From 2515295fc60521d50adac420854170c932d9aa7e Mon Sep 17 00:00:00 2001 From: Djorkaeff Alexandre Date: Mon, 2 Sep 2019 13:19:05 -0300 Subject: [PATCH] [NEW] Support client certificates for SSL (two-way authentication) (#1125) --- app/actions/server.js | 5 +- app/i18n/locales/en.js | 5 + app/lib/rocketchat.js | 8 ++ app/sagas/selectServer.js | 7 +- app/utils/server.js | 18 ++++ app/views/NewServerView.js | 118 +++++++++++++++++++++-- package.json | 1 + patches/react-native+0.60.4.patch | 151 +++++++++++++++++++++++++++++- yarn.lock | 2 +- 9 files changed, 301 insertions(+), 14 deletions(-) create mode 100644 app/utils/server.js diff --git a/app/actions/server.js b/app/actions/server.js index a5441c7ba..a3356d89a 100644 --- a/app/actions/server.js +++ b/app/actions/server.js @@ -23,10 +23,11 @@ export function selectServerFailure() { }; } -export function serverRequest(server) { +export function serverRequest(server, certificate = null) { return { type: SERVER.REQUEST, - server + server, + certificate }; } diff --git a/app/i18n/locales/en.js b/app/i18n/locales/en.js index cf1803758..a8f814da0 100644 --- a/app/i18n/locales/en.js +++ b/app/i18n/locales/en.js @@ -94,6 +94,7 @@ export default { and: 'and', announcement: 'announcement', Announcement: 'Announcement', + Apply_Your_Certificate: 'Apply Your Certificate', ARCHIVE: 'ARCHIVE', archive: 'archive', are_typing: 'are typing', @@ -137,6 +138,8 @@ export default { Copied_to_clipboard: 'Copied to clipboard!', Copy: 'Copy', Permalink: 'Permalink', + Certificate_password: 'Certificate Password', + Whats_the_password_for_your_certificate: 'What\'s the password for your certificate?', Create_account: 'Create an account', Create_Channel: 'Create Channel', Created_snippet: 'Created a snippet', @@ -155,6 +158,7 @@ export default { Disable_notifications: 'Disable notifications', Discussions: 'Discussions', Dont_Have_An_Account: 'Don\'t have an account?', + Do_you_have_a_certificate: 'Do you have a certificate?', Do_you_really_want_to_key_this_room_question_mark: 'Do you really want to {{key}} this room?', edit: 'edit', edited: 'edited', @@ -427,6 +431,7 @@ export default { you: 'you', You: 'You', You_need_to_access_at_least_one_RocketChat_server_to_share_something: 'You need to access at least one Rocket.Chat server to share something.', + Your_certificate: 'Your Certificate', Version_no: 'Version: {{version}}', You_will_not_be_able_to_recover_this_message: 'You will not be able to recover this message!', Change_Language: 'Change Language', diff --git a/app/lib/rocketchat.js b/app/lib/rocketchat.js index 552a474b5..05a1f6c6d 100644 --- a/app/lib/rocketchat.js +++ b/app/lib/rocketchat.js @@ -2,6 +2,7 @@ import { AsyncStorage, InteractionManager } from 'react-native'; import semver from 'semver'; import { Rocketchat as RocketchatClient } from '@rocket.chat/sdk'; import RNUserDefaults from 'rn-user-defaults'; +import * as FileSystem from 'expo-file-system'; import reduxStore from './createStore'; import defaultSettings from '../constants/settings'; @@ -9,6 +10,7 @@ import messagesStatus from '../constants/messagesStatus'; import database from './realm'; import log from '../utils/log'; import { isIOS, getBundleId } from '../utils/deviceInfo'; +import { extractHostname } from '../utils/server'; import { setUser, setLoginServices, loginRequest, loginFailure, logout @@ -364,6 +366,12 @@ const RocketChat = { try { const servers = await RNUserDefaults.objectForKey(SERVERS); await RNUserDefaults.setObjectForKey(SERVERS, servers && servers.filter(srv => srv[SERVER_URL] !