Add client certificate support (https://github.com/gotify/android/issues/229)

app/src/main/java/com/github/gotify/SSLSettings.java

@@ -3,9 +3,13 @@
 public class SSLSettings {
     public boolean validateSSL;
     public String cert;
+    public String clientCert;
+    public String clientCertPassword;
 
-    public SSLSettings(boolean validateSSL, String cert) {
+    public SSLSettings(boolean validateSSL, String cert, String clientCert, String clientCertPassword) {
         this.validateSSL = validateSSL;
         this.cert = cert;
+        this.clientCert = clientCert;
+        this.clientCertPassword = clientCertPassword;
     }
 }

app/src/main/java/com/github/gotify/Settings.java

@@ -11,6 +11,30 @@ public Settings(Context context) {
         sharedPreferences = context.getSharedPreferences("gotify", Context.MODE_PRIVATE);
     }
 
+    public void clientCertUri(String clientCertUri) {
+        sharedPreferences.edit().putString("clientCertUri", clientCertUri).apply();
+    }
+
+    public String clientCertUri() {
+        return sharedPreferences.getString("clientCertUri", null);
+    }
+
+    public void clientCert(String clientCert) {
+        sharedPreferences.edit().putString("clientCert", clientCert).apply();
+    }
+
+    public String clientCert() {
+        return sharedPreferences.getString("clientCert", null);
+    }
+
+    public void clientCertPass(String clientCertPass) {
+        sharedPreferences.edit().putString("clientCertPass", clientCertPass).apply();
+    }
+
+    public String clientCertPass() {
+        return sharedPreferences.getString("clientCertPass", "");
+    }
+
     public void url(String url) {
         sharedPreferences.edit().putString("url", url).apply();
     }
@@ -36,6 +60,9 @@ public void clear() {
         token(null);
         validateSSL(true);
         cert(null);
+        clientCert(null);
+        clientCertUri(null);
+        clientCertPass("");
     }
 
     public void user(String name, boolean admin) {
@@ -77,6 +104,6 @@ public void cert(String cert) {
     }
 
     public SSLSettings sslSettings() {
-        return new SSLSettings(validateSSL(), cert());
+        return new SSLSettings(validateSSL(), cert(), clientCert(), clientCertPass());
     }
 }

app/src/main/java/com/github/gotify/Utils.java

@@ -5,9 +5,12 @@
 import android.graphics.Bitmap;
 import android.graphics.drawable.BitmapDrawable;
 import android.graphics.drawable.Drawable;
+import android.os.Build;
 import android.text.format.DateUtils;
+import java.util.Base64;
 import android.view.View;
 import androidx.annotation.NonNull;
+import androidx.annotation.RequiresApi;
 import com.github.gotify.client.JSON;
 import com.github.gotify.log.Log;
 import com.google.android.material.snackbar.Snackbar;
@@ -77,6 +80,21 @@ public void onPrepareLoad(Drawable placeHolderDrawable) {}
         };
     }
 
+    @RequiresApi(api = Build.VERSION_CODES.O)
+    public static String binaryFileToBase64(@NonNull InputStream inputStream) {
+        byte[] bytes;
+
+        try {
+            bytes = new byte[inputStream.available()];
+            //noinspection ResultOfMethodCallIgnored
+            inputStream.read(bytes);
+        } catch (IOException e) {
+            throw new IllegalArgumentException("failed to read input");
+        }
+
+        return Base64.getEncoder().encodeToString(bytes);
+    }
+
     public static String readFileFromStream(@NonNull InputStream inputStream) {
         StringBuilder sb = new StringBuilder();
         String currentLine;

app/src/main/java/com/github/gotify/api/CertUtils.java

@@ -1,18 +1,28 @@
 package com.github.gotify.api;
 
 import android.annotation.SuppressLint;
+import android.os.Build;
+import androidx.annotation.RequiresApi;
 import com.github.gotify.SSLSettings;
 import com.github.gotify.Utils;
 import com.github.gotify.log.Log;
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Base64;
 import java.util.Collection;
 import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
@@ -60,21 +70,62 @@ public static void applySslSettings(OkHttpClient.Builder builder, SSLSettings se
             }
 
