Android: Get SSL root certificates from TrustManager

On Android, when not using Ministro, we cannot read certificates
from the file system, so we have to get them through Java APIs instead.

Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
(cherry picked from commit 591584d9a940d374e20a62573d71054e0081c6ac)

Task-Number: QTBUG-32508
Change-Id: Ia157e28bc3b2c141e3444d628e7a7c59eca39db0
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>

5 files changed, 253 insertions, 29 deletions

diff --git a/src/android/jar/src/org/qtproject/qt5/android/QtNative.java b/src/android/jar/src/org/qtproject/qt5/android/QtNative.java
index 4586ae2002..22e3701e47 100644
--- a/src/android/jar/src/org/qtproject/qt5/android/QtNative.java
+++ b/src/android/jar/src/org/qtproject/qt5/android/QtNative.java
@@ -57,6 +57,12 @@ import android.view.ContextMenu;
 import android.view.Menu;
 import android.view.MotionEvent;
 
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
 public class QtNative
 {
     private static Activity m_activity = null;
@@ -534,6 +540,33 @@ public class QtNative
         });
     }
 
+    private static byte[][] getSSLCertificates()
+    {
+        ArrayList<byte[]> certificateList = new ArrayList<byte[]>();
+
+        try {
+            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            factory.init((KeyStore) null);
+
+            for (TrustManager manager : factory.getTrustManagers()) {
+                if (manager instanceof X509TrustManager) {
+                    X509TrustManager trustManager = (X509TrustManager) manager;
+
+                    for (X509Certificate certificate : trustManager.getAcceptedIssuers()) {
+                        byte buffer[] = certificate.getEncoded();
+                        certificateList.add(buffer);
+                    }
+                }
+            }
+        } catch (Exception e) {
+            Log.e(QtTAG, "Failed to get certificates", e);
+        }
+
+        byte[][] certificateArray = new byte[certificateList.size()][];
+        certificateArray = certificateList.toArray(certificateArray);
+        return certificateArray;
+    }
+
     // screen methods
     public static native void setDisplayMetrics(int screenWidthPixels,
                                                 int screenHeightPixels,
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 675bd7d9f7..4e6275f306 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -686,41 +686,48 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
     }
 #elif defined(Q_OS_UNIX)
     QSet<QString> certFiles;
-# ifdef Q_OS_ANDROID
-    QList<QByteArray> directories;
-    directories << qgetenv("MINISTRO_SSL_CERTS_PATH"); // Set by Ministro
-# else
-    QList<QByteArray> directories = unixRootCertDirectories();
-# endif
     QDir currentDir;
     QStringList nameFilters;
-# ifdef Q_OS_ANDROID
-    nameFilters << QLatin1String("*.der");
-#else
+    QList<QByteArray> directories;
+    QSsl::EncodingFormat platformEncodingFormat;
+# ifndef Q_OS_ANDROID
+    directories = unixRootCertDirectories();
     nameFilters << QLatin1String("*.pem") << QLatin1String("*.crt");
-# endif
-    currentDir.setNameFilters(nameFilters);
-    for (int a = 0; a < directories.count(); a++) {
-        currentDir.setPath(QLatin1String(directories.at(a)));
-        QDirIterator it(currentDir);
-        while(it.hasNext()) {
-            it.next();
-            // use canonical path here to not load the same certificate twice if symlinked
-            certFiles.insert(it.fileInfo().canonicalFilePath());
-        }
-    }
-    QSetIterator<QString> it(certFiles);
-    while(it.hasNext()) {
-# ifdef Q_OS_ANDROID
-        systemCerts.append(QSslCertificate::fromPath(it.next(), QSsl::Der));
+    platformEncodingFormat = QSsl::Pem;
 # else
-        systemCerts.append(QSslCertificate::fromPath(it.next(), QSsl::Pem));
-# endif
-    }
+    // Q_OS_ANDROID
+    QByteArray ministroPath = qgetenv("MINISTRO_SSL_CERTS_PATH"); // Set by Ministro
+    directories << ministroPath;
+    nameFilters << QLatin1String("*.der");
+    platformEncodingFormat = QSsl::Der;
+#  ifndef Q_OS_ANDROID_NO_SDK
+    if (ministroPath.isEmpty()) {
+        QList<QByteArray> certificateData = fetchSslCertificateData();
+        for (int i = 0; i < certificateData.size(); ++i) {
+            systemCerts.append(QSslCertificate::fromData(certificateData.at(i), QSsl::Der));
+        }
+    } else
+#   endif //Q_OS_ANDROID_NO_SDK
+# endif //Q_OS_ANDROID
+    {
+        currentDir.setNameFilters(nameFilters);
