From 4fac9b14bc4e35fd317bcb75ae5e7f39c22b3c75 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Mon, 26 Nov 2018 13:00:33 +0100
Subject: [PATCH 01/37] Migrate to SDK level 28 and AndroidX

---
 build.gradle                                  | 14 ++++++-------
 gradle.properties                             |  1 +
 .../cert4android/CustomCertManagerTest.kt     | 20 +++++++++----------
 .../bitfire/cert4android/CustomCertService.kt |  2 +-
 .../bitfire/cert4android/NotificationUtils.kt |  2 +-
 .../cert4android/TrustCertificateActivity.kt  |  2 +-
 .../res/layout/activity_trust_certificate.xml |  8 ++++----
 7 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/build.gradle b/build.gradle
index 5dc5fb9..0d6e7ab 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 
 buildscript {
-    ext.kotlin_version = '1.2.71'
+    ext.kotlin_version = '1.3.10'
     ext.dokka_version = '0.9.17'
 
     repositories {
@@ -9,7 +9,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.2.0'
+        classpath 'com.android.tools.build:gradle:3.2.1'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
         classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${dokka_version}"
     }
@@ -39,18 +39,18 @@ android {
     }
 
     defaultConfig {
-        testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
+        testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
     }
 }
 
 dependencies {
     implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
 
-    implementation 'com.android.support:appcompat-v7:28.0.0'
-    implementation 'com.android.support:cardview-v7:28.0.0'
+    implementation 'androidx.appcompat:appcompat:1.0.2'
+    implementation 'androidx.cardview:cardview:1.0.0'
 
-    androidTestImplementation 'com.android.support.test:runner:1.0.2'
-    androidTestImplementation 'com.android.support.test:rules:1.0.2'
+    androidTestImplementation 'androidx.test:runner:1.1.0'
+    androidTestImplementation 'androidx.test:rules:1.1.0'
 
     testImplementation 'junit:junit:4.12'
 }
diff --git a/gradle.properties b/gradle.properties
index 8bd86f6..d9cf55d 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1 +1,2 @@
 org.gradle.jvmargs=-Xmx1536M
+android.useAndroidX=true
diff --git a/src/androidTest/java/at/bitfire/cert4android/CustomCertManagerTest.kt b/src/androidTest/java/at/bitfire/cert4android/CustomCertManagerTest.kt
index 02172de..042439f 100644
--- a/src/androidTest/java/at/bitfire/cert4android/CustomCertManagerTest.kt
+++ b/src/androidTest/java/at/bitfire/cert4android/CustomCertManagerTest.kt
@@ -11,9 +11,8 @@ package at.bitfire.cert4android
 import android.app.Service
 import android.content.Intent
 import android.os.IBinder
-import android.support.test.InstrumentationRegistry.getContext
-import android.support.test.InstrumentationRegistry.getTargetContext
-import android.support.test.rule.ServiceTestRule
+import androidx.test.platform.app.InstrumentationRegistry.getInstrumentation
+import androidx.test.rule.ServiceTestRule
 import org.junit.After
 import org.junit.Assert.assertNotNull
 import org.junit.Assume.assumeNotNull
@@ -70,12 +69,13 @@ class CustomCertManagerTest {
         val binder = bindService(CustomCertService::class.java)
         assertNotNull(binder)
 
-        CustomCertManager.resetCertificates(getContext())
+        val context = getInstrumentation().context
+        CustomCertManager.resetCertificates(context)
 
-        certManager = CustomCertManager(getContext(), false)
+        certManager = CustomCertManager(context, false)
         assertNotNull(certManager)
 
-        paranoidCertManager = CustomCertManager(getContext(), false, false)
+        paranoidCertManager = CustomCertManager(context, false, false)
         assertNotNull(paranoidCertManager)
     }
 
@@ -114,7 +114,7 @@ class CustomCertManagerTest {
 
         // remove certificate and check again
         // should now be rejected for the whole session, i.e. no timeout anymore
-        val intent = Intent(getContext(), CustomCertService::class.java)
+        val intent = Intent(getInstrumentation().context, CustomCertService::class.java)
         intent.action = CustomCertService.CMD_CERTIFICATION_DECISION
         intent.putExtra(CustomCertService.EXTRA_CERTIFICATE, siteCerts!!.first().encoded)
         intent.putExtra(CustomCertService.EXTRA_TRUSTED, false)
@@ -124,7 +124,7 @@ class CustomCertManagerTest {
 
     private fun addCustomCertificate() {
         // add certificate and check again
-        val intent = Intent(getContext(), CustomCertService::class.java)
+        val intent = Intent(getInstrumentation().context, CustomCertService::class.java)
         intent.action = CustomCertService.CMD_CERTIFICATION_DECISION
         intent.putExtra(CustomCertService.EXTRA_CERTIFICATE, siteCerts!!.first().encoded)
         intent.putExtra(CustomCertService.EXTRA_TRUSTED, true)
@@ -133,10 +133,10 @@ class CustomCertManagerTest {
 
 
     private fun bindService(clazz: Class<out Service>): IBinder {
-        var binder = serviceTestRule.bindService(Intent(getTargetContext(), clazz))
+        var binder = serviceTestRule.bindService(Intent(getInstrumentation().targetContext, clazz))
         var it = 0
         while (binder == null && it++ <100) {
-            binder = serviceTestRule.bindService(Intent(getTargetContext(), clazz))
+            binder = serviceTestRule.bindService(Intent(getInstrumentation().targetContext, clazz))
             System.err.println("Waiting for ServiceTestRule.bindService")
             Thread.sleep(50)
         }
diff --git a/src/main/java/at/bitfire/cert4android/CustomCertService.kt b/src/main/java/at/bitfire/cert4android/CustomCertService.kt
index 61aee67..f07e020 100644
--- a/src/main/java/at/bitfire/cert4android/CustomCertService.kt
+++ b/src/main/java/at/bitfire/cert4android/CustomCertService.kt
@@ -12,8 +12,8 @@ import android.app.PendingIntent
 import android.app.Service
 import android.content.Context
 import android.content.Intent
-import android.support.v4.app.NotificationCompat
 import android.widget.Toast
+import androidx.core.app.NotificationCompat
 import java.io.ByteArrayInputStream
 import java.io.File
 import java.io.FileInputStream
diff --git a/src/main/java/at/bitfire/cert4android/NotificationUtils.kt b/src/main/java/at/bitfire/cert4android/NotificationUtils.kt
index d0371f9..2f32f01 100644
--- a/src/main/java/at/bitfire/cert4android/NotificationUtils.kt
+++ b/src/main/java/at/bitfire/cert4android/NotificationUtils.kt
@@ -12,7 +12,7 @@ import android.app.NotificationChannel
 import android.app.NotificationManager
 import android.content.Context
 import android.os.Build
-import android.support.v4.app.NotificationManagerCompat
+import androidx.core.app.NotificationManagerCompat
 
 object NotificationUtils {
 
diff --git a/src/main/java/at/bitfire/cert4android/TrustCertificateActivity.kt b/src/main/java/at/bitfire/cert4android/TrustCertificateActivity.kt
index cec7b42..5b2693e 100644
--- a/src/main/java/at/bitfire/cert4android/TrustCertificateActivity.kt
+++ b/src/main/java/at/bitfire/cert4android/TrustCertificateActivity.kt
@@ -10,11 +10,11 @@ package at.bitfire.cert4android
 
 import android.content.Intent
 import android.os.Bundle
-import android.support.v7.app.AppCompatActivity
 import android.view.View
 import android.widget.Button
 import android.widget.CheckBox
 import android.widget.TextView
+import androidx.appcompat.app.AppCompatActivity
 import java.io.ByteArrayInputStream
 import java.security.MessageDigest
 import java.security.cert.CertificateFactory
diff --git a/src/main/res/layout/activity_trust_certificate.xml b/src/main/res/layout/activity_trust_certificate.xml
index e49d290..f978e3c 100644
--- a/src/main/res/layout/activity_trust_certificate.xml
+++ b/src/main/res/layout/activity_trust_certificate.xml
@@ -18,7 +18,7 @@
             android:text="@string/trust_certificate_unknown_certificate_found"
             android:textAppearance="?android:attr/textAppearanceMedium"/>
 
-        <android.support.v7.widget.CardView
+        <androidx.cardview.widget.CardView
             android:layout_width="match_parent"
             android:layout_height="wrap_content"
             app:cardElevation="8dp">
@@ -97,7 +97,7 @@
                     android:layout_marginBottom="8dp"
                     android:text="@string/trust_certificate_fingerprint_verified"/>
 
-                <android.support.v7.widget.ButtonBarLayout
+                <androidx.appcompat.widget.ButtonBarLayout
                     android:layout_width="match_parent"
                     android:layout_height="wrap_content">
 
@@ -118,11 +118,11 @@
                         android:text="@string/trust_certificate_reject"
                         android:onClick="rejectCertificate"/>
 
-                </android.support.v7.widget.ButtonBarLayout>
+                </androidx.appcompat.widget.ButtonBarLayout>
 
             </LinearLayout>
 
-        </android.support.v7.widget.CardView>
+        </androidx.cardview.widget.CardView>
 
         <TextView
             android:layout_width="match_parent"
-- 
GitLab


From 8a9b0acd4bbfb6240d4bf625afab214655fb7a8e Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Fri, 30 Nov 2018 12:48:10 +0100
Subject: [PATCH 02/37] Don't do emulator checks (because we can only use
 shared runners at the moment); minor lint

---
 .gitlab-ci.yml                                       |  5 +++--
 .../at/bitfire/cert4android/CustomCertManager.kt     | 12 +++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 809a32a..7f79ead 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,9 @@ cache:
 
 test:
   script:
-    - (cd /sdk/emulator; ./emulator @test -no-audio -no-window & wait-for-emulator.sh)
-    - ./gradlew check connectedCheck
+#   - (cd /sdk/emulator; ./emulator @test -no-audio -no-window & wait-for-emulator.sh)
+#   - ./gradlew check connectedCheck
+    - ./gradlew check
   artifacts:
     paths:
       - build/outputs/lint-results-debug.html
diff --git a/src/main/java/at/bitfire/cert4android/CustomCertManager.kt b/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
index 380d504..a6830db 100644
--- a/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
+++ b/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
@@ -62,7 +62,7 @@ class CustomCertManager @JvmOverloads constructor(
     }
 
     var service: ICustomCertService? = null
-    private var serviceConnection: ServiceConnection?
+    private var serviceConn: ServiceConnection? = null
     private var serviceLock = Object()
 
     /** system-default trust store */
@@ -75,7 +75,7 @@ class CustomCertManager @JvmOverloads constructor(
 
 
     init {
-        serviceConnection = object: ServiceConnection {
+        val newServiceConn = object: ServiceConnection {
             override fun onServiceConnected(className: ComponentName, binder: IBinder) {
                 Constants.log.fine("Connected to service")
                 synchronized(serviceLock) {
@@ -96,7 +96,9 @@ class CustomCertManager @JvmOverloads constructor(
             throw IllegalStateException("must not be run on main thread")
 
         Constants.log.fine("Binding to service")
-        if (context.bindService(Intent(context, CustomCertService::class.java), serviceConnection, Context.BIND_AUTO_CREATE)) {
+        if (context.bindService(Intent(context, CustomCertService::class.java), newServiceConn, Context.BIND_AUTO_CREATE)) {
+            serviceConn = newServiceConn
+
             Constants.log.fine("Waiting for service to be bound")
             synchronized(serviceLock) {
                 while (service == null)
@@ -110,10 +112,10 @@ class CustomCertManager @JvmOverloads constructor(
     }
 
     override fun close() {
-        serviceConnection?.let {
+        serviceConn?.let {
             try {
                 context.unbindService(it)
-                serviceConnection = null
+                serviceConn = null
             } catch (e: Exception) {
                 Constants.log.log(Level.WARNING, "Couldn't unbind CustomCertService", e)
             }
-- 
GitLab


From 960d33c71956e96decb9699b589427989e501f51 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Mon, 3 Dec 2018 11:18:12 +0100
Subject: [PATCH 03/37] Fetch translations from Transifex

---
 src/main/res/values-sr/strings.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/res/values-sr/strings.xml b/src/main/res/values-sr/strings.xml
index d79c291..c931a8f 100644
--- a/src/main/res/values-sr/strings.xml
+++ b/src/main/res/values-sr/strings.xml
@@ -4,6 +4,8 @@
     <string name="certificate_notification_connection_security">Безбедност везе</string>
     <string name="certificate_notification_user_interaction">Прегледајте сертификат</string>
 
+    <string name="service_rejected_temporarily">Сертификат привремено одбијен</string>
+
     <string name="trust_certificate_unknown_certificate_found">серт-за-Андроид је наишао на непознат сертификат. Желите ли да се поуздате у њега?</string>
     <string name="trust_certificate_x509_certificate_details">Детаљи X509 сертификата</string>
     <string name="trust_certificate_issued_for">Издат за</string>
-- 
GitLab


From 75dafa4397aacd98efda846818ad3c23367bcf05 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sun, 6 Jan 2019 18:13:45 +0100
Subject: [PATCH 04/37] Update gradle, Kotlin

---
 build.gradle                             | 6 +++---
 gradle/wrapper/gradle-wrapper.properties | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index 0d6e7ab..7ea47ae 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 
 buildscript {
-    ext.kotlin_version = '1.3.10'
+    ext.kotlin_version = '1.3.11'
     ext.dokka_version = '0.9.17'
 
     repositories {
@@ -49,8 +49,8 @@ dependencies {
     implementation 'androidx.appcompat:appcompat:1.0.2'
     implementation 'androidx.cardview:cardview:1.0.0'
 
-    androidTestImplementation 'androidx.test:runner:1.1.0'
-    androidTestImplementation 'androidx.test:rules:1.1.0'
+    androidTestImplementation 'androidx.test:runner:1.1.1'
+    androidTestImplementation 'androidx.test:rules:1.1.1'
 
     testImplementation 'junit:junit:4.12'
 }
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 5801d8e..a547d65 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -3,4 +3,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-4.8-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-5.1-all.zip
-- 
GitLab


From dce08592cb6c9431002f9e3727965793e386b8e6 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sun, 6 Jan 2019 18:43:40 +0100
Subject: [PATCH 05/37] Fix CI

---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7f79ead..7031330 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,4 @@
-image: registry.gitlab.com/bitfireat/davdroid:latest
+image: registry.gitlab.com/bitfireat/davx5-ose:latest
 
 before_script:
   - export GRADLE_USER_HOME=`pwd`/.gradle; chmod +x gradlew
-- 
GitLab