             if (settings.cert != null) {
+                KeyManager[] keyManagers = new KeyManager[] {};
                 TrustManager[] trustManagers = certToTrustManager(settings.cert);
 
                 if (trustManagers != null && trustManagers.length > 0) {
+                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+                        if (settings.clientCert != null) {
+                            keyManagers = getClientCerts(settings.clientCert, settings.clientCertPassword.toCharArray());
+                        }
+                    }
+
                     SSLContext context = SSLContext.getInstance("TLS");
-                    context.init(new KeyManager[] {}, trustManagers, new SecureRandom());
+                    context.init(keyManagers, trustManagers, new SecureRandom());
                     builder.sslSocketFactory(
                             context.getSocketFactory(), (X509TrustManager) trustManagers[0]);
                 }
+            } else {
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+                    if (settings.clientCert != null) {
+                        KeyManager[] keyManagers = getClientCerts(settings.clientCert, settings.clientCertPassword.toCharArray());
+
+                        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
+                                TrustManagerFactory.getDefaultAlgorithm());
+                        trustManagerFactory.init((KeyStore) null);
+                        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+                        if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
+                            throw new IllegalStateException("Unexpected default trust managers:");
+                        }
+                        X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
+
+                        SSLContext context = SSLContext.getInstance("TLS");
+                        context.init(keyManagers, new TrustManager[] { trustManager }, null);
+                        builder.sslSocketFactory(
+                                context.getSocketFactory(), trustManager);
+                    }
+                }
             }
-        } catch (Exception e) {
+        }
+        catch (Exception e) {
             // We shouldn't have issues since the cert is verified on login.
             Log.e("Failed to apply SSL settings", e);
         }
     }
 
+    @RequiresApi(api = Build.VERSION_CODES.O)
+    private static KeyManager[] getClientCerts(String clientCert, char[] password)
+            throws CertificateException, IOException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException {
+        KeyStore ks = KeyStore.getInstance("PKCS12");
+        InputStream bs = new ByteArrayInputStream(Base64.getDecoder().decode(clientCert));
+        ks.load(bs, password);
+
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509");
+        kmf.init(ks, password);
+
+        return kmf.getKeyManagers();
+    }
+
     private static TrustManager[] certToTrustManager(String cert) throws GeneralSecurityException {
         CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
         Collection<? extends Certificate> certificates =

app/src/main/java/com/github/gotify/login/AdvancedDialog.java

@@ -2,16 +2,19 @@
 
 import android.app.AlertDialog;
 import android.content.Context;
+import android.os.Build;
 import android.view.LayoutInflater;
 import android.view.View;
 import android.widget.Button;
 import android.widget.CheckBox;
 import android.widget.CompoundButton;
+import android.widget.EditText;
 import android.widget.TextView;
 import androidx.annotation.Nullable;
 import butterknife.BindView;
 import butterknife.ButterKnife;
 import com.github.gotify.R;
+import com.github.gotify.Settings;
 
 class AdvancedDialog {
 
@@ -20,6 +23,8 @@ class AdvancedDialog {
     private CompoundButton.OnCheckedChangeListener onCheckedChangeListener;
     private Runnable onClickSelectCaCertificate;
     private Runnable onClickRemoveCaCertificate;
+    private Runnable onClickSelectClientCertificate;
+    private Runnable onClickRemoveClientCertificate;
 
     AdvancedDialog(Context context) {
         this.context = context;
@@ -41,32 +46,56 @@ AdvancedDialog onClickRemoveCaCertificate(Runnable onClickRemoveCaCertificate) {
         return this;
     }
 