+        for (int a = 0; a < directories.count(); a++) {
+            currentDir.setPath(QLatin1String(directories.at(a)));
+            QDirIterator it(currentDir);
+            while (it.hasNext()) {
+                it.next();
+                // use canonical path here to not load the same certificate twice if symlinked
+                certFiles.insert(it.fileInfo().canonicalFilePath());
+            }
+        }
+        QSetIterator<QString> it(certFiles);
+        while (it.hasNext())
+            systemCerts.append(QSslCertificate::fromPath(it.next(), platformEncodingFormat));
 # ifndef Q_OS_ANDROID
-    systemCerts.append(QSslCertificate::fromPath(QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), QSsl::Pem)); // Fedora, Mandriva
-    systemCerts.append(QSslCertificate::fromPath(QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), QSsl::Pem)); // FreeBSD's ca_root_nss
+        systemCerts.append(QSslCertificate::fromPath(QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), QSsl::Pem)); // Fedora, Mandriva
+        systemCerts.append(QSslCertificate::fromPath(QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), QSsl::Pem)); // FreeBSD's ca_root_nss
 # endif
+    }
 #endif
 #ifdef QSSLSOCKET_DEBUG
     qDebug() << "systemCaCertificates retrieval time " << timer.elapsed() << "ms";
diff --git a/src/network/ssl/qsslsocket_openssl_android.cpp b/src/network/ssl/qsslsocket_openssl_android.cpp
new file mode 100644
index 0000000000..fa612a75a6
--- /dev/null
+++ b/src/network/ssl/qsslsocket_openssl_android.cpp
@@ -0,0 +1,179 @@
+/****************************************************************************
+**
+** Copyright (C) 2013 Digia Plc and/or its subsidiary(-ies).
+** Contact: http://www.qt-project.org/legal
+**
+** This file is part of the QtNetwork module of the Qt Toolkit.
+**
+** $QT_BEGIN_LICENSE:LGPL$
+** Commercial License Usage
+** Licensees holding valid commercial Qt licenses may use this file in
+** accordance with the commercial license agreement provided with the
+** Software or, alternatively, in accordance with the terms contained in
+** a written agreement between you and Digia.  For licensing terms and
+** conditions see http://qt.digia.com/licensing.  For further information
+** use the contact form at http://qt.digia.com/contact-us.
+**
+** GNU Lesser General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU Lesser
+** General Public License version 2.1 as published by the Free Software
+** Foundation and appearing in the file LICENSE.LGPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU Lesser General Public License version 2.1 requirements
+** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+**
+** In addition, as a special exception, Digia gives you certain additional
+** rights.  These rights are described in the Digia Qt LGPL Exception
+** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+**
+** GNU General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU
+** General Public License version 3.0 as published by the Free Software
+** Foundation and appearing in the file LICENSE.GPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU General Public License version 3.0 requirements will be
+** met: http://www.gnu.org/copyleft/gpl.html.
+**
+**
+** $QT_END_LICENSE$
+**
+****************************************************************************/
+
+/****************************************************************************
+**
+** In addition, as a special exception, the copyright holders listed above give
+** permission to link the code of its release of Qt with the OpenSSL project's
+** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the
+** same license as the original version), and distribute the linked executables.
+**
+** You must comply with the GNU General Public License version 2 in all
+** respects for all of the code used other than the "OpenSSL" code.  If you
+** modify this file, you may extend this exception to your version of the file,
+** but you are not obligated to do so.  If you do not wish to do so, delete
+** this exception statement from your version of this file.
+**
+****************************************************************************/
+
+#include "qsslsocket_openssl_p.h"
+
+
+
+#include <jni.h>
+#include <android/log.h>
+
+static JavaVM *javaVM = 0;
+static jclass appClass;
+
+static jmethodID getSslCertificatesMethodID;
+
+struct AttachedJNIEnv
+{
+    AttachedJNIEnv()
+    {
+        attached = false;
