Add client certificate support (https://github.com/gotify/android/issues/229)

app/src/main/java/com/github/gotify/SSLSettings.java

@@ -3,9 +3,13 @@
 public class SSLSettings {
     public boolean validateSSL;
     public String cert;
+    public String clientCert;
+    public String clientCertPassword;
 
-    public SSLSettings(boolean validateSSL, String cert) {
+    public SSLSettings(boolean validateSSL, String cert, String clientCert, String clientCertPassword) {
         this.validateSSL = validateSSL;
         this.cert = cert;
+        this.clientCert = clientCert;
+        this.clientCertPassword = clientCertPassword;
     }
 }

app/src/main/java/com/github/gotify/Settings.java

@@ -11,6 +11,30 @@ public Settings(Context context) {
         sharedPreferences = context.getSharedPreferences("gotify", Context.MODE_PRIVATE);
     }
 
+    public void clientCertUri(String clientCertUri) {
+        sharedPreferences.edit().putString("clientCertUri", clientCertUri).apply();
+    }
+
+    public String clientCertUri() {
+        return sharedPreferences.getString("clientCertUri", null);
+    }
+
+    public void clientCert(String clientCert) {
+        sharedPreferences.edit().putString("clientCert", clientCert).apply();
+    }
+
+    public String clientCert() {
+        return sharedPreferences.getString("clientCert", null);
+    }
+
+    public void clientCertPass(String clientCertPass) {
+        sharedPreferences.edit().putString("clientCertPass", clientCertPass).apply();
+    }
+
+    public String clientCertPass() {
+        return sharedPreferences.getString("clientCertPass", "");
+    }
+
     public void url(String url) {
         sharedPreferences.edit().putString("url", url).apply();
     }
@@ -36,6 +60,9 @@ public void clear() {
         token(null);
         validateSSL(true);
         cert(null);
+        clientCert(null);
+        clientCertUri(null);
+        clientCertPass("");
     }
 
     public void user(String name, boolean admin) {
@@ -77,6 +104,6 @@ public void cert(String cert) {
     }
 
     public SSLSettings sslSettings() {
-        return new SSLSettings(validateSSL(), cert());
+        return new SSLSettings(validateSSL(), cert(), clientCert(), clientCertPass());
     }
 }

app/src/main/java/com/github/gotify/Utils.java

@@ -5,9 +5,12 @@
 import android.graphics.Bitmap;
 import android.graphics.drawable.BitmapDrawable;
 import android.graphics.drawable.Drawable;
+import android.os.Build;
 import android.text.format.DateUtils;
+import java.util.Base64;
 import android.view.View;
 import androidx.annotation.NonNull;
+import androidx.annotation.RequiresApi;
 import com.github.gotify.client.JSON;
 import com.github.gotify.log.Log;
 import com.google.android.material.snackbar.Snackbar;
@@ -77,6 +80,21 @@ public void onPrepareLoad(Drawable placeHolderDrawable) {}
         };
     }
 
+    @RequiresApi(api = Build.VERSION_CODES.O)
+    public static String binaryFileToBase64(@NonNull InputStream inputStream) {
+        byte[] bytes;
+
+        try {
+            bytes = new byte[inputStream.available()];
+            //noinspection ResultOfMethodCallIgnored
+            inputStream.read(bytes);
+        } catch (IOException e) {
+            throw new IllegalArgumentException("failed to read input");
+        }
+
+        return Base64.getEncoder().encodeToString(bytes);
+    }
+
     public static String readFileFromStream(@NonNull InputStream inputStream) {
         StringBuilder sb = new StringBuilder();
         String currentLine;

app/src/main/java/com/github/gotify/api/CertUtils.java

@@ -1,18 +1,24 @@
 package com.github.gotify.api;
 
 import android.annotation.SuppressLint;
+import android.os.Build;
+import androidx.annotation.RequiresApi;
 import com.github.gotify.SSLSettings;
 import com.github.gotify.Utils;
 import com.github.gotify.log.Log;
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Base64;
 import java.util.Collection;
 import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
@@ -46,6 +52,7 @@ public static Certificate parseCertificate(String cert) {
         }
     }
 
+    @RequiresApi(api = Build.VERSION_CODES.O)
     public static void applySslSettings(OkHttpClient.Builder builder, SSLSettings settings) {
         // Modified from ApiClient.applySslSettings in the client package.
 
