This repository has been archived by the owner on Nov 17, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Skip certificate verification for tor connections (#242)
- Loading branch information
1 parent
ae5bf47
commit 7772f2d
Showing
21 changed files
with
185 additions
and
136 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
65 changes: 0 additions & 65 deletions
65
...ain/java/zapsolutions/zap/connection/establishConnectionToLnd/CustomSSLSocketFactory.java
This file was deleted.
Oops, something went wrong.
11 changes: 0 additions & 11 deletions
11
...n/java/zapsolutions/zap/connection/establishConnectionToLnd/HostnameVerifierAllowAll.java
This file was deleted.
Oops, something went wrong.
15 changes: 15 additions & 0 deletions
15
app/src/main/java/zapsolutions/zap/connection/lndConnection/BlindHostnameVerifier.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
package zapsolutions.zap.connection.lndConnection; | ||
|
||
import javax.net.ssl.HostnameVerifier; | ||
import javax.net.ssl.SSLSession; | ||
|
||
/** | ||
* This HostnameVerifier trust all host names. No verification will take place. | ||
* In our context we only use it for tor connections and in debug builds to simplify the regtest setup. | ||
*/ | ||
public class BlindHostnameVerifier implements HostnameVerifier { | ||
@Override | ||
public boolean verify(String hostname, SSLSession session) { | ||
return true; | ||
} | ||
} |
27 changes: 27 additions & 0 deletions
27
app/src/main/java/zapsolutions/zap/connection/lndConnection/BlindTrustManager.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
package zapsolutions.zap.connection.lndConnection; | ||
|
||
import java.security.cert.CertificateException; | ||
import java.security.cert.X509Certificate; | ||
|
||
import javax.net.ssl.X509TrustManager; | ||
|
||
/** | ||
* This TrustManager trust ALL certificates. No validation takes place. | ||
* In our context we use it only for tor connections. | ||
*/ | ||
public class BlindTrustManager implements X509TrustManager { | ||
|
||
public X509Certificate[] getAcceptedIssuers() { | ||
return null; | ||
} | ||
|
||
public void checkClientTrusted(X509Certificate[] chain, String authType) | ||
throws CertificateException { | ||
|
||
} | ||
|
||
public void checkServerTrusted(X509Certificate[] chain, String authType) | ||
throws CertificateException { | ||
|
||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
98 changes: 98 additions & 0 deletions
98
app/src/main/java/zapsolutions/zap/connection/lndConnection/LndSSLSocketFactory.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
package zapsolutions.zap.connection.lndConnection; | ||
|
||
import com.google.common.io.BaseEncoding; | ||
|
||
import java.io.ByteArrayInputStream; | ||
import java.io.InputStream; | ||
import java.security.KeyManagementException; | ||
import java.security.KeyStore; | ||
import java.security.NoSuchAlgorithmException; | ||
import java.security.SecureRandom; | ||
import java.security.cert.Certificate; | ||
import java.security.cert.CertificateFactory; | ||
|
||
import javax.net.ssl.SSLContext; | ||
import javax.net.ssl.SSLSocketFactory; | ||
import javax.net.ssl.TrustManager; | ||
import javax.net.ssl.TrustManagerFactory; | ||
|
||
import zapsolutions.zap.connection.manageWalletConfigs.WalletConfig; | ||
import zapsolutions.zap.util.ZapLog; | ||
|
||
/** | ||
* Creates an SSLSocketFactory instance for use with a self signed Certificate, | ||
* which would otherwise be considered "not trustworthy". | ||
* This can be fed into HttpsURLConnection, as well as networking libraries such as OkHttp's OkHttpClient. | ||
*/ | ||
public class LndSSLSocketFactory { | ||
|
||
private static final String LOG_TAG = LndSSLSocketFactory.class.getName(); | ||
|
||
private LndSSLSocketFactory() { | ||
throw new AssertionError(); | ||
} | ||
|
||
public static SSLSocketFactory create(WalletConfig walletConfig) { | ||
SSLContext sslCtx = null; | ||
|
||
try { | ||
sslCtx = SSLContext.getInstance("TLS"); | ||
} catch (NoSuchAlgorithmException e) { | ||
e.printStackTrace(); | ||
return null; | ||
} | ||
|
||
if (walletConfig.isTor()) { | ||
// Always trust the certificate on Tor connection | ||
try { | ||
sslCtx.init(null, new TrustManager[]{new BlindTrustManager()}, null); | ||
} catch (KeyManagementException e) { | ||
e.printStackTrace(); | ||
return null; | ||
} | ||
return sslCtx.getSocketFactory(); | ||
|
||
} else { | ||
// On clearnet we want to validate the certificate. | ||
if (walletConfig.getCert() != null && !walletConfig.getCert().isEmpty()) { | ||
//try to create a trustmanager that trust the certificate that was transmitted with the lndconnect string. | ||
try { | ||
InputStream caInput = null; | ||
String certificateBase64UrlString = walletConfig.getCert(); | ||
byte[] certificateBytes = BaseEncoding.base64Url().decode(certificateBase64UrlString); | ||
|
||
// Generate the CA Certificate from the supplied byte array | ||
caInput = new ByteArrayInputStream(certificateBytes); | ||
Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(caInput); | ||
|
||
// Load the key store using the CA | ||
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); | ||
keyStore.load(null, null); | ||
keyStore.setCertificateEntry("ca", ca); | ||
|
||
// Initialize the TrustManager with this CA | ||
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); | ||
tmf.init(keyStore); | ||
|
||
// Create an SSL context that uses the created trust manager | ||
sslCtx.init(null, tmf.getTrustManagers(), new SecureRandom()); | ||
return sslCtx.getSocketFactory(); | ||
|
||
} catch (Exception e) { | ||
ZapLog.e(LOG_TAG, "Error while initializing self signed certificate."); | ||
e.printStackTrace(); | ||
} | ||
} | ||
} | ||
|
||
// If the above failed, use the default TrustManager which is used when set to null | ||
// This will be the case for btc pay for example as no self signed certificates are used | ||
try { | ||
sslCtx.init(null, null, new SecureRandom()); | ||
} catch (KeyManagementException e) { | ||
e.printStackTrace(); | ||
return null; | ||
} | ||
return sslCtx.getSocketFactory(); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.