Support client certificates

library/build.gradle

@@ -48,6 +48,7 @@ configurations {
 }
 
 dependencies {
+    implementation 'com.github.stephanritscher:InteractiveKeyManager:0.1'
     implementation 'org.apache.jackrabbit:jackrabbit-webdav:2.13.5'
     api 'com.squareup.okhttp3:okhttp:5.0.0-alpha.10'
     implementation 'com.gitlab.bitfireAT:dav4jvm:2.1.3' // in transition phase, we use old and new libs

library/src/main/java/com/owncloud/android/lib/common/OwnCloudClient.java

@@ -25,6 +25,7 @@
 
 package com.owncloud.android.lib.common;
 
+import android.content.Context;
 import android.net.Uri;
 
 import com.nextcloud.common.DNSCache;
@@ -53,6 +54,10 @@
 import java.net.SocketTimeoutException;
 import java.util.Locale;
 
+import de.ritscher.ssl.InteractiveKeyManager;
+import lombok.Getter;
+import lombok.Setter;
+
 public class OwnCloudClient extends HttpClient {
 
     private static final String TAG = OwnCloudClient.class.getSimpleName();
@@ -69,17 +74,24 @@ public class OwnCloudClient extends HttpClient {
     private OwnCloudCredentials credentials = null;
     private int mInstanceNumber;
 
+    @Getter private Uri baseUri;
+    @Setter private String userId;
+    private Context context;
+
     /**
      * Constructor
      */
-    public OwnCloudClient(Uri baseUri, HttpConnectionManager connectionMgr) {
+    public OwnCloudClient(Uri baseUri, HttpConnectionManager connectionMgr, Context context) {
         super(connectionMgr);
 
         if (baseUri == null) {
         	throw new IllegalArgumentException("Parameter 'baseUri' cannot be NULL");
         }
         nextcloudUriDelegate = new NextcloudUriDelegate(baseUri);
 
+        this.baseUri = baseUri;
+        this.context = context;
+
         mInstanceNumber = sInstanceCounter++;
         Log_OC.d(TAG + " #" + mInstanceNumber, "Creating OwnCloudClient");
 
@@ -206,6 +218,10 @@ public int executeMethod(HttpMethod method) throws IOException {
 //	        logCookiesAtState("after");
 //	        logSetCookiesAtResponse(method.getResponseHeaders());
 
+            if (status >= 400 && status < 500) {
+                Log_OC.w(TAG, "executeMethod failed with error code " + status + "; remove key chain aliases disabled");
+                //new InteractiveKeyManager(context).removeKeys(baseUri.getHost(), baseUri.getPort());
+            }
             return status;
 
         } catch (SocketTimeoutException | ConnectException e) {

library/src/main/java/com/owncloud/android/lib/common/OwnCloudClientFactory.java

@@ -151,7 +151,8 @@ public static OwnCloudClient createOwnCloudClient(Uri uri, Context context, bool
             Log_OC.e(TAG, "The local server truststore could not be read. Default SSL management" +
                     " in the system will be used for HTTPS connections", e);
         }
-        OwnCloudClient client = new OwnCloudClient(uri, NetworkUtils.getMultiThreadedConnManager());
+
+        OwnCloudClient client = new OwnCloudClient(uri, NetworkUtils.getMultiThreadedConnManager(), context);
         client.setDefaultTimeouts(DEFAULT_DATA_TIMEOUT, DEFAULT_CONNECTION_TIMEOUT);
         client.setFollowRedirects(followRedirects);
 

library/src/main/java/com/owncloud/android/lib/common/network/AdvancedSslSocketFactory.java

@@ -25,6 +25,9 @@
 package com.owncloud.android.lib.common.network;
 
 import com.nextcloud.common.DNSCache;
+import android.content.Context;
+import android.util.Log;
+
 import com.owncloud.android.lib.common.utils.Log_OC;
 
 import org.apache.commons.httpclient.ConnectTimeoutException;
@@ -50,6 +53,8 @@
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 
+import de.ritscher.ssl.InteractiveKeyManager;
+
 