From 0ba3ff0271b2d6afb897859281a78d211513e5e4 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Fri, 18 Jan 2019 09:51:29 +0100
Subject: [PATCH 06/37] Fetch translations from Transifex

---
 src/main/res/values-fa/strings.xml     |  4 ++++
 src/main/res/values-gl/strings.xml     | 21 +++++++++++++++++++++
 src/main/res/values-sl-rSI/strings.xml |  4 ++++
 3 files changed, 29 insertions(+)
 create mode 100644 src/main/res/values-fa/strings.xml
 create mode 100644 src/main/res/values-gl/strings.xml
 create mode 100644 src/main/res/values-sl-rSI/strings.xml

diff --git a/src/main/res/values-fa/strings.xml b/src/main/res/values-fa/strings.xml
new file mode 100644
index 0000000..583641d
--- /dev/null
+++ b/src/main/res/values-fa/strings.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    </resources>
\ No newline at end of file
diff --git a/src/main/res/values-gl/strings.xml b/src/main/res/values-gl/strings.xml
new file mode 100644
index 0000000..c2dabb2
--- /dev/null
+++ b/src/main/res/values-gl/strings.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    <string name="certificate_notification_connection_security">Seguridade da conexión</string>
+    <string name="certificate_notification_user_interaction">Por favor revise o certificado</string>
+
+    <string name="service_rejected_temporarily">Certificado temporalmente rexeitado</string>
+
+    <string name="trust_certificate_unknown_certificate_found">cert4android atopou un certificado descoñecido. Quere confiar nel?</string>
+    <string name="trust_certificate_x509_certificate_details">Detalles do certificado X509</string>
+    <string name="trust_certificate_issued_for">Proporcionado para</string>
+    <string name="trust_certificate_issued_by">Proporcionado por</string>
+    <string name="trust_certificate_validity_period">Válido por </string>
+    <string name="trust_certificate_validity_period_value">%1$s – %2$s (non será imposto)</string>
+    <string name="trust_certificate_fingerprints">Pegadas dixitais</string>
+    <string name="trust_certificate_fingerprint_verified">Verifiquei manualmente toda a pegada dixital.</string>
+    <string name="trust_certificate_accept">Aceptar</string>
+    <string name="trust_certificate_reject">Rexeitar</string>
+    <string name="trust_certificate_reset_info">Pode restablecer os certificados personalizados nos axustes da app.</string>
+
+</resources>
\ No newline at end of file
diff --git a/src/main/res/values-sl-rSI/strings.xml b/src/main/res/values-sl-rSI/strings.xml
new file mode 100644
index 0000000..583641d
--- /dev/null
+++ b/src/main/res/values-sl-rSI/strings.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    </resources>
\ No newline at end of file
-- 
GitLab


From 99e61963607a0566eb49561d8d7a8074a7bc7cee Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Tue, 29 Jan 2019 19:59:39 +0100
Subject: [PATCH 07/37] Update gradle, Kotlin

---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 7ea47ae..54a637c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 
 buildscript {
-    ext.kotlin_version = '1.3.11'
+    ext.kotlin_version = '1.3.20'
     ext.dokka_version = '0.9.17'
 
     repositories {
@@ -9,7 +9,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.2.1'
+        classpath 'com.android.tools.build:gradle:3.3.0'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
         classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${dokka_version}"
     }
-- 
GitLab


From 1f797b70ccaa2df0f3ed589f90e89be7d26e3ec4 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Wed, 6 Feb 2019 16:38:43 +0100
Subject: [PATCH 08/37] Fetch translations from Transifex

---
 src/main/res/values-el/strings.xml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 src/main/res/values-el/strings.xml

diff --git a/src/main/res/values-el/strings.xml b/src/main/res/values-el/strings.xml
new file mode 100644
index 0000000..28f051f
--- /dev/null
+++ b/src/main/res/values-el/strings.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    <string name="certificate_notification_connection_security">Ασφάλεια σύνδεσης</string>
+    <string name="certificate_notification_user_interaction">Παρακαλώ ελέγξτε το πιστοποιητικό</string>
+
+    <string name="service_rejected_temporarily">Το πιστοποιητικό απορρίφθηκε προσωρινά</string>
+
+    <string name="trust_certificate_unknown_certificate_found">Το cert4android εντόπισε ένα άγνωστο πιστοποιητικό. Θέλετε να το εμπιστεύεστε;</string>
+    <string name="trust_certificate_x509_certificate_details">Λεπτομέρειες πιστοποιητικού X509</string>
+    <string name="trust_certificate_issued_for">Εκδόθηκε για</string>
+    <string name="trust_certificate_issued_by">Εκδόθηκε από</string>
+    <string name="trust_certificate_validity_period">Περίοδος ισχύος</string>
+    <string name="trust_certificate_validity_period_value">%1$s – %2$s (δεν θα εφαρμοστεί)</string>
+    <string name="trust_certificate_fingerprints">Αποτυπώματα</string>
+    <string name="trust_certificate_fingerprint_verified">Έχω πιστοποιήσει χειροκίνητα το δακτυλικό αποτύπωμα.</string>
+    <string name="trust_certificate_accept">Αποδοχή</string>
+    <string name="trust_certificate_reject">Απόρριψη</string>
+    <string name="trust_certificate_reset_info">Μπορείτε να επαναφέρετε όλα τα προσαρμοσμένα πιστοποιητικά στις ρυθμίσεις της εφαρμογής.</string>
+
+</resources>
\ No newline at end of file
-- 
GitLab


From fa58cc80d7e8262b67223178b81b5a08680e34a0 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Wed, 20 Feb 2019 17:08:09 +0100
Subject: [PATCH 09/37] Add custom socket factory to support client
 certificates and more ciphers on Android >= 4.4 <6

---
 .../cert4android/CertTlsSocketFactory.kt      | 168 ++++++++++++++++++
 .../bitfire/cert4android/CustomCertManager.kt |  10 +-
 2 files changed, 173 insertions(+), 5 deletions(-)
 create mode 100644 src/main/java/at/bitfire/cert4android/CertTlsSocketFactory.kt

diff --git a/src/main/java/at/bitfire/cert4android/CertTlsSocketFactory.kt b/src/main/java/at/bitfire/cert4android/CertTlsSocketFactory.kt
new file mode 100644
index 0000000..9a860ef
--- /dev/null
+++ b/src/main/java/at/bitfire/cert4android/CertTlsSocketFactory.kt
@@ -0,0 +1,168 @@
+/*
+ * Copyright © Ricki Hirner (bitfire web engineering).
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the GNU Public License v3.0
+ * which accompanies this distribution, and is available at
+ * http://www.gnu.org/licenses/gpl.html
+ */
+
+package at.bitfire.cert4android
+
+import android.os.Build
+import android.util.Log
+import java.io.IOException
+import java.net.InetAddress
+import java.net.Socket
+import java.security.GeneralSecurityException
+import java.util.*
+import javax.net.ssl.*
+
+/**
+ * Custom TLS socket factory with support for
+ *   - enabling/disabling algorithms depending on the Android version,
+ *   - client certificate authentication
+ *
+ * @param keyManager     a key manager which provides client certificates, or null
+ * @param trustManager   trust manager to use (most likely a [CustomCertManager] instance)
+ */
+class CertTlsSocketFactory(
+        keyManager: KeyManager?,
+        trustManager: X509TrustManager
+): SSLSocketFactory() {
+
+    private var delegate: SSLSocketFactory
+
+    companion object {
+        // Android 5.0+ (API level 21) provides reasonable default settings
+        // but it still allows SSLv3
+        // https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
+        var protocols: Array<String>? = null
+        var cipherSuites: Array<String>? = null
+        init {
+            if (Build.VERSION.SDK_INT >= 23) {
+                // Since Android 6.0 (API level 23),
+                // - TLSv1.1 and TLSv1.2 is enabled by default
+                // - SSLv3 is disabled by default
+                // - all modern ciphers are activated by default
+                protocols = null
+                cipherSuites = null
+                Log.d(Constants.TAG, "Using device default TLS protocols/ciphers")
+            } else {
+                (SSLSocketFactory.getDefault().createSocket() as? SSLSocket)?.use { socket ->
+                    try {
+                        /* set reasonable protocol versions */
+                        // - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0)
+                        // - remove all SSL versions (especially SSLv3) because they're insecure now
+                        val whichProtocols = LinkedList<String>()
+                        for (protocol in socket.supportedProtocols.filterNot { it.contains("SSL", true) })
+                            whichProtocols += protocol
+                        Log.i(Constants.TAG, "Enabling (only) these TLS protocols: ${whichProtocols.joinToString(", ")}")
+                        protocols = whichProtocols.toTypedArray()
+
+                        /* set up reasonable cipher suites */
+                        val knownCiphers = arrayOf(
+                                // TLS 1.2
+                                "TLS_RSA_WITH_AES_256_GCM_SHA384",
+                                "TLS_RSA_WITH_AES_128_GCM_SHA256",
+                                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+                                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+                                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+                                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+                                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+                                // maximum interoperability
+                                "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+                                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
+                                "TLS_RSA_WITH_AES_128_CBC_SHA",
+                                // additionally
+                                "TLS_RSA_WITH_AES_256_CBC_SHA",
+                                "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+                                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+                                "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+                                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
+                        )
+                        val availableCiphers = socket.supportedCipherSuites
+                        Log.i(Constants.TAG, "Available cipher suites: ${availableCiphers.joinToString(", ")}")
+
+                        /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus
+                         * disabling ciphers which are enabled by default, but have become unsecure), but for
+                         * the security level of DAVx5 and maximum compatibility, disabling of insecure
+                         * ciphers should be a server-side task */
+
+                        // for the final set of enabled ciphers, take the ciphers enabled by default, ...
+                        val whichCiphers = LinkedList<String>()
+                        whichCiphers.addAll(socket.enabledCipherSuites)
+                        Log.i(Constants.TAG, "Cipher suites enabled by default: ${whichCiphers.joinToString(", ")}")
+                        // ... add explicitly allowed ciphers ...
+                        whichCiphers.addAll(knownCiphers)
+                        // ... and keep only those which are actually available
+                        whichCiphers.retainAll(availableCiphers)
+
+                        Log.i(Constants.TAG, "Enabling (only) these TLS ciphers: " + whichCiphers.joinToString(", "))
+                        cipherSuites = whichCiphers.toTypedArray()
+                    } catch (e: IOException) {
+                        Log.e(Constants.TAG, "Couldn't determine default TLS settings")
+                    }
+                }
+            }
+        }
+    }
+
+
+    init {
+        try {
+            val sslContext = SSLContext.getInstance("TLS")
+            sslContext.init(
+                    if (keyManager != null) arrayOf(keyManager) else null,
+                    arrayOf(trustManager),
+                    null)
+            delegate = sslContext.socketFactory
+        } catch (e: GeneralSecurityException) {
+            throw IllegalStateException()      // system has no TLS
+        }
+    }
+
+    override fun getDefaultCipherSuites(): Array<String>? = cipherSuites ?: delegate.defaultCipherSuites
+    override fun getSupportedCipherSuites(): Array<String>? = cipherSuites ?: delegate.supportedCipherSuites
+
+    override fun createSocket(s: Socket, host: String, port: Int, autoClose: Boolean): Socket {
+        val ssl = delegate.createSocket(s, host, port, autoClose)
+        if (ssl is SSLSocket)
+            upgradeTLS(ssl)
+        return ssl
+    }
+
+    override fun createSocket(host: String, port: Int): Socket {
+        val ssl = delegate.createSocket(host, port)
+        if (ssl is SSLSocket)
+            upgradeTLS(ssl)
+        return ssl
+    }
+
+    override fun createSocket(host: String, port: Int, localHost: InetAddress, localPort: Int): Socket {
+        val ssl = delegate.createSocket(host, port, localHost, localPort)
+        if (ssl is SSLSocket)
+            upgradeTLS(ssl)
+        return ssl
+    }
+
+    override fun createSocket(host: InetAddress, port: Int): Socket {
+        val ssl = delegate.createSocket(host, port)
+        if (ssl is SSLSocket)
+            upgradeTLS(ssl)
+        return ssl
+    }
+
+    override fun createSocket(address: InetAddress, port: Int, localAddress: InetAddress, localPort: Int): Socket {
+        val ssl = delegate.createSocket(address, port, localAddress, localPort)
+        if (ssl is SSLSocket)
+            upgradeTLS(ssl)
+        return ssl
+    }
+
+
+    private fun upgradeTLS(ssl: SSLSocket) {
+        protocols?.let { ssl.enabledProtocols = it }
+        cipherSuites?.let { ssl.enabledCipherSuites = it }
+    }
+
+}
diff --git a/src/main/java/at/bitfire/cert4android/CustomCertManager.kt b/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
index a6830db..dcbc69e 100644
--- a/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
+++ b/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
@@ -34,6 +34,7 @@ import javax.net.ssl.X509TrustManager
  * @param interactive true: users will be notified in case of unknown certificates;
  *                    false: unknown certificates will be rejected (only uses custom certificate key store)
  * @param trustSystemCerts whether system certificates will be trusted
+ * @param appInForeground  Whether to launch [TrustCertificateActivity] directly. The notification will always be shown.
  *
  * @constructor Creates a new instance, using a certain [CustomCertService] messenger (for testing).
  * Must not be run from the main thread because this constructor may request binding to [CustomCertService].
@@ -45,7 +46,10 @@ import javax.net.ssl.X509TrustManager
 class CustomCertManager @JvmOverloads constructor(
         val context: Context,
         val interactive: Boolean = true,
-        trustSystemCerts: Boolean = true
+        trustSystemCerts: Boolean = true,
+
+        @Volatile
+        var appInForeground: Boolean = false
 ): X509TrustManager, Closeable {
 
     companion object {
@@ -70,10 +74,6 @@ class CustomCertManager @JvmOverloads constructor(
             if (trustSystemCerts) CertUtils.getTrustManager(null) else null
 
 
-    /** Whether to launch [TrustCertificateActivity] directly. The notification will always be shown. */
-    var appInForeground = false
-
-
     init {
         val newServiceConn = object: ServiceConnection {
             override fun onServiceConnected(className: ComponentName, binder: IBinder) {
-- 
GitLab


From aaeb4de094b613e1be68d170522c42a3d974edf4 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Wed, 20 Feb 2019 18:15:20 +0100
Subject: [PATCH 10/37] Add test