== server)); + // clear certificate for server - SSL Pinning + const certificate = await RNUserDefaults.objectForKey(extractHostname(server)); + if (certificate && certificate.path) { + await RNUserDefaults.clear(extractHostname(server)); + await FileSystem.deleteAsync(certificate.path); + } } catch (error) { console.log('logout_rn_user_defaults', error); } diff --git a/app/sagas/selectServer.js b/app/sagas/selectServer.js index ef5d83afb..04e851fa1 100644 --- a/app/sagas/selectServer.js +++ b/app/sagas/selectServer.js @@ -14,6 +14,7 @@ import { setUser } from '../actions/login'; import RocketChat from '../lib/rocketchat'; import database from '../lib/realm'; import log from '../utils/log'; +import { extractHostname } from '../utils/server'; import I18n from '../i18n'; import { SERVERS, TOKEN, SERVER_URL } from '../constants/userDefaults'; @@ -77,8 +78,12 @@ const handleSelectServer = function* handleSelectServer({ server, version, fetch } }; -const handleServerRequest = function* handleServerRequest({ server }) { +const handleServerRequest = function* handleServerRequest({ server, certificate }) { try { + if (certificate) { + yield RNUserDefaults.setObjectForKey(extractHostname(server), certificate); + } + const serverInfo = yield getServerInfo({ server }); const loginServicesLength = yield RocketChat.getLoginServices(server); diff --git a/app/utils/server.js b/app/utils/server.js new file mode 100644 index 000000000..0dcc10546 --- /dev/null +++ b/app/utils/server.js @@ -0,0 +1,18 @@ +/* + Extract hostname from url + url = 'https://open.rocket.chat/method' + hostname = 'open.rocket.chat' +*/ +export const extractHostname = (url) => { + let hostname; + + if (url.indexOf('//') > -1) { + [,, hostname] = url.split('/'); + } else { + [hostname] = url.split('/'); + } + [hostname] = hostname.split(':'); + [hostname] = hostname.split('?'); + + return hostname; +}; diff --git a/app/views/NewServerView.js b/app/views/NewServerView.js index 463aeb4c7..5d03cb0ed 100644 --- a/app/views/NewServerView.js +++ b/app/views/NewServerView.js @@ -1,10 +1,14 @@ import React from 'react'; import PropTypes from 'prop-types'; import { - Text, ScrollView, Keyboard, Image, StyleSheet, TouchableOpacity + Text, ScrollView, Keyboard, Image, StyleSheet, TouchableOpacity, View, Alert, LayoutAnimation } from 'react-native'; import { connect } from 'react-redux'; import { SafeAreaView } from 'react-navigation'; +import * as FileSystem from 'expo-file-system'; +import DocumentPicker from 'react-native-document-picker'; +import ActionSheet from 'react-native-action-sheet'; +import isEqual from 'deep-equal'; import { serverRequest } from '../actions/server'; import sharedStyles from './Styles'; @@ -18,6 +22,7 @@ import { isIOS, isNotch } from '../utils/deviceInfo'; import { CustomIcon } from '../lib/Icons'; import StatusBar from '../containers/StatusBar'; import { COLOR_PRIMARY } from '../constants/colors'; +import log from '../utils/log'; const styles = StyleSheet.create({ image: { @@ -41,6 +46,22 @@ const styles = StyleSheet.create({ position: 'absolute', paddingHorizontal: 9, left: 15 + }, + certificatePicker: { + flex: 1, + marginTop: 40, + alignItems: 'center', + justifyContent: 'center' + }, + chooseCertificateTitle: { + fontSize: 15, + ...sharedStyles.textRegular, + ...sharedStyles.textColorDescription + }, + chooseCertificate: { + fontSize: 15, + ...sharedStyles.textSemibold, + ...sharedStyles.textColorHeaderBack } }); @@ -61,9 +82,19 @@ class NewServerView extends React.Component { constructor(props) { super(props); const server = props.navigation.getParam('server'); + + // Cancel + this.options = [I18n.t('Cancel')]; + this.CANCEL_INDEX = 0; + + // Delete + this.options.push(I18n.t('Delete')); + this.DELETE_INDEX = 1; + this.state = { text: server || '', - autoFocus: !server + autoFocus: !server, + certificate: null }; } @@ -76,11 +107,14 @@ class NewServerView extends React.Component { } shouldComponentUpdate(nextProps, nextState) { - const { text } = this.state; + const { text, certificate } = this.state; const { connecting } = this.props; if (nextState.text !