+        if (javaVM->GetEnv((void**)&jniEnv, JNI_VERSION_1_6) < 0) {
+            if (javaVM->AttachCurrentThread(&jniEnv, NULL) < 0) {
+                __android_log_print(ANDROID_LOG_ERROR, "Qt", "AttachCurrentThread failed");
+                jniEnv = 0;
+                return;
+            }
+            attached = true;
+        }
+    }
+
+    ~AttachedJNIEnv()
+    {
+        if (attached)
+            javaVM->DetachCurrentThread();
+    }
+    bool attached;
+    JNIEnv *jniEnv;
+};
+
+static const char logTag[] = "Qt";
+static const char classErrorMsg[] = "Can't find class \"%s\"";
+static const char methodErrorMsg[] = "Can't find method \"%s%s\"";
+
+
+#define FIND_AND_CHECK_CLASS(CLASS_NAME) \
+clazz = env->FindClass(CLASS_NAME); \
+if (!clazz) { \
+    __android_log_print(ANDROID_LOG_FATAL, logTag, classErrorMsg, CLASS_NAME); \
+    return JNI_FALSE; \
+}
+
+#define GET_AND_CHECK_STATIC_METHOD(VAR, CLASS, METHOD_NAME, METHOD_SIGNATURE) \
+VAR = env->GetStaticMethodID(CLASS, METHOD_NAME, METHOD_SIGNATURE); \
+if (!VAR) { \
+    __android_log_print(ANDROID_LOG_FATAL, logTag, methodErrorMsg, METHOD_NAME, METHOD_SIGNATURE); \
+    return JNI_FALSE; \
+}
+
+static bool registerNatives(JNIEnv *env)
+{
+    jclass clazz;
+    FIND_AND_CHECK_CLASS("org/qtproject/qt5/android/QtNative");
+    appClass = static_cast<jclass>(env->NewGlobalRef(clazz));
+
+#if 0 //we don't call C++ functions from Java at this time
+    if (env->RegisterNatives(appClass, methods, sizeof(methods) / sizeof(methods[0])) < 0) {
+        __android_log_print(ANDROID_LOG_FATAL, logTag, "RegisterNatives failed");
+        return JNI_FALSE;
+    }
+#endif
+
+    GET_AND_CHECK_STATIC_METHOD(getSslCertificatesMethodID, appClass, "getSSLCertificates", "()[[B");
+
+    return true;
+}
+
+Q_DECL_EXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void * /*reserved*/)
+{
+    typedef union {
+        JNIEnv *nativeEnvironment;
+        void *venv;
+    } UnionJNIEnvToVoid;
+
+    __android_log_print(ANDROID_LOG_INFO, logTag, "Network start");
+    UnionJNIEnvToVoid uenv;
+    uenv.venv = NULL;
+    javaVM = 0;
+
+    if (vm->GetEnv(&uenv.venv, JNI_VERSION_1_4) != JNI_OK) {
+        __android_log_print(ANDROID_LOG_FATAL, logTag, "GetEnv failed");
+        return -1;
+    }
+    JNIEnv *env = uenv.nativeEnvironment;
+    if (!registerNatives(env)) {
+        __android_log_print(ANDROID_LOG_FATAL, logTag, "registerNatives failed");
+        return -1;
+    }
+
+    javaVM = vm;
+    return JNI_VERSION_1_4;
+}
+
+QList<QByteArray> QSslSocketPrivate::fetchSslCertificateData()
+{
+    QList<QByteArray> certificateData;
+    AttachedJNIEnv env;
+
+    if (env.jniEnv) {
+        jobjectArray jcertificates =
+            static_cast<jobjectArray>(env.jniEnv->CallStaticObjectMethod(appClass, getSslCertificatesMethodID));
+        jint nCertificates = env.jniEnv->GetArrayLength(jcertificates);
+
+        for (int i = 0; i < nCertificates; ++i) {
+            jbyteArray jCert = static_cast<jbyteArray>(env.jniEnv->GetObjectArrayElement(jcertificates, i));
+
+            const uint sz = env.jniEnv->GetArrayLength(jCert);
+            jbyte *buffer = env.jniEnv->GetByteArrayElements(jCert, 0);
+            certificateData.append(QByteArray(reinterpret_cast<char*>(buffer), sz));
+
+            env.jniEnv->ReleaseByteArrayElements(jCert, buffer, JNI_ABORT); // don't copy back the elements
+            env.jniEnv->DeleteLocalRef(jCert);
+        }
+    }
+
+    return certificateData;
+}
diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h
index 9369dab8e7..6ce34ba06f 100644
--- a/src/network/ssl/qsslsocket_p.h
+++ b/src/network/ssl/qsslsocket_p.h
@@ -197,6 +197,9 @@ public:
 private:
     static bool ensureLibraryLoaded();
     static void ensureCiphersAndCertsLoaded();
+#if defined(Q_OS_ANDROID) && !defined(Q_OS_ANDROID_NO_SDK)
+    static QList<QByteArray> fetchSslCertificateData();
+#endif
 
     static bool s_libraryLoaded;
     static bool s_loadedCiphersAndCerts;
diff --git a/src/network/ssl/ssl.pri b/src/network/ssl/ssl.pri
index 1d8c8e1ab7..0fe231357b 100644
--- a/src/network/ssl/ssl.pri
+++ b/src/network/ssl/ssl.pri
@@ -28,6 +28,8 @@ contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) {
                ssl/qsslcertificateextension.cpp \
                ssl/qsslcontext.cpp
 
+android:!android-no-sdk: SOURCES += ssl/qsslsocket_openssl_android.cpp
+
     # Add optional SSL libs
     # Static linking of OpenSSL with msvc:
     #   - Binaries http://slproweb.com/products/Win32OpenSSL.html