Medtronic base

mas-foundation/src/androidTest/java/com/ca/mas/foundation/MASMultiServerTest.java

@@ -145,7 +145,6 @@ public void testHttpOverrideContentType() throws InterruptedException {
         assertEquals(head, customCharset.toString());
     }
 
-
     @Test
     public void testMultiServerCertificatePinningWithCertChain() throws Exception {
         URL url = new URL("https://swapi.co:443");
@@ -593,6 +592,51 @@ public void testMultiServerGeneratedSecurityConfiguration() throws Exception {
         Assert.assertEquals(expectedResult, "CA Technologies");
     }
 
+    @Test
+    public void testMultiServerEnableSSLPinning() throws Exception {
+        MAS.setSSLPinningEnabled(false);
+        MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder()
+                .host(new Uri.Builder().encodedAuthority(HOST).build())
+                .add("ZHVtbXk=") //Dummy
+                .build();
+        MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration);
+
+        MASRequest request = new MASRequest.MASRequestBuilder(
+                new Uri.Builder().encodedAuthority(HOST)
+                        .scheme("https")
+                        .path("test")
+                        .build())
+                .build();
+        MASCallbackFuture<MASResponse<JSONObject>> callback = new MASCallbackFuture<>();
+        MAS.invoke(request, callback);
+
+        // Should pass as enableSSLPinning is false.
+        Assert.assertEquals(expectResponse.toString(), callback.get().getBody().getContent().toString());
+    }
+
+    @Test
+    public void testMultiServerAllowSSLPinning() throws Exception {
+        MAS.setSSLPinningEnabled(true);
+        MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder()
+                .host(new Uri.Builder().encodedAuthority(HOST).build())
+                .add("ZHVtbXk=") //Dummy
+                .allowSSLPinning(false)
+                .build();
+        MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration);
+
+        MASRequest request = new MASRequest.MASRequestBuilder(
+                new Uri.Builder().encodedAuthority(HOST)
+                        .scheme("https")
+                        .path("test")
+                        .build())
+                .build();
+        MASCallbackFuture<MASResponse<JSONObject>> callback = new MASCallbackFuture<>();
+        MAS.invoke(request, callback);
+
+        // Should pass as allowSSLPinning is set to False
+        Assert.assertEquals(expectResponse.toString(), callback.get().getBody().getContent().toString());
+    }
+
     private Certificate[] getCert(URL url) throws Exception {
         //URL url = new URL("https://mobile-staging-androidautomation.l7tech.com:8443");
         //URL url = new URL("https://swapi.co");

mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java

@@ -255,7 +255,7 @@ public interface MobileSsoConfig {
      *
      * True if MSISDN information should be included.  False if MSISDN information should not be included.
      */
-     String PROP_MSISDN_ENABLED = "msso.msisdn.enabled";
+    String PROP_MSISDN_ENABLED = "msso.msisdn.enabled";
 
     /**
      * String.  URL suffix for client credentials endpoint.
@@ -310,7 +310,8 @@ public interface MobileSsoConfig {
     String PROP_DEVICE_METADATA_PATH = "msso_device_metadata";
 
 
+    String PROP_ALLOW_SSL_PINNING = "allow_ssl_pinning";
     // If you add any properties to this file, you must update MobileSsoFactory.createConfig()
     // or they will be ignored.
 
-}
+}

mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java

@@ -56,6 +56,7 @@ public class Config {
     public static final Config TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES = new Config(false, MobileSsoConfig.PROP_TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, "mag.mobile_sdk.trusted_cert_pinned_public_key_hashes", List.class);
     public static final Config CLIENT_CERT_RSA_KEYBITS = new Config(false, MobileSsoConfig.PROP_CLIENT_CERT_RSA_KEYBITS, "mag.mobile_sdk.client_cert_rsa_keybits", Integer.class);
     public static final Config CLIENT_STORAGE = new Config(false, MobileSsoConfig.PROP_STORAGE, "mag.mobile_sdk.storage", String.class);
+    public static final Config ALLOW_SSL_PINNING = new Config(false, MobileSsoConfig.PROP_ALLOW_SSL_PINNING, "mag.mobile_sdk.allow_ssl_pinning", Boolean.class);
 
