Merge pull request #13 from smartdevicelink/release/1.2.0

1.2.0 Release

CHANGELOG.md

@@ -1,5 +1,9 @@
-# 1.1.0 Release Notes
+# 1.2.0 Release Notes
 
-## Enhancements
+## Enhancements:
+
+- [Certificate issuer and date are not verified](https://github.com/smartdevicelink/sdl_security_java_suite/issues/2)
+- [Move constants to Java files to avoid recompiling Native layer](https://github.com/smartdevicelink/sdl_security_java_suite/issues/8)
+- [Sdl java suite should be updated to 5.0.0](https://github.com/smartdevicelink/sdl_security_java_suite/issues/10)
+- [Use AndroidX](https://github.com/smartdevicelink/sdl_security_java_suite/issues/11)
 
-- Update the included Sdl Java Suite module version to 4.11.0

SdlSecurity/build.gradle

@@ -7,7 +7,7 @@ buildscript {
 
     }
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.5.0'
+        classpath 'com.android.tools.build:gradle:4.0.2'
 
         // NOTE: Do not place your application dependencies here; they belong
         // in the individual module build.gradle files

SdlSecurity/gradle.properties

@@ -6,6 +6,8 @@
 # http://www.gradle.org/docs/current/userguide/build_environment.html
 # Specifies the JVM arguments used for the daemon process.
 # The setting is particularly useful for tweaking memory settings.
+android.enableJetifier=true
+android.useAndroidX=true
 org.gradle.jvmargs=-Xmx1536m
 # When configured, Gradle will run in incubating parallel mode.
 # This option should only be used with decoupled projects. More details, visit

SdlSecurity/gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
-#Wed Sep 25 13:32:42 EDT 2019
+#Wed Nov 04 15:22:31 EST 2020
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.4.1-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip

SdlSecurity/sdl_security/build.gradle

@@ -1,14 +1,14 @@
 apply plugin: 'com.android.library'
 
 android {
-    compileSdkVersion 28
+    compileSdkVersion 29
 
 
     defaultConfig {
         minSdkVersion 26
-        targetSdkVersion 28
+        targetSdkVersion 29
         versionCode 2
-        versionName "1.1.0"
+        versionName "1.2.0"
 
         ndk {
             moduleName "ssl"
@@ -34,6 +34,6 @@ android {
 
 dependencies {
     api fileTree(dir: 'libs', include: ['*.jar'])
-    api 'com.android.support:appcompat-v7:28.0.0'
-    api 'com.smartdevicelink:sdl_android:4.11.0'
+    api 'androidx.appcompat:appcompat:1.2.0'
+    api 'com.smartdevicelink:sdl_android:5.0.0'
 }

SdlSecurity/sdl_security/src/main/java/com/smartdevicelink/sdlsecurity/CertificateManager.java

@@ -1,6 +1,6 @@
 package com.smartdevicelink.sdlsecurity;
 
-import android.util.Log;
+import com.smartdevicelink.util.DebugTool;
 
 import org.json.JSONObject;
 
@@ -49,7 +49,7 @@ public void run() {
 
 
                     if (urlConnection.getResponseCode() != HttpURLConnection.HTTP_OK) {
-                        Log.e(TAG, "Server error: " + urlConnection.getResponseCode());
+                        DebugTool.logError(TAG, "Server error: " + urlConnection.getResponseCode());
                         listener.onFail("Failed to download the certificate");
                         return;
                     }
@@ -75,7 +75,7 @@ public void run() {
                     listener.onSuccess(certBuffer);
                 } catch (Exception e) {
                     e.printStackTrace();
-                    Log.e(TAG, e.getMessage());
+                    DebugTool.logError(TAG, e.getMessage());
                     listener.onFail("Failed to download the certificate");
                 } finally {
                     if (urlConnection != null) {

SdlSecurity/sdl_security/src/main/java/com/smartdevicelink/sdlsecurity/Constants.java

@@ -1,12 +1,31 @@
 package com.smartdevicelink.sdlsecurity;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.List;
 
+import cz.adamh.utils.NativeUtils;
+
 /**
  * Created by Bilal Alsharifi && Bretty on 2019-09-25.
  */
 class Constants {
     final static String CERT_URL = "http://www.mocky.io/v2/5d9b565132000072002ae80f";
     final static List<String> MAKE_LIST = Collections.singletonList("SDL");
+    final static String CERT_PASS = "password"; // This needs to be changed to the actual certificate password
+    final static String CERT_ISSUER = "SDL"; // This needs to be changed to the actual certificate issuer
+
+    static {
+        try {
+            // For Android
+            System.loadLibrary("security");
+        } catch(java.lang.UnsatisfiedLinkError e){
+            // For JavaSE
+            try {
+                NativeUtils.loadLibraryFromJar("/libs/libsecurity.dylib");
+            } catch (IOException ex) {
+                ex.printStackTrace();
+            }
+        }
+    }
 }

