react-native-security-suite 0.9.21 → 1.0.0-rc.1

package/android/src/main/java/com/securitysuite/Sslpinning.java

@@ -31,8 +31,6 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
-import javax.crypto.SecretKey;
-
 import okhttp3.CertificatePinner;
 import okhttp3.Headers;
 import okhttp3.MediaType;
@@ -45,10 +43,10 @@ import okhttp3.Response;
 import okio.Buffer;
 
 public class Sslpinning {
-  private ReactApplicationContext context;
+  private final ReactApplicationContext context;
   private static String hostname = "";
-  private static String content_type = "application/json; charset=utf-8";
-  public static MediaType mediaType = MediaType.parse(content_type);
+  private static final String CONTENT_TYPE = "application/json; charset=utf-8";
+  public static final MediaType mediaType = MediaType.parse(CONTENT_TYPE);
   String responseBodyString = "{}";
   Callback callback;
 
@@ -56,22 +54,34 @@ public class Sslpinning {
     this.context = context;
   }
 
-  public void fetch(String url, final ReadableMap options, SecretKey sharedKey, Callback callback) {
+  public void fetch(String url, final ReadableMap options, Callback callback) {
     this.callback = callback;
 
-    if (!isValidUrl(url)) {
-      callback.invoke(null, "url is invalid!");
+    if (!CryptoUtils.isHttpsUrl(url)) {
+      callback.invoke(null, "Only HTTPS URLs are allowed");
+      return;
+    }
+
+    PinningConfig pinningConfig = PinningConfig.fromOptions(options);
+    if (pinningConfig.hasError()) {
+      callback.invoke(null, pinningConfig.getError());
       return;
     }
 
     try {
       this.hostname = getHostname(url);
     } catch (URISyntaxException e) {
-      this.hostname = url;
+      callback.invoke(null, "Invalid URL hostname");
+      return;
+    }
+
+    if (pinningConfig.isEnabled() && !isValidDomain(this.hostname, options)) {
+      callback.invoke(null, "Hostname '" + this.hostname + "' is not in validDomains");
+      return;
     }
 
     try {
-      OkHttpClient client = getClient(options);
+      OkHttpClient client = getClient(options, pinningConfig);
 
       Headers header = setHeader(options);
       String method = getMethod(options);
@@ -82,34 +92,68 @@ public class Sslpinning {
         return;
       }
 
-      // JWS handler
       String jwsHeader = "";
-      if (options.hasKey("keyId") && options.hasKey("requestId")) {
-        String keyId = options.getString("keyId");
-        String requestId = options.getString("requestId");
+      String jwsHeaderName = "X-Request-Signature";
+      if (options.hasKey("jws") && options.getMap("jws") != null) {
+        ReadableMap jwsOptions = options.getMap("jws");
+        if (jwsOptions == null || !jwsOptions.hasKey("secret")) {
+          callback.invoke(null, "JWS secret is required and must be a non-empty string");
+          return;
+        }
+        String secret = jwsOptions.getString("secret");
+        if (secret == null || secret.trim().isEmpty()) {
+          callback.invoke(null, "JWS secret is required and must be a non-empty string");
+          return;
+        }
 
-        byte[] payload = new byte[0];
-        if (requestBody != null) {
-          Buffer buffer = new Buffer();
-          try {
-            requestBody.writeTo(buffer);
-            payload = buffer.readByteArray();
-          } catch (IOException e) {
-            e.printStackTrace();
-          }
+        if (jwsOptions.hasKey("headerName") && jwsOptions.getString("headerName") != null) {
+          jwsHeaderName = jwsOptions.getString("headerName");
         }
 
+        byte[] requestBodyBytes = extractPayload(requestBody);
+        String payloadString = JwsFetchPayload.build(url, method, requestBodyBytes, jwsOptions);
+        boolean detached = jwsOptions.hasKey("detached") && jwsOptions.getBoolean("detached");
+        String algorithm = jwsOptions.hasKey("algorithm") ? jwsOptions.getString("algorithm") : null;
+        ReadableMap headers = jwsOptions.hasKey("headers") ? jwsOptions.getMap("headers") : null;
+
         JWSGenerator jwsGenerator = new JWSGenerator();
-        jwsHeader = jwsGenerator.jwsHeader(payload, keyId, requestId, sharedKey);
+        jwsHeader = jwsGenerator.generate(
+            payloadString,
+            secret,
+            algorithm,
+            headers,
+            detached
+        );
+      } else if (options.hasKey("keyId") && options.hasKey("requestId")) {
+        if (!options.hasKey("secret")) {
+          callback.invoke(null, "JWS secret is required. Pass options.jws.secret or options.secret for legacy signing.");
+          return;
+        }
+        String secret = options.getString("secret");
+        if (secret == null || secret.trim().isEmpty()) {
+          callback.invoke(null, "JWS secret is required and must be a non-empty string");
+          return;
+        }
+        String keyId = options.getString("keyId");
+        String requestId = options.getString("requestId");
+        byte[] payload = extractPayload(requestBody);
+        JWSGenerator jwsGenerator = new JWSGenerator();
+        jwsHeader = jwsGenerator.jwsHeader(payload, keyId, requestId, secret);
+        jwsHeaderName = "X-JWS-Signature";
       }
 