 /**
  * AdvancedSSLProtocolSocketFactory allows to create SSL {@link Socket}s with
@@ -65,12 +70,14 @@ public class AdvancedSslSocketFactory implements SecureProtocolSocketFactory {
     private SSLContext mSslContext = null;
     private AdvancedX509TrustManager mTrustManager = null;
     private X509HostnameVerifier mHostnameVerifier = null;
+    private Context mContext = null;
 
     /**
      * Constructor for AdvancedSSLProtocolSocketFactory.
      */
     public AdvancedSslSocketFactory(
-            SSLContext sslContext, AdvancedX509TrustManager trustManager, X509HostnameVerifier hostnameVerifier
+            SSLContext sslContext, AdvancedX509TrustManager trustManager, X509HostnameVerifier hostnameVerifier,
+            Context context
     ) {
 
         if (sslContext == null)
@@ -83,6 +90,7 @@ public AdvancedSslSocketFactory(
         mSslContext = sslContext;
         mTrustManager = trustManager;
         mHostnameVerifier = hostnameVerifier;
+        mContext = context;
     }
 
     public SSLContext getSslContext() {
@@ -249,8 +257,13 @@ private void verifyPeerIdentity(String host, int port, Socket socket) throws IOE
             ///	(that should be an instance of AdvancedX509TrustManager) 
             try {
                 SSLSocket sock = (SSLSocket) socket;    // a new SSLSession instance is created as a "side effect" 
-                sock.startHandshake();
-
+                try {
+                    sock.startHandshake();
+                } catch (SSLHandshakeException e1) {
+                    Log.w(TAG, "SSL handshake failed; remove key chain aliases disabled", e1);
+                    //new InteractiveKeyManager(mContext).removeKeys(sock.getInetAddress().getHostName(), sock.getPort());
+                    throw e1;
+                }
             } catch (RuntimeException e) {
 
                 if (e instanceof CertificateCombinedException) {

library/src/main/java/com/owncloud/android/lib/common/network/NetworkUtils.java

@@ -47,8 +47,11 @@
 import java.security.cert.CertificateException;
 
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.TrustManager;
 
+import de.ritscher.ssl.InteractiveKeyManager;
+
 public class NetworkUtils {
 
     final private static String TAG = NetworkUtils.class.getSimpleName();
@@ -116,13 +119,23 @@ public static AdvancedSslSocketFactory getAdvancedSslSocketFactory(Context conte
         if (mAdvancedSslSocketFactory == null) {
             KeyStore trustStore = getKnownServersStore(context);
             AdvancedX509TrustManager trustMgr = new AdvancedX509TrustManager(trustStore);
-            TrustManager[] tms = new TrustManager[]{trustMgr};
+            TrustManager[] tms = new TrustManager[] { trustMgr };
+            InteractiveKeyManager keyMgr = new InteractiveKeyManager(context);
+            KeyManager[] kms = new KeyManager[] { keyMgr };
 
-            SSLContext sslContext = getSSLContext();
-            sslContext.init(null, tms, null);
+            SSLContext sslContext;
+            try {
+		sslContext = SSLContext.getInstance("TLSv1.2");
+            } catch (NoSuchAlgorithmException e) {
+		Log_OC.w(TAG, "TLSv1.2 is not supported in this device; falling through TLSv1.0");
+		sslContext = SSLContext.getInstance("TLSv1");
+		// should be available in any device; see reference of supported protocols in
+		// http://developer.android.com/reference/javax/net/ssl/SSLSocket.html
+            }
+            sslContext.init(kms, tms, null);
 
             mHostnameVerifier = new BrowserCompatHostnameVerifier();
-            mAdvancedSslSocketFactory = new AdvancedSslSocketFactory(sslContext, trustMgr, mHostnameVerifier);
+            mAdvancedSslSocketFactory = new AdvancedSslSocketFactory(sslContext, trustMgr, mHostnameVerifier, context);
         }
         return mAdvancedSslSocketFactory;
     }

sample_client/build.gradle

@@ -32,7 +32,7 @@ android {
         exclude 'META-INF/LICENSE.txt'
     }
     defaultConfig {
-        minSdkVersion 14
+        minSdkVersion 21
         targetSdkVersion 28
     }
 }