== text) { return true; } + if (!isEqual(nextState.certificate, certificate)) { + return true; + } if (nextProps.connecting !== connecting) { return true; } @@ -91,13 +125,51 @@ class NewServerView extends React.Component { this.setState({ text }); } - submit = () => { - const { text } = this.state; + submit = async() => { + const { text, certificate } = this.state; const { connectServer } = this.props; + let cert = null; + + if (certificate) { + const certificatePath = `${ FileSystem.documentDirectory }/${ certificate.name }`; + try { + await FileSystem.copyAsync({ from: certificate.path, to: certificatePath }); + } catch (error) { + log('err_save_certificate', error); + } + cert = { + path: this.uriToPath(certificatePath), // file:// isn't allowed by obj-C + password: certificate.password + }; + } if (text) { Keyboard.dismiss(); - connectServer(this.completeUrl(text)); + connectServer(this.completeUrl(text), cert); + } + } + + chooseCertificate = async() => { + try { + const res = await DocumentPicker.pick({ + type: ['com.rsa.pkcs-12'] + }); + const { uri: path, name } = res; + Alert.prompt( + I18n.t('Certificate_password'), + I18n.t('Whats_the_password_for_your_certificate'), + [ + { + text: 'OK', + onPress: password => this.saveCertificate({ path, name, password }) + } + ], + 'secure-text', + ); + } catch (error) { + if (!DocumentPicker.isCancel(error)) { + log('err_choose_certificate', error); + } } } @@ -120,6 +192,25 @@ class NewServerView extends React.Component { return url.replace(/\/+$/, ''); } + uriToPath = uri => uri.replace('file://', ''); + + saveCertificate = (certificate) => { + LayoutAnimation.easeInEaseOut(); + this.setState({ certificate }); + } + + handleDelete = () => this.setState({ certificate: null }); // We not need delete file from DocumentPicker because it is a temp file + + showActionSheet = () => { + ActionSheet.showActionSheetWithOptions({ + options: this.options, + cancelButtonIndex: this.CANCEL_INDEX, + destructiveButtonIndex: this.DELETE_INDEX + }, (actionIndex) => { + if (actionIndex === this.DELETE_INDEX) { this.handleDelete(); } + }); + } + renderBack = () => { const { navigation } = this.props; @@ -142,6 +233,18 @@ class NewServerView extends React.Component { ); } + renderCertificatePicker = () => { + const { certificate } = this.state; + return ( + + {certificate ? I18n.t('Your_certificate') : I18n.t('Do_you_have_a_certificate')} + + {certificate ? certificate.name : I18n.t('Apply_Your_Certificate')} + + + ); + } + render() { const { connecting } = this.props; const { text, autoFocus } = this.state; @@ -175,6 +278,7 @@ class NewServerView extends React.Component { loading={connecting} testID='new-server-view-button' /> + { isIOS ? this.renderCertificatePicker() : null } {this.renderBack()} @@ -188,7 +292,7 @@ const mapStateToProps = state => ({ }); const mapDispatchToProps = dispatch => ({ - connectServer: server => dispatch(serverRequest(server)) + connectServer: (server, certificate) => dispatch(serverRequest(server, certificate)) }); export default connect(mapStateToProps, mapDispatchToProps)(NewServerView); diff --git a/package.json b/package.json index f9216c95d..4e905a93c 100644 --- a/package.json +++ b/package.json @@ -29,6 +29,7 @@ "commonmark-react-renderer": "git+https://github.com/RocketChat/commonmark-react-renderer.git", "deep-equal": "^1.0.1", "ejson": "2.2.0", + "expo-file-system": "^6.0.2", "expo-av": "^6.0.0", "expo-haptics": "6.0.0", "expo-web-browser": "^6.0.0", diff --git a/patches/react-native+0.60.4.patch b/patches/react-native+0.60.4.patch