-      Request request = new Request.Builder()
+      Request.Builder requestBuilder = new Request.Builder()
           .url(url)
-          .headers(header)
-          .addHeader("X-JWS-Signature", jwsHeader)
-          .method(method, requestBody)
-          .build();
+          .method(method, requestBody);
 
+      if (header != null) {
+        requestBuilder.headers(header);
+      }
+      if (!jwsHeader.isEmpty()) {
+        requestBuilder.addHeader(jwsHeaderName, jwsHeader);
+      }
+
+      Request request = requestBuilder.build();
       WritableMap output = Arguments.createMap();
 
       try {
@@ -122,7 +166,6 @@ public class Sslpinning {
         output.putInt("status", responseCode);
         output.putString("url", request.url().toString());
 
-        // response time
         long tx = response.sentRequestAtMillis();
         long rx = response.receivedResponseAtMillis();
         output.putString("duration", (rx - tx) + "ms");
@@ -135,37 +178,48 @@ public class Sslpinning {
         output.putString("response", responseBodyString);
         callback.invoke(output, null);
       } catch (IOException e) {
-        output.putString("error", responseBodyString);
-
+        output.putString("error", e.getMessage() != null ? e.getMessage() : responseBodyString);
         callback.invoke(null, output);
-        if (e instanceof SocketTimeoutException) {
-          System.err.print("Socket TimeOut");
-        } else {
+        if (!(e instanceof SocketTimeoutException)) {
           e.printStackTrace();
         }
       }
-    } catch (JSONException e) {
-      callback.invoke(null, e);
+    } catch (Exception e) {
+      callback.invoke(null, e.getMessage() != null ? e.getMessage() : "Request failed");
+    }
+  }
+
+  private byte[] extractPayload(RequestBody requestBody) throws IOException {
+    if (requestBody == null) {
+      return new byte[0];
     }
+    Buffer buffer = new Buffer();
+    requestBody.writeTo(buffer);
+    return buffer.readByteArray();
   }
 
   private CertificatePinner getCertificatePinner(ReadableMap options) {
     CertificatePinner.Builder certificatePinner = new CertificatePinner.Builder();
-
     ReadableArray hashes = options.getArray("certificates");
+
     for (int i = 0; i < hashes.size(); i++) {
-      certificatePinner.add(this.hostname, "sha256/" + hashes.getString(i).replaceAll("sha256/", ""));
+      String pin = CryptoUtils.normalizePinHash(hashes.getString(i));
+      if (pin.isEmpty()) {
+        throw new IllegalArgumentException("Invalid certificate/public key pin at index " + i);
+      }
+      // OkHttp CertificatePinner pins SPKI SHA-256 hashes (public key pinning).
+      certificatePinner.add(this.hostname, "sha256/" + pin);
     }
 
     return certificatePinner.build();
   }
 
-  private OkHttpClient getClient(ReadableMap options) throws JSONException {
+  private OkHttpClient getClient(ReadableMap options, PinningConfig pinningConfig) {
     OkHttpClient.Builder builder = new OkHttpClient.Builder();
 
-    if (options.hasKey("certificates")) {
-      CertificatePinner certificatePinner = getCertificatePinner(options);
-      builder.certificatePinner(certificatePinner);
+    // Fail-closed: once pinning is configured, OkHttp enforces pins with no system-trust fallback.
+    if (pinningConfig.isEnabled()) {
+      builder.certificatePinner(getCertificatePinner(options));
     }
 
     if (options.hasKey("timeout")) {
@@ -175,25 +229,34 @@ public class Sslpinning {
           .writeTimeout(timeout, TimeUnit.MILLISECONDS);
     }
 
