info.guardianproject.netcipher.client

Class SSLConnectionSocketFactory

java.lang.Object

info.guardianproject.netcipher.client.SSLConnectionSocketFactory

All Implemented Interfaces:

cz.msebera.android.httpclient.conn.socket.ConnectionSocketFactory, cz.msebera.android.httpclient.conn.socket.LayeredConnectionSocketFactory

Direct Known Subclasses:

StrongSSLSocketFactory2

public class SSLConnectionSocketFactory
extends java.lang.Object
implements cz.msebera.android.httpclient.conn.socket.LayeredConnectionSocketFactory

Layered socket factory for TLS/SSL connections.

SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.

SSLSocketFactory will enable server authentication when supplied with a trust-store file containing one or several trusted certificates. The client secure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.

Use JDK keytool utility to import a trusted certificate and generate a trust-store file:

     keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
    

In special cases the standard trust verification process can be bypassed by using a custom org.apache.http.conn.ssl.TrustStrategy. This interface is primarily intended for allowing self-signed certificates to be accepted as trusted without having to add them to the trust-store file.

SSLSocketFactory will enable client authentication when supplied with a key-store file containing a private key/public certificate pair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish client's authenticity.

Use the following sequence of actions to generate a key-store file

• Use JDK keytool utility to generate a new key

  keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore

  For simplicity use the same password for the key as that of the key-store

• Issue a certificate signing request (CSR)

  keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore

• Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.

• Import the trusted CA root certificate

  keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore

• Import the PKCS#7 file containing the complete certificate chain

  keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore

• Verify the content of the resultant keystore file

  keytool -list -v -keystore my.keystore

Since:

4.3

Constructor Summary

Constructors

Constructor and Description
SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext)
SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext, javax.net.ssl.HostnameVerifier hostnameVerifier)
SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext, java.lang.String[] supportedProtocols, java.lang.String[] supportedCipherSuites, javax.net.ssl.HostnameVerifier hostnameVerifier)
SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext, java.lang.String[] supportedProtocols, java.lang.String[] supportedCipherSuites, cz.msebera.android.httpclient.conn.ssl.X509HostnameVerifier hostnameVerifier) Deprecated. (4.4) Use SSLConnectionSocketFactory(SSLContext, String[], String[], HostnameVerifier)
SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext, cz.msebera.android.httpclient.conn.ssl.X509HostnameVerifier hostnameVerifier) Deprecated. (4.4) Use SSLConnectionSocketFactory(SSLContext, HostnameVerifier)
SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory socketfactory, javax.net.ssl.HostnameVerifier hostnameVerifier)
SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory socketfactory, java.lang.String[] supportedProtocols, java.lang.String[] supportedCipherSuites, javax.net.ssl.HostnameVerifier hostnameVerifier)
SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory socketfactory, java.lang.String[] supportedProtocols, java.lang.String[] supportedCipherSuites, cz.msebera.android.httpclient.conn.ssl.X509HostnameVerifier hostnameVerifier) Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory, String[], String[], HostnameVerifier)
SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory socketfactory, cz.msebera.android.httpclient.conn.ssl.X509HostnameVerifier hostnameVerifier) Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory, HostnameVerifier)

Method Summary

Modifier and Type	Method and Description
java.net.Socket	connectSocket(int connectTimeout, java.net.Socket socket, cz.msebera.android.httpclient.HttpHost host, java.net.InetSocketAddress remoteAddress, java.net.InetSocketAddress localAddress, cz.msebera.android.httpclient.protocol.HttpContext context)
java.net.Socket	createLayeredSocket(java.net.Socket socket, java.lang.String target, int port, cz.msebera.android.httpclient.protocol.HttpContext context)
java.net.Socket	createSocket(cz.msebera.android.httpclient.protocol.HttpContext context)
static javax.net.ssl.HostnameVerifier	getDefaultHostnameVerifier()
static SSLConnectionSocketFactory	getSocketFactory() Obtains default SSL socket factory with an SSL context based on the standard JSSE trust material (cacerts file in the security properties directory).
static SSLConnectionSocketFactory	getSystemSocketFactory() Obtains default SSL socket factory with an SSL context based on system properties as described in Java™ Secure Socket Extension (JSSE) Reference Guide.
protected void	prepareSocket(javax.net.ssl.SSLSocket socket) Performs any custom initialization for a newly created SSLSocket (before the SSL handshake happens).