SdlSecurity/sdl_security/src/main/java/com/smartdevicelink/sdlsecurity/SdlSecurity.java

@@ -1,9 +1,8 @@
 package com.smartdevicelink.sdlsecurity;
 
-import android.util.Log;
-
 import com.smartdevicelink.protocol.enums.SessionType;
 import com.smartdevicelink.security.SdlSecurityBase;
+import com.smartdevicelink.util.DebugTool;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -27,7 +26,7 @@ public void initialize() {
         this.state = STATE_DISCONNECTED;
 
         nativeSSL = new NativeSSL();
-        Log.i(TAG, "Downloading certificate");
+        DebugTool.logInfo(TAG, "Downloading certificate");
         CertificateManager.downloadCert(Constants.CERT_URL, getAppId(), new DownloadListener() {
             @Override
             public void onSuccess(byte[] certBuffer) {
@@ -36,7 +35,7 @@ public void onSuccess(byte[] certBuffer) {
                     SdlSecurity.this.state = STATE_INITIALIZED;
                 } else {
                     SdlSecurity.this.state = STATE_DISCONNECTED;
-                    Log.e(TAG, "nativeSSL.initialize() failed");
+                    DebugTool.logError(TAG, "nativeSSL.initialize() failed");
                 }
                 handleInitResult(success);
             }
@@ -45,15 +44,15 @@ public void onSuccess(byte[] certBuffer) {
             public void onFail(String error) {
                 SdlSecurity.this.state = STATE_DISCONNECTED;
                 handleInitResult(false);
-                Log.e(TAG, "onFail: " + error);
+                DebugTool.logError(TAG, "onFail: " + error);
             }
         });
     }
 
     @Override
     public Integer runHandshake(byte[] inputData, byte[] outputData) {
         if (this.state == STATE_DISCONNECTED){
-            Log.e(TAG, "Security not initialized");
+            DebugTool.logError(TAG, "Security not initialized");
             return null;
         }
         return nativeSSL.runHandshake(inputData, outputData);
@@ -62,7 +61,7 @@ public Integer runHandshake(byte[] inputData, byte[] outputData) {
     @Override
     public Integer encryptData(byte[] inputData, byte[] outputData) {
         if (this.state == STATE_DISCONNECTED){
-            Log.e(TAG, "Security not initialized");
+            DebugTool.logError(TAG, "Security not initialized");
             return null;
         }
         return nativeSSL.encryptData(inputData, outputData);
@@ -71,7 +70,7 @@ public Integer encryptData(byte[] inputData, byte[] outputData) {
     @Override
     public Integer decryptData(byte[] inputData, byte[] outputData) {
         if (this.state == STATE_DISCONNECTED){
-            Log.e(TAG, "Security not initialized");
+            DebugTool.logError(TAG, "Security not initialized");
             return null;
         }
         return nativeSSL.decryptData(inputData, outputData);

SdlSecurity/sdl_security/src/main/jni/tlsEngine.cpp

@@ -1,12 +1,14 @@
 #include <stdio.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include <time.h>
 #include <memory.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/bio.h>
 #include <openssl/conf.h>
 #include <openssl/pkcs12.h>
+#include <jni.h>
 
 #define LOG_TAG "SdlSecurity_Native"
 #ifdef ANDROID
@@ -33,7 +35,8 @@ const int STATE_INITIALIZED = 1;
 
 
 const int BUFFER_SIZE_MAX = 4096;
-const char *CERT_PASS = "password"; // This needs to be changed to your own password
+const char *CERT_PASS = "";
+const char *CERT_ISSUER = "";
 
 
 SSL* ssl = NULL;
@@ -105,8 +108,79 @@ void clean_up_initialization(X509* cert, RSA* rsa, PKCS12* p12, BIO *pbio, EVP_P
     }
 }
 