---
 build.gradle                                  |   7 +-
 .../cert4android/CertTlsSocketFactoryTest.kt  | 127 ++++++++++++++++++
 src/androidTest/resources/sample.crt          |  24 ++++
 src/androidTest/resources/sample.key          | Bin 0 -> 1220 bytes
 4 files changed, 156 insertions(+), 2 deletions(-)
 create mode 100644 src/androidTest/java/at/bitfire/cert4android/CertTlsSocketFactoryTest.kt
 create mode 100644 src/androidTest/resources/sample.crt
 create mode 100644 src/androidTest/resources/sample.key

diff --git a/build.gradle b/build.gradle
index 54a637c..9415182 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 
 buildscript {
-    ext.kotlin_version = '1.3.20'
+    ext.kotlin_version = '1.3.21'
     ext.dokka_version = '0.9.17'
 
     repositories {
@@ -9,7 +9,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.3.0'
+        classpath 'com.android.tools.build:gradle:3.3.1'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
         classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${dokka_version}"
     }
@@ -51,6 +51,9 @@ dependencies {
 
     androidTestImplementation 'androidx.test:runner:1.1.1'
     androidTestImplementation 'androidx.test:rules:1.1.1'
+    androidTestImplementation 'com.squareup.okhttp3:mockwebserver:3.12.1'
+    androidTestImplementation 'commons-io:commons-io:2.6'
+    androidTestImplementation 'org.apache.commons:commons-lang3:3.8.1'
 
     testImplementation 'junit:junit:4.12'
 }
diff --git a/src/androidTest/java/at/bitfire/cert4android/CertTlsSocketFactoryTest.kt b/src/androidTest/java/at/bitfire/cert4android/CertTlsSocketFactoryTest.kt
new file mode 100644
index 0000000..521bfb5
--- /dev/null
+++ b/src/androidTest/java/at/bitfire/cert4android/CertTlsSocketFactoryTest.kt
@@ -0,0 +1,127 @@
+/*
+ * Copyright © Ricki Hirner (bitfire web engineering).
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the GNU Public License v3.0
+ * which accompanies this distribution, and is available at
+ * http://www.gnu.org/licenses/gpl.html
+ */
+
+package at.bitfire.cert4android
+
+import androidx.test.platform.app.InstrumentationRegistry.getInstrumentation
+import okhttp3.OkHttpClient
+import okhttp3.Request
+import okhttp3.mockwebserver.MockWebServer
+import org.apache.commons.io.IOUtils
+import org.apache.commons.lang3.ArrayUtils.contains
+import org.junit.After
+import org.junit.Assert.*
+import org.junit.Before
+import org.junit.Test
+import java.net.Socket
+import java.security.KeyFactory
+import java.security.KeyStore
+import java.security.Principal
+import java.security.cert.CertificateFactory
+import java.security.cert.X509Certificate
+import java.security.spec.PKCS8EncodedKeySpec
+import javax.net.ssl.SSLSocket
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509ExtendedKeyManager
+import javax.net.ssl.X509TrustManager
+
+class CertTlsSocketFactoryTest {
+
+    private lateinit var certMgr: CustomCertManager
+    private lateinit var factory: CertTlsSocketFactory
+    private val server = MockWebServer()
+
+    @Before
+    fun startServer() {
+        certMgr = CustomCertManager(getInstrumentation().context, false, true)
+        factory = CertTlsSocketFactory(null, certMgr)
+        server.start()
+    }
+
+    @After
+    fun stopServer() {
+        server.shutdown()
+        certMgr.close()
+    }
+
+
+    @Test
+    fun testSendClientCertificate() {
+        var public: X509Certificate? = null
+        javaClass.classLoader!!.getResourceAsStream("sample.crt").use {
+            public = CertificateFactory.getInstance("X509").generateCertificate(it) as? X509Certificate
+        }
+        assertNotNull(public)
+
+        val keyFactory = KeyFactory.getInstance("RSA")
+        val private = keyFactory.generatePrivate(PKCS8EncodedKeySpec(readResource("sample.key")))
+        assertNotNull(private)
+
+        val keyStore = KeyStore.getInstance("AndroidKeyStore")
+        keyStore.load(null)
+        val alias = "sample"
+        keyStore.setKeyEntry(alias, private, null, arrayOf(public))
+        assertTrue(keyStore.containsAlias(alias))
+
+        val trustManagerFactory = TrustManagerFactory.getInstance("X509")
+        trustManagerFactory.init(null as KeyStore?)
+        val trustManager = trustManagerFactory.trustManagers.first() as X509TrustManager
+
+        val factory = CertTlsSocketFactory(object: X509ExtendedKeyManager() {
+            override fun getServerAliases(p0: String?, p1: Array<out Principal>?): Array<String>? = null
+            override fun chooseServerAlias(p0: String?, p1: Array<out Principal>?, p2: Socket?) = null
+
+            override fun getClientAliases(p0: String?, p1: Array<out Principal>?) =
+                    arrayOf(alias)
+
+            override fun chooseClientAlias(p0: Array<out String>?, p1: Array<out Principal>?, p2: Socket?) =
+                    alias
+
+            override fun getCertificateChain(forAlias: String?) =
+                    arrayOf(public).takeIf { forAlias == alias }
+
+            override fun getPrivateKey(forAlias: String?) =
+                    private.takeIf { forAlias == alias }
+        }, trustManager)
+
+        /* known client cert test URLs (thanks!):
+        *  - https://prod.idrix.eu/secure/
+        *  - https://server.cryptomix.com/secure/
+        */
+        val client = OkHttpClient.Builder()
+                .sslSocketFactory(factory, trustManager)
+                .build()
+        client.newCall(Request.Builder()
+                .get()
+                .url("https://prod.idrix.eu/secure/")
+                .build()).execute().use { response ->
+            assertTrue(response.isSuccessful)
+            assertTrue(response.body()!!.string().contains("CN=User Cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=CA"))
+        }
+    }
+
+    @Test
+    fun testUpgradeTLS() {
+        val s = factory.createSocket(server.hostName, server.port)
+        assertTrue(s is SSLSocket)
+        val ssl = s as SSLSocket
+
+        assertFalse(contains(ssl.enabledProtocols, "SSLv3"))
+        assertTrue(contains(ssl.enabledProtocols, "TLSv1"))
+        assertTrue(contains(ssl.enabledProtocols, "TLSv1.1"))
+        assertTrue(contains(ssl.enabledProtocols, "TLSv1.2"))
+    }
+
+
+    private fun readResource(name: String): ByteArray {
+        javaClass.classLoader!!.getResourceAsStream(name).use {
+            return IOUtils.toByteArray(it)
+        }
+    }
+
+}
diff --git a/src/androidTest/resources/sample.crt b/src/androidTest/resources/sample.crt
new file mode 100644
index 0000000..c813980
--- /dev/null
+++ b/src/androidTest/resources/sample.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEEzCCAfsCAQEwDQYJKoZIhvcNAQEFBQAwRjELMAkGA1UEBhMCQ0ExEzARBgNV
+BAgMClNvbWUtU3RhdGUxEDAOBgNVBAoMB0NBIENlcnQxEDAOBgNVBAMMB0NBIENl
+cnQwHhcNMTgwMTEzMjAyOTI5WhcNMTkwMTEzMjAyOTI5WjBZMQswCQYDVQQGEwJD
+QTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMRIwEAYDVQQDDAlVc2VyIENlcnQwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDqOyHAeG4psE/f6i/eTfwbhn6j7WaFXxZiSOWwpQZmzRrx
+MrfkABJCk0X7KNgCaJcmBkG9G1Ri4HfKrxvJFswMXknlq+0ulGBk7oDnZM+pihuX
+3D9VCWMMkCqYhLCGADj2zB2mkX4LpcMRi6XoOetKURE/vcIy7rSLAtJM6ZRdftfh
+2ZxnautS1Tyujh9Au3NI/+Of80tT/nA+oBJQeT1fB/ga1OQlZP5kjSaA7IPiIbTz
+QBO+r898MvqK/lwsvOYnWAp7TY03z+vPfCs0zjijZEl9Wrl0hW6o5db5kU1v5bcr
+p87hxFJsGD2HIr2y6kvYfL2hn+h9iANyYdRnUgapAgMBAAEwDQYJKoZIhvcNAQEF
+BQADggIBAHANsiJITedXPyp89lVMEmGY3zKtOqgQ3tqjvjlNt2sdPnj7wmZbmrNd
+sa90S/UwOn8PzEFOVxYy1BPlljlEjtjmc4OHMcm4P4Zv36uawHilmK8V+zT59gCK
+ftB5FP2TLFUFi2X9o8J06d0xJRE77uewN155NV4RmPuP4b/tMmeixoQppHqLqEr5
+lgEUnt3Mh1ctmeFQFJR6lJ01hlB0gdpVHIhzrVLTO3uo8ePLJTmxP6tyKl/HXj9F
+mpVsKb1kriKwbkGczfw99OUZeUVbTwQOR07r0SrG71B7IuDvxIORnhQc1OUjt7ob
+wjdaZauAHxpGBRu+hw9Yqaxchk9Gldy1nEjGyyVCD0FU5taXbl8PhBWEDc4U9tI+
+xVNmPpsSuCsbz3Mjd1YIVRGL99vLrKsQcj+TNM+jJKKRKes3ihl+l/0FwG6UuO7L
+EvjlUg5hOtYi1D7xuYyMjroGBGh7swYMt6w4eCDbcjzcCkaCi0H2pScM/rLBpDjS
+LIoGCvZ1LBdi933/iOj1/8dxGZwY6fEgcyiD2n0xAgYIniLWjEZXOMdIK5FNTNga
+Tswanvp+6Noa4oIu/hl/LXvPMsouaWfSEbRe0Dshi3GpLj3YtEHoN9DHB8bn7jy5
+34By81GT41m5kq3hWP//x9kSHYSADpbovCbKbElU1qSt6vTVR4nq
+-----END CERTIFICATE-----
diff --git a/src/androidTest/resources/sample.key b/src/androidTest/resources/sample.key
new file mode 100644
index 0000000000000000000000000000000000000000..af8f903d41f5948cda0eb46c3f471d2ed013a099
GIT binary patch
literal 1220
zcmXqLVmZLX$Y8+B#;Mij(e|B}k&%&=fu)IMl|d8BGA2d_rY1&4hF8{#2P*P3H~8Ow
zrGL-&k91qz;<st7@nT6HPd6-OOFJv|(P;Y<1|g@(uD>;IFl9_vV{_aq9g_5*{M35s
zlVWFh;yj<OeycYnA?01e^OW-|yQHVzu@B`;=9!>1qh&)IgT=QqvdbpcaW6eA*uC_H
z<!i4%LHoUjjNWbOX1e6_a!PF7^@lg-q-VVjx@xnoPu^j7vB&?%^FMnB|0}RtAQVt(
z8_)hj>dF(<lz%C`Y7K9iA1QA6>>#{v{rMWBUtRxVboM+`kKn5I?KMCD`h1PH$vKO~
zDW0`aJ4;&gRy@7-bE0ql)9u>J&pkX6lp|r=uC#a4EAJaMdl$}sQQN^>lz1gQh;1bk
zGa~~dI3(6+N%X!pH+}9JH`U^W&=#%RmV5G)_psF`6|AUUnsCfej=OU^+nk{Di`wee
ztiKqWYW(VWrgBbBEW7`Q;D^kMS8iXCoL#hdrkbqg-~Q=gH+cB6B(J609}^UNm0`Dh
zZQ8%`3y<uwr%Y9q`rO^K|Msbseo?=oM3p{l-@9?0g@TPhcv5-Tjn$#AXH2Yq_x<Jp
zbKR4#9|*lxGAwIn{p@}9xS(p};qpZq!YBQi=lwNPHeYq|?rc65#z((T7_6Q$zo`Ae
z%WJb0i!0}_&MMW+OAx<Rrr9Dnulh3U9iAyF3jX1<XPModc*We9`G?oWMGgYn9_G*b
zQap1H!v(MHU*11jkdnTZk*Tqf;ip@`nJrUK&5Yzf#rtya!%2cG?q1q7>0+q9zT#S$
zLi6Ph_gWNrn!o0peMQ<`Qcm{+^M|doS!PSSrWWsb;IlO}lw~sC%bo&$U%vBOvPF8l
z)XeOrGw%O$CcIT*^5Ho@`A+;j+9~_e`mM<V*1+i+4j(T&gtxvp5@%SuMd9hSKGyz+
zAUAyIdAa_-ho|w<Noig7w_N5;&C%(u=F6_Ua_sGc9Gx&WM<d&fi{%7j^v|U}?&Em+
z-DBPR^M{_xA1x_i3DiBVYb6=K-f;`-tnLoijZ-ddp3$cg{o?#$(Zc4YsUN+LUH<-R
z?ke?n7yGyOOuc{RnV0X4sVcMNOL*TW-}1k2Fmv|7_a{MaXj?EZ<iT{s%YA{)dt_f^
zCB?*gWrY9lbk#1M#@;>q9h=h3Pm%fT_kAy!`7&y$tZmtq!(YiU<;1qb%G&1@>^7T~
zH8QcDIv00TCvmln>)l<K+_G23oSn9P=ZCi{8o!pu)Zco}z4hCT#I1tC>v%NGl2wjh
zv32%ndUWxM9#8P$r1XU#H#E-kS$aC$OlyI&E#ul-wZ?X9o@U?n)W0)F=daGMyNseM
zx8FL|o^$X3*RNSCYRkG<^p~gz>|Jbdvsq!qt-DDKQa4f~Zq&@$kS3hRRa5chVrf~N
zgtSy~=S0;-T{e?$T{M#T&gj^)tSsMSwPyFxR|->d{w?p&UnD7|z<lvn@YKzMAUB-r
z$Z5Qj!>A_KZzVG2sr0miQ9XZ`$u0?g`02t&y$9;&_&@ucG@b5O|4zom|F0p_*Xols
z>lV0LJX!INcl(W(hn{3<b3eE=WB>L3$LVbb)ovPs&!694!MA@a^9k?#<rbeJdkbq~
i{`;sXycX0GbkSqp>&4yteBU{pn>rt*;-)fe_y_>yKuLW7

literal 0
HcmV?d00001

-- 
GitLab


From a24d07c52c18ad573aff5560f9dd9e74cb32c09a Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Mon, 11 Mar 2019 11:57:17 +0100
Subject: [PATCH 11/37] Update gradle plugin, avoid
 ConcurrentModificationException

---
 project.properties                                        | 3 ---
 .../java/at/bitfire/cert4android/CustomCertService.kt     | 8 ++------
 2 files changed, 2 insertions(+), 9 deletions(-)
 delete mode 100644 project.properties

diff --git a/project.properties b/project.properties
deleted file mode 100644
index 2e788c3..0000000
--- a/project.properties
+++ /dev/null
@@ -1,3 +0,0 @@
-
-android.library=true
-
diff --git a/src/main/java/at/bitfire/cert4android/CustomCertService.kt b/src/main/java/at/bitfire/cert4android/CustomCertService.kt
index f07e020..b0d1c41 100644
--- a/src/main/java/at/bitfire/cert4android/CustomCertService.kt
+++ b/src/main/java/at/bitfire/cert4android/CustomCertService.kt
@@ -172,7 +172,7 @@ class CustomCertService: Service() {
 