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext)

SSLConnectionSocketFactory

@Deprecated
public SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext,
                                              cz.msebera.android.httpclient.conn.ssl.X509HostnameVerifier hostnameVerifier)

Deprecated. (4.4) Use SSLConnectionSocketFactory(SSLContext, HostnameVerifier)

SSLConnectionSocketFactory

@Deprecated
public SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext,
                                              java.lang.String[] supportedProtocols,
                                              java.lang.String[] supportedCipherSuites,
                                              cz.msebera.android.httpclient.conn.ssl.X509HostnameVerifier hostnameVerifier)

Deprecated. (4.4) Use SSLConnectionSocketFactory(SSLContext, String[], String[], HostnameVerifier)

SSLConnectionSocketFactory

@Deprecated
public SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory socketfactory,
                                              cz.msebera.android.httpclient.conn.ssl.X509HostnameVerifier hostnameVerifier)

Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory, HostnameVerifier)

SSLConnectionSocketFactory

@Deprecated
public SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory socketfactory,
                                              java.lang.String[] supportedProtocols,
                                              java.lang.String[] supportedCipherSuites,
                                              cz.msebera.android.httpclient.conn.ssl.X509HostnameVerifier hostnameVerifier)

Deprecated. (4.4) Use SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory, String[], String[], HostnameVerifier)

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext,
                                  javax.net.ssl.HostnameVerifier hostnameVerifier)

Since:

4.4

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(javax.net.ssl.SSLContext sslContext,
                                  java.lang.String[] supportedProtocols,
                                  java.lang.String[] supportedCipherSuites,
                                  javax.net.ssl.HostnameVerifier hostnameVerifier)

Since:

4.4

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory socketfactory,
                                  javax.net.ssl.HostnameVerifier hostnameVerifier)

Since:

4.4

SSLConnectionSocketFactory

public SSLConnectionSocketFactory(javax.net.ssl.SSLSocketFactory socketfactory,
                                  java.lang.String[] supportedProtocols,
                                  java.lang.String[] supportedCipherSuites,
                                  javax.net.ssl.HostnameVerifier hostnameVerifier)

Since:

4.4

Method Detail

getDefaultHostnameVerifier

public static javax.net.ssl.HostnameVerifier getDefaultHostnameVerifier()

Since:

4.4

getSocketFactory

public static SSLConnectionSocketFactory getSocketFactory()
                                                   throws cz.msebera.android.httpclient.conn.ssl.SSLInitializationException

Obtains default SSL socket factory with an SSL context based on the standard JSSE trust material (cacerts file in the security properties directory). System properties are not taken into consideration.

Returns:

default SSL socket factory

Throws:

cz.msebera.android.httpclient.conn.ssl.SSLInitializationException

getSystemSocketFactory

public static SSLConnectionSocketFactory getSystemSocketFactory()
                                                         throws cz.msebera.android.httpclient.conn.ssl.SSLInitializationException

Obtains default SSL socket factory with an SSL context based on system properties as described in Java™ Secure Socket Extension (JSSE) Reference Guide.

Returns:

default system SSL socket factory

Throws:

cz.msebera.android.httpclient.conn.ssl.SSLInitializationException

prepareSocket

protected void prepareSocket(javax.net.ssl.SSLSocket socket)
                      throws java.io.IOException

Performs any custom initialization for a newly created SSLSocket (before the SSL handshake happens).

The default implementation is a no-op, but could be overridden to, e.g., call SSLSocket.setEnabledCipherSuites(String[]).

Throws:

java.io.IOException - may be thrown if overridden

createSocket

public java.net.Socket createSocket(cz.msebera.android.httpclient.protocol.HttpContext context)
                             throws java.io.IOException

Specified by:

createSocket in interface cz.msebera.android.httpclient.conn.socket.ConnectionSocketFactory

Throws:

java.io.IOException

connectSocket

public java.net.Socket connectSocket(int connectTimeout,
                                     java.net.Socket socket,
                                     cz.msebera.android.httpclient.HttpHost host,
                                     java.net.InetSocketAddress remoteAddress,
                                     java.net.InetSocketAddress localAddress,
                                     cz.msebera.android.httpclient.protocol.HttpContext context)
                              throws java.io.IOException

Specified by:

connectSocket in interface cz.msebera.android.httpclient.conn.socket.ConnectionSocketFactory

Throws:

java.io.IOException

createLayeredSocket

public java.net.Socket createLayeredSocket(java.net.Socket socket,
                                           java.lang.String target,
                                           int port,
                                           cz.msebera.android.httpclient.protocol.HttpContext context)
                                    throws java.io.IOException

Specified by:

createLayeredSocket in interface cz.msebera.android.httpclient.conn.socket.LayeredConnectionSocketFactory

Throws:

java.io.IOException