Remove SSL Pinning (APPS-1821) (#222)

Author: cmaier

CHANGELOG.md

@@ -5,6 +5,8 @@ All notable changes to this project will be documented in this file.
 ### Added
 ### Changed
 ### Removed
+* core: SSL Pinning has been removed
+* ui: Datatrans SSL Pinning has been deactivated
 ### Fixed
 
 ## [0.79.0]

core/src/main/java/io/snabble/sdk/Config.kt

@@ -1,13 +1,18 @@
 package io.snabble.sdk
 
 import android.content.Context
-import com.google.gson.*
+import com.google.gson.JsonDeserializationContext
+import com.google.gson.JsonDeserializer
+import com.google.gson.JsonElement
+import com.google.gson.JsonNull
+import com.google.gson.JsonPrimitive
+import com.google.gson.JsonSerializationContext
+import com.google.gson.JsonSerializer
 import io.snabble.sdk.utils.Dispatch
 import io.snabble.sdk.utils.GsonHolder
 import io.snabble.sdk.utils.Logger
 import okhttp3.Interceptor
 import java.io.File
-import java.lang.Exception
 import java.lang.reflect.Type
 import java.util.concurrent.TimeUnit
 
@@ -96,10 +101,6 @@ data class Config (
     @JvmField
     var maxShoppingCartAge: Long  = TimeUnit.HOURS.toMillis(4),
 
-    /** If set to true, disables certificate pinning. Not recommended for production!  */
-    @JvmField
-    var disableCertificatePinning: Boolean = false,
-
     /** SQL queries that will get executed in order on the product database. */
     @JvmField
     var initialSQL: List<String> = emptyList(),

core/src/main/java/io/snabble/sdk/OkHttpClientFactory.kt

@@ -6,55 +6,20 @@ import io.snabble.sdk.auth.useragent.UserAgentInterceptor
 import io.snabble.sdk.utils.LetsEncryptCertHelper
 import io.snabble.sdk.utils.Logger
 import okhttp3.Cache
-import okhttp3.CertificatePinner
 import okhttp3.OkHttpClient
 import java.util.concurrent.TimeUnit
 
 @RestrictTo(RestrictTo.Scope.LIBRARY)
 internal object OkHttpClientFactory {
-    private val PINS = arrayOf(
-        "sha256/YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=",  // Let's Encrypt X3 cross-signed
-        "sha256/sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=",  // Let's Encrypt X4 cross-signed
-        "sha256/J2/oqMTsdhFWW/n85tys6b4yDBtb6idZayIEBx7QTxA=",  // Let's Encrypt E1
-        "sha256/vZNucrIS7293MQLGt304+UKXMi78JTlrwyeUIuDIknA=",  // Let's Encrypt E2
-        "sha256/jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=",  // Let's Encrypt R3 cross-signed
-        "sha256/5VReIRNHJBiRxVSgOTTN6bdJZkpZ0m1hX+WPd5kPLQM=",  // Let's Encrypt R4 cross-signed
-        // backup CAs
-        "sha256/C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=",  // ISRG Root X1
-        "sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=",  // AddTrust External Root
-        "sha256/r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=",  // DigiCert Global Root
-        "sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=",  // DigiCert Global Root G2
-        "sha256/WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=",  // DigiCert HA Root
-        "sha256/h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU=",  // GeoTrust Global
-        "sha256/q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8=",  // GeoTrust PCA G3 Root
-        "sha256/47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",  // GeoTrust PCA G4
-        "sha256/SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo=" // GeoTrust PCA
-    )
 
     @RestrictTo(RestrictTo.Scope.LIBRARY)
-    internal fun createOkHttpClient(application: Application): OkHttpClient {
-        val builder = OkHttpClient.Builder()
-        builder.cache(Cache(application.cacheDir, 10 * 1024 * 1024))
-        builder.retryOnConnectionFailure(true)
-        builder.pingInterval(5, TimeUnit.SECONDS) // workaround for https://github.com/square/okhttp/issues/3146
-        builder.addInterceptor(OkHttpLogger { message: String? ->
-            Logger.i(message)
-        })
-        Snabble.config.networkInterceptor?.let {
-            builder.addNetworkInterceptor(it)
-        }
-        builder.addInterceptor(UserAgentInterceptor(application))
-        if (!Snabble.config.disableCertificatePinning) {
-            val environments = Environment.values()
-            builder.certificatePinner(CertificatePinner.Builder().apply {
-                PINS.forEach { pin ->
-                    environments.forEach { env ->
-                        add(env.wildcardUrl, pin)
-                    }
-                }
-            }.build())
-        }
-        LetsEncryptCertHelper.addLetsEncryptCertificatesForMarshmallowOrEarlier(builder)
-        return builder.build()
-    }
+    internal fun createOkHttpClient(application: Application): OkHttpClient = OkHttpClient.Builder()
+        .cache(Cache(application.cacheDir, 10 * 1024 * 1024))
+        .retryOnConnectionFailure(true)
+        .pingInterval(5, TimeUnit.SECONDS) // workaround for https://github.com/square/okhttp/issues/3146
+        .addInterceptor(OkHttpLogger { message: String? -> Logger.i(message) })
+        .addInterceptor(UserAgentInterceptor(application))
+        .apply { Snabble.config.networkInterceptor?.let { addNetworkInterceptor(it) } }
+        .apply { LetsEncryptCertHelper.addLetsEncryptCertificatesForMarshmallowOrEarlier(this) }
+        .build()
 }

core/src/main/java/io/snabble/sdk/SnabbleInitializer.kt

@@ -40,7 +40,6 @@ class SnabbleInitializer : Initializer<Snabble> {
                 generateSearchIndex = properties.getBoolean("generateSearchIndex", generateSearchIndex)
                 maxProductDatabaseAge = properties.getLong("maxProductDatabaseAge", maxProductDatabaseAge)
                 maxShoppingCartAge = properties.getLong("maxShoppingCartAge", maxShoppingCartAge)
-                disableCertificatePinning = properties.getBoolean("disableCertificatePinning", disableCertificatePinning)
                 vibrateToConfirmCartFilled = properties.getBoolean("vibrateToConfirmCartFilled", vibrateToConfirmCartFilled)
                 loadActiveShops = properties.getBoolean("loadActiveShops", loadActiveShops)
                 checkInRadius = properties.getFloat("checkInRadius", checkInRadius)
@@ -81,7 +80,6 @@ class SnabbleInitializer : Initializer<Snabble> {
                 generateSearchIndex = getBoolean("snabble_generate_search_index", generateSearchIndex)
                 maxProductDatabaseAge = getLong("snabble_max_product_database_age", maxProductDatabaseAge)
                 maxShoppingCartAge = getLong("snabble_max_shopping_cart_age", maxShoppingCartAge)
-                disableCertificatePinning = getBoolean("snabble_disable_certificate_pinning")
                 vibrateToConfirmCartFilled = getBoolean("snabble_vibrate_to_confirm_cart_filled", vibrateToConfirmCartFilled)
                 loadActiveShops = getBoolean("snabble_load_active_shops", loadActiveShops)
                 checkInRadius = getFloat("snabble_check_in_radius", checkInRadius)

ui/src/main/java/io/snabble/sdk/ui/payment/creditcard/datatrans/ui/DatatransViewModel.kt

@@ -86,7 +86,6 @@ internal class DatatransViewModel(
         }
         options.appCallbackScheme = "snabble"
         options.isTesting = isTesting
-        options.useCertificatePinning = true
     }
 
     fun errorHandled() {