@@ -69,7 +76,41 @@ public static void applySslSettings(OkHttpClient.Builder builder, SSLSettings se
                             context.getSocketFactory(), (X509TrustManager) trustManagers[0]);
                 }
             }
-        } catch (Exception e) {
+
+            if (settings.clientCert != null) {
+                KeyStore ks = KeyStore.getInstance("PKCS12");
+                InputStream bs = new ByteArrayInputStream(Base64.getDecoder().decode(settings.clientCert));
+                ks.load(bs, settings.clientCertPassword.toCharArray());
+
+                KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509");
+                kmf.init(ks, settings.clientCertPassword.toCharArray());
+
+
+                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
+                        TrustManagerFactory.getDefaultAlgorithm());
+                trustManagerFactory.init((KeyStore) null);
+                TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+                if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
+                    throw new IllegalStateException("Unexpected default trust managers:");
+                }
+                X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
+
+
+                SSLContext context = SSLContext.getInstance("TLS");
+                context.init(kmf.getKeyManagers(), new TrustManager[] { trustManager }, null);
+                builder.sslSocketFactory(
+                        context.getSocketFactory(), trustManager);
+            }
+        } catch (IOException iex) {
+            String tx = iex.toString();
+            if (iex.toString().contains("wrong password")) {
+                Log.e("Incorrect client certificate password.", iex);
+                return;
+            }
+
+            Log.e("Error opening client certificate.", iex);
+        }
+        catch (Exception e) {
             // We shouldn't have issues since the cert is verified on login.
             Log.e("Failed to apply SSL settings", e);
         }

app/src/main/java/com/github/gotify/api/ClientFactory.java

@@ -1,5 +1,7 @@
 package com.github.gotify.api;
 
+import android.os.Build;
+import androidx.annotation.RequiresApi;
 import com.github.gotify.SSLSettings;
 import com.github.gotify.Settings;
 import com.github.gotify.client.ApiClient;
@@ -9,11 +11,13 @@
 import com.github.gotify.client.auth.HttpBasicAuth;
 
 public class ClientFactory {
+    @RequiresApi(api = Build.VERSION_CODES.O)
     public static com.github.gotify.client.ApiClient unauthorized(
             String baseUrl, SSLSettings sslSettings) {
         return defaultClient(new String[0], baseUrl + "/", sslSettings);
     }
 
+    @RequiresApi(api = Build.VERSION_CODES.O)
     public static ApiClient basicAuth(
             String baseUrl, SSLSettings sslSettings, String username, String password) {
         ApiClient client = defaultClient(new String[] {"basicAuth"}, baseUrl + "/", sslSettings);
@@ -23,6 +27,7 @@ public static ApiClient basicAuth(
         return client;
     }
 
+    @RequiresApi(api = Build.VERSION_CODES.O)
     public static ApiClient clientToken(String baseUrl, SSLSettings sslSettings, String token) {
         ApiClient client =
                 defaultClient(new String[] {"clientTokenHeader"}, baseUrl + "/", sslSettings);
@@ -31,15 +36,18 @@ public static ApiClient clientToken(String baseUrl, SSLSettings sslSettings, Str
         return client;
     }
 
+    @RequiresApi(api = Build.VERSION_CODES.O)
     public static VersionApi versionApi(String baseUrl, SSLSettings sslSettings) {
         return unauthorized(baseUrl, sslSettings).createService(VersionApi.class);
     }
 
+    @RequiresApi(api = Build.VERSION_CODES.O)
     public static UserApi userApiWithToken(Settings settings) {
         return clientToken(settings.url(), settings.sslSettings(), settings.token())
                 .createService(UserApi.class);
     }
 
+    @RequiresApi(api = Build.VERSION_CODES.O)
     private static ApiClient defaultClient(
             String[] authentications, String baseUrl, SSLSettings sslSettings) {
         ApiClient client = new ApiClient(authentications);

app/src/main/java/com/github/gotify/login/AdvancedDialog.java

@@ -7,11 +7,13 @@
 import android.widget.Button;
 import android.widget.CheckBox;
 import android.widget.CompoundButton;
+import android.widget.EditText;
 import android.widget.TextView;
 import androidx.annotation.Nullable;
 import butterknife.BindView;
 import butterknife.ButterKnife;
 import com.github.gotify.R;
+import com.github.gotify.Settings;
 
 class AdvancedDialog {
 
@@ -20,6 +22,8 @@ class AdvancedDialog {
     private CompoundButton.OnCheckedChangeListener onCheckedChangeListener;
     private Runnable onClickSelectCaCertificate;
     private Runnable onClickRemoveCaCertificate;
+    private Runnable onClickSelectClientCertificate;
+    private Runnable onClickRemoveClientCertificate;
 
