificateList.toArray(certificateArray);
+        return certificateArray;
+    }
+
     // screen methods
     public static native void setDisplayMetrics(int screenWidthPixels,
                                                 int screenHeightPixels,

src/network/ssl/qsslsocket_openssl.cpp

@@ -688,41 +688,48 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
     }
 #elif defined(Q_OS_UNIX)
     QSet<QString> certFiles;
-# ifdef Q_OS_ANDROID
-    QList<QByteArray> directories;
-    directories << qgetenv("MINISTRO_SSL_CERTS_PATH"); // Set by Ministro
-# else
-    QList<QByteArray> directories = unixRootCertDirectories();
-# endif
     QDir currentDir;
     QStringList nameFilters;
-# ifdef Q_OS_ANDROID
+    QList<QByteArray> directories;
-    nameFilters << QLatin1String("*.der");
+    QSsl::EncodingFormat platformEncodingFormat;
-#else
-    nameFilters << QLatin1String("*.pem") << QLatin1String("*.crt");
-# endif
-    currentDir.setNameFilters(nameFilters);
-    for (int a = 0; a < directories.count(); a++) {
-        currentDir.setPath(QLatin1String(directories.at(a)));
-        QDirIterator it(currentDir);
-        while(it.hasNext()) {
-            it.next();
-            // use canonical path here to not load the same certificate twice if symlinked
-            certFiles.insert(it.fileInfo().canonicalFilePath());
-        }
-    }
-    QSetIterator<QString> it(certFiles);
-    while(it.hasNext()) {
-# ifdef Q_OS_ANDROID
-        systemCerts.append(QSslCertificate::fromPath(it.next(), QSsl::Der));
-# else
-        systemCerts.append(QSslCertificate::fromPath(it.next(), QSsl::Pem));
-# endif
-    }
 # ifndef Q_OS_ANDROID
-    systemCerts.append(QSslCertificate::fromPath(QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), QSsl::Pem)); // Fedora, Mandriva
+    directories = unixRootCertDirectories();
-    systemCerts.append(QSslCertificate::fromPath(QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), QSsl::Pem)); // FreeBSD's ca_root_nss
+    nameFilters << QLatin1String("*.pem") << QLatin1String("*.crt");
+    platformEncodingFormat = QSsl::Pem;
+# else
+    // Q_OS_ANDROID
+    QByteArray ministroPath = qgetenv("MINISTRO_SSL_CERTS_PATH"); // Set by Ministro
+    directories << ministroPath;
+    nameFilters << QLatin1String("*.der");
+    platformEncodingFormat = QSsl::Der;
+#  ifndef Q_OS_ANDROID_NO_SDK
+    if (ministroPath.isEmpty()) {
+        QList<QByteArray> certificateData = fetchSslCertificateData();
+        for (int i = 0; i < certificateData.size(); ++i) {
+            systemCerts.append(QSslCertificate::fromData(certificateData.at(i), QSsl::Der));
+        }
+    } else
+#   endif //Q_OS_ANDROID_NO_SDK
+# endif //Q_OS_ANDROID
+    {
+        currentDir.setNameFilters(nameFilters);
+        for (int a = 0; a < directories.count(); a++) {
+            currentDir.setPath(QLatin1String(directories.at(a)));
+            QDirIterator it(currentDir);
+            while (it.hasNext()) {
+                it.next();
+                // use canonical path here to not load the same certificate twice if symlinked
+                certFiles.insert(it.fileInfo().canonicalFilePath());
+            }
+        }
+        QSetIterator<QString> it(certFiles);
+        while (it.hasNext())
+            systemCerts.append(QSslCertificate::fromPath(it.next(), platformEncodingFormat));
+# ifndef Q_OS_ANDROID
+        systemCerts.append(QSslCertificate::fromPath(QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), QSsl::Pem)); // Fedora, Mandriva
+        systemCerts.append(QSslCertificate::fromPath(QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), QSsl::Pem)); // FreeBSD's ca_root_nss
 # endif
+    }
 #endif
 #ifdef QSSLSOCKET_DEBUG
     qDebug() << "systemCaCertificates retrieval time " << timer.elapsed() << "ms";