     //mag.ble
     public static final Config BLE_SERVICE_UUID = new Config(false, MobileSsoConfig.PROP_BLE_SERVICE_UUID, "mag.ble.msso_ble_service_uuid", String.class);
@@ -66,7 +67,7 @@ public class Config {
             HOSTNAME, PORT, PREFIX, SERVER_CERTS, ORGANIZATION, CLIENT_KEY, CLIENT_SECRET, SCOPE, REDIRECT_URI, AUTHORIZE_PATH, REGISTER_TOKEN_PATH, REGISTER_TOKEN_PATH_SSO, LOGOUT_DEVICE_PATH, REVOKE_PATH,
             REMOVE_DEVICE_PATH, REGISTER_DEVICE_PATH, RENEW_DEVICE_PATH, REGISTER_DEVICE_PATH_CLIENT, CLIENT_CREDENTIAL_INIT_PATH, ENTERPRISE_APP_PATH, SSO_ENABLED, LOCATION_ENABLED, LOCATION_PROVIDER,
             MSISDN_ENABLED, TRUSTED_PUBLIC_PKI,DEVICE_METADATA_PATH, TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, CLIENT_CERT_RSA_KEYBITS, CLIENT_STORAGE, BLE_SERVICE_UUID, BLE_USER_SESSION_CHARACTERISTIC_UUID,
-            BLE_RSSI, AUTHENTICATE_OTP_PATH
+            BLE_RSSI, AUTHENTICATE_OTP_PATH, ALLOW_SSL_PINNING
     };
 
     public boolean mandatory;
@@ -89,4 +90,4 @@ public Config(boolean mandatory, String key, String path, Class type) {
         this.type = type;
     }
 
-}
+}

mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java

@@ -46,6 +46,7 @@ public class ConfigurationManager {
     private List<Config> appConfigs;
     private String configurationFileName = null;
     private boolean enablePKCE = true;
+    private boolean sslPinningEnabled = true;
     private boolean idTokenValidation = true;
     private boolean enableJwksPreload = false;
     private JSONObject jsonConfiguration;
@@ -78,6 +79,10 @@ public void enablePKCE(boolean enablePKCE) {
         this.enablePKCE = enablePKCE;
     }
 
+    public void setSSLPinningEnabled(boolean enable) {
+        this.sslPinningEnabled = enable;
+    }
+
     public void enableIdTokenValidation(boolean enableValidation) {
         this.idTokenValidation = enableValidation;
     }
@@ -90,6 +95,10 @@ public boolean isPKCEEnabled() {
         return enablePKCE;
     }
 
+    public boolean isSslPinningEnabled() {
+        return sslPinningEnabled;
+    }
+
     public void reset() {
         connectedGatewayConfigurationProvider = null;
     }
@@ -258,6 +267,12 @@ public ConfigurationProvider create(JSONObject jsonObject) throws JSONException
                 conf.setAlsoTrustPublicPki((Boolean) getValue(Config.TRUSTED_PUBLIC_PKI, jsonObject, Boolean.FALSE));
                 continue;
             }
+
+            if (attr == Config.ALLOW_SSL_PINNING) {
+                conf.setAllowSSLPinning((Boolean) getValue(Config.ALLOW_SSL_PINNING, jsonObject, Boolean.TRUE));
+                continue;
+            }
+
             Object value = getValue(attr, jsonObject);
             if (value != null) {
                 conf.putProperty(attr.key, value);
@@ -477,4 +492,4 @@ public void enableJwksPreload(boolean enableJwksPreload) {
     public void setJsonConfig(JSONObject jsonConfig) {
         this.jsonConfiguration = jsonConfig;
     }
-}
+}

mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationProvider.java

@@ -90,6 +90,13 @@ public interface ConfigurationProvider extends TrustedCertificateConfiguration,
      */
     String getPrefix();
 
+    /**
+     * Based on the provided configuration the SDK, retrieve the ssl_pinning_enabled attribute.
+     *
+     * @return the ssl pinning enabled flag configured for the Gateway.
+     */
+    boolean isSSLPinningAllowed();
+
     // Configuration properties that are not currently documented as part of the public API.
 