     // bound service
 
-    val binder = object: ICustomCertService.Stub() {
+    private val binder = object: ICustomCertService.Stub() {
 
         override fun checkTrusted(raw: ByteArray, interactive: Boolean, foreground: Boolean, callback: IOnCertificateDecision) {
             val cert: X509Certificate? = try {
@@ -246,11 +246,7 @@ class CustomCertService: Service() {
 
         override fun abortCheck(callback: IOnCertificateDecision) {
             for ((cert, list) in pendingDecisions) {
-                val it = list.listIterator()
-                while (it.hasNext())
-                    if (it.next() == callback)
-                        it.remove()
-
+                list.removeAll { it == callback }
                 if (list.isEmpty())
                     pendingDecisions -= cert
             }
-- 
GitLab


From 0b01d3740aafd5a0f07bfecdd42cb7de2596af2c Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sat, 16 Mar 2019 14:00:17 +0100
Subject: [PATCH 12/37] Use ViewModel/data binding for TrustCertificateActivity

---
 build.gradle                                  |   9 +-
 .../cert4android/TrustCertificateActivity.kt  | 141 ++++++-----
 .../res/layout/activity_trust_certificate.xml | 234 +++++++++---------
 3 files changed, 207 insertions(+), 177 deletions(-)

diff --git a/build.gradle b/build.gradle
index 9415182..4a5e279 100644
--- a/build.gradle
+++ b/build.gradle
@@ -9,7 +9,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.3.1'
+        classpath 'com.android.tools.build:gradle:3.3.2'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
         classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${dokka_version}"
     }
@@ -33,6 +33,8 @@ android {
         targetSdkVersion 28
     }
 
+    dataBinding.enabled = true
+
     lintOptions {
         disable 'MissingTranslation', 'ExtraTranslation'	// translations from Transifex are not always up to date
         disable "OnClick"     // doesn't recognize Kotlin onClick methods
@@ -48,10 +50,13 @@ dependencies {
 
     implementation 'androidx.appcompat:appcompat:1.0.2'
     implementation 'androidx.cardview:cardview:1.0.0'
+    implementation 'androidx.lifecycle:lifecycle-extensions:2.0.0'
+    implementation 'androidx.lifecycle:lifecycle-livedata:2.0.0'
+    implementation 'androidx.lifecycle:lifecycle-viewmodel-ktx:2.0.0'
 
     androidTestImplementation 'androidx.test:runner:1.1.1'
     androidTestImplementation 'androidx.test:rules:1.1.1'
-    androidTestImplementation 'com.squareup.okhttp3:mockwebserver:3.12.1'
+    androidTestImplementation 'com.squareup.okhttp3:mockwebserver:3.12.2'
     androidTestImplementation 'commons-io:commons-io:2.6'
     androidTestImplementation 'org.apache.commons:commons-lang3:3.8.1'
 
diff --git a/src/main/java/at/bitfire/cert4android/TrustCertificateActivity.kt b/src/main/java/at/bitfire/cert4android/TrustCertificateActivity.kt
index 5b2693e..f8bfe0f 100644
--- a/src/main/java/at/bitfire/cert4android/TrustCertificateActivity.kt
+++ b/src/main/java/at/bitfire/cert4android/TrustCertificateActivity.kt
@@ -11,84 +11,48 @@ package at.bitfire.cert4android
 import android.content.Intent
 import android.os.Bundle
 import android.view.View
-import android.widget.Button
-import android.widget.CheckBox
-import android.widget.TextView
 import androidx.appcompat.app.AppCompatActivity
+import androidx.databinding.DataBindingUtil
+import androidx.lifecycle.MutableLiveData
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.ViewModelProviders
+import at.bitfire.cert4android.databinding.ActivityTrustCertificateBinding
 import java.io.ByteArrayInputStream
 import java.security.MessageDigest
 import java.security.cert.CertificateFactory
 import java.security.cert.CertificateParsingException
 import java.security.cert.X509Certificate
+import java.security.spec.MGF1ParameterSpec.SHA1
+import java.security.spec.MGF1ParameterSpec.SHA256
 import java.text.DateFormat
 import java.util.*
 import java.util.logging.Level
+import kotlin.concurrent.thread
 
 class TrustCertificateActivity: AppCompatActivity() {
 
     companion object {
         const val EXTRA_CERTIFICATE = "certificate"
-
-        val certFactory = CertificateFactory.getInstance("X.509")!!
     }
 
+    private lateinit var model: Model
 
     override fun onCreate(savedInstanceState: Bundle?) {
         super.onCreate(savedInstanceState)
 
-        setContentView(R.layout.activity_trust_certificate)
-        showCertificate()
+        model = ViewModelProviders.of(this).get(Model::class.java)
+        model.processIntent(intent)
+
+        val binding = DataBindingUtil.setContentView<ActivityTrustCertificateBinding>(this, R.layout.activity_trust_certificate)
+        binding.lifecycleOwner = this
+        binding.model = model
     }
 
     override fun onNewIntent(intent: Intent) {
         super.onNewIntent(intent)
-        this.intent = intent
-        showCertificate()
+        model.processIntent(intent)
     }
 
-    private fun showCertificate() {
-        val raw = intent.getByteArrayExtra(EXTRA_CERTIFICATE)
-        (certFactory.generateCertificate(ByteArrayInputStream(raw)) as X509Certificate?)?.let { cert ->
-            val subject: String
-            try {
-                subject = if (cert.issuerAlternativeNames != null) {
-                    val sb = StringBuilder()
-                    for (altName in cert.subjectAlternativeNames.orEmpty()) {
-                        val name = altName[1]
-                        if (name is String)
-                            sb.append("[").append(altName[0]).append("]").append(name).append(" ")
-                    }
-                    sb.toString()
-                } else
-                    cert.subjectDN.name
-
-                var tv = findViewById<TextView>(R.id.issuedFor)
-                tv.text = subject
-
-                tv = findViewById(R.id.issuedBy)
-                tv.text = cert.issuerDN.toString()
-
-                val formatter = DateFormat.getDateInstance(DateFormat.LONG)
-                tv = findViewById(R.id.validity_period)
-                tv.text = getString(R.string.trust_certificate_validity_period_value,
-                        formatter.format(cert.notBefore),
-                        formatter.format(cert.notAfter))
-
-                tv = findViewById(R.id.fingerprint_sha1)
-                tv.text = fingerprint(cert, "SHA-1")
-                tv = findViewById(R.id.fingerprint_sha256)
-                tv.text = fingerprint(cert, "SHA-256")
-            } catch(e: CertificateParsingException) {
-                Constants.log.log(Level.WARNING, "Couldn't parse certificate", e)
-            }
-        }
-
-        val btnAccept = findViewById<Button>(R.id.accept)
-        val cb = findViewById<CheckBox>(R.id.fingerprint_ok)
-        cb.setOnCheckedChangeListener { _, state -> btnAccept.isEnabled = state }
-    }
-
-
     fun acceptCertificate(view: View) {
         sendDecision(true)
         finish()
@@ -110,17 +74,70 @@ class TrustCertificateActivity: AppCompatActivity() {
     }
 
 
-    private fun fingerprint(cert: X509Certificate, algorithm: String) =
-            try {
-                val md = MessageDigest.getInstance(algorithm)
-                "$algorithm: ${hexString(md.digest(cert.encoded))}"
-            } catch(e: Exception) {
-                e.message ?: "Couldn't create message digest"
+    class Model: ViewModel() {
+
+        companion object {
+            val certFactory = CertificateFactory.getInstance("X.509")!!
+        }
+
+        val issuedFor = MutableLiveData<String>()
+        val issuedBy = MutableLiveData<String>()
+
+        val validFrom = MutableLiveData<String>()
+        val validTo = MutableLiveData<String>()
+
+        val sha1 = MutableLiveData<String>()
+        val sha256 = MutableLiveData<String>()
+
+        val verifiedByUser = MutableLiveData<Boolean>()
+
+        fun processIntent(intent: Intent?) {
+            intent?.getByteArrayExtra(EXTRA_CERTIFICATE)?.let { raw ->
+                thread {
+                    val cert = certFactory.generateCertificate(ByteArrayInputStream(raw)) as? X509Certificate ?: return@thread
+
+                    try {
+                        val subject = if (cert.issuerAlternativeNames != null) {
+                            val sb = StringBuilder()
+                            for (altName in cert.subjectAlternativeNames.orEmpty()) {
+                                val name = altName[1]
+                                if (name is String)
+                                    sb.append("[").append(altName[0]).append("]").append(name).append(" ")
+                            }
+                            sb.toString()
+                        } else
+                            cert.subjectDN.name
+                        issuedFor.postValue(subject)
+
+                        issuedBy.postValue(cert.issuerDN.toString())
+
+                        val formatter = DateFormat.getDateInstance(DateFormat.LONG)
+                        validFrom.postValue(formatter.format(cert.notBefore))
+                        validTo.postValue(formatter.format(cert.notAfter))
+
+                        sha1.postValue(fingerprint(cert, SHA1.digestAlgorithm))
+                        sha256.postValue(fingerprint(cert, SHA256.digestAlgorithm))
+
+                    } catch(e: CertificateParsingException) {
+                        Constants.log.log(Level.WARNING, "Couldn't parse certificate", e)
+                    }
+                }
             }
+        }
+
+        fun fingerprint(cert: X509Certificate, algorithm: String) =
+                try {
+                    val md = MessageDigest.getInstance(algorithm)
+                    "$algorithm: ${hexString(md.digest(cert.encoded))}"
+                } catch(e: Exception) {
+                    e.message ?: "Couldn't create message digest"
+                }
+
+        fun hexString(data: ByteArray): String {
+            val str = data.mapTo(LinkedList()) { String.format("%02x", it) }
+            return str.joinToString(":")
+        }
 
-    private fun hexString(data: ByteArray): String {
-        val str = data.mapTo(LinkedList()) { String.format("%02x", it) }
-        return str.joinToString(":")
     }
 
-}
+}
\ No newline at end of file
diff --git a/src/main/res/layout/activity_trust_certificate.xml b/src/main/res/layout/activity_trust_certificate.xml
index f978e3c..9470a59 100644
--- a/src/main/res/layout/activity_trust_certificate.xml
+++ b/src/main/res/layout/activity_trust_certificate.xml
@@ -1,134 +1,142 @@
 <?xml version="1.0" encoding="utf-8"?>
-
-<ScrollView xmlns:android="http://schemas.android.com/apk/res/android"
-            xmlns:tools="http://schemas.android.com/tools"
-            xmlns:app="http://schemas.android.com/apk/res-auto"
-            android:layout_height="match_parent"
-            android:layout_width="match_parent"
-            android:layout_margin="@dimen/activity_margin">
-
-    <LinearLayout android:orientation="vertical"
-                  android:layout_width="match_parent"
-                  android:layout_height="wrap_content">
-
-        <TextView
-            android:layout_width="match_parent"
-            android:layout_height="wrap_content"
-            android:layout_marginBottom="16dp"
-            android:text="@string/trust_certificate_unknown_certificate_found"
-            android:textAppearance="?android:attr/textAppearanceMedium"/>
-
-        <androidx.cardview.widget.CardView
+<layout xmlns:android="http://schemas.android.com/apk/res/android"
+        xmlns:tools="http://schemas.android.com/tools"
+        xmlns:app="http://schemas.android.com/apk/res-auto">
+
+    <data>
+        <variable
+            name="model"
+            type="at.bitfire.cert4android.TrustCertificateActivity.Model"/>
+    </data>
+
+    <ScrollView
+        android:layout_height="match_parent"
+        android:layout_width="match_parent"
+        android:layout_margin="@dimen/activity_margin">
+
+        <LinearLayout android:orientation="vertical"
             android:layout_width="match_parent"
-            android:layout_height="wrap_content"
-            app:cardElevation="8dp">
+            android:layout_height="wrap_content">
 
-            <LinearLayout
+            <TextView
                 android:layout_width="match_parent"
                 android:layout_height="wrap_content"
-                android:orientation="vertical"
-                android:layout_margin="8dp">
+                android:layout_marginBottom="16dp"
+                android:text="@string/trust_certificate_unknown_certificate_found"
+                android:textAppearance="?android:attr/textAppearanceMedium"/>
 
-                <TextView
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    style="@style/TextView.Heading"
-                    android:layout_marginBottom="16dp"
-                    android:text="@string/trust_certificate_x509_certificate_details"/>
-
-                <TextView
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    android:textStyle="bold"
-                    android:text="@string/trust_certificate_issued_for"/>
-                <TextView
-                    android:id="@+id/issuedFor"
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    android:layout_marginBottom="16dp"
-                    tools:text="CN=example.com"/>
+            <androidx.cardview.widget.CardView
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                app:cardElevation="8dp">
 
-                <TextView
+                <LinearLayout
                     android:layout_width="match_parent"
                     android:layout_height="wrap_content"
-                    android:textStyle="bold"
-                    android:text="@string/trust_certificate_issued_by"/>
-                <TextView
-                    android:id="@+id/issuedBy"
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    android:layout_marginBottom="16dp"
-                    tools:text="CN=example.com"/>
+                    android:orientation="vertical"
+                    android:layout_margin="8dp">
 
-                <TextView
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    android:textStyle="bold"
-                    android:text="@string/trust_certificate_validity_period"/>
-                <TextView
-                    android:id="@+id/validity_period"
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    android:layout_marginBottom="16dp"
-                    tools:text="1.1.1000 – 2.2.2000"/>
+                    <TextView
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        style="@style/TextView.Heading"
+                        android:layout_marginBottom="16dp"
+                        android:text="@string/trust_certificate_x509_certificate_details"/>
 
-                <TextView
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    android:textStyle="bold"
-                    android:text="@string/trust_certificate_fingerprints"/>
-                <TextView
-                    android:id="@+id/fingerprint_sha1"
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    tools:text="SHA-1: abcdef"/>
-                <TextView
-                    android:id="@+id/fingerprint_sha256"
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    android:layout_marginBottom="16dp"
-                    tools:text="SHA-256: abcdef"/>
+                    <TextView
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:textStyle="bold"
+                        android:text="@string/trust_certificate_issued_for"/>
+                    <TextView
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:layout_marginBottom="16dp"
+                        android:text="@{model.issuedFor}"
+                        tools:text="CN=example.com"/>
 