-    AdvancedDialog show(boolean disableSSL, @Nullable String selectedCertificate) {
+    AdvancedDialog onClickSelectClientCertificate(Runnable onClickSelectClientCertificate) {
+        this.onClickSelectClientCertificate = onClickSelectClientCertificate;
+        return this;
+    }
+
+    AdvancedDialog onClickRemoveClientCertificate(Runnable onClickRemoveClientCertificate) {
+        this.onClickRemoveClientCertificate = onClickRemoveClientCertificate;
+        return this;
+    }
 
+    AdvancedDialog show(boolean disableSSL, @Nullable String selectedCaCertificate, @Nullable String selectedClientCertificate, String password, Settings settings) {
         View dialogView =
                 LayoutInflater.from(context).inflate(R.layout.advanced_settings_dialog, null);
         holder = new ViewHolder(dialogView);
         holder.disableSSL.setChecked(disableSSL);
         holder.disableSSL.setOnCheckedChangeListener(onCheckedChangeListener);
+        holder.editClientCertPass.setText(password);
 
-        if (selectedCertificate == null) {
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
+            holder.editClientCertPass.setVisibility(View.GONE);
+            holder.selectedClientCertificate.setVisibility(View.GONE);
+            holder.toggleClientCert.setVisibility(View.GONE);
+        }
+
+        if (selectedCaCertificate == null) {
             showSelectCACertificate();
         } else {
-            showRemoveCACertificate(selectedCertificate);
+            showRemoveCACertificate(selectedCaCertificate);
+        }
+
+        if (selectedClientCertificate == null) {
+            showSelectClientCertificate();
+        } else {
+            showRemoveClientCertificate(selectedClientCertificate);
         }
 
         new AlertDialog.Builder(context)
                 .setView(dialogView)
                 .setTitle(R.string.advanced_settings)
-                .setPositiveButton(context.getString(R.string.done), (ignored, ignored2) -> {})
+                .setPositiveButton(context.getString(R.string.done), (ignored, ignored2) -> {
+                    settings.clientCertPass(holder.editClientCertPass.getText().toString());
+                })
                 .show();
         return this;
     }
 
     private void showSelectCACertificate() {
         holder.toggleCaCert.setText(R.string.select_ca_certificate);
         holder.toggleCaCert.setOnClickListener((a) -> onClickSelectCaCertificate.run());
-        holder.selectedCaCertificate.setText(R.string.no_certificate_selected);
+        holder.selectedCaCertificate.setText(R.string.no_ca_certificate_selected);
     }
 
     void showRemoveCACertificate(String certificate) {
@@ -79,16 +108,41 @@ void showRemoveCACertificate(String certificate) {
         holder.selectedCaCertificate.setText(certificate);
     }
 
+    private void showSelectClientCertificate() {
+        holder.toggleClientCert.setText(R.string.select_client_certificate);
+        holder.toggleClientCert.setOnClickListener((a) -> onClickSelectClientCertificate.run());
+        holder.selectedClientCertificate.setText(R.string.no_client_certificate_selected);
+    }
+
+    void showRemoveClientCertificate(String certificate) {
+        holder.toggleClientCert.setText(R.string.remove_client_certificate);
+        holder.toggleClientCert.setOnClickListener(
+                (a) -> {
+                    showSelectClientCertificate();
+                    onClickRemoveClientCertificate.run();
+                });
+        holder.selectedClientCertificate.setText(certificate);
+    }
+
     class ViewHolder {
         @BindView(R.id.disableSSL)
         CheckBox disableSSL;
 
         @BindView(R.id.toggle_ca_cert)
         Button toggleCaCert;
 
-        @BindView(R.id.seleceted_ca_cert)
+        @BindView(R.id.selected_ca_cert)
         TextView selectedCaCertificate;
 
+        @BindView(R.id.toggle_client_cert)
+        Button toggleClientCert;
+
+        @BindView(R.id.selected_client_cert)
+        TextView selectedClientCertificate;
+
+        @BindView(R.id.edit_client_cert_pass)
+        EditText editClientCertPass;
+
         ViewHolder(View view) {
             ButterKnife.bind(this, view);
         }