-    if (options.hasKey("loggerIsEnabled") && options.getBoolean("loggerIsEnabled")) {
-      builder.addInterceptor(new ChuckerInterceptor.Builder(context).build());
+    // Hard-gate network logging to debug builds only.
+    if (options.hasKey("loggerIsEnabled")
+        && options.getBoolean("loggerIsEnabled")
+        && BuildConfig.DEBUG) {
+      ChuckerInterceptor.Builder chuckerBuilder = new ChuckerInterceptor.Builder(context);
+      for (String header : HeaderSanitizer.SENSITIVE_HEADERS) {
+        chuckerBuilder.redactHeader(header);
+      }
+      builder.addInterceptor(chuckerBuilder.build());
     }
 
     return builder.build();
   }
 
   private static String getHostname(String url) throws URISyntaxException {
-    URI uri = new URI(url);
+    URI uri = new URI(url.trim());
     String domain = uri.getHost();
+    if (domain == null) {
+      throw new URISyntaxException(url, "Missing host");
+    }
     return domain.startsWith("www.") ? domain.substring(4) : domain;
   }
 
   private String getMethod(ReadableMap options) {
     String method = "GET";
-    if (options.hasKey("method")) {
-      method = options.getString("method");
+    if (options.hasKey("method") && options.getString("method") != null) {
+      method = options.getString("method").toUpperCase();
     }
-
     return method;
   }
 
@@ -204,38 +267,26 @@ public class Sslpinning {
 
     ReadableMap headers = options.getMap("headers");
     Headers.Builder builder = new Headers.Builder();
-
     Map<String, String> headersMap = readableMapToHashMap(headers);
     for (Map.Entry<String, String> set : headersMap.entrySet()) {
       builder.add(set.getKey(), set.getValue());
     }
-
     return builder.build();
   }
 
-  private HashMap readableMapToHashMap(ReadableMap readableMap) {
+  private HashMap<String, String> readableMapToHashMap(ReadableMap readableMap) {
+    HashMap<String, String> map = new HashMap<>();
     if (readableMap == null) {
-      return null;
+      return map;
     }
 
-    HashMap map = new HashMap<String, String>();
     ReadableMapKeySetIterator keySetIterator = readableMap.keySetIterator();
     while (keySetIterator.hasNextKey()) {
       String key = keySetIterator.nextKey();
-      ReadableType type = readableMap.getType(key);
-      switch (type) {
-        case String:
-          map.put(key, readableMap.getString(key));
-          break;
-        case Map:
-          HashMap<String, Object> attributes = this.readableMapToHashMap(readableMap.getMap(key));
-          map.put(key, attributes);
-          break;
-        default:
-          // do nothing
+      if (readableMap.getType(key) == ReadableType.String) {
+        map.put(key, readableMap.getString(key));
       }
     }
-
     return map;
   }
 
@@ -248,36 +299,31 @@ public class Sslpinning {
   }
 
   private RequestBody setBody(ReadableMap options) {
-    RequestBody body = null;
-
     if (!options.hasKey("body")) {
-      return body;
+      return null;
     }
 
     ReadableType bodyType = options.getType("body");
     switch (bodyType) {
       case String:
-        body = RequestBody.create(mediaType, options.getString("body"));
-        break;
+        return RequestBody.create(mediaType, options.getString("body"));
       case Map:
         ReadableMap bodyMap = options.getMap("body");
         if (bodyMap.hasKey("formData")) {
-          ReadableMap formData = bodyMap.getMap("formData");
-          body = getBody(formData);
+          return getBody(bodyMap.getMap("formData"));
         } else if (bodyMap.hasKey("_parts")) {
-          body = getBody(bodyMap);
+          return getBody(bodyMap);
         } else {
-          body = RequestBody.create(mediaType, bodyMap.toString());
+          return RequestBody.create(mediaType, bodyMap.toString());
         }
-        break;
+      default:
+        return null;
     }
-
-    return body;
   }
 
   private RequestBody getBody(ReadableMap body) {
-    MultipartBody.Builder multipartBodyBuilder = new MultipartBody.Builder().setType(MultipartBody.FORM);
-    multipartBodyBuilder.setType((MediaType.parse("multipart/form-data")));
+    MultipartBody.Builder multipartBodyBuilder = new MultipartBody.Builder()
+        .setType(MultipartBody.FORM);
     if (body.hasKey("_parts")) {
       ReadableArray parts = body.getArray("_parts");
       for (int i = 0; i < parts.size(); i++) {
@@ -293,53 +339,120 @@ public class Sslpinning {
           ReadableMap fileData = part.getMap(1);
           addFormDataPart(this.context, multipartBodyBuilder, fileData, key);
         } else {
-          String value = part.getString(1);
-          multipartBodyBuilder.addFormDataPart(key, value);
+          multipartBodyBuilder.addFormDataPart(key, part.getString(1));
         }
       }
     }
     return multipartBodyBuilder.build();
   }
 