     /**

mas-foundation/src/main/java/com/ca/mas/core/conf/DefaultConfiguration.java

@@ -64,6 +64,7 @@ public class DefaultConfiguration implements ConfigurationProvider {
 
     private List<X509Certificate> trustedCertificateAnchors = new ArrayList<X509Certificate>();
     private boolean alsoTrustPublicPki = true;
+    private boolean allowSSLPinning = true;
     private Set<PublicKeyHash> trustedCertificatePinnedPublicKeyHashes = new HashSet<PublicKeyHash>();
 
     /**
@@ -121,6 +122,10 @@ public void setAlsoTrustPublicPki(boolean alsoTrustPublicPki) {
         this.alsoTrustPublicPki = alsoTrustPublicPki;
     }
 
+    public void setAllowSSLPinning(boolean allowSSLPinning) {
+        this.allowSSLPinning = allowSSLPinning;
+    }
+
     /**
      * Add one or more trusted certificates to be returned by {@link #getTrustedCertificateAnchors()}.
      *
@@ -272,6 +277,9 @@ public boolean isAlsoTrustPublicPki() {
         return alsoTrustPublicPki;
     }
 
+    @Override
+    public boolean isSSLPinningAllowed() { return allowSSLPinning; }
+
     @Override
     public Collection<PublicKeyHash> getTrustedCertificatePinnedPublicKeyHashes() {
         return Collections.unmodifiableCollection(trustedCertificatePinnedPublicKeyHashes);

mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java

@@ -9,6 +9,7 @@
 
 import com.ca.mas.core.cert.PublicKeyHash;
 import com.ca.mas.core.cert.TrustedCertificateConfiguration;
+import com.ca.mas.foundation.MAS;
 import com.ca.mas.foundation.MASSecurityConfiguration;
 
 import java.io.IOException;
@@ -117,6 +118,11 @@ public void checkServerTrusted(X509Certificate[] chain, String s) throws Certifi
         List<Certificate> certs = config.getCertificates();
         List<String> hashes = config.getPublicKeyHashes();
 
+        // Bypass the SSL Pinning if not enabled.
+        if (!MAS.isSSLPinningEnabled() || !config.allowSSLPinning()) {
+            return;
+        }
+
         //If we don't trust the public PKI, we fail the validation
         if (config.trustPublicPki()) {
             //All public PKI delegates must succeed
@@ -156,4 +162,4 @@ public void checkServerTrusted(X509Certificate[] chain, String s) throws Certifi
     public X509Certificate[] getAcceptedIssuers() {
         return new X509Certificate[0];
     }
-}
+}

mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java

@@ -21,6 +21,7 @@
 
 import com.ca.mas.core.EventDispatcher;
 import com.ca.mas.core.MAGResultReceiver;
+import com.ca.mas.core.MobileSsoConfig;
 import com.ca.mas.core.MobileSsoFactory;
 import com.ca.mas.core.client.ServerClient;
 import com.ca.mas.core.conf.ConfigurationManager;
@@ -556,6 +557,12 @@ public static void enableIdTokenValidation(boolean enableValidation) {
         ConfigurationManager.getInstance().enableIdTokenValidation(enableValidation);
     }
 
+    /**
+     * Enables the SSL Pinning.
+     */
+    public static void setSSLPinningEnabled(boolean enable) {
+        ConfigurationManager.getInstance().setSSLPinningEnabled(enable);
+    }
     /**
      *  Value of the boolean indicator which indicate if the id_token validation is active or not.
      */
@@ -572,6 +579,15 @@ public static boolean isPKCEEnabled() {
         return ConfigurationManager.getInstance().isPKCEEnabled();
     }
 