-bool initialize(void* cert_buffer, int cert_len, bool is_client) {
+int get_date_component(const unsigned char *str, const int start, const int size) {
+    char date_component[size + 1];
+    memcpy(date_component, &str[start], size);
+    date_component[size] = '\0';
+    int date_component_num = (int) strtol(date_component, (char **)NULL, 10);
+    return date_component_num;
+}
+
+bool cert_date_valid(X509 *certificateX509) {
+    if (certificateX509 != NULL) {
+        ASN1_TIME *time2 = X509_get_notAfter(certificateX509);
+        if (time2 != NULL) {
+            ASN1_GENERALIZEDTIME *time2_generalized = ASN1_TIME_to_generalizedtime(time2, NULL);
+            if (time2_generalized != NULL) {
+                const unsigned char *time2_data = ASN1_STRING_get0_data(time2_generalized);
+
+                // ASN1 generalized times look like this: "20131114230046Z"
+                //                                format:  YYYYMMDDHHMMSS
+                //                               indices:  01234567890123
+                //                                                   1111
+                // There are other formats (e.g. specifying partial seconds or
+                // time zones) but this is good enough for our purposes since
+                // we only use the date and not the time.
+                //
+                // (Source: http://www.obj-sys.com/asn1tutorial/node14.html)
+
+                int year2 = get_date_component(time2_data, 0, 4);
+                int month2 = get_date_component(time2_data, 4, 2);
+                int day2 = get_date_component(time2_data, 6, 2);
+
+                time_t t = time(NULL);
+                struct tm tm = *localtime(&t);
+                int year = tm.tm_year + 1900;
+                int month = tm.tm_mon + 1;
+                int day = tm.tm_mday;
+
+                if(year2 > year){
+                    return true;
+                } else if(year2 == year){
+                    if(month2 > month){
+                        return true;
+                    } else if(month2 == month){
+                        if(day2 > day){
+                            return true;
+                        }
+                    }
+                }
+            }
+        }
+    }
+    return false;
+}
+
+bool initialize(JNIEnv* env, void* cert_buffer, int cert_len, bool is_client) {
     printf("initializing \n");
+
+    //Get constants from java class
+    jclass javaConstantsClass = env->FindClass("com/smartdevicelink/sdlsecurity/Constants");
+
+    jfieldID certPassFieldId = env->GetStaticFieldID(javaConstantsClass, "CERT_PASS", "Ljava/lang/String;");
+    jfieldID certIssuerFieldId = env->GetStaticFieldID(javaConstantsClass, "CERT_ISSUER", "Ljava/lang/String;");
+
+    if (certPassFieldId == NULL || certIssuerFieldId == NULL) {
+        printf("fieldId == null");
+        return false;
+    } else {
+        jstring javaCertPass = (jstring) env->GetStaticObjectField(javaConstantsClass, certPassFieldId);
+        jstring javaCertIssuer = (jstring) env->GetStaticObjectField(javaConstantsClass, certIssuerFieldId);
+
+        CERT_PASS = env->GetStringUTFChars(javaCertPass, JNI_FALSE);
+        CERT_ISSUER = env->GetStringUTFChars(javaCertIssuer, JNI_FALSE);
+    }
+
     PKCS12 *p12 = NULL;
     EVP_PKEY *pkey = NULL;
     X509 *certX509 = NULL;
@@ -157,8 +231,19 @@ bool initialize(void* cert_buffer, int cert_len, bool is_client) {
         clean_up_initialization(certX509, rsa, p12, pbio, pkey);
         return false;
     }
-
-    // To do: should check certificate date and issuer
+
+    if (!cert_date_valid(certX509)) {
+        printf("Error in validating the certificate. Certificate has expired!\n");
+        clean_up_initialization(certX509, rsa, p12, pbio, pkey);
+        return false;
+    }
+
+    char* cert_issuer = X509_NAME_oneline(X509_get_issuer_name(certX509), NULL, 0);
+    if (strcmp(cert_issuer, CERT_ISSUER) != 0) {
+        printf("Error in verifying issuer name. Expected %s but found %s\n", CERT_ISSUER, cert_issuer);
+        // we are only printing error message in that case to make testing easier
+        // it should stop initialization and return false in production libraries
+    }
 
     rsa = EVP_PKEY_get1_RSA(pkey);
     if (rsa == NULL)

SdlSecurity/sdl_security/src/main/jni/tlsEngine_jni.cpp

@@ -8,7 +8,7 @@
         jsize len = env->GetArrayLength (cert_buffer);
         jbyte *buf = env->GetByteArrayElements(cert_buffer, 0);
 
-        bool success = initialize(buf, len, is_client);
+        bool success = initialize(env, buf, len, is_client);
 
         env->ReleaseByteArrayElements(cert_buffer, buf, 0);
 

SdlSecurity/sdl_security_se/build.gradle

@@ -1,7 +1,7 @@
 apply plugin: 'java-library'
 
 group 'com.smartdevicelink'
-version '1.1.0'
+version '1.2.0'
 
 sourceCompatibility = 1.7
 
@@ -13,7 +13,7 @@ configurations {
 
 dependencies {
     extraLibs fileTree(dir: 'libs', include: ['*.jar'])
-    extraLibs 'com.smartdevicelink:sdl_java_se:4.11.0'
+    extraLibs 'com.smartdevicelink:sdl_java_se:5.0.0'
     configurations.api.extendsFrom(configurations.extraLibs)
 }