-  private static void addFormDataPart(Context context, MultipartBody.Builder multipartBodyBuilder, ReadableMap fileData,
-      String key) {
-    Uri _uri = Uri.parse("");
+  private static void addFormDataPart(
+      Context context,
+      MultipartBody.Builder multipartBodyBuilder,
+      ReadableMap fileData,
+      String key
+  ) {
+    Uri uri = Uri.parse("");
     if (fileData.hasKey("uri")) {
-      _uri = Uri.parse(fileData.getString("uri"));
+      uri = Uri.parse(fileData.getString("uri"));
     } else if (fileData.hasKey("path")) {
-      _uri = Uri.parse(fileData.getString("path"));
+      uri = Uri.parse(fileData.getString("path"));
     }
     String type = fileData.getString("type");
-    String fileName = "";
-    if (fileData.hasKey("fileName")) {
-      fileName = fileData.getString("fileName");
-    } else if (fileData.hasKey("name")) {
-      fileName = fileData.getString("name");
-    }
+    String fileName = fileData.hasKey("fileName")
+        ? fileData.getString("fileName")
+        : fileData.getString("name");
 
     try {
-      File file = getTempFile(context, _uri);
+      File file = getTempFile(context, uri);
       multipartBodyBuilder.addFormDataPart(key, fileName, RequestBody.create(MediaType.parse(type), file));
     } catch (IOException e) {
-      e.printStackTrace();
+      throw new IllegalStateException("Failed to read multipart file", e);
     }
   }
 
   public static File getTempFile(Context context, Uri uri) throws IOException {
     File file = File.createTempFile("media", null);
-    InputStream inputStream = context.getContentResolver().openInputStream(uri);
-    OutputStream outputStream = new BufferedOutputStream(new FileOutputStream(file));
-    byte[] buffer = new byte[1024];
-    int len;
-    while ((len = inputStream.read(buffer)) != -1)
-      outputStream.write(buffer, 0, len);
-    inputStream.close();
-    outputStream.close();
+    try (InputStream inputStream = context.getContentResolver().openInputStream(uri);
+         OutputStream outputStream = new BufferedOutputStream(new FileOutputStream(file))) {
+      if (inputStream == null) {
+        throw new IOException("Unable to open URI: " + uri);
+      }
+      byte[] buffer = new byte[1024];
+      int len;
+      while ((len = inputStream.read(buffer)) != -1) {
+        outputStream.write(buffer, 0, len);
+      }
+    }
     return file;
   }
 
-  private boolean isValidUrl(String url) {
-    String regex = "^(https?|ftp|file)://[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]";
-    return url.matches(regex);
+  private boolean isValidDomain(String hostname, ReadableMap options) {
+    ReadableArray domains = options.getArray("validDomains");
+    if (domains == null || domains.size() == 0) {
+      return false;
+    }
+
+    for (int i = 0; i < domains.size(); i++) {
+      String domain = domains.getString(i);
+      if (domain == null || domain.trim().isEmpty()) {
+        continue;
+      }
+      String normalized = domain.trim().toLowerCase();
+      String host = hostname.toLowerCase();
+      if (host.equals(normalized) || host.endsWith("." + normalized)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  static final class PinningConfig {
+    private final boolean enabled;
+    private final String error;
+
+    private PinningConfig(boolean enabled, String error) {
+      this.enabled = enabled;
+      this.error = error;
+    }
+
+    static PinningConfig fromOptions(ReadableMap options) {
+      boolean hasCertificates = options.hasKey("certificates");
+      boolean hasValidDomains = options.hasKey("validDomains");
+
+      if (hasCertificates != hasValidDomains) {
+        return new PinningConfig(
+            false,
+            "SSL pinning requires both 'certificates' (SPKI SHA-256 hashes) and 'validDomains'"
+        );
+      }
+
+      if (!hasCertificates) {
+        return new PinningConfig(false, null);
+      }
+
+      ReadableArray certs = options.getArray("certificates");
+      ReadableArray domains = options.getArray("validDomains");
+      if (certs == null || certs.size() == 0) {
+        return new PinningConfig(false, "At least one certificate/public key pin is required");
+      }
+      if (domains == null || domains.size() == 0) {
+        return new PinningConfig(false, "At least one valid domain is required");
+      }
+
+      return new PinningConfig(true, null);
+    }
+
+    boolean isEnabled() {
+      return enabled;
+    }
+
+    boolean hasError() {
+      return error != null;
+    }
+
+    String getError() {
+      return error;
+    }
   }
 }

package/android/src/main/java/com/securitysuite/security/AppIntegrityChecker.java