+    /**
+     * Determines whether PKCE extension is enabled.
+     *
+     * @return true if ssl pinning is enabled, false otherwise
+     */
+    public static boolean isSSLPinningEnabled() {
+        return ConfigurationManager.getInstance().isSslPinningEnabled();
+    }
+
     /**
      * Stops the lifecycle of all MAS processes.
      */

mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java

@@ -84,9 +84,11 @@ public void update(Observable o, Object arg) {
      */
     static MASSecurityConfiguration createPrimaryConfiguration(Uri uri) {
         ConfigurationProvider configurationProvider = ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider();
+
         MASSecurityConfiguration.Builder configBuilder = new MASSecurityConfiguration.Builder()
                 .host(uri)
-                .trustPublicPKI(configurationProvider.isAlsoTrustPublicPki());
+                .trustPublicPKI(configurationProvider.isAlsoTrustPublicPki())
+                .allowSSLPinning(configurationProvider.isSSLPinningAllowed());
 
         //Add certificates, if any exist
         Collection<X509Certificate> certificates = configurationProvider.getTrustedCertificateAnchors();
@@ -247,6 +249,13 @@ public boolean isSsoEnabled() {
         return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSO_ENABLED);
     }
 
+    /**
+     * Determines if the SDK will perform SSL Pinning for an authentication challenge. This read only value is within the JSON configuration file..
+     */
+    public boolean isSslPinningEnabled() {
+        return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_ALLOW_SSL_PINNING);
+    }
+
     /**
      * Retrieves an endpoint path fragment for a given endpoint key, the keys can be one of the following
      * <ul>

mas-foundation/src/main/java/com/ca/mas/foundation/MASRequestBody.java

@@ -375,7 +375,7 @@ public ContentType getContentType() {
 
                 @Override
                 public long getContentLength() {
-                    return content.length + multipart_separator.length();
+                    return content.length;
                 }
 
                 @Override
@@ -397,8 +397,7 @@ public void write(OutputStream outputStream) throws IOException {
                             progressListener.onProgress("" + (int) ((progress * 100) / content.length)); // sending progress percent to publishProgress
                         }
                     }
-                    outputStream.write((multipart_separator).getBytes());
-                    outputStream.flush();
+
                     if (progressListener != null) {
                         progressListener.onComplete();
                     }

mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java

@@ -23,12 +23,14 @@ public interface MASSecurityConfiguration {
     Uri getHost();
     boolean isPublic();
     boolean trustPublicPki();
+    boolean allowSSLPinning();
     List<Certificate> getCertificates();
     List<String> getPublicKeyHashes();
 
     class Builder {
 
         private boolean isPublic;
+        private boolean allowSSLPinning = true;
         private boolean trustPublicPKI;
 
         private List<Certificate> certificates;
@@ -56,6 +58,16 @@ public Builder trustPublicPKI(boolean trust) {
             return this;
         }
 
+        /**
+         * Determines whether or not to enable ssl pinning to primary gateway.
+         * @param sslPinning to include or not
+         * @return the builder object
+         */
+        public Builder allowSSLPinning(boolean sslPinning) {
+            this.allowSSLPinning = sslPinning;
+            return this;
+        }
+
         /**
          * The URI of the designated host.
          * @param host URI for the host
@@ -104,7 +116,7 @@ public MASSecurityConfiguration build() {
             }
 
             // If trustPublicPKI is false and no pinning information is found, throw an exception.
-            if (!trustPublicPKI && publicKeyHashes == null && certificates == null) {
+            if (allowSSLPinning && !trustPublicPKI && publicKeyHashes == null && certificates == null) {
                 throw new IllegalArgumentException("Missing pinning type, cannot establish SSL.");
             }
 
@@ -133,7 +145,12 @@ public List<String> getPublicKeyHashes() {
                 public boolean trustPublicPki() {
                     return trustPublicPKI;
                 }
+
+                @Override
+                public boolean allowSSLPinning() {
+                    return allowSSLPinning;
+                }
             };
         }
     }
-}
+}