mirror/FairEmail
1
0
Fork 0
mirror of https://github.com/M66B/FairEmail.git synced 2025-01-03 13:44:40 +00:00
Code Issues Releases Wiki Activity

Added optional BC JSSE provider

Browse source
This commit is contained in:
M66B 2023-11-09 21:17:52 +01:00
parent 5bdbec77cb
commit 426cc45d3b
7 changed files with 91 additions and 52 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
app/build.gradle
View file

@ -716,6 +716,7 @@ dependencies {
// https://www.bouncycastle.org/latest_releases.html
// https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on
implementation "org.bouncycastle:bcpkix-jdk15to18:$bouncycastle_version"
implementation "org.bouncycastle:bctls-jdk15to18:$bouncycastle_version"
// https://github.com/openid/AppAuth-Android
// https://mvnrepository.com/artifact/net.openid/appauth

15
app/src/main/java/eu/faircode/email/EmailService.java
View file

@ -46,6 +46,8 @@ import com.sun.mail.util.MailConnectException;
import com.sun.mail.util.SocketConnectException;
import com.sun.mail.util.TraceOutputStream;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
@ -445,7 +447,8 @@ public class EmailService implements AutoCloseable {
}
}
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, key, chain, fingerprint);
boolean bc = prefs.getBoolean("bouncy_castle", false);
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, bc, key, chain, fingerprint);
properties.put("mail." + protocol + ".ssl.socketFactory", factory);
properties.put("mail." + protocol + ".socketFactory.fallback", "false");
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@ -1035,7 +1038,7 @@ public class EmailService implements AutoCloseable {
private SSLSocketFactory factory;
private X509Certificate certificate;
SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, boolean bc, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
this.server = host;
this.secure = !insecure;
this.ssl_harden = ssl_harden;
@ -1044,7 +1047,13 @@ public class EmailService implements AutoCloseable {
this.trustedFingerprint = fingerprint;
// https://developer.android.com/about/versions/oreo/android-8.0-changes.html#security-all
SSLContext sslContext = SSLContext.getInstance(insecure ? "SSL" : "TLS");
SSLContext sslContext;
String protocol = (insecure ? "SSL" : "TLS");
if (bc)
sslContext = SSLContext.getInstance(protocol, new BouncyCastleJsseProvider());
else
sslContext = SSLContext.getInstance(protocol);
Log.i("Using protocol=" + protocol + " bc=" + bc);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);

12
app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
View file

@ -92,6 +92,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
private SwitchCompat swSslHardenStrict;
private SwitchCompat swCertStrict;
private SwitchCompat swOpenSafe;
private SwitchCompat swBouncyCastle;
private Button btnManage;
private TextView tvNetworkMetered;
private TextView tvNetworkRoaming;
@ -110,7 +111,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
"download_headers", "download_eml", "download_plain",
"require_validated", "require_validated_captive", "vpn_only",
"timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
"ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe"
"ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe", "bouncy_castle"
};
@Override
@ -144,6 +145,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swSslHardenStrict = view.findViewById(R.id.swSslHardenStrict);
swCertStrict = view.findViewById(R.id.swCertStrict);
swOpenSafe = view.findViewById(R.id.swOpenSafe);
swBouncyCastle = view.findViewById(R.id.swBouncyCastle);
btnManage = view.findViewById(R.id.btnManage);
tvNetworkMetered = view.findViewById(R.id.tvNetworkMetered);
@ -348,6 +350,13 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
}
});
swBouncyCastle.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("bouncy_castle", checked).apply();
}
});
final Intent manage = getIntentConnectivity();
PackageManager pm = getContext().getPackageManager();
btnManage.setVisibility(
@ -609,6 +618,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swSslHardenStrict.setEnabled(swSslHarden.isChecked());
swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE));
swOpenSafe.setChecked(prefs.getBoolean("open_safe", false));
swBouncyCastle.setChecked(prefs.getBoolean("bouncy_castle", false));
} catch (Throwable ex) {
Log.e(ex);
}

