Adds SSLCertificateVerifier to the Java API.

The native API supports setting an SSLCertificateVerifier that can be used to provide a custom certificate verifier for incoming SSL certificates. This change provides this functionality to the Java API so that a Java implementation can also be provided. It is expected this will only be used in specialized circumstances and most users will not hit this code path. Bug: webrtc:9541 Change-Id: Id3c75b8f288333b53edc2959bac533e3ec614978 Reviewed-on: https://webrtc-review.googlesource.com/89500 Commit-Queue: Benjamin Wright <benwright@webrtc.org> Reviewed-by: Sami Kalliomäki <sakal@webrtc.org> Cr-Commit-Position: refs/heads/master@{#24057}
2018-07-20 15:08:03 -07:00
parent 2ffed6d65c
commit 8cf30401eb
7 changed files with 174 additions and 18 deletions
--- a/sdk/android/BUILD.gn
+++ b/sdk/android/BUILD.gn
@ -492,6 +492,7 @@ generate_jni("generated_peerconnection_jni") {
    "api/org/webrtc/RtpReceiver.java",
    "api/org/webrtc/RtpSender.java",
    "api/org/webrtc/RtpTransceiver.java",
    "api/org/webrtc/SSLCertificateVerifier.java",
    "api/org/webrtc/SdpObserver.java",
    "api/org/webrtc/SessionDescription.java",
    "api/org/webrtc/StatsObserver.java",
@ -578,6 +579,8 @@ rtc_static_library("peerconnection_jni") {
    "src/jni/pc/sdpobserver.h",
    "src/jni/pc/sessiondescription.cc",
    "src/jni/pc/sessiondescription.h",
    "src/jni/pc/sslcertificateverifierwrapper.cc",
    "src/jni/pc/sslcertificateverifierwrapper.h",
    "src/jni/pc/statsobserver.cc",
    "src/jni/pc/statsobserver.h",
    "src/jni/pc/turncustomizer.cc",
@ -990,6 +993,7 @@ rtc_android_library("peerconnection_java") {
    "api/org/webrtc/RtpReceiver.java",
    "api/org/webrtc/RtpSender.java",
    "api/org/webrtc/RtpTransceiver.java",
    "api/org/webrtc/SSLCertificateVerifier.java",
    "api/org/webrtc/SdpObserver.java",
    "api/org/webrtc/SessionDescription.java",
    "api/org/webrtc/StatsObserver.java",
--- a/sdk/android/api/org/webrtc/PeerConnectionDependencies.java
+++ b/sdk/android/api/org/webrtc/PeerConnectionDependencies.java
@ -20,18 +20,27 @@ import javax.annotation.Nullable;
 */
 public final class PeerConnectionDependencies {
  // Mandatory dependencies.
-  private PeerConnection.Observer observer;
+  private final PeerConnection.Observer observer;
  // Optional fields.
  private final SSLCertificateVerifier sslCertificateVerifier;
  public static class Builder {
    private PeerConnection.Observer observer;
    private SSLCertificateVerifier sslCertificateVerifier;
    private Builder(PeerConnection.Observer observer) {
      this.observer = observer;
    }
    public Builder setSSLCertificateVerifier(SSLCertificateVerifier sslCertificateVerifier) {
      this.sslCertificateVerifier = sslCertificateVerifier;
      return this;
    }
    // Observer is a required dependency and so is forced in the construction of the object.
    public PeerConnectionDependencies createPeerConnectionDependencies() {
-      return new PeerConnectionDependencies(observer);
+      return new PeerConnectionDependencies(observer, sslCertificateVerifier);
    }
  }
@ -43,7 +52,14 @@ public final class PeerConnectionDependencies {
    return observer;
  }
-  private PeerConnectionDependencies(PeerConnection.Observer observer) {
+  @Nullable
  SSLCertificateVerifier getSSLCertificateVerifier() {
    return sslCertificateVerifier;
  }
  private PeerConnectionDependencies(
      PeerConnection.Observer observer, SSLCertificateVerifier sslCertificateVerifier) {
    this.observer = observer;
    this.sslCertificateVerifier = sslCertificateVerifier;
  }
 }
--- a/sdk/android/api/org/webrtc/PeerConnectionFactory.java
+++ b/sdk/android/api/org/webrtc/PeerConnectionFactory.java
@ -328,6 +328,25 @@ public class PeerConnectionFactory {
    this.nativeFactory = nativeFactory;
  }
  /**
   * Internal helper function to pass the parameters down into the native JNI bridge.
   */
  @Nullable
  PeerConnection createPeerConnectionInternal(PeerConnection.RTCConfiguration rtcConfig,
      MediaConstraints constraints, PeerConnection.Observer observer,
      SSLCertificateVerifier sslCertificateVerifier) {
    long nativeObserver = PeerConnection.createNativePeerConnectionObserver(observer);
    if (nativeObserver == 0) {
      return null;
    }
    long nativePeerConnection = nativeCreatePeerConnection(
        nativeFactory, rtcConfig, constraints, nativeObserver, sslCertificateVerifier);
    if (nativePeerConnection == 0) {
      return null;
    }
    return new PeerConnection(nativePeerConnection);
  }
  /**
   * Deprecated. PeerConnection constraints are deprecated. Supply values in rtcConfig struct
   * instead and use the method without constraints in the signature.