src/network/ssl/qsslsocket_openssl_android.cpp

@@ -0,0 +1,179 @@
+/****************************************************************************
+**
+** Copyright (C) 2013 Digia Plc and/or its subsidiary(-ies).
+** Contact: http://www.qt-project.org/legal
+**
+** This file is part of the QtNetwork module of the Qt Toolkit.
+**
+** $QT_BEGIN_LICENSE:LGPL$
+** Commercial License Usage
+** Licensees holding valid commercial Qt licenses may use this file in
+** accordance with the commercial license agreement provided with the
+** Software or, alternatively, in accordance with the terms contained in
+** a written agreement between you and Digia.  For licensing terms and
+** conditions see http://qt.digia.com/licensing.  For further information
+** use the contact form at http://qt.digia.com/contact-us.
+**
+** GNU Lesser General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU Lesser
+** General Public License version 2.1 as published by the Free Software
+** Foundation and appearing in the file LICENSE.LGPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU Lesser General Public License version 2.1 requirements
+** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+**
+** In addition, as a special exception, Digia gives you certain additional
+** rights.  These rights are described in the Digia Qt LGPL Exception
+** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+**
+** GNU General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU
+** General Public License version 3.0 as published by the Free Software
+** Foundation and appearing in the file LICENSE.GPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU General Public License version 3.0 requirements will be
+** met: http://www.gnu.org/copyleft/gpl.html.
+**
+**
+** $QT_END_LICENSE$
+**
+****************************************************************************/
+
+/****************************************************************************
+**
+** In addition, as a special exception, the copyright holders listed above give
+** permission to link the code of its release of Qt with the OpenSSL project's
+** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the
+** same license as the original version), and distribute the linked executables.
+**
+** You must comply with the GNU General Public License version 2 in all
+** respects for all of the code used other than the "OpenSSL" code.  If you
+** modify this file, you may extend this exception to your version of the file,
+** but you are not obligated to do so.  If you do not wish to do so, delete
+** this exception statement from your version of this file.
+**
+****************************************************************************/
+
+#include "qsslsocket_openssl_p.h"
+
+
+
+#include <jni.h>
+#include <android/log.h>
+
+static JavaVM *javaVM = 0;
+static jclass appClass;
+
+static jmethodID getSslCertificatesMethodID;
+
+struct AttachedJNIEnv
+{
+    AttachedJNIEnv()
+    {
+        attached = false;
+        if (javaVM->GetEnv((void**)&jniEnv, JNI_VERSION_1_6) < 0) {
+            if (javaVM->AttachCurrentThread(&jniEnv, NULL) < 0) {
+                __android_log_print(ANDROID_LOG_ERROR, "Qt", "AttachCurrentThread failed");
+                jniEnv = 0;
+                return;
+            }
+            attached = true;
+        }
+    }
+
+    ~AttachedJNIEnv()
+    {
+        if (attached)
+            javaVM->DetachCurrentThread();
+    }
+    bool attached;
+    JNIEnv *jniEnv;
+};
+
+static const char logTag[] = "Qt";
+static const char classErrorMsg[] = "Can't find class \"%s\"";
+static const char methodErrorMsg[] = "Can't find method \"%s%s\"";