-                <CheckBox
-                    android:id="@+id/fingerprint_ok"
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content"
-                    android:padding="8dp"
-                    android:layout_marginBottom="8dp"
-                    android:text="@string/trust_certificate_fingerprint_verified"/>
+                    <TextView
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:textStyle="bold"
+                        android:text="@string/trust_certificate_issued_by"/>
+                    <TextView
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:layout_marginBottom="16dp"
+                        android:text="@{model.issuedBy}"
+                        tools:text="CN=example.com"/>
 
-                <androidx.appcompat.widget.ButtonBarLayout
-                    android:layout_width="match_parent"
-                    android:layout_height="wrap_content">
+                    <TextView
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:textStyle="bold"
+                        android:text="@string/trust_certificate_validity_period"/>
+                    <TextView
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:layout_marginBottom="16dp"
+                        android:text="@{@string/trust_certificate_validity_period_value(model.validFrom, model.validTo)}"
+                        tools:text="1.1.1000 – 2.2.2000"/>
 
-                    <Button
-                        android:id="@+id/accept"
-                        android:layout_width="wrap_content"
+                    <TextView
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:textStyle="bold"
+                        android:text="@string/trust_certificate_fingerprints"/>
+                    <TextView
+                        android:layout_width="match_parent"
                         android:layout_height="wrap_content"
-                        style="@style/Widget.AppCompat.Button.Borderless.Colored"
-                        android:text="@string/trust_certificate_accept"
-                        android:onClick="acceptCertificate"
-                        android:enabled="false"/>
-
-                    <Button
-                        android:id="@+id/reject"
-                        android:layout_width="wrap_content"
+                        android:layout_marginTop="4dp"
+                        android:text="@{model.sha1}"
+                        tools:text="SHA-1: abcdef"/>
+                    <TextView
+                        android:layout_width="match_parent"
                         android:layout_height="wrap_content"
-                        style="@style/Widget.AppCompat.Button.Borderless"
-                        android:text="@string/trust_certificate_reject"
-                        android:onClick="rejectCertificate"/>
+                        android:layout_marginTop="4dp"
+                        android:layout_marginBottom="16dp"
+                        android:text="@{model.sha256}"
+                        tools:text="SHA-256: abcdef"/>
 
-                </androidx.appcompat.widget.ButtonBarLayout>
+                    <CheckBox
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:padding="8dp"
+                        android:layout_marginBottom="8dp"
+                        android:checked="@={model.verifiedByUser}"
+                        android:text="@string/trust_certificate_fingerprint_verified"/>
 
-            </LinearLayout>
+                    <androidx.appcompat.widget.ButtonBarLayout
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content">
 
-        </androidx.cardview.widget.CardView>
+                        <Button
+                            android:layout_width="wrap_content"
+                            android:layout_height="wrap_content"
+                            style="@style/Widget.AppCompat.Button.Borderless.Colored"
+                            android:text="@string/trust_certificate_accept"
+                            android:onClick="acceptCertificate"
+                            android:enabled="@{model.verifiedByUser}"/>
 
-        <TextView
-            android:layout_width="match_parent"
-            android:layout_height="wrap_content"
-            android:layout_marginTop="16dp"
-            android:text="@string/trust_certificate_reset_info"/>
+                        <Button
+                            android:layout_width="wrap_content"
+                            android:layout_height="wrap_content"
+                            style="@style/Widget.AppCompat.Button.Borderless"
+                            android:text="@string/trust_certificate_reject"
+                            android:onClick="rejectCertificate"/>
+
+                    </androidx.appcompat.widget.ButtonBarLayout>
+
+                </LinearLayout>
+
+            </androidx.cardview.widget.CardView>
+
+            <TextView
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:layout_marginTop="16dp"
+                android:text="@string/trust_certificate_reset_info"/>
 
-    </LinearLayout>
-</ScrollView>
\ No newline at end of file
+        </LinearLayout>
+    </ScrollView>
+</layout>
-- 
GitLab


From bd48ac822259554da19183d41949327b2ce46691 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sat, 16 Mar 2019 14:30:38 +0100
Subject: [PATCH 13/37] Fetch translations from Transifex

---
 src/main/res/values-es/strings.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/res/values-es/strings.xml b/src/main/res/values-es/strings.xml
index d3c8636..f826685 100644
--- a/src/main/res/values-es/strings.xml
+++ b/src/main/res/values-es/strings.xml
@@ -4,6 +4,8 @@
     <string name="certificate_notification_connection_security">Seguridad de conexión</string>
     <string name="certificate_notification_user_interaction">Por favor, revisa el certificado</string>
 
+    <string name="service_rejected_temporarily">Certificado rechazado temporalmente</string>
+
     <string name="trust_certificate_unknown_certificate_found">cert4android ha encontrado un certificado desconocido. ¿Quieres que sea válido?</string>
     <string name="trust_certificate_x509_certificate_details">Detalles del certificado X509</string>
     <string name="trust_certificate_issued_for">Expedido para</string>
-- 
GitLab


From e4314588f8a42b302416aac6e324396ca857b597 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sun, 17 Mar 2019 16:00:29 +0100
Subject: [PATCH 14/37] Add info for AboutLibraries

---
 src/main/res/values/about_strings.xml | 692 ++++++++++++++++++++++++++
 1 file changed, 692 insertions(+)
 create mode 100644 src/main/res/values/about_strings.xml

diff --git a/src/main/res/values/about_strings.xml b/src/main/res/values/about_strings.xml
new file mode 100644
index 0000000..156c2de
--- /dev/null
+++ b/src/main/res/values/about_strings.xml
@@ -0,0 +1,692 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    <string name="define_cert4android" translatable="false" />
+    <string name="library_cert4android_author" translatable="false">Ricki Hirner</string>
+    <string name="library_cert4android_authorWebsite" translatable="false">https://www.bitfire.at</string>
+    <string name="library_cert4android_libraryName" translatable="false">cert4android</string>
+    <string name="library_cert4android_libraryDescription">Library for managing custom certificates in an app-private key store</string>
+    <string name="library_cert4android_libraryWebsite" translatable="false">https://gitlab.com/bitfireAT/cert4android</string>
+    <string name="library_cert4android_licenseId" translatable="false">gpl_3_0</string>
+    <string name="library_cert4android_isOpenSource" translatable="false">true</string>
+
+    <string name="define_license_gpl_3_0" translatable="false" />
+    <string name="license_gpl_3_0_licenseName">GPLv3</string>
+    <string name="license_gpl_3_0_licenseWebsite" translatable="false">http://www.gnu.org/licenses/gpl-3.0.html</string>
+    <string name="license_gpl_3_0_licenseShortDescription"><![CDATA[
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers\' and authors\' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users\' and
+authors\' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users\' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work\'s
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users\' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work\'s
+users, your or third parties\' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program\'s source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation\'s users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party\'s predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor\'s "contributor version".
+
+  A contributor\'s "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor\'s essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient\'s use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others\' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy\'s
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program\'s name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w\'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c\' for details.
+
+The hypothetical commands `show w\' and `show c\' should show the appropriate
+parts of the General Public License.  Of course, your program\'s commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.]]></string>
+
+</resources>
\ No newline at end of file
-- 
GitLab


From b72b162e904f1f7f9992e25ad039763e2b26c879 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sat, 23 Mar 2019 22:37:31 +0100
Subject: [PATCH 15/37] Enable Gitlab CI again

---
 .gitlab-ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7031330..b61997a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,8 @@ cache:
 
 test:
   script:
-#   - (cd /sdk/emulator; ./emulator @test -no-audio -no-window & wait-for-emulator.sh)
-#   - ./gradlew check connectedCheck
+    - (cd /sdk/emulator; ./emulator @test -no-audio -no-window & wait-for-emulator.sh)
+    - ./gradlew check connectedCheck
     - ./gradlew check
   artifacts:
     paths:
-- 
GitLab


From 9407024853be31aab8a3421df73ff1eac18840a1 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Tue, 26 Mar 2019 12:02:42 +0100
Subject: [PATCH 16/37] Remove gpl_3_0 for AboutLibraries 6.2.3+

---
 src/main/res/values/about_strings.xml | 679 --------------------------
 1 file changed, 679 deletions(-)

diff --git a/src/main/res/values/about_strings.xml b/src/main/res/values/about_strings.xml
index 156c2de..c46baa7 100644
--- a/src/main/res/values/about_strings.xml
+++ b/src/main/res/values/about_strings.xml
@@ -10,683 +10,4 @@
     <string name="library_cert4android_licenseId" translatable="false">gpl_3_0</string>
     <string name="library_cert4android_isOpenSource" translatable="false">true</string>
 
-    <string name="define_license_gpl_3_0" translatable="false" />
-    <string name="license_gpl_3_0_licenseName">GPLv3</string>
-    <string name="license_gpl_3_0_licenseWebsite" translatable="false">http://www.gnu.org/licenses/gpl-3.0.html</string>
-    <string name="license_gpl_3_0_licenseShortDescription"><![CDATA[
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers\' and authors\' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users\' and
-authors\' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users\' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work\'s
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users\' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work\'s
-users, your or third parties\' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program\'s source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation\'s users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party\'s predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor\'s "contributor version".
-
-  A contributor\'s "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor\'s essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient\'s use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others\' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy\'s
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program\'s name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w\'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c\' for details.
-
-The hypothetical commands `show w\' and `show c\' should show the appropriate
-parts of the General Public License.  Of course, your program\'s commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.]]></string>
-
 </resources>
\ No newline at end of file
-- 
GitLab


From b1f57b518f7595eabf9842d0b950cdc82f0e21db Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Tue, 2 Apr 2019 23:56:50 +0200
Subject: [PATCH 17/37] Fetch translations from Transifex

---
 src/main/res/values-ru/strings.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/res/values-ru/strings.xml b/src/main/res/values-ru/strings.xml
index ce0d26a..7fb7cac 100644
--- a/src/main/res/values-ru/strings.xml
+++ b/src/main/res/values-ru/strings.xml
@@ -7,7 +7,7 @@
     <string name="service_rejected_temporarily">Сертификат временно отклонен</string>
 
     <string name="trust_certificate_unknown_certificate_found">cert4android обнаружил неизвестный сертификат. Вы хотите доверять ему?</string>
-    <string name="trust_certificate_x509_certificate_details">Сведения о сертификате X509</string>
+    <string name="trust_certificate_x509_certificate_details">Данные сертификата X509</string>
     <string name="trust_certificate_issued_for">Выдан для</string>
     <string name="trust_certificate_issued_by">Кем выдан</string>
     <string name="trust_certificate_validity_period">Срок действия</string>
-- 
GitLab


From aae988de2107873e2130b175969ce9b49e8fc0b6 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Wed, 17 Apr 2019 22:46:31 +0200
Subject: [PATCH 18/37] Update Kotlin, gradle, gradle plugin

---
 build.gradle                             | 14 ++++++++------
 gradle/wrapper/gradle-wrapper.properties |  4 ++--
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/build.gradle b/build.gradle
index 4a5e279..f056d9c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,7 +1,9 @@
 
 buildscript {
-    ext.kotlin_version = '1.3.21'
-    ext.dokka_version = '0.9.17'
+    ext.versions = [
+        kotlin: '1.3.30',
+        dokka: '0.9.17'
+    ]
 
     repositories {
         jcenter()
@@ -9,9 +11,9 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.3.2'
-        classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
-        classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${dokka_version}"
+        classpath 'com.android.tools.build:gradle:3.4.0'
+        classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:${versions.kotlin}"
+        classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${versions.dokka}"
     }
 }
 
@@ -46,7 +48,7 @@ android {
 }
 
 dependencies {
-    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
+    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${versions.kotlin}"
 
     implementation 'androidx.appcompat:appcompat:1.0.2'
     implementation 'androidx.cardview:cardview:1.0.0'
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index a547d65..bf1e464 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
-#Tue Aug 23 16:42:17 CEST 2016
+#Wed Apr 17 22:31:47 CEST 2019
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.1-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-5.1.1-all.zip
-- 
GitLab


From 846f0cd3d540677e39491d8ba7e2a34a78b0abfc Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Fri, 19 Apr 2019 01:53:32 +0200
Subject: [PATCH 19/37] Use Conscrypt

---
 README.md                                     |  18 ++
 build.gradle                                  |   4 +-
 .../cert4android/CertTlsSocketFactoryTest.kt  | 127 -------------
 .../cert4android/CertTlsSocketFactory.kt      | 168 ------------------
 .../bitfire/cert4android/CustomCertService.kt |  18 +-
 5 files changed, 38 insertions(+), 297 deletions(-)
 delete mode 100644 src/androidTest/java/at/bitfire/cert4android/CertTlsSocketFactoryTest.kt
 delete mode 100644 src/main/java/at/bitfire/cert4android/CertTlsSocketFactory.kt

diff --git a/README.md b/README.md
index 316f7aa..27c44df 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,24 @@ Discussion: https://forums.bitfire.at/category/7/transport-level-security
 1. Close the instance when it's not required anymore (will disconnect from the
    `CustomCertService`, thus allowing it to be destroyed).
 