@ -336,16 +355,8 @@ public class PeerConnectionFactory {
  @Deprecated
  public PeerConnection createPeerConnection(PeerConnection.RTCConfiguration rtcConfig,
      MediaConstraints constraints, PeerConnection.Observer observer) {
-    long nativeObserver = PeerConnection.createNativePeerConnectionObserver(observer);
+    return createPeerConnectionInternal(
-    if (nativeObserver == 0) {
+        rtcConfig, constraints, observer, /* sslCertificateVerifier= */ null);
      return null;
    }
    long nativePeerConnection =
        nativeCreatePeerConnection(nativeFactory, rtcConfig, constraints, nativeObserver);
    if (nativePeerConnection == 0) {
      return null;
    }
    return new PeerConnection(nativePeerConnection);
  }
  /**
@ -376,7 +387,8 @@ public class PeerConnectionFactory {
  @Nullable
  public PeerConnection createPeerConnection(
      PeerConnection.RTCConfiguration rtcConfig, PeerConnectionDependencies dependencies) {
-    return createPeerConnection(rtcConfig, null /* constraints */, dependencies.getObserver());
+    return createPeerConnectionInternal(rtcConfig, null /* constraints */,
        dependencies.getObserver(), dependencies.getSSLCertificateVerifier());
  }
  public MediaStream createLocalMediaStream(String label) {
@ -514,7 +526,8 @@ public class PeerConnectionFactory {
      VideoDecoderFactory decoderFactory, long nativeAudioProcessor,
      long nativeFecControllerFactory);
  private static native long nativeCreatePeerConnection(long factory,
-      PeerConnection.RTCConfiguration rtcConfig, MediaConstraints constraints, long nativeObserver);
+      PeerConnection.RTCConfiguration rtcConfig, MediaConstraints constraints, long nativeObserver,
      SSLCertificateVerifier sslCertificateVerifier);
  private static native long nativeCreateLocalMediaStream(long factory, String label);
  private static native long nativeCreateVideoSource(long factory, boolean is_screencast);
  private static native long nativeCreateVideoTrack(
--- a/sdk/android/api/org/webrtc/SSLCertificateVerifier.java
+++ b/sdk/android/api/org/webrtc/SSLCertificateVerifier.java
@ -0,0 +1,27 @@
 /*
 *  Copyright 2018 The WebRTC project authors. All Rights Reserved.
 *
 *  Use of this source code is governed by a BSD-style license
 *  that can be found in the LICENSE file in the root of the source
 *  tree. An additional intellectual property rights grant can be found
 *  in the file PATENTS.  All contributing project authors may
 *  be found in the AUTHORS file in the root of the source tree.
 */
 package org.webrtc;
 /**
 * The SSLCertificateVerifier interface allows API users to provide custom
 * logic to verify certificates.
 */
 public interface SSLCertificateVerifier {
  /**
   * Implementations of verify allow applications to provide custom logic for
   * verifying certificates. This is not required by default and should be used
   * with care.
   *
   * @param certificate A byte array containing a DER encoded X509 certificate.
   * @return True if the certificate is verified and trusted else false.
   */
  @CalledByNative boolean verify(byte[] certificate);
 }
--- a/sdk/android/src/jni/pc/peerconnectionfactory.cc
+++ b/sdk/android/src/jni/pc/peerconnectionfactory.cc
@ -34,6 +34,7 @@
 #include "sdk/android/src/jni/pc/media.h"
 #include "sdk/android/src/jni/pc/ownedfactoryandthreads.h"
 #include "sdk/android/src/jni/pc/peerconnection.h"
 #include "sdk/android/src/jni/pc/sslcertificateverifierwrapper.h"
 #include "sdk/android/src/jni/pc/video.h"
 #include "system_wrappers/include/field_trial.h"
 // Adding 'nogncheck' to disable the gn include headers check.