     AdvancedDialog(Context context) {
         this.context = context;
@@ -41,32 +45,50 @@ AdvancedDialog onClickRemoveCaCertificate(Runnable onClickRemoveCaCertificate) {
         return this;
     }
 
-    AdvancedDialog show(boolean disableSSL, @Nullable String selectedCertificate) {
+    AdvancedDialog onClickSelectClientCertificate(Runnable onClickSelectClientCertificate) {
+        this.onClickSelectClientCertificate = onClickSelectClientCertificate;
+        return this;
+    }
+
+    AdvancedDialog onClickRemoveClientCertificate(Runnable onClickRemoveClientCertificate) {
+        this.onClickRemoveClientCertificate = onClickRemoveClientCertificate;
+        return this;
+    }
 
+    AdvancedDialog show(boolean disableSSL, @Nullable String selectedCaCertificate, @Nullable String selectedClientCertificate, String password, Settings settings) {
         View dialogView =
                 LayoutInflater.from(context).inflate(R.layout.advanced_settings_dialog, null);
         holder = new ViewHolder(dialogView);
         holder.disableSSL.setChecked(disableSSL);
         holder.disableSSL.setOnCheckedChangeListener(onCheckedChangeListener);
+        holder.editClientCertPass.setText(password);
 
-        if (selectedCertificate == null) {
+        if (selectedCaCertificate == null) {
             showSelectCACertificate();
         } else {
-            showRemoveCACertificate(selectedCertificate);
+            showRemoveCACertificate(selectedCaCertificate);
+        }
+
+        if (selectedClientCertificate == null) {
+            showSelectClientCertificate();
+        } else {
+            showRemoveClientCertificate(selectedClientCertificate);
         }
 
         new AlertDialog.Builder(context)
                 .setView(dialogView)
                 .setTitle(R.string.advanced_settings)
-                .setPositiveButton(context.getString(R.string.done), (ignored, ignored2) -> {})
+                .setPositiveButton(context.getString(R.string.done), (ignored, ignored2) -> {
+                    settings.clientCertPass(holder.editClientCertPass.getText().toString());
+                })
                 .show();
         return this;
     }
 
     private void showSelectCACertificate() {
         holder.toggleCaCert.setText(R.string.select_ca_certificate);
         holder.toggleCaCert.setOnClickListener((a) -> onClickSelectCaCertificate.run());
-        holder.selectedCaCertificate.setText(R.string.no_certificate_selected);
+        holder.selectedCaCertificate.setText(R.string.no_ca_certificate_selected);
     }
 
     void showRemoveCACertificate(String certificate) {
@@ -79,16 +101,41 @@ void showRemoveCACertificate(String certificate) {
         holder.selectedCaCertificate.setText(certificate);
     }
 
+    private void showSelectClientCertificate() {
+        holder.toggleClientCert.setText(R.string.select_client_certificate);
+        holder.toggleClientCert.setOnClickListener((a) -> onClickSelectClientCertificate.run());
+        holder.selectedClientCertificate.setText(R.string.no_client_certificate_selected);
+    }
+
+    void showRemoveClientCertificate(String certificate) {
+        holder.toggleClientCert.setText(R.string.remove_client_certificate);
+        holder.toggleClientCert.setOnClickListener(
+                (a) -> {
+                    showSelectClientCertificate();
+                    onClickRemoveClientCertificate.run();
+                });
+        holder.selectedClientCertificate.setText(certificate);
+    }
+
     class ViewHolder {
         @BindView(R.id.disableSSL)
         CheckBox disableSSL;
 
         @BindView(R.id.toggle_ca_cert)
         Button toggleCaCert;
 
-        @BindView(R.id.seleceted_ca_cert)
+        @BindView(R.id.selected_ca_cert)
         TextView selectedCaCertificate;
 
+        @BindView(R.id.toggle_client_cert)
+        Button toggleClientCert;
+
+        @BindView(R.id.selected_client_cert)
+        TextView selectedClientCertificate;
+
+        @BindView(R.id.edit_client_cert_pass)
+        EditText editClientCertPass;
+
         ViewHolder(View view) {
             ButterKnife.bind(this, view);
         }