[PM-16157] Support self-host servers using TLS with Client Authentication (mTLS) (#4486)

Author: rohm1

app/src/main/java/com/x8bit/bitwarden/data/auth/datasource/disk/model/EnvironmentUrlDataJson.kt

@@ -7,6 +7,7 @@ import kotlinx.serialization.Serializable
  * Represents URLs for various Bitwarden domains.
  *
  * @property base The overall base URL.
+ * @property keyUri A Uri containing the alias and host of the key used for mutual TLS.
  * @property api Separate base URL for the "/api" domain (if applicable).
  * @property identity Separate base URL for the "/identity" domain (if applicable).
  * @property icon Separate base URL for the icon domain (if applicable).
@@ -19,6 +20,9 @@ data class EnvironmentUrlDataJson(
     @SerialName("base")
     val base: String,
 
+    @SerialName("keyUri")
+    val keyUri: String? = null,
+
     @SerialName("api")
     val api: String? = null,
 
@@ -51,6 +55,7 @@ data class EnvironmentUrlDataJson(
          */
         val DEFAULT_LEGACY_US: EnvironmentUrlDataJson = EnvironmentUrlDataJson(
             base = "https://vault.bitwarden.com",
+            keyUri = null,
             api = "https://api.bitwarden.com",
             identity = "https://identity.bitwarden.com",
             icon = "https://icons.bitwarden.net",
@@ -71,6 +76,7 @@ data class EnvironmentUrlDataJson(
          */
         val DEFAULT_LEGACY_EU: EnvironmentUrlDataJson = EnvironmentUrlDataJson(
             base = "https://vault.bitwarden.eu",
+            keyUri = null,
             api = "https://api.bitwarden.eu",
             identity = "https://identity.bitwarden.eu",
             icon = "https://icons.bitwarden.eu",

app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/network/di/PlatformNetworkModule.kt

@@ -14,6 +14,10 @@ import com.x8bit.bitwarden.data.platform.datasource.network.service.EventService
 import com.x8bit.bitwarden.data.platform.datasource.network.service.EventServiceImpl
 import com.x8bit.bitwarden.data.platform.datasource.network.service.PushService
 import com.x8bit.bitwarden.data.platform.datasource.network.service.PushServiceImpl
+import com.x8bit.bitwarden.data.platform.datasource.network.ssl.SslManager
+import com.x8bit.bitwarden.data.platform.datasource.network.ssl.SslManagerImpl
+import com.x8bit.bitwarden.data.platform.manager.KeyManager
+import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
@@ -70,20 +74,33 @@ object PlatformNetworkModule {
     @Singleton
     fun providesRefreshAuthenticator(): RefreshAuthenticator = RefreshAuthenticator()
 
+    @Provides
+    @Singleton
+    fun provideSslManager(
+        keyManager: KeyManager,
+        environmentRepository: EnvironmentRepository,
+    ): SslManager =
+        SslManagerImpl(
+            keyManager = keyManager,
+            environmentRepository = environmentRepository,
+        )
+
     @Provides
     @Singleton
     fun provideRetrofits(
         authTokenInterceptor: AuthTokenInterceptor,
         baseUrlInterceptors: BaseUrlInterceptors,
         headersInterceptor: HeadersInterceptor,
         refreshAuthenticator: RefreshAuthenticator,
+        sslManager: SslManager,
         json: Json,
     ): Retrofits =
         RetrofitsImpl(
             authTokenInterceptor = authTokenInterceptor,
             baseUrlInterceptors = baseUrlInterceptors,
             headersInterceptor = headersInterceptor,
             refreshAuthenticator = refreshAuthenticator,
+            sslManager = sslManager,
             json = json,
         )
 

app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/network/retrofit/RetrofitsImpl.kt

@@ -6,6 +6,7 @@ import com.x8bit.bitwarden.data.platform.datasource.network.interceptor.AuthToke
 import com.x8bit.bitwarden.data.platform.datasource.network.interceptor.BaseUrlInterceptor
 import com.x8bit.bitwarden.data.platform.datasource.network.interceptor.BaseUrlInterceptors
 import com.x8bit.bitwarden.data.platform.datasource.network.interceptor.HeadersInterceptor
+import com.x8bit.bitwarden.data.platform.datasource.network.ssl.SslManager
 import com.x8bit.bitwarden.data.platform.datasource.network.util.HEADER_KEY_AUTHORIZATION
 import kotlinx.serialization.json.Json
 import okhttp3.MediaType.Companion.toMediaType
@@ -14,6 +15,9 @@ import okhttp3.logging.HttpLoggingInterceptor
 import retrofit2.Retrofit
 import retrofit2.converter.kotlinx.serialization.asConverterFactory
 import timber.log.Timber
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManager
+import javax.net.ssl.X509TrustManager
 