99
app/src/main/java/eu/faircode/email/Log.java
View file

@ -124,6 +124,7 @@ import com.sun.mail.util.MailConnectException;
import net.openid.appauth.AuthState;
import net.openid.appauth.TokenResponse;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import org.json.JSONException;
import org.json.JSONObject;
@ -3613,67 +3614,73 @@ public class Log {
static SpannableStringBuilder getCiphers() {
SpannableStringBuilder ssb = new SpannableStringBuilderEx();
for (String protocol : new String[]{"SSL", "TLS"})
try {
int begin = ssb.length();
ssb.append("Protocol: ").append(protocol);
ssb.setSpan(new StyleSpan(Typeface.BOLD), begin, ssb.length(), 0);
ssb.append("\r\n\r\n");
for (Provider provider : new Provider[]{null, new BouncyCastleJsseProvider()})
for (String protocol : new String[]{"SSL", "TLS"})
try {
int begin = ssb.length();
ssb.append("Protocol: ").append(protocol)
.append(" ")
.append(provider == null ? "Android" : provider.getClass().getSimpleName());
ssb.setSpan(new StyleSpan(Typeface.BOLD), begin, ssb.length(), 0);
ssb.append("\r\n\r\n");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
ssb.append("Provider: ").append(tmf.getProvider().getName()).append("\r\n");
ssb.append("Algorithm: ").append(tmf.getAlgorithm()).append("\r\n");
ssb.append("Provider: ").append(tmf.getProvider().getName()).append("\r\n");
ssb.append("Algorithm: ").append(tmf.getAlgorithm()).append("\r\n");
TrustManager[] tms = tmf.getTrustManagers();
if (tms != null)
for (TrustManager tm : tms)
ssb.append("Manager: ").append(tm.getClass().getName()).append("\r\n");
TrustManager[] tms = tmf.getTrustManagers();
if (tms != null)
for (TrustManager tm : tms)
ssb.append("Manager: ").append(tm.getClass().getName()).append("\r\n");
SSLContext sslContext = SSLContext.getInstance(protocol);
SSLContext sslContext = (provider == null
? SSLContext.getInstance(protocol)
: SSLContext.getInstance(protocol, provider));
ssb.append("Context: ").append(sslContext.getProtocol()).append("\r\n\r\n");
sslContext.init(null, tmf.getTrustManagers(), null);
SSLSocket socket = (SSLSocket) sslContext.getSocketFactory().createSocket();
ssb.append("Context: ").append(sslContext.getProtocol()).append("\r\n\r\n");
List<String> protocols = new ArrayList<>();
protocols.addAll(Arrays.asList(socket.getEnabledProtocols()));
sslContext.init(null, tmf.getTrustManagers(), null);
SSLSocket socket = (SSLSocket) sslContext.getSocketFactory().createSocket();
for (String p : socket.getSupportedProtocols()) {
boolean enabled = protocols.contains(p);
if (!enabled)
ssb.append('(');
int start = ssb.length();
ssb.append(p);
if (!enabled) {
ssb.setSpan(new StrikethroughSpan(), start, ssb.length(), 0);
ssb.append(')');
List<String> protocols = new ArrayList<>();
protocols.addAll(Arrays.asList(socket.getEnabledProtocols()));
for (String p : socket.getSupportedProtocols()) {
boolean enabled = protocols.contains(p);
if (!enabled)
ssb.append('(');
int start = ssb.length();
ssb.append(p);
if (!enabled) {
ssb.setSpan(new StrikethroughSpan(), start, ssb.length(), 0);
ssb.append(')');
}
ssb.append("\r\n");
}
ssb.append("\r\n");
}
ssb.append("\r\n");
List<String> ciphers = new ArrayList<>();
ciphers.addAll(Arrays.asList(socket.getEnabledCipherSuites()));
List<String> ciphers = new ArrayList<>();
ciphers.addAll(Arrays.asList(socket.getEnabledCipherSuites()));
for (String c : socket.getSupportedCipherSuites()) {
boolean enabled = ciphers.contains(c);
if (!enabled)
ssb.append('(');
int start = ssb.length();
ssb.append(c);
if (!enabled) {
ssb.setSpan(new StrikethroughSpan(), start, ssb.length(), 0);
ssb.append(')');
for (String c : socket.getSupportedCipherSuites()) {
boolean enabled = ciphers.contains(c);
if (!enabled)
ssb.append('(');
int start = ssb.length();
ssb.append(c);
if (!enabled) {
ssb.setSpan(new StrikethroughSpan(), start, ssb.length(), 0);
ssb.append(')');
}
ssb.append("\r\n");
}
ssb.append("\r\n");
} catch (Throwable ex) {
ssb.append(ex.toString());
}
ssb.append("\r\n");
} catch (Throwable ex) {
ssb.append(ex.toString());
}
ssb.setSpan(new RelativeSizeSpan(HtmlHelper.FONT_SMALL), 0, ssb.length(), 0);

2
app/src/main/java/eu/faircode/email/ServiceSynchronize.java
View file

@ -170,7 +170,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
"sync_folders",
"sync_shared_folders",
"download_headers", "download_eml",
"prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "ssl_harden_strict", "cert_strict", // force reconnect
"prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "ssl_harden_strict", "cert_strict", "bouncy_castle", // force reconnect
"experiments", "debug", "protocol", // force reconnect
"auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
"keep_alive_poll", "empty_pool", "idle_done", // force reconnect

13
app/src/main/res/layout/fragment_options_connection.xml
View file

@ -519,6 +519,17 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/swOpenSafe" />
<androidx.appcompat.widget.SwitchCompat
android:id="@+id/swBouncyCastle"
android:layout_width="0dp"
android:layout_height="wrap_content"
android:layout_marginTop="12dp"
android:text="@string/title_advanced_bouncy_castle"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvOpenSafeHint"
app:switchPadding="12dp" />
<Button
android:id="@+id/btnManage"
style="?android:attr/buttonStyleSmall"
@ -529,7 +540,7 @@
android:drawablePadding="6dp"
android:text="@string/title_advanced_manage_connectivity"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvOpenSafeHint" />
app:layout_constraintTop_toBottomOf="@id/swBouncyCastle" />
<TextView
android:id="@+id/tvNetworkMetered"

1
app/src/main/res/values/strings.xml
View file

@ -517,6 +517,7 @@
<string name="title_advanced_ssl_harden_strict">Require TLS 1.3</string>
<string name="title_advanced_cert_strict">Strict certificate checking</string>
<string name="title_advanced_open_safe">Open secure connections only</string>
<string name="title_advanced_bouncy_castle">Bouncy Castle</string>
<string name="title_advanced_manage_connectivity">Manage connectivity</string>
<string name="title_advanced_caption_general">General</string>