index 0785c91ee..16af07e43 100644 --- a/patches/react-native+0.60.4.patch +++ b/patches/react-native+0.60.4.patch @@ -1,8 +1,140 @@ +diff --git a/node_modules/react-native/Libraries/Network/RCTHTTPRequestHandler.mm b/node_modules/react-native/Libraries/Network/RCTHTTPRequestHandler.mm +index 76131fa..59804aa 100644 +--- a/node_modules/react-native/Libraries/Network/RCTHTTPRequestHandler.mm ++++ b/node_modules/react-native/Libraries/Network/RCTHTTPRequestHandler.mm +@@ -55,6 +55,59 @@ - (BOOL)canHandleRequest:(NSURLRequest *)request + return [schemes containsObject:request.URL.scheme.lowercaseString]; + } + ++-(NSURLCredential *)getUrlCredential:(NSURLAuthenticationChallenge *)challenge path:(NSString *)path password:(NSString *)password ++{ ++ NSString *authMethod = [[challenge protectionSpace] authenticationMethod]; ++ SecTrustRef serverTrust = challenge.protectionSpace.serverTrust; ++ ++ if ([authMethod isEqualToString:NSURLAuthenticationMethodServerTrust] || path == nil || password == nil) { ++ return [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]; ++ } else if (path && password) { ++ NSMutableArray *policies = [NSMutableArray array]; ++ [policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)challenge.protectionSpace.host)]; ++ SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)policies); ++ ++ SecTrustResultType result; ++ SecTrustEvaluate(serverTrust, &result); ++ ++ if (![[NSFileManager defaultManager] fileExistsAtPath:path]) ++ { ++ return [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]; ++ } ++ ++ NSData *p12data = [NSData dataWithContentsOfFile:path]; ++ NSDictionary* options = @{ (id)kSecImportExportPassphrase:password }; ++ CFArrayRef rawItems = NULL; ++ OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12data, ++ (__bridge CFDictionaryRef)options, ++ &rawItems); ++ ++ if (status != noErr) { ++ return [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]; ++ } ++ ++ NSArray* items = (NSArray*)CFBridgingRelease(rawItems); ++ NSDictionary* firstItem = nil; ++ if ((status == errSecSuccess) && ([items count]>0)) { ++ firstItem = items[0]; ++ } ++ ++ SecIdentityRef identity = (SecIdentityRef)CFBridgingRetain(firstItem[(id)kSecImportItemIdentity]); ++ SecCertificateRef certificate = NULL; ++ if (identity) { ++ SecIdentityCopyCertificate(identity, &certificate); ++ if (certificate) { CFRelease(certificate); } ++ } ++ ++ NSMutableArray *certificates = [[NSMutableArray alloc] init]; ++ [certificates addObject:CFBridgingRelease(certificate)]; ++ ++ return [NSURLCredential credentialWithIdentity:identity certificates:certificates persistence:NSURLCredentialPersistenceNone]; ++ } ++ ++ return [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]; ++} ++ + - (NSURLSessionDataTask *)sendRequest:(NSURLRequest *)request + withDelegate:(id)delegate + { +@@ -177,4 +230,21 @@ - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didComp + [delegate URLRequest:task didCompleteWithError:error]; + } + ++-(void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler { ++ ++ NSString *host = challenge.protectionSpace.host; ++ NSDictionary *clientSSL = [[[NSUserDefaults alloc] initWithSuiteName:@"group.ios.chat.rocket"] objectForKey:host]; ++ ++ NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]; ++ ++ if (clientSSL != (id)[NSNull null]) { ++ NSString *path = [clientSSL objectForKey:@"path"]; ++ NSString *password = [clientSSL objectForKey:@"password"]; ++ credential = [self getUrlCredential:challenge path:path password:password]; ++ } ++ ++ completionHandler(NSURLSessionAuthChallengeUseCredential, credential); ++} ++ ++ + @end diff --git a/node_modules/react-native/Libraries/WebSocket/RCTSRWebSocket.m b/node_modules/react-native/Libraries/WebSocket/RCTSRWebSocket.m -index 6f1e5e8..b835657 100644 +index 6f1e5e8..f268d93 100644 --- a/node_modules/react-native/Libraries/WebSocket/RCTSRWebSocket.m +++ b/node_modules/react-native/Libraries/WebSocket/RCTSRWebSocket.m -@@ -595,6 +595,7 @@ - (void)closeWithCode:(NSInteger)code reason:(NSString *)reason; +@@ -479,6 +479,29 @@ - (void)didConnect + [self _readHTTPHeader]; + } + ++- (void)setClientSSL:(NSString *)path password:(NSString *)password options:(NSMutableDictionary *)options; ++{ ++ if ([[NSFileManager defaultManager] fileExistsAtPath:path]) ++ { ++ NSData *pkcs12data = [[NSData alloc] initWithContentsOfFile:path]; ++ NSDictionary* certOptions = @{ (id)kSecImportExportPassphrase:password }; ++ CFArrayRef keyref = NULL; ++ OSStatus sanityChesk = SecPKCS12Import((__bridge CFDataRef)pkcs12data, ++ (__bridge CFDictionaryRef)certOptions, ++ &keyref); ++ if (sanityChesk == noErr) { ++ CFDictionaryRef identityDict = CFArrayGetValueAtIndex(keyref, 0); ++ SecIdentityRef identityRef = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity); ++ SecCertificateRef cert = NULL; ++ OSStatus status = SecIdentityCopyCertificate(identityRef, &cert); ++ if (!status) { ++ NSArray *certificates = [[NSArray alloc] initWithObjects:(__bridge id)identityRef, (__bridge id)cert, nil]; ++ [options setObject:certificates forKey:(NSString *)kCFStreamSSLCertificates]; ++ } ++ } ++ } ++} ++ + - (void)_initializeStreams; + { + assert(_url.port.unsignedIntValue <= UINT32_MAX); +@@ -516,6 +539,15 @@ - (void)_initializeStreams; + RCTLogInfo(@"SocketRocket: In debug mode. Allowing connection to any root cert"); + #endif + ++ // SSL Pinning ++ NSDictionary *clientSSL = [[[NSUserDefaults alloc] initWithSuiteName:@"group.ios.chat.rocket"] objectForKey:host]; ++ if (clientSSL != (id)[NSNull null]) { ++ NSString *path = [clientSSL objectForKey:@"path"]; ++ NSString *password = [clientSSL objectForKey:@"password"]; ++ ++ [self setClientSSL:path password:password options:SSLOptions]; ++ } ++ + [_outputStream setProperty:SSLOptions + forKey:(__bridge id)kCFStreamPropertySSLSettings]; + } +@@ -595,6 +627,7 @@ - (void)closeWithCode:(NSInteger)code reason:(NSString *)reason; } } @@ -22,4 +154,17 @@ index 7ed4900..bb85402 100644 + return RCTSharedApplication().delegate.window.safeAreaInsets.bottom; } else { return 0; - } \ No newline at end of file + } +diff --git a/node_modules/react-native/ReactAndroid/src/main/java/com/facebook/react/modules/systeminfo/AndroidInfoModule.java b/node_modules/react-native/ReactAndroid/src/main/java/com/facebook/react/modules/systeminfo/AndroidInfoModule.java +index cf5ca40..262f22a 100644 +--- a/node_modules/react-native/ReactAndroid/src/main/java/com/facebook/react/modules/systeminfo/AndroidInfoModule.java ++++ b/node_modules/react-native/ReactAndroid/src/main/java/com/facebook/react/modules/systeminfo/AndroidInfoModule.java +@@ -91,7 +91,7 @@ public class AndroidInfoModule extends ReactContextBaseJavaModule { + + private Boolean isRunningScreenshotTest() { + try { +- Class.forName("android.support.test.rule.ActivityTestRule"); ++ Class.forName("androidx.test.rule.ActivityTestRule"); + return true; + } catch (ClassNotFoundException ignored) { + return false; diff --git a/yarn.lock b/yarn.lock index a54a5551b..cc1a18bff 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4433,7 +4433,7 @@ expo-constants@~6.0.0: dependencies: ua-parser-js "^0.7.19" -expo-file-system@~6.0.1: +expo-file-system@^6.0.2, expo-file-system@~6.0.1: version "6.0.2" resolved "https://registry.yarnpkg.com/expo-file-system/-/expo-file-system-6.0.2.tgz#e65f30eb6a7213e07933df9688116eaf4e25bbf8" integrity sha512-s+6oQpLhcT7MQp7fcoj1E+zttMr0WX6c0FrddzqB4dUfhIggV+nb35nQMASIiTHAj8VPUanTFliY5rETHRMHRA==