From 8b31507e1da3fab8dd3d5979495e97f385cd413b Mon Sep 17 00:00:00 2001
From: Raphael Michel <michel@rami.io>
Date: Fri, 23 Feb 2024 16:26:38 +0100
Subject: [PATCH] Fix SSL connections to pretix.eu on Android 5-7

---
 pretixscan/app/build.gradle                   |  1 +
 .../droid/AndroidHttpClientFactory.kt         |  4 +
 .../eu/pretix/pretixscan/droid/CustomTrust.kt | 90 +++++++++++++++++++
 3 files changed, 95 insertions(+)
 create mode 100644 pretixscan/app/src/main/java/eu/pretix/pretixscan/droid/CustomTrust.kt

diff --git a/pretixscan/app/build.gradle b/pretixscan/app/build.gradle
index 1143d6d2..fc5cd4c7 100644
--- a/pretixscan/app/build.gradle
+++ b/pretixscan/app/build.gradle
@@ -132,6 +132,7 @@ dependencies {
     implementation 'com.github.kizitonwose:CalendarView:1.0.4'
 
     implementation 'com.squareup.okhttp3:okhttp:4.9.3'
+    implementation 'com.squareup.okhttp3:okhttp-tls:4.9.3'
     implementation 'io.sentry:sentry-android:6.29.0'
     implementation 'org.slf4j:slf4j-nop:1.7.30'
     implementation 'joda-time:joda-time:2.10.10'
diff --git a/pretixscan/app/src/main/java/eu/pretix/pretixscan/droid/AndroidHttpClientFactory.kt b/pretixscan/app/src/main/java/eu/pretix/pretixscan/droid/AndroidHttpClientFactory.kt
index 72428f43..3f06d273 100644
--- a/pretixscan/app/src/main/java/eu/pretix/pretixscan/droid/AndroidHttpClientFactory.kt
+++ b/pretixscan/app/src/main/java/eu/pretix/pretixscan/droid/AndroidHttpClientFactory.kt
@@ -1,5 +1,6 @@
 package eu.pretix.pretixscan.droid
 
+import android.os.Build
 import eu.pretix.libpretixsync.api.HttpClientFactory
 import eu.pretix.libpretixsync.api.RateLimitInterceptor
 import okhttp3.OkHttpClient
@@ -52,6 +53,9 @@ class AndroidHttpClientFactory(val app: PretixScan) : HttpClientFactory {
 
             builder.sslSocketFactory(sslSocketFactory, trustAllCerts[0])
             builder.hostnameVerifier(HostnameVerifier { hostname, session -> true })
+        } else if (Build.VERSION.SDK_INT < 26) {  // Android 7.0 or lower
+            val certificates = CustomTrust().getCertificates()
+            builder.sslSocketFactory(certificates.sslSocketFactory(), certificates.trustManager)
         }
 
         return builder.build()
diff --git a/pretixscan/app/src/main/java/eu/pretix/pretixscan/droid/CustomTrust.kt b/pretixscan/app/src/main/java/eu/pretix/pretixscan/droid/CustomTrust.kt
new file mode 100644
index 00000000..1a721b57
--- /dev/null
+++ b/pretixscan/app/src/main/java/eu/pretix/pretixscan/droid/CustomTrust.kt
@@ -0,0 +1,90 @@
+package eu.pretix.pretixscan.droid
+
+/*
+*  With inspiration from https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/kt/CustomTrust.kt
+ * Copyright (C) 2015 Square, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import java.io.IOException
+import java.security.cert.X509Certificate
+import okhttp3.OkHttpClient
+import okhttp3.Request.Builder
+import okhttp3.tls.HandshakeCertificates
+import okhttp3.tls.decodeCertificatePem
+
+class CustomTrust {
+    // RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1
+    val isrgRootX1 =
+        """
+        -----BEGIN CERTIFICATE-----
+        MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+        TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+        cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+        WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+        ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+        MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+        h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+        0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+        A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+        T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+        B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+        B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+        KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+        OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+        jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+        qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+        rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+        HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+        hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+        ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+        3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+        NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+        ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+        TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+        jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+        oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+        4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+        mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+        emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+        -----END CERTIFICATE-----
+    """.trimIndent().decodeCertificatePem()
+
+    // ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2
+    val isrgRootX2 =
+        """
+        -----BEGIN CERTIFICATE-----
+        MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+        CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+        R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+        MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+        ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+        EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
+        +1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+        ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+        AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+        zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+        tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+        /q4AaOeMSQ+2b1tbFfLn
+        -----END CERTIFICATE-----
+    """.trimIndent().decodeCertificatePem()
+
+    fun getCertificates(): HandshakeCertificates {
+        return HandshakeCertificates.Builder()
+            .addPlatformTrustedCertificates()
+            .addTrustedCertificate(isrgRootX1)
+            .addTrustedCertificate(isrgRootX2)
+            .build()
+    }
+}
\ No newline at end of file