+Example of initialzing an okhttp client:
+
+    val keyManager = ...
+    CustomCertManager(...).use { trustManager ->
+        val sslContext = SSLContext.getInstance("TLS")
+        sslContext.init(
+            if (keyManager != null) arrayOf(keyManager) else null,
+            arrayOf(trustManager),
+            null
+        )
+        val builder = OkHttpClient.Builder()
+        builder.sslSocketFactory(sslContext.socketFactory, trustManager)
+               .hostnameVerifier(hostnameVerifier)
+        val httpClient = builder.build()
+        // use httpClient
+    }
+
+
 You can overwrite resources when you want, just have a look at the `res/strings`
 directory. Especially `certificate_notification_connection_security` and
 `trust_certificate_unknown_certificate_found` should contain your app name.
diff --git a/build.gradle b/build.gradle
index f056d9c..1931c2c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -2,7 +2,8 @@
 buildscript {
     ext.versions = [
         kotlin: '1.3.30',
-        dokka: '0.9.17'
+        dokka: '0.9.17',
+        conscrypt: '2.1.0'
     ]
 
     repositories {
@@ -55,6 +56,7 @@ dependencies {
     implementation 'androidx.lifecycle:lifecycle-extensions:2.0.0'
     implementation 'androidx.lifecycle:lifecycle-livedata:2.0.0'
     implementation 'androidx.lifecycle:lifecycle-viewmodel-ktx:2.0.0'
+    implementation "org.conscrypt:conscrypt-android:${versions.conscrypt}"
 
     androidTestImplementation 'androidx.test:runner:1.1.1'
     androidTestImplementation 'androidx.test:rules:1.1.1'
diff --git a/src/androidTest/java/at/bitfire/cert4android/CertTlsSocketFactoryTest.kt b/src/androidTest/java/at/bitfire/cert4android/CertTlsSocketFactoryTest.kt
deleted file mode 100644
index 521bfb5..0000000
--- a/src/androidTest/java/at/bitfire/cert4android/CertTlsSocketFactoryTest.kt
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright © Ricki Hirner (bitfire web engineering).
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the GNU Public License v3.0
- * which accompanies this distribution, and is available at
- * http://www.gnu.org/licenses/gpl.html
- */
-
-package at.bitfire.cert4android
-
-import androidx.test.platform.app.InstrumentationRegistry.getInstrumentation
-import okhttp3.OkHttpClient
-import okhttp3.Request
-import okhttp3.mockwebserver.MockWebServer
-import org.apache.commons.io.IOUtils
-import org.apache.commons.lang3.ArrayUtils.contains
-import org.junit.After
-import org.junit.Assert.*
-import org.junit.Before
-import org.junit.Test
-import java.net.Socket
-import java.security.KeyFactory
-import java.security.KeyStore
-import java.security.Principal
-import java.security.cert.CertificateFactory
-import java.security.cert.X509Certificate
-import java.security.spec.PKCS8EncodedKeySpec
-import javax.net.ssl.SSLSocket
-import javax.net.ssl.TrustManagerFactory
-import javax.net.ssl.X509ExtendedKeyManager
-import javax.net.ssl.X509TrustManager
-
-class CertTlsSocketFactoryTest {
-
-    private lateinit var certMgr: CustomCertManager
-    private lateinit var factory: CertTlsSocketFactory
-    private val server = MockWebServer()
-
-    @Before
-    fun startServer() {
-        certMgr = CustomCertManager(getInstrumentation().context, false, true)
-        factory = CertTlsSocketFactory(null, certMgr)
-        server.start()
-    }
-
-    @After
-    fun stopServer() {
-        server.shutdown()
-        certMgr.close()
-    }
-
-
-    @Test
-    fun testSendClientCertificate() {
-        var public: X509Certificate? = null
-        javaClass.classLoader!!.getResourceAsStream("sample.crt").use {
-            public = CertificateFactory.getInstance("X509").generateCertificate(it) as? X509Certificate
-        }
-        assertNotNull(public)
-
-        val keyFactory = KeyFactory.getInstance("RSA")
-        val private = keyFactory.generatePrivate(PKCS8EncodedKeySpec(readResource("sample.key")))
-        assertNotNull(private)
-
-        val keyStore = KeyStore.getInstance("AndroidKeyStore")
-        keyStore.load(null)
-        val alias = "sample"
-        keyStore.setKeyEntry(alias, private, null, arrayOf(public))
-        assertTrue(keyStore.containsAlias(alias))
-
-        val trustManagerFactory = TrustManagerFactory.getInstance("X509")
-        trustManagerFactory.init(null as KeyStore?)
-        val trustManager = trustManagerFactory.trustManagers.first() as X509TrustManager
-
-        val factory = CertTlsSocketFactory(object: X509ExtendedKeyManager() {
-            override fun getServerAliases(p0: String?, p1: Array<out Principal>?): Array<String>? = null
-            override fun chooseServerAlias(p0: String?, p1: Array<out Principal>?, p2: Socket?) = null
-
-            override fun getClientAliases(p0: String?, p1: Array<out Principal>?) =
-                    arrayOf(alias)
-
-            override fun chooseClientAlias(p0: Array<out String>?, p1: Array<out Principal>?, p2: Socket?) =
-                    alias
-
-            override fun getCertificateChain(forAlias: String?) =
-                    arrayOf(public).takeIf { forAlias == alias }
-
-            override fun getPrivateKey(forAlias: String?) =
-                    private.takeIf { forAlias == alias }
-        }, trustManager)
-
-        /* known client cert test URLs (thanks!):
-        *  - https://prod.idrix.eu/secure/
-        *  - https://server.cryptomix.com/secure/
-        */
-        val client = OkHttpClient.Builder()
-                .sslSocketFactory(factory, trustManager)
-                .build()
-        client.newCall(Request.Builder()
-                .get()
-                .url("https://prod.idrix.eu/secure/")
-                .build()).execute().use { response ->
-            assertTrue(response.isSuccessful)
-            assertTrue(response.body()!!.string().contains("CN=User Cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=CA"))
-        }
-    }
-
-    @Test
-    fun testUpgradeTLS() {
-        val s = factory.createSocket(server.hostName, server.port)
-        assertTrue(s is SSLSocket)
-        val ssl = s as SSLSocket
-
-        assertFalse(contains(ssl.enabledProtocols, "SSLv3"))
-        assertTrue(contains(ssl.enabledProtocols, "TLSv1"))
-        assertTrue(contains(ssl.enabledProtocols, "TLSv1.1"))
-        assertTrue(contains(ssl.enabledProtocols, "TLSv1.2"))
-    }
-
-
-    private fun readResource(name: String): ByteArray {
-        javaClass.classLoader!!.getResourceAsStream(name).use {
-            return IOUtils.toByteArray(it)
-        }
-    }
-
-}
diff --git a/src/main/java/at/bitfire/cert4android/CertTlsSocketFactory.kt b/src/main/java/at/bitfire/cert4android/CertTlsSocketFactory.kt
deleted file mode 100644
index 9a860ef..0000000
--- a/src/main/java/at/bitfire/cert4android/CertTlsSocketFactory.kt
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright © Ricki Hirner (bitfire web engineering).
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the GNU Public License v3.0
- * which accompanies this distribution, and is available at
- * http://www.gnu.org/licenses/gpl.html
- */
-
-package at.bitfire.cert4android
-
-import android.os.Build
-import android.util.Log
-import java.io.IOException
-import java.net.InetAddress
-import java.net.Socket
-import java.security.GeneralSecurityException
-import java.util.*
-import javax.net.ssl.*
-
-/**
- * Custom TLS socket factory with support for
- *   - enabling/disabling algorithms depending on the Android version,
- *   - client certificate authentication
- *
- * @param keyManager     a key manager which provides client certificates, or null
- * @param trustManager   trust manager to use (most likely a [CustomCertManager] instance)
- */
-class CertTlsSocketFactory(
-        keyManager: KeyManager?,
-        trustManager: X509TrustManager
-): SSLSocketFactory() {
-
-    private var delegate: SSLSocketFactory
-
-    companion object {
-        // Android 5.0+ (API level 21) provides reasonable default settings
-        // but it still allows SSLv3
-        // https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
-        var protocols: Array<String>? = null
-        var cipherSuites: Array<String>? = null
-        init {
-            if (Build.VERSION.SDK_INT >= 23) {
-                // Since Android 6.0 (API level 23),
-                // - TLSv1.1 and TLSv1.2 is enabled by default
-                // - SSLv3 is disabled by default
-                // - all modern ciphers are activated by default
-                protocols = null
-                cipherSuites = null
-                Log.d(Constants.TAG, "Using device default TLS protocols/ciphers")
-            } else {
-                (SSLSocketFactory.getDefault().createSocket() as? SSLSocket)?.use { socket ->
-                    try {
-                        /* set reasonable protocol versions */
-                        // - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0)
-                        // - remove all SSL versions (especially SSLv3) because they're insecure now
-                        val whichProtocols = LinkedList<String>()
-                        for (protocol in socket.supportedProtocols.filterNot { it.contains("SSL", true) })
-                            whichProtocols += protocol
-                        Log.i(Constants.TAG, "Enabling (only) these TLS protocols: ${whichProtocols.joinToString(", ")}")
-                        protocols = whichProtocols.toTypedArray()
-
-                        /* set up reasonable cipher suites */
-                        val knownCiphers = arrayOf(
-                                // TLS 1.2
-                                "TLS_RSA_WITH_AES_256_GCM_SHA384",
-                                "TLS_RSA_WITH_AES_128_GCM_SHA256",
-                                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
-                                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-                                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-                                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-                                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-                                // maximum interoperability
-                                "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
-                                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
-                                "TLS_RSA_WITH_AES_128_CBC_SHA",
-                                // additionally
-                                "TLS_RSA_WITH_AES_256_CBC_SHA",
-                                "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-                                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-                                "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-                                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
-                        )
-                        val availableCiphers = socket.supportedCipherSuites
-                        Log.i(Constants.TAG, "Available cipher suites: ${availableCiphers.joinToString(", ")}")
-
-                        /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus
-                         * disabling ciphers which are enabled by default, but have become unsecure), but for
-                         * the security level of DAVx5 and maximum compatibility, disabling of insecure
-                         * ciphers should be a server-side task */
-
-                        // for the final set of enabled ciphers, take the ciphers enabled by default, ...
-                        val whichCiphers = LinkedList<String>()
-                        whichCiphers.addAll(socket.enabledCipherSuites)
-                        Log.i(Constants.TAG, "Cipher suites enabled by default: ${whichCiphers.joinToString(", ")}")
-                        // ... add explicitly allowed ciphers ...
-                        whichCiphers.addAll(knownCiphers)
-                        // ... and keep only those which are actually available
-                        whichCiphers.retainAll(availableCiphers)
-
-                        Log.i(Constants.TAG, "Enabling (only) these TLS ciphers: " + whichCiphers.joinToString(", "))
-                        cipherSuites = whichCiphers.toTypedArray()
-                    } catch (e: IOException) {
-                        Log.e(Constants.TAG, "Couldn't determine default TLS settings")
-                    }
-                }
-            }
-        }
-    }
-
-
-    init {
-        try {
-            val sslContext = SSLContext.getInstance("TLS")
-            sslContext.init(
-                    if (keyManager != null) arrayOf(keyManager) else null,
-                    arrayOf(trustManager),
-                    null)
-            delegate = sslContext.socketFactory
-        } catch (e: GeneralSecurityException) {
-            throw IllegalStateException()      // system has no TLS
-        }
-    }
-
-    override fun getDefaultCipherSuites(): Array<String>? = cipherSuites ?: delegate.defaultCipherSuites
-    override fun getSupportedCipherSuites(): Array<String>? = cipherSuites ?: delegate.supportedCipherSuites
-
-    override fun createSocket(s: Socket, host: String, port: Int, autoClose: Boolean): Socket {
-        val ssl = delegate.createSocket(s, host, port, autoClose)
-        if (ssl is SSLSocket)
-            upgradeTLS(ssl)
-        return ssl
-    }
-
-    override fun createSocket(host: String, port: Int): Socket {
-        val ssl = delegate.createSocket(host, port)
-        if (ssl is SSLSocket)
-            upgradeTLS(ssl)
-        return ssl
-    }
-
-    override fun createSocket(host: String, port: Int, localHost: InetAddress, localPort: Int): Socket {
-        val ssl = delegate.createSocket(host, port, localHost, localPort)
-        if (ssl is SSLSocket)
-            upgradeTLS(ssl)
-        return ssl
-    }
-
-    override fun createSocket(host: InetAddress, port: Int): Socket {
-        val ssl = delegate.createSocket(host, port)
-        if (ssl is SSLSocket)
-            upgradeTLS(ssl)
-        return ssl
-    }
-
-    override fun createSocket(address: InetAddress, port: Int, localAddress: InetAddress, localPort: Int): Socket {
-        val ssl = delegate.createSocket(address, port, localAddress, localPort)
-        if (ssl is SSLSocket)
-            upgradeTLS(ssl)
-        return ssl
-    }
-
-
-    private fun upgradeTLS(ssl: SSLSocket) {
-        protocols?.let { ssl.enabledProtocols = it }
-        cipherSuites?.let { ssl.enabledCipherSuites = it }
-    }
-
-}
diff --git a/src/main/java/at/bitfire/cert4android/CustomCertService.kt b/src/main/java/at/bitfire/cert4android/CustomCertService.kt
index b0d1c41..a35ef8a 100644
--- a/src/main/java/at/bitfire/cert4android/CustomCertService.kt
+++ b/src/main/java/at/bitfire/cert4android/CustomCertService.kt
@@ -12,23 +12,27 @@ import android.app.PendingIntent
 import android.app.Service
 import android.content.Context
 import android.content.Intent
+import android.util.Log
 import android.widget.Toast
 import androidx.core.app.NotificationCompat
+import org.conscrypt.Conscrypt
 import java.io.ByteArrayInputStream
 import java.io.File
 import java.io.FileInputStream
 import java.io.FileOutputStream
 import java.security.KeyStore
 import java.security.KeyStoreException
+import java.security.Security
 import java.security.cert.CertificateFactory
 import java.security.cert.X509Certificate
 import java.util.*
 import java.util.logging.Level
+import javax.net.ssl.SSLContext
 import javax.net.ssl.X509TrustManager
 
 /**
  * The service which manages the certificates. Communications with
- * the [CustomCertManager]s over IPC.
+ * the [CustomCertManager]s over IPC. Initializes Conscrypt when class is loaded.
  *
  * This services is both a started and a bound service.
  */
@@ -51,6 +55,18 @@ class CustomCertService: Service() {
 
         const val KEYSTORE_DIR = "KeyStore"
         const val KEYSTORE_NAME = "KeyStore.bks"
+
+        init {
+            // initialize Conscrypt
+            Security.insertProviderAt(Conscrypt.newProvider(), 1)
+
+            val version = Conscrypt.version()
+            Log.i(Constants.TAG, "Using Conscrypt/${version.major()}.${version.minor()}.${version.patch()} for TLS")
+            val engine = SSLContext.getDefault().createSSLEngine()
+            Log.i(Constants.TAG, "Enabled protocols: ${engine.enabledProtocols.joinToString(", ")}")
+            Log.i(Constants.TAG, "Enabled ciphers: ${engine.enabledCipherSuites.joinToString(", ")}")
+        }
+
     }
 
     private lateinit var keyStoreFile: File
-- 
GitLab


From 443a57fb2a1631099a620ce00131216b7505a573 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Fri, 10 May 2019 16:44:29 +0200
Subject: [PATCH 20/37] Update kotlin and okhttp; new translation: Slovak
 (thanks brango67!)