 /**
  * Primary implementation of [Retrofits].
@@ -24,6 +28,7 @@ class RetrofitsImpl(
     headersInterceptor: HeadersInterceptor,
     refreshAuthenticator: RefreshAuthenticator,
     json: Json,
+    private val sslManager: SslManager,
 ) : Retrofits {
     //region Authenticated Retrofits
 
@@ -67,6 +72,10 @@ class RetrofitsImpl(
                 baseClient
                     .newBuilder()
                     .addInterceptor(loggingInterceptor)
+                    .setSslSocketFactory(
+                        sslContext = sslManager.sslContext,
+                        trustManagers = sslManager.trustManagers,
+                    )
                     .build(),
             )
             .build()
@@ -93,6 +102,10 @@ class RetrofitsImpl(
             .newBuilder()
             .authenticator(refreshAuthenticator)
             .addInterceptor(authTokenInterceptor)
+            .setSslSocketFactory(
+                sslContext = sslManager.sslContext,
+                trustManagers = sslManager.trustManagers,
+            )
             .build()
     }
 
@@ -133,9 +146,22 @@ class RetrofitsImpl(
                     .newBuilder()
                     .addInterceptor(baseUrlInterceptor)
                     .addInterceptor(loggingInterceptor)
+                    .setSslSocketFactory(
+                        sslContext = sslManager.sslContext,
+                        trustManagers = sslManager.trustManagers,
+                    )
                     .build(),
             )
             .build()
 
+    private fun OkHttpClient.Builder.setSslSocketFactory(
+        sslContext: SSLContext,
+        trustManagers: Array<TrustManager>,
+    ): OkHttpClient.Builder =
+        sslSocketFactory(
+            sslContext.socketFactory,
+            trustManagers.first() as X509TrustManager,
+        )
+
     //endregion Helper properties and functions
 }

app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/network/ssl/SslManager.kt

@@ -0,0 +1,20 @@
+package com.x8bit.bitwarden.data.platform.datasource.network.ssl
+
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManager
+
+/**
+ * Interface for managing SSL connections.
+ */
+interface SslManager {
+
+    /**
+     * The SSL context to use for SSL connections.
+     */
+    val sslContext: SSLContext
+
+    /**
+     * The trust managers to use for SSL connections.
+     */
+    val trustManagers: Array<TrustManager>
+}

app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/network/ssl/SslManagerImpl.kt

