From d9fe9374dfc01be7603fb4f2c4d2d438c1f76373 Mon Sep 17 00:00:00 2001
From: Andreas Schildbach
Date: Wed, 23 Nov 2016 20:11:41 +0100
Subject: [PATCH] HttpClient: Allow certificate pinning.
---
 .../de/schildbach/pte/util/HttpClient.java | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/enabler/src/de/schildbach/pte/util/HttpClient.java b/enabler/src/de/schildbach/pte/util/HttpClient.java
index 693bcffb..841b2235 100644
--- a/enabler/src/de/schildbach/pte/util/HttpClient.java
+++ b/enabler/src/de/schildbach/pte/util/HttpClient.java
@@ -46,6 +46,7 @@ import de.schildbach.pte.exception.SessionExpiredException;
 import de.schildbach.pte.exception.UnexpectedRedirectException;
 import okhttp3.Call;
+import okhttp3.CertificatePinner;
 import okhttp3.Cookie;
 import okhttp3.Headers;
 import okhttp3.HttpUrl;
@@ -68,6 +69,8 @@ public final class HttpClient {
 private String sessionCookieName = null;
 @Nullable
 private Cookie sessionCookie = null;
+ @Nullable
+ private CertificatePinner certificatePinner = null;
 private boolean sslAcceptAllHostnames = false;
 private static final OkHttpClient OKHTTP_CLIENT;
@@ -108,6 +111,10 @@ public final class HttpClient {
 this.sessionCookieName = sessionCookieName;
 }
+ public void setCertificatePin(final String host, final String... hashes) {
+ this.certificatePinner = new CertificatePinner.Builder().add(host, hashes).build();
+ }
+
 public void setSslAcceptAllHostnames(final boolean sslAcceptAllHostnames) {
 this.sslAcceptAllHostnames = sslAcceptAllHostnames;
 }
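Review bot: `setCertificatePin` assigns a freshly built `CertificatePinner` on every call, so pinning a second host silently drops the pins configured for the first. A call with no hashes also leaves a non-null pinner that pins nothing, which looks like protection but is not. A guard such as `if (hashes.length == 0) throw new IllegalArgumentException("no pins given for " + host);` would make that misuse visible. The method also needs a Javadoc stating the expected pin format (OkHttp takes `sha256/<base64>` strings) and that each call replaces any earlier pin set; if several hosts must be pinned, the class should keep one `CertificatePinner.Builder` and add to it instead.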
@@ -175,10 +182,16 @@ public final class HttpClient {
 request.header("Cookie", sessionCookie.toString());
 final OkHttpClient okHttpClient;
- if (sslAcceptAllHostnames)
- okHttpClient = OKHTTP_CLIENT.newBuilder().hostnameVerifier(SSL_ACCEPT_ALL_HOSTNAMES).build();
- else
+ if (certificatePinner != null || sslAcceptAllHostnames) {
+ final OkHttpClient.Builder builder = OKHTTP_CLIENT.newBuilder();
+ if (certificatePinner != null)
+ builder.certificatePinner(certificatePinner);
+ if (sslAcceptAllHostnames)
+ builder.hostnameVerifier(SSL_ACCEPT_ALL_HOSTNAMES);
+ okHttpClient = builder.build();
+ } else {
 okHttpClient = OKHTTP_CLIENT;
+ }
 final Call call = okHttpClient.newCall(request.build());
 Response response = null;
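Review bot: Nothing at the `builder.certificatePinner(certificatePinner)` call says which requests the pin actually covers. OkHttp consults a pinner only for host names that have a pin entry, so a request this client sends to any other host (a redirect target, for instance) is validated against the default trust store alone. When `sslAcceptAllHostnames` is also set, the pin is the only thing still tying the host name to the certificate. I would record both above the `if`, e.g. `// Pins apply per host name; unpinned hosts get normal chain validation only.` and `// With hostname verification off, the pin is the sole host-to-certificate binding.` The enclosing method starts and ends outside this hunk, so how a pin mismatch is reported to callers cannot be judged from here.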