add support for upcoming lets encrypt certificates on android 7.1.1 and earlier

Author: ajungg

CHANGELOG.md

@@ -1,6 +1,11 @@
 # Changelog  
 All notable changes to this project will be documented in this file.
 
+## [0.29.8]
+
+### Changed
+- Add support for lets encrypt certificates on Android versions before 7.1.1
+
 ## [0.29.7]
 
 - More vendor specific strings

build.gradle

@@ -29,7 +29,7 @@ allprojects {
     }
 
     project.ext {
-        sdkVersion='0.29.7'
+        sdkVersion='0.29.8'
         versionCode=1
 
         compileSdkVersion=29

core/src/androidTest/java/io/snabble/sdk/NetworkTest.java

@@ -0,0 +1,28 @@
+package io.snabble.sdk;
+
+import androidx.test.filters.LargeTest;
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.io.IOException;
+
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.Response;
+
+@RunWith(AndroidJUnit4.class)
+@LargeTest
+public class NetworkTest extends SnabbleSdkTest {
+    @Test
+    public void testLetsEncrypt() throws IOException {
+        OkHttpClient okHttpClient = project.getOkHttpClient();
+
+        Response response = okHttpClient.newCall(new Request.Builder().url("https://valid-isrgrootx1.letsencrypt.org/robots.txt").build()).execute();
+        Assert.assertTrue(response.code() == 404 || response.code() == 200);
+        response = okHttpClient.newCall(new Request.Builder().url("https://google.com/robots.txt").build()).execute();
+        Assert.assertTrue(response.code() == 404 || response.code() == 200);
+    }
+}

core/src/main/java/io/snabble/sdk/OkHttpClientFactory.java

@@ -1,9 +1,8 @@
 package io.snabble.sdk;
 
 import android.app.Application;
-
 import java.util.concurrent.TimeUnit;
-
+import io.snabble.sdk.utils.LetsEncryptCertHelper;
 import io.snabble.sdk.utils.Logger;
 import okhttp3.Cache;
 import okhttp3.CertificatePinner;
@@ -59,6 +58,8 @@ public void log(String message) {
 
         if (config.sslSocketFactory != null && config.x509TrustManager != null) {
             builder.sslSocketFactory(config.sslSocketFactory, config.x509TrustManager);
+        } else {
+            LetsEncryptCertHelper.addLetsEncryptCertificatesForMarshmallowOrEarlier(builder);
         }
 
         return builder.build();

utils/build.gradle

@@ -45,6 +45,7 @@ dependencies {
 
     implementation 'commons-io:commons-io:2.5'
     implementation "com.squareup.okhttp3:okhttp:${project.okhttpVersion}"
+    implementation "com.squareup.okhttp3:okhttp-tls:${project.okhttpVersion}"
     implementation 'androidx.appcompat:appcompat:1.2.0'
     implementation 'com.google.code.gson:gson:2.8.6'
 

utils/src/main/java/io/snabble/sdk/utils/LetsEncryptCertHelper.java

@@ -0,0 +1,68 @@
+package io.snabble.sdk.utils;
+
+import android.os.Build;
+
+import java.io.ByteArrayInputStream;
+import java.io.UnsupportedEncodingException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+import okhttp3.OkHttpClient;
+import okhttp3.tls.HandshakeCertificates;
+
+public class LetsEncryptCertHelper {
+    public static void addLetsEncryptCertificatesForMarshmallowOrEarlier(OkHttpClient.Builder builder) {
+        boolean androidMorEarlier = Build.VERSION.SDK_INT <= Build.VERSION_CODES.N;
+
+        if (androidMorEarlier) {
+            String isgCert =
+                    "-----BEGIN CERTIFICATE-----\n" +
+                            "MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n" +
+                            "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n" +
+                            "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n" +
+                            "WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n" +
+                            "ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n" +
+                            "MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n" +
+                            "h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n" +
+                            "0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n" +
+                            "A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n" +
+                            "T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n" +
+                            "B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n" +
+                            "B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n" +
+                            "KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n" +
+                            "OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n" +
+                            "jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n" +
+                            "qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n" +
+                            "rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n" +
+                            "HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n" +
+                            "hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n" +
+                            "ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n" +
+                            "3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n" +
+                            "NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n" +
+                            "ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n" +
+                            "TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n" +
+                            "jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n" +
+                            "oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n" +
+                            "4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n" +
+                            "mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n" +
+                            "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n" +
+                            "-----END CERTIFICATE-----";
+
+            try {
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                Certificate isgCertificate = cf.generateCertificate(new ByteArrayInputStream(isgCert.getBytes("UTF-8")));
+
+                HandshakeCertificates certificates = new HandshakeCertificates.Builder()
+                        .addTrustedCertificate((X509Certificate) isgCertificate)
+                        .addPlatformTrustedCertificates()
+                        .build();
+
+                builder.sslSocketFactory(certificates.sslSocketFactory(), certificates.trustManager());
+            } catch (CertificateException | UnsupportedEncodingException e) {
+                // ignore
+            }
+        }
+    }
+}