@@ -0,0 +1,116 @@
+package com.x8bit.bitwarden.data.platform.datasource.network.ssl
+
+import android.net.Uri
+import androidx.annotation.VisibleForTesting
+import androidx.annotation.WorkerThread
+import androidx.core.net.toUri
+import com.x8bit.bitwarden.data.platform.datasource.disk.model.MutualTlsCertificate
+import com.x8bit.bitwarden.data.platform.datasource.disk.model.MutualTlsKeyHost
+import com.x8bit.bitwarden.data.platform.manager.KeyManager
+import com.x8bit.bitwarden.data.platform.repository.EnvironmentRepository
+import java.net.Socket
+import java.security.KeyStore
+import java.security.Principal
+import java.security.PrivateKey
+import java.security.cert.X509Certificate
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509ExtendedKeyManager
+
+/**
+ * Primary implementation of [SslManager].
+ */
+class SslManagerImpl(
+    private val keyManager: KeyManager,
+    private val environmentRepository: EnvironmentRepository,
+) : SslManager {
+
+    /*
+        This property must only be accessed from a background thread. Accessing this property from
+        the main thread will result in an exception being thrown when retrieving the mutual TLS
+        certificate from [KeyManager].
+     */
+    @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+    @get:WorkerThread
+    internal val mutualTlsCertificate: MutualTlsCertificate?
+        get() {
+            val keyUri = getKeyUri()
+                ?: return null
+
+            val host = MutualTlsKeyHost
+                .entries
+                .find { it.name == keyUri.authority }
+                ?: return null
+
+            val alias = keyUri.path
+                ?.trim('/')
+                ?.takeUnless { it.isEmpty() }
+                ?: return null
+
+            return keyManager.getMutualTlsCertificateChain(
+                alias = alias,
+                host = host,
+            )
+        }
+
+    override val trustManagers: Array<TrustManager>
+        get() = TrustManagerFactory
+            .getInstance(TrustManagerFactory.getDefaultAlgorithm())
+            .apply { init(null as KeyStore?) }
+            .trustManagers
+
+    override val sslContext: SSLContext
+        get() = SSLContext
+            .getInstance("TLS")
+            .apply {
+                init(
+                    arrayOf(X509ExtendedKeyManagerImpl()),
+                    trustManagers,
+                    null,
+                )
+            }
+
+    private fun getKeyUri(): Uri? = environmentRepository
+        .environment
+        .environmentUrlData
+        .keyUri
+        ?.toUri()
+
+    private inner class X509ExtendedKeyManagerImpl : X509ExtendedKeyManager() {
+        override fun chooseClientAlias(
+            keyType: Array<out String>?,
+            issuers: Array<out Principal>?,
+            socket: Socket?,
+        ): String = mutualTlsCertificate?.alias ?: ""
+
+        override fun getCertificateChain(
+            alias: String?,
+        ): Array<X509Certificate>? =
+            mutualTlsCertificate
+                ?.certificateChain
+                ?.toTypedArray()
+
+        override fun getPrivateKey(alias: String?): PrivateKey? =
+            mutualTlsCertificate
+                ?.privateKey
+
+        //region Unused server side methods
+        override fun getServerAliases(
+            alias: String?,
+            issuers: Array<out Principal>?,
+        ): Array<String> = arrayOf()
+
+        override fun getClientAliases(
+            keyType: String?,
+            issuers: Array<out Principal>?,
+        ): Array<String> = emptyArray()
+
+        override fun chooseServerAlias(
+            alias: String?,
+            issuers: Array<out Principal>?,
+            socket: Socket?,
+        ): String = ""
+        //endregion Unused server side methods
+    }
+}

app/src/main/java/com/x8bit/bitwarden/data/platform/manager/KeyManager.kt

@@ -1,6 +1,7 @@
 package com.x8bit.bitwarden.data.platform.manager
 
-import com.x8bit.bitwarden.data.platform.datasource.disk.model.ImportPrivateKeyResult
+import androidx.annotation.WorkerThread
+import com.x8bit.bitwarden.data.platform.manager.model.ImportPrivateKeyResult
 import com.x8bit.bitwarden.data.platform.datasource.disk.model.MutualTlsCertificate
 import com.x8bit.bitwarden.data.platform.datasource.disk.model.MutualTlsKeyHost
 
@@ -29,7 +30,10 @@ interface KeyManager {
 
     /**
      * Retrieve the certificate chain for the selected mTLS key.
+     *
+     * Must be called from a background thread to prevent possible deadlocks on the main thread.
      */
+    @WorkerThread
     fun getMutualTlsCertificateChain(
         alias: String,
         host: MutualTlsKeyHost,

app/src/main/java/com/x8bit/bitwarden/data/platform/manager/KeyManagerImpl.kt

@@ -3,9 +3,9 @@ package com.x8bit.bitwarden.data.platform.manager
 import android.content.Context
 import android.security.KeyChain
 import android.security.KeyChainException
-import com.x8bit.bitwarden.data.platform.datasource.disk.model.ImportPrivateKeyResult
 import com.x8bit.bitwarden.data.platform.datasource.disk.model.MutualTlsCertificate
 import com.x8bit.bitwarden.data.platform.datasource.disk.model.MutualTlsKeyHost
+import com.x8bit.bitwarden.data.platform.manager.model.ImportPrivateKeyResult
 import timber.log.Timber
 import java.io.IOException
 import java.security.KeyStore

app/src/main/java/com/x8bit/bitwarden/data/platform/datasource/disk/model/ImportPrivateKeyResult.kt renamed to app/src/main/java/com/x8bit/bitwarden/data/platform/manager/model/ImportPrivateKeyResult.kt

@@ -1,4 +1,4 @@
-package com.x8bit.bitwarden.data.platform.datasource.disk.model
+package com.x8bit.bitwarden.data.platform.manager.model
 
 /**
  * Models the result of importing a private key.