---
 build.gradle                       |  4 ++--
 src/main/res/values-sk/strings.xml | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 src/main/res/values-sk/strings.xml

diff --git a/build.gradle b/build.gradle
index 1931c2c..c45a0eb 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,7 +1,7 @@
 
 buildscript {
     ext.versions = [
-        kotlin: '1.3.30',
+        kotlin: '1.3.31',
         dokka: '0.9.17',
         conscrypt: '2.1.0'
     ]
@@ -60,7 +60,7 @@ dependencies {
 
     androidTestImplementation 'androidx.test:runner:1.1.1'
     androidTestImplementation 'androidx.test:rules:1.1.1'
-    androidTestImplementation 'com.squareup.okhttp3:mockwebserver:3.12.2'
+    androidTestImplementation 'com.squareup.okhttp3:mockwebserver:3.12.3'
     androidTestImplementation 'commons-io:commons-io:2.6'
     androidTestImplementation 'org.apache.commons:commons-lang3:3.8.1'
 
diff --git a/src/main/res/values-sk/strings.xml b/src/main/res/values-sk/strings.xml
new file mode 100644
index 0000000..32e4546
--- /dev/null
+++ b/src/main/res/values-sk/strings.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    <string name="certificate_notification_connection_security">Zabezpečenie spojenia</string>
+    <string name="certificate_notification_user_interaction">Skontrolujte, prosím, certifikát</string>
+
+    <string name="service_rejected_temporarily">Certifikát bol dočasne odmietnutý</string>
+
+    <string name="trust_certificate_unknown_certificate_found">cert4android  zistil neznámy certifikát. Prajete si dôverovať mu?</string>
+    <string name="trust_certificate_x509_certificate_details">Detaily X509 certifikátu</string>
+    <string name="trust_certificate_issued_for">Vydaný pre</string>
+    <string name="trust_certificate_issued_by">Vydaný</string>
+    <string name="trust_certificate_validity_period">Obdobie platnosti</string>
+    <string name="trust_certificate_validity_period_value">%1$s – %2$s (nebude sa vynocovať)</string>
+    <string name="trust_certificate_fingerprints">Odtlačky</string>
+    <string name="trust_certificate_fingerprint_verified">Manuálne som skontroloval celý odtlačok.</string>
+    <string name="trust_certificate_accept">Prijať</string>
+    <string name="trust_certificate_reject">Odmietnuť</string>
+    <string name="trust_certificate_reset_info">V nastavení aplikácie môžete vynulovať všetky používateľské certifikáty</string>
+
+</resources>
\ No newline at end of file
-- 
GitLab


From 62f07b342fffd684f0111e82d7a8ea37879df14f Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Fri, 17 May 2019 12:02:46 +0200
Subject: [PATCH 21/37] Update gradle plugin

---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index c45a0eb..5439c16 100644
--- a/build.gradle
+++ b/build.gradle
@@ -12,7 +12,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.4.0'
+        classpath 'com.android.tools.build:gradle:3.4.1'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:${versions.kotlin}"
         classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${versions.dokka}"
     }
-- 
GitLab


From 40829f2818e05062da62d34bced651c23ccd3e8f Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sun, 9 Jun 2019 11:04:33 +0200
Subject: [PATCH 22/37] Fetch translations from Transifex

---
 src/main/res/values-eu/strings.xml     |  4 ++++
 src/main/res/values-fi/strings.xml     |  4 ++++
 src/main/res/values-sl-rSI/strings.xml | 19 ++++++++++++++++++-
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 src/main/res/values-eu/strings.xml
 create mode 100644 src/main/res/values-fi/strings.xml

diff --git a/src/main/res/values-eu/strings.xml b/src/main/res/values-eu/strings.xml
new file mode 100644
index 0000000..583641d
--- /dev/null
+++ b/src/main/res/values-eu/strings.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    </resources>
\ No newline at end of file
diff --git a/src/main/res/values-fi/strings.xml b/src/main/res/values-fi/strings.xml
new file mode 100644
index 0000000..583641d
--- /dev/null
+++ b/src/main/res/values-fi/strings.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    </resources>
\ No newline at end of file
diff --git a/src/main/res/values-sl-rSI/strings.xml b/src/main/res/values-sl-rSI/strings.xml
index 583641d..9161980 100644
--- a/src/main/res/values-sl-rSI/strings.xml
+++ b/src/main/res/values-sl-rSI/strings.xml
@@ -1,4 +1,21 @@
 <?xml version="1.0" encoding="utf-8"?>
 <resources>
 
-    </resources>
\ No newline at end of file
+    <string name="certificate_notification_connection_security">Varnost povezave</string>
+    <string name="certificate_notification_user_interaction">Prosim preverite certifikat</string>
+
+    <string name="service_rejected_temporarily">Certifikat je začasno onemogočen</string>
+
+    <string name="trust_certificate_unknown_certificate_found">Cert4android ne prepozna certifikata. Ali vi zaupate certifikatu?</string>
+    <string name="trust_certificate_x509_certificate_details">X509 podrobnosti certifikata</string>
+    <string name="trust_certificate_issued_for">Izdano za</string>
+    <string name="trust_certificate_issued_by">Izdano od</string>
+    <string name="trust_certificate_validity_period">Obdobje veljave</string>
+    <string name="trust_certificate_validity_period_value">%1$s - %2$s (ne bo prisilno uporabljeno)</string>
+    <string name="trust_certificate_fingerprints">Prstni odtisi</string>
+    <string name="trust_certificate_fingerprint_verified">Sem ročno preveril celoten prstni odtis.</string>
+    <string name="trust_certificate_accept">Sprejmi</string>
+    <string name="trust_certificate_reject">Zavrni</string>
+    <string name="trust_certificate_reset_info">V nastavitvah aplikacije lahko ponastavite vse certifikate.</string>
+
+</resources>
\ No newline at end of file
-- 
GitLab


From 1ead10b7ad8e5c7399e68cd03bba25d212f2ef55 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sun, 9 Jun 2019 11:05:19 +0200
Subject: [PATCH 23/37] Update dependencies

---
 build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index 5439c16..23365c5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -2,7 +2,7 @@
 buildscript {
     ext.versions = [
         kotlin: '1.3.31',
-        dokka: '0.9.17',
+        dokka: '0.9.18',
         conscrypt: '2.1.0'
     ]
 
@@ -58,8 +58,8 @@ dependencies {
     implementation 'androidx.lifecycle:lifecycle-viewmodel-ktx:2.0.0'
     implementation "org.conscrypt:conscrypt-android:${versions.conscrypt}"
 
-    androidTestImplementation 'androidx.test:runner:1.1.1'
-    androidTestImplementation 'androidx.test:rules:1.1.1'
+    androidTestImplementation 'androidx.test:runner:1.2.0'
+    androidTestImplementation 'androidx.test:rules:1.2.0'
     androidTestImplementation 'com.squareup.okhttp3:mockwebserver:3.12.3'
     androidTestImplementation 'commons-io:commons-io:2.6'
     androidTestImplementation 'org.apache.commons:commons-lang3:3.8.1'
-- 
GitLab


From 9712a8d6df890a5e62c2f6d879971598d0cc6547 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Fri, 12 Jul 2019 22:44:49 +0200
Subject: [PATCH 24/37] Update Kotlin, gradle plugin, appcompat

---
 build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index 23365c5..2193866 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,7 +1,7 @@
 
 buildscript {
     ext.versions = [
-        kotlin: '1.3.31',
+        kotlin: '1.3.41',
         dokka: '0.9.18',
         conscrypt: '2.1.0'
     ]
@@ -12,7 +12,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.4.1'
+        classpath 'com.android.tools.build:gradle:3.4.2'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:${versions.kotlin}"
         classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${versions.dokka}"
     }
@@ -51,7 +51,7 @@ android {
 dependencies {
     implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${versions.kotlin}"
 
-    implementation 'androidx.appcompat:appcompat:1.0.2'
+    implementation 'androidx.appcompat:appcompat:1.1.0-rc01'
     implementation 'androidx.cardview:cardview:1.0.0'
     implementation 'androidx.lifecycle:lifecycle-extensions:2.0.0'
     implementation 'androidx.lifecycle:lifecycle-livedata:2.0.0'
-- 
GitLab


From 2b3b6727e6d18adace48ba8f45b476ee6da1c3a6 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Wed, 17 Jul 2019 17:00:22 +0200
Subject: [PATCH 25/37] Update dependencies

---
 build.gradle                             | 11 ++++++++---
 gradle/wrapper/gradle-wrapper.properties |  2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index 2193866..396a8ed 100644
--- a/build.gradle
+++ b/build.gradle
@@ -29,13 +29,18 @@ apply plugin: 'org.jetbrains.dokka-android'
 
 android {
     compileSdkVersion 28
-    buildToolsVersion '28.0.3'
+    buildToolsVersion '29.0.1'
 
     defaultConfig {
         minSdkVersion 14
         targetSdkVersion 28
     }
 
+    compileOptions {
+        sourceCompatibility JavaVersion.VERSION_1_8
+        targetCompatibility JavaVersion.VERSION_1_8
+    }
+
     dataBinding.enabled = true
 
     lintOptions {
@@ -49,7 +54,7 @@ android {
 }
 
 dependencies {
-    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${versions.kotlin}"
+    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:${versions.kotlin}"
 
     implementation 'androidx.appcompat:appcompat:1.1.0-rc01'
     implementation 'androidx.cardview:cardview:1.0.0'
@@ -62,7 +67,7 @@ dependencies {
     androidTestImplementation 'androidx.test:rules:1.2.0'
     androidTestImplementation 'com.squareup.okhttp3:mockwebserver:3.12.3'
     androidTestImplementation 'commons-io:commons-io:2.6'
-    androidTestImplementation 'org.apache.commons:commons-lang3:3.8.1'
+    androidTestImplementation 'org.apache.commons:commons-lang3:3.9'
 
     testImplementation 'junit:junit:4.12'
 }
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index bf1e464..dcc7728 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -3,4 +3,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.1.1-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-5.5.1-all.zip
-- 
GitLab


From 8ad6a3db2fcd1e1ee6cf8e116fc5f69d904ad108 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sat, 20 Jul 2019 21:59:05 +0200
Subject: [PATCH 26/37] Update README

---
 README.md | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 27c44df..7833b21 100644
--- a/README.md
+++ b/README.md
@@ -4,13 +4,16 @@
 
 # cert4android
 
-cert4android is an Android library for managing custom certificates which has
-been developed for [DAVdroid](https://davdroid.bitfire.at). Feel free to use
+cert4android is a library for Android to manage custom certificates which has
+been developed for [DAVx⁵](https://www.davx5.com). Feel free to use
 it in your own open-source app.
 
+_This software is not affiliated to, nor has it been authorized, sponsored or otherwise approved
+by Google LLC. Android is a trademark of Google LLC._
+
 Generated KDoc: https://bitfireat.gitlab.io/cert4android/dokka/cert4android/
 
-Discussion: https://forums.bitfire.at/category/7/transport-level-security
+Discussion: https://forums.bitfire.at/category/18/libraries
 
 
 # Features
@@ -54,6 +57,17 @@ directory. Especially `certificate_notification_connection_security` and
 `trust_certificate_unknown_certificate_found` should contain your app name.
 
 
+## Contact
+
+```
+bitfire web engineering – Stockmann, Hirner GesnbR
+Florastraße 27
+2540 Bad Vöslau, AUSTRIA
+```
+
+Email: [play@bitfire.at](mailto:play@bitfire.at) (do not use this)
+
+
 # License 
 
 Copyright (C) bitfire web engineering (Ricki Hirner, Bernhard Stockmann).
-- 
GitLab


From 50aa218a1cde086fdd024d25c34f17d9f352d3c2 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Wed, 18 Sep 2019 23:33:38 +0200
Subject: [PATCH 27/37] Update libraries; target SDK level 29

---
 build.gradle                                  | 20 +++++++++----------
 .../at/bitfire/cert4android/CertUtilsTest.kt  |  2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/build.gradle b/build.gradle
index 396a8ed..ac0c8e6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,9 +1,9 @@
 
 buildscript {
     ext.versions = [
-        kotlin: '1.3.41',
+        kotlin: '1.3.50',
         dokka: '0.9.18',
-        conscrypt: '2.1.0'
+        conscrypt: '2.2.1'
     ]
 
     repositories {
@@ -12,7 +12,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.4.2'
+        classpath 'com.android.tools.build:gradle:3.5.0'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:${versions.kotlin}"
         classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${versions.dokka}"
     }
@@ -28,12 +28,12 @@ apply plugin: 'kotlin-android'
 apply plugin: 'org.jetbrains.dokka-android'
 
 android {
-    compileSdkVersion 28
+    compileSdkVersion 29
     buildToolsVersion '29.0.1'
 
     defaultConfig {
         minSdkVersion 14
-        targetSdkVersion 28
+        targetSdkVersion 29
     }
 
     compileOptions {
@@ -56,16 +56,16 @@ android {
 dependencies {
     implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:${versions.kotlin}"
 
-    implementation 'androidx.appcompat:appcompat:1.1.0-rc01'
+    implementation 'androidx.appcompat:appcompat:1.1.0'
     implementation 'androidx.cardview:cardview:1.0.0'
-    implementation 'androidx.lifecycle:lifecycle-extensions:2.0.0'
-    implementation 'androidx.lifecycle:lifecycle-livedata:2.0.0'
-    implementation 'androidx.lifecycle:lifecycle-viewmodel-ktx:2.0.0'
+    implementation 'androidx.lifecycle:lifecycle-extensions:2.1.0'
+    implementation 'androidx.lifecycle:lifecycle-livedata:2.1.0'
+    implementation 'androidx.lifecycle:lifecycle-viewmodel-ktx:2.1.0'
     implementation "org.conscrypt:conscrypt-android:${versions.conscrypt}"
 
     androidTestImplementation 'androidx.test:runner:1.2.0'
     androidTestImplementation 'androidx.test:rules:1.2.0'
-    androidTestImplementation 'com.squareup.okhttp3:mockwebserver:3.12.3'
+    androidTestImplementation 'com.squareup.okhttp3:mockwebserver:3.12.5'
     androidTestImplementation 'commons-io:commons-io:2.6'
     androidTestImplementation 'org.apache.commons:commons-lang3:3.9'
 
diff --git a/src/test/java/at/bitfire/cert4android/CertUtilsTest.kt b/src/test/java/at/bitfire/cert4android/CertUtilsTest.kt
index 1e9e7a0..d508d1f 100644
--- a/src/test/java/at/bitfire/cert4android/CertUtilsTest.kt
+++ b/src/test/java/at/bitfire/cert4android/CertUtilsTest.kt
@@ -25,7 +25,7 @@ class CertUtilsTest {
     fun getTag() {
         val factory = CertificateFactory.getInstance("X.509")
 
-        javaClass.classLoader.getResourceAsStream("davdroid-web.crt").use { stream ->
+        javaClass.classLoader!!.getResourceAsStream("davdroid-web.crt").use { stream ->
             val cert = factory.generateCertificate(stream) as X509Certificate
             assertNotNull(cert)
 