@@ -0,0 +1,133 @@
+package com.securitysuite.security;
+
+import android.content.Context;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageInfo;
+import android.content.pm.PackageManager;
+import android.content.pm.Signature;
+import android.os.Build;
+
+import com.facebook.react.bridge.Arguments;
+import com.facebook.react.bridge.WritableMap;
+
+import java.security.MessageDigest;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+/**
+ * Native app integrity checks (Android).
+ */
+public final class AppIntegrityChecker {
+  private static final Set<String> TRUSTED_INSTALLERS = new HashSet<>(Arrays.asList(
+      "com.android.vending",
+      "com.google.android.packageinstaller",
+      "com.android.packageinstaller"
+  ));
+
+  private AppIntegrityChecker() {}
+
+  public static WritableMap verify(Context context) {
+    WritableMap result = Arguments.createMap();
+    PackageManager pm = context.getPackageManager();
+    String packageName = context.getPackageName();
+
+    boolean debuggable = (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
+    String buildType = debuggable ? "debug" : "release";
+    String signingSha256 = getSigningCertificateSha256(pm, packageName);
+    boolean validSignature = signingSha256 != null && !signingSha256.isEmpty();
+
+    String installer = getInstallerPackageName(pm, packageName);
+    boolean installerTrusted = installer == null
+        ? debuggable
+        : TRUSTED_INSTALLERS.contains(installer);
+
+    boolean tampered = !validSignature
+        || (!debuggable && installer != null && !installerTrusted)
+        || hasSuspiciousSplitSource(context.getApplicationInfo());
+
+    result.putBoolean("validSignature", validSignature);
+    result.putBoolean("debuggable", debuggable);
+    result.putBoolean("tampered", tampered);
+    result.putBoolean("installerTrusted", installerTrusted);
+    result.putString("buildType", buildType);
+    if (signingSha256 != null) {
+      result.putString("signingCertificateSha256", signingSha256);
+    }
+    if (installer != null) {
+      result.putString("installerPackage", installer);
+    } else {
+      result.putNull("installerPackage");
+    }
+    result.putString("bundleIdentifier", packageName);
+    return result;
+  }
+
+  private static String getSigningCertificateSha256(PackageManager pm, String packageName) {
+    try {
+      Signature[] signatures;
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+        PackageInfo info = pm.getPackageInfo(
+            packageName,
+            PackageManager.GET_SIGNING_CERTIFICATES
+        );
+        if (info.signingInfo == null) {
+          return null;
+        }
+        signatures = info.signingInfo.hasMultipleSigners()
+            ? info.signingInfo.getApkContentsSigners()
+            : info.signingInfo.getSigningCertificateHistory();
+      } else {
+        @SuppressWarnings("deprecation")
+        PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
+        @SuppressWarnings("deprecation")
+        Signature[] legacySignatures = info.signatures;
+        signatures = legacySignatures;
+      }
+
+      if (signatures == null || signatures.length == 0) {
+        return null;
+      }
+
+      MessageDigest digest = MessageDigest.getInstance("SHA-256");
+      byte[] hash = digest.digest(signatures[0].toByteArray());
+      return bytesToHex(hash).toLowerCase(Locale.US);
+    } catch (Exception ignored) {
+      return null;
+    }
+  }
+
+  private static String getInstallerPackageName(PackageManager pm, String packageName) {
+    try {
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
+        return pm.getInstallSourceInfo(packageName).getInstallingPackageName();
+      }
+      @SuppressWarnings("deprecation")
+      String installer = pm.getInstallerPackageName(packageName);
+      return installer;
+    } catch (Exception ignored) {
+      return null;
+    }
+  }
+
+  private static boolean hasSuspiciousSplitSource(ApplicationInfo info) {
+    if (info.splitSourceDirs == null) {
+      return false;
+    }
+    for (String split : info.splitSourceDirs) {
+      if (split != null && split.toLowerCase(Locale.US).contains("/data/local/tmp")) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  private static String bytesToHex(byte[] bytes) {
+    StringBuilder builder = new StringBuilder(bytes.length * 2);
+    for (byte value : bytes) {
+      builder.append(String.format(Locale.US, "%02x", value));
+    }
+    return builder.toString();
+  }
+}