@ -374,7 +375,8 @@ static jlong JNI_PeerConnectionFactory_CreatePeerConnection(
    jlong factory,
    const JavaParamRef<jobject>& j_rtc_config,
    const JavaParamRef<jobject>& j_constraints,
-    jlong observer_p) {
+    jlong observer_p,
    const JavaParamRef<jobject>& j_sslCertificateVerifier) {
  rtc::scoped_refptr<PeerConnectionFactoryInterface> f(
      reinterpret_cast<PeerConnectionFactoryInterface*>(
          factoryFromJava(factory)));
@ -404,8 +406,17 @@ static jlong JNI_PeerConnectionFactory_CreatePeerConnection(
    constraints = JavaToNativeMediaConstraints(jni, j_constraints);
    CopyConstraintsIntoRtcConfiguration(constraints.get(), &rtc_config);
  }
-  rtc::scoped_refptr<PeerConnectionInterface> pc(
+
-      f->CreatePeerConnection(rtc_config, nullptr, nullptr, observer.get()));
+  PeerConnectionDependencies peer_connection_dependencies(observer.get());
  if (!j_sslCertificateVerifier.is_null()) {
    peer_connection_dependencies.tls_cert_verifier =
        absl::make_unique<SSLCertificateVerifierWrapper>(
            jni, j_sslCertificateVerifier);
  }
  rtc::scoped_refptr<PeerConnectionInterface> pc(f->CreatePeerConnection(
      rtc_config, std::move(peer_connection_dependencies)));
  return jlongFromPointer(
      new OwnedPeerConnection(pc, std::move(observer), std::move(constraints)));
 }
--- a/sdk/android/src/jni/pc/sslcertificateverifierwrapper.cc
+++ b/sdk/android/src/jni/pc/sslcertificateverifierwrapper.cc
@ -0,0 +1,44 @@
 /*
 *  Copyright 2018 The WebRTC project authors. All Rights Reserved.
 *
 *  Use of this source code is governed by a BSD-style license
 *  that can be found in the LICENSE file in the root of the source
 *  tree. An additional intellectual property rights grant can be found
 *  in the file PATENTS.  All contributing project authors may
 *  be found in the AUTHORS file in the root of the source tree.
 */
 #include "sdk/android/src/jni/pc/sslcertificateverifierwrapper.h"
 #include "sdk/android/generated_peerconnection_jni/jni/SSLCertificateVerifier_jni.h"
 #include "sdk/android/native_api/jni/class_loader.h"
 #include "sdk/android/native_api/jni/java_types.h"
 namespace webrtc {
 namespace jni {
 SSLCertificateVerifierWrapper::SSLCertificateVerifierWrapper(
    JNIEnv* jni,
    const JavaRef<jobject>& ssl_certificate_verifier)
    : ssl_certificate_verifier_(jni, ssl_certificate_verifier) {}
 SSLCertificateVerifierWrapper::~SSLCertificateVerifierWrapper() = default;
 bool SSLCertificateVerifierWrapper::Verify(
    const rtc::SSLCertificate& certificate) {
  JNIEnv* jni = AttachCurrentThreadIfNeeded();
  // Serialize the der encoding of the cert into a jbyteArray
  rtc::Buffer cert_der_buffer;
  certificate.ToDER(&cert_der_buffer);
  ScopedJavaLocalRef<jbyteArray> jni_buffer(
      jni, jni->NewByteArray(cert_der_buffer.size()));
  jni->SetByteArrayRegion(
      jni_buffer.obj(), 0, cert_der_buffer.size(),
      reinterpret_cast<const jbyte*>(cert_der_buffer.data()));
  return Java_SSLCertificateVerifier_verify(jni, ssl_certificate_verifier_,
                                            jni_buffer);
 }
 }  // namespace jni
 }  // namespace webrtc
--- a/sdk/android/src/jni/pc/sslcertificateverifierwrapper.h
+++ b/sdk/android/src/jni/pc/sslcertificateverifierwrapper.h
@ -0,0 +1,41 @@
 /*
 *  Copyright 2018 The WebRTC project authors. All Rights Reserved.
 *
 *  Use of this source code is governed by a BSD-style license
 *  that can be found in the LICENSE file in the root of the source
 *  tree. An additional intellectual property rights grant can be found
 *  in the file PATENTS.  All contributing project authors may
 *  be found in the AUTHORS file in the root of the source tree.
 */
 #ifndef SDK_ANDROID_SRC_JNI_PC_SSLCERTIFICATEVERIFIERWRAPPER_H_
 #define SDK_ANDROID_SRC_JNI_PC_SSLCERTIFICATEVERIFIERWRAPPER_H_
 #include <jni.h>
 #include <vector>
 #include "rtc_base/sslcertificate.h"
 #include "sdk/android/src/jni/jni_helpers.h"
 namespace webrtc {
 namespace jni {
 // Wrapper for Java SSLCertifiacteVerifier class. Delegates method calls through
 // JNI and wraps the encoder inside SSLCertificateVerifierWrapper.
 class SSLCertificateVerifierWrapper : public rtc::SSLCertificateVerifier {
 public:
  SSLCertificateVerifierWrapper(
      JNIEnv* jni,
      const JavaRef<jobject>& ssl_certificate_verifier);
  ~SSLCertificateVerifierWrapper() override;
  bool Verify(const rtc::SSLCertificate& certificate) override;
 private:
  const ScopedJavaGlobalRef<jobject> ssl_certificate_verifier_;
 };
 }  // namespace jni
 }  // namespace webrtc
 #endif  // SDK_ANDROID_SRC_JNI_PC_SSLCERTIFICATEVERIFIERWRAPPER_H_