+
+
+#define FIND_AND_CHECK_CLASS(CLASS_NAME) \
+clazz = env->FindClass(CLASS_NAME); \
+if (!clazz) { \
+    __android_log_print(ANDROID_LOG_FATAL, logTag, classErrorMsg, CLASS_NAME); \
+    return JNI_FALSE; \
+}
+
+#define GET_AND_CHECK_STATIC_METHOD(VAR, CLASS, METHOD_NAME, METHOD_SIGNATURE) \
+VAR = env->GetStaticMethodID(CLASS, METHOD_NAME, METHOD_SIGNATURE); \
+if (!VAR) { \
+    __android_log_print(ANDROID_LOG_FATAL, logTag, methodErrorMsg, METHOD_NAME, METHOD_SIGNATURE); \
+    return JNI_FALSE; \
+}
+
+static bool registerNatives(JNIEnv *env)
+{
+    jclass clazz;
+    FIND_AND_CHECK_CLASS("org/qtproject/qt5/android/QtNative");
+    appClass = static_cast<jclass>(env->NewGlobalRef(clazz));
+
+#if 0 //we don't call C++ functions from Java at this time
+    if (env->RegisterNatives(appClass, methods, sizeof(methods) / sizeof(methods[0])) < 0) {
+        __android_log_print(ANDROID_LOG_FATAL, logTag, "RegisterNatives failed");
+        return JNI_FALSE;
+    }
+#endif
+
+    GET_AND_CHECK_STATIC_METHOD(getSslCertificatesMethodID, appClass, "getSSLCertificates", "()[[B");
+
+    return true;
+}
+
+Q_DECL_EXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void * /*reserved*/)
+{
+    typedef union {
+        JNIEnv *nativeEnvironment;
+        void *venv;
+    } UnionJNIEnvToVoid;
+
+    __android_log_print(ANDROID_LOG_INFO, logTag, "Network start");
+    UnionJNIEnvToVoid uenv;
+    uenv.venv = NULL;
+    javaVM = 0;
+
+    if (vm->GetEnv(&uenv.venv, JNI_VERSION_1_4) != JNI_OK) {
+        __android_log_print(ANDROID_LOG_FATAL, logTag, "GetEnv failed");
+        return -1;
+    }
+    JNIEnv *env = uenv.nativeEnvironment;
+    if (!registerNatives(env)) {
+        __android_log_print(ANDROID_LOG_FATAL, logTag, "registerNatives failed");
+        return -1;
+    }
+
+    javaVM = vm;
+    return JNI_VERSION_1_4;
+}
+
+QList<QByteArray> QSslSocketPrivate::fetchSslCertificateData()
+{
+    QList<QByteArray> certificateData;
+    AttachedJNIEnv env;
+
+    if (env.jniEnv) {
+        jobjectArray jcertificates =
+            static_cast<jobjectArray>(env.jniEnv->CallStaticObjectMethod(appClass, getSslCertificatesMethodID));
+        jint nCertificates = env.jniEnv->GetArrayLength(jcertificates);
+
+        for (int i = 0; i < nCertificates; ++i) {
+            jbyteArray jCert = static_cast<jbyteArray>(env.jniEnv->GetObjectArrayElement(jcertificates, i));
+
+            const uint sz = env.jniEnv->GetArrayLength(jCert);
+            jbyte *buffer = env.jniEnv->GetByteArrayElements(jCert, 0);
+            certificateData.append(QByteArray(reinterpret_cast<char*>(buffer), sz));
+
+            env.jniEnv->ReleaseByteArrayElements(jCert, buffer, JNI_ABORT); // don't copy back the elements
+            env.jniEnv->DeleteLocalRef(jCert);
+        }
+    }
+
+    return certificateData;
+}

src/network/ssl/qsslsocket_p.h

@@ -197,6 +197,9 @@ public:
 private:
     static bool ensureLibraryLoaded();
     static void ensureCiphersAndCertsLoaded();
+#if defined(Q_OS_ANDROID) && !defined(Q_OS_ANDROID_NO_SDK)
+    static QList<QByteArray> fetchSslCertificateData();
+#endif
 
     static bool s_libraryLoaded;
     static bool s_loadedCiphersAndCerts;

src/network/ssl/ssl.pri

@@ -28,6 +28,8 @@ contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) {
                ssl/qsslcertificateextension.cpp \
                ssl/qsslcontext.cpp
 
+android:!android-no-sdk: SOURCES += ssl/qsslsocket_openssl_android.cpp
+
     # Add optional SSL libs
     # Static linking of OpenSSL with msvc:
     #   - Binaries http://slproweb.com/products/Win32OpenSSL.html