-- 
GitLab


From 3b6e552e74a39f11a0035512830af757b2901fcb Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Fri, 20 Sep 2019 00:06:33 +0200
Subject: [PATCH 28/37] Fetch translations from Transifex

---
 src/main/res/values-bg/strings.xml  | 17 +++++++++++++++++
 src/main/res/values-sk/strings.xml  |  2 +-
 src/main/res/values-szl/strings.xml | 21 +++++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 src/main/res/values-bg/strings.xml
 create mode 100644 src/main/res/values-szl/strings.xml

diff --git a/src/main/res/values-bg/strings.xml b/src/main/res/values-bg/strings.xml
new file mode 100644
index 0000000..b6ca654
--- /dev/null
+++ b/src/main/res/values-bg/strings.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    <string name="certificate_notification_connection_security">Защита на връзката</string>
+    <string name="certificate_notification_user_interaction">Моля прегледай сертификата</string>
+
+    <string name="service_rejected_temporarily">Сертификатът е временно отхвърлен</string>
+
+    <string name="trust_certificate_unknown_certificate_found">cert4android се натъкна на непознат сертификат.  Искаш ли да му се довериш?</string>
+    <string name="trust_certificate_x509_certificate_details">Подробности за X509 сертификата</string>
+    <string name="trust_certificate_issued_for">Издаден за</string>
+    <string name="trust_certificate_issued_by">Издаден от</string>
+    <string name="trust_certificate_validity_period">Период на годност</string>
+    <string name="trust_certificate_validity_period_value">%1$s – %2$s (няма да се прилага)</string>
+    <string name="trust_certificate_fingerprints">Пръстови отпечатъци</string>
+    <string name="trust_certificate_fingerprint_verified">Проверих целия пръстов отпечатък</string>
+    </resources>
\ No newline at end of file
diff --git a/src/main/res/values-sk/strings.xml b/src/main/res/values-sk/strings.xml
index 32e4546..88162b7 100644
--- a/src/main/res/values-sk/strings.xml
+++ b/src/main/res/values-sk/strings.xml
@@ -11,7 +11,7 @@
     <string name="trust_certificate_issued_for">Vydaný pre</string>
     <string name="trust_certificate_issued_by">Vydaný</string>
     <string name="trust_certificate_validity_period">Obdobie platnosti</string>
-    <string name="trust_certificate_validity_period_value">%1$s – %2$s (nebude sa vynocovať)</string>
+    <string name="trust_certificate_validity_period_value">%1$s – %2$s (nebude sa vynucovať)</string>
     <string name="trust_certificate_fingerprints">Odtlačky</string>
     <string name="trust_certificate_fingerprint_verified">Manuálne som skontroloval celý odtlačok.</string>
     <string name="trust_certificate_accept">Prijať</string>
diff --git a/src/main/res/values-szl/strings.xml b/src/main/res/values-szl/strings.xml
new file mode 100644
index 0000000..2921b84
--- /dev/null
+++ b/src/main/res/values-szl/strings.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+
+    <string name="certificate_notification_connection_security">Bezpieczyństwo połōnczynio</string>
+    <string name="certificate_notification_user_interaction">Przejzdrzij certyfikat</string>
+
+    <string name="service_rejected_temporarily">Certyfikat tymczasowo ôdciepniynty</string>
+
+    <string name="trust_certificate_unknown_certificate_found">cert4android trefiōł niyznōmy certyfikat. Chcesz mu zaufać?</string>
+    <string name="trust_certificate_x509_certificate_details">Informacyje ô certyfikacie X509</string>
+    <string name="trust_certificate_issued_for">Wydane dlo</string>
+    <string name="trust_certificate_issued_by">Wydane ôd</string>
+    <string name="trust_certificate_validity_period">Ôkres ważności</string>
+    <string name="trust_certificate_validity_period_value">%1$s – %2$s (niy bydzie wymuszany)</string>
+    <string name="trust_certificate_fingerprints">Ôdciski palcōw</string>
+    <string name="trust_certificate_fingerprint_verified">Cołki ôdcisk palca bōł ryncznie zweryfikowany.</string>
+    <string name="trust_certificate_accept">Akceptuj</string>
+    <string name="trust_certificate_reject">Ôdciep</string>
+    <string name="trust_certificate_reset_info">We sztelōnkach aplikacyje możesz zresetować wszyjske włosne certyfikaty.</string>
+
+</resources>
\ No newline at end of file
-- 
GitLab


From 1ed2d149d506975f26684c67b49256b0e5df5c8e Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Mon, 7 Oct 2019 11:41:38 +0200
Subject: [PATCH 29/37] Fetch translations from Transifex

---
 src/main/res/values-bg/strings.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/res/values-bg/strings.xml b/src/main/res/values-bg/strings.xml
index b6ca654..f708e10 100644
--- a/src/main/res/values-bg/strings.xml
+++ b/src/main/res/values-bg/strings.xml
@@ -14,4 +14,6 @@
     <string name="trust_certificate_validity_period_value">%1$s – %2$s (няма да се прилага)</string>
     <string name="trust_certificate_fingerprints">Пръстови отпечатъци</string>
     <string name="trust_certificate_fingerprint_verified">Проверих целия пръстов отпечатък</string>
+    <string name="trust_certificate_accept">Приемам</string>
+    <string name="trust_certificate_reject">Отхвърлям</string>
     </resources>
\ No newline at end of file
-- 
GitLab


From edae5c07ac447f887ff0b0618332ad8dd6779ac1 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Thu, 7 Nov 2019 18:09:41 +0100
Subject: [PATCH 30/37] Update dependencies, lint

---
 build.gradle                                               | 4 ++--
 src/main/java/at/bitfire/cert4android/CustomCertManager.kt | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index ac0c8e6..f8bc4a4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -12,7 +12,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.5.0'
+        classpath 'com.android.tools.build:gradle:3.5.2'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:${versions.kotlin}"
         classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${versions.dokka}"
     }
@@ -29,7 +29,7 @@ apply plugin: 'org.jetbrains.dokka-android'
 
 android {
     compileSdkVersion 29
-    buildToolsVersion '29.0.1'
+    buildToolsVersion '29.0.2'
 
     defaultConfig {
         minSdkVersion 14
diff --git a/src/main/java/at/bitfire/cert4android/CustomCertManager.kt b/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
index dcbc69e..4e5df4a 100644
--- a/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
+++ b/src/main/java/at/bitfire/cert4android/CustomCertManager.kt
@@ -91,9 +91,10 @@ class CustomCertManager @JvmOverloads constructor(
             }
         }
 
-        if (Looper.myLooper() == Looper.getMainLooper())
+        check(Looper.myLooper() != Looper.getMainLooper()) {
             // service is actually created after bindService() by code running in looper, so this would block
-            throw IllegalStateException("must not be run on main thread")
+            "must not be run on main thread"
+        }
 
         Constants.log.fine("Binding to service")
         if (context.bindService(Intent(context, CustomCertService::class.java), newServiceConn, Context.BIND_AUTO_CREATE)) {
-- 
GitLab


From e92f802f6b30b6208a83671053812a279369f208 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Thu, 7 Nov 2019 18:45:01 +0100
Subject: [PATCH 31/37] Use headless emulator from new repo for testing

---
 .gitlab-ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b61997a..d0c45d3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,5 @@
-image: registry.gitlab.com/bitfireat/davx5-ose:latest
+# https://gitlab.com/bitfireAT/docker-android-emulator
+image: registry.gitlab.com/bitfireat/docker-android-emulator:latest
 
 before_script:
   - export GRADLE_USER_HOME=`pwd`/.gradle; chmod +x gradlew
@@ -9,9 +10,8 @@ cache:
 
 test:
   script:
-    - (cd /sdk/emulator; ./emulator @test -no-audio -no-window & wait-for-emulator.sh)
+    - start-emulator.sh
     - ./gradlew check connectedCheck
-    - ./gradlew check
   artifacts:
     paths:
       - build/outputs/lint-results-debug.html
-- 
GitLab


From 1af8ab08dce4234e0315e93d24b8441b65c8d0e6 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sat, 9 Nov 2019 12:54:01 +0100
Subject: [PATCH 32/37] Require privileged tag for Android tests, but allow
 documentation to be built by shared runner

---
 .gitlab-ci.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d0c45d3..643777d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,4 @@
-# https://gitlab.com/bitfireAT/docker-android-emulator
-image: registry.gitlab.com/bitfireat/docker-android-emulator:latest
+image: openjdk:8-jdk-slim
 
 before_script:
   - export GRADLE_USER_HOME=`pwd`/.gradle; chmod +x gradlew
@@ -9,6 +8,9 @@ cache:
      - .gradle/
 
 test:
+  image: registry.gitlab.com/bitfireat/docker-android-emulator:latest
+  tags:
+    - privileged
   script:
     - start-emulator.sh
     - ./gradlew check connectedCheck
-- 
GitLab


From 77c6c30c9f45f83800be7d8fbf31c95672dc5fa3 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Sat, 9 Nov 2019 19:46:32 +0100
Subject: [PATCH 33/37] Update dokka

---
 .gitlab-ci.yml | 3 +--
 build.gradle   | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 643777d..3e1bc60 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,4 @@
-image: openjdk:8-jdk-slim
+image: registry.gitlab.com/bitfireat/docker-android-emulator:latest
 
 before_script:
   - export GRADLE_USER_HOME=`pwd`/.gradle; chmod +x gradlew
@@ -8,7 +8,6 @@ cache:
      - .gradle/
 
 test:
-  image: registry.gitlab.com/bitfireat/docker-android-emulator:latest
   tags:
     - privileged
   script:
diff --git a/build.gradle b/build.gradle
index f8bc4a4..735686c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -2,7 +2,7 @@
 buildscript {
     ext.versions = [
         kotlin: '1.3.50',
-        dokka: '0.9.18',
+        dokka: '0.10.0',
         conscrypt: '2.2.1'
     ]
 
@@ -14,7 +14,7 @@ buildscript {
     dependencies {
         classpath 'com.android.tools.build:gradle:3.5.2'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:${versions.kotlin}"
-        classpath "org.jetbrains.dokka:dokka-android-gradle-plugin:${versions.dokka}"
+        classpath "org.jetbrains.dokka:dokka-gradle-plugin:${versions.dokka}"
     }
 }
 
@@ -25,7 +25,7 @@ repositories {
 
 apply plugin: 'com.android.library'
 apply plugin: 'kotlin-android'
-apply plugin: 'org.jetbrains.dokka-android'
+apply plugin: 'org.jetbrains.dokka'
 
 android {
     compileSdkVersion 29
-- 
GitLab


From 7ca60d8deb4ff020343f472eb6ae5c898d508bd7 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Tue, 12 Nov 2019 13:10:33 +0100
Subject: [PATCH 34/37] Dokka: add source and JDK links

---
 build.gradle | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/build.gradle b/build.gradle
index 735686c..021ce65 100644
--- a/build.gradle
+++ b/build.gradle
@@ -51,6 +51,14 @@ android {
     defaultConfig {
         testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
     }
+
+    dokka.configuration {
+        sourceLink {
+            url = "https://gitlab.com/bitfireAT/cert4android/tree/master/"
+            lineSuffix = "#L"
+        }
+        jdkVersion = 7
+    }
 }
 
 dependencies {
-- 
GitLab


From 8b2658df73a23f44994d99a9348dfbacb4eea217 Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Mon, 25 Nov 2019 22:53:02 +0100
Subject: [PATCH 35/37] Fetch translations from Transifex

---
 src/main/res/values-fa/strings.xml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/main/res/values-fa/strings.xml b/src/main/res/values-fa/strings.xml
index 583641d..52f5aa5 100644
--- a/src/main/res/values-fa/strings.xml
+++ b/src/main/res/values-fa/strings.xml
@@ -1,4 +1,20 @@
 <?xml version="1.0" encoding="utf-8"?>
 <resources>
 
-    </resources>
\ No newline at end of file
+    <string name="certificate_notification_connection_security">امنیت اتصال</string>
+    <string name="certificate_notification_user_interaction">لطفا گواهی‌نامه‌ی خود را بازبینی کنید</string>
+
+    <string name="service_rejected_temporarily">گواهی‌نامه موقتاً رد شده‌است</string>
+
+    <string name="trust_certificate_unknown_certificate_found">cert4android با یک گواهی‌نامه‌ی ناشناخته مواجه‌شده‌است. آیا به آن اعتماد می‌کنید؟</string>
+    <string name="trust_certificate_x509_certificate_details">جزئیات گواهی‌نامه‌ی X509</string>
+    <string name="trust_certificate_issued_for">مشکل برای</string>
+    <string name="trust_certificate_issued_by">مشکل از</string>
+    <string name="trust_certificate_validity_period">دوره‌ی اعتبار</string>
+    <string name="trust_certificate_fingerprints">اثر انگشت‌ها</string>
+    <string name="trust_certificate_fingerprint_verified">به صورت دستی تمام اثر انگشت را تایید می‌کنم</string>
+    <string name="trust_certificate_accept">قبول</string>
+    <string name="trust_certificate_reject">رد</string>
+    <string name="trust_certificate_reset_info">شما می‌توانید تمام گواهی‌نامه‌های سفارشی را در تنظیمات برنامه مجدداً تنظیم کنید.</string>
+
+</resources>
\ No newline at end of file
-- 
GitLab


From ae585f252600e475c44bddce0ddb4c159e9c7f8a Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Wed, 11 Dec 2019 12:46:16 +0100
Subject: [PATCH 36/37] Update gradle plugin, Kotlin

---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 021ce65..18b2e9c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,7 +1,7 @@
 
 buildscript {
     ext.versions = [
-        kotlin: '1.3.50',
+        kotlin: '1.3.61',
         dokka: '0.10.0',
         conscrypt: '2.2.1'
     ]
@@ -12,7 +12,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.5.2'
+        classpath 'com.android.tools.build:gradle:3.5.3'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:${versions.kotlin}"
         classpath "org.jetbrains.dokka:dokka-gradle-plugin:${versions.dokka}"
     }
-- 
GitLab


From b552b2c440b43f86b6b3d69c97c0d9d62a351f9a Mon Sep 17 00:00:00 2001
From: Ricki Hirner <hirner@bitfire.at>
Date: Thu, 26 Dec 2019 16:55:28 +0100
Subject: [PATCH 37/37] Use new Material theme

---
 build.gradle                                  |  1 +
 src/main/AndroidManifest.xml                  |  3 ++-
 .../res/layout/activity_trust_certificate.xml | 25 +++++++++++--------
 3 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/build.gradle b/build.gradle
index ac0c8e6..1f88fc4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -61,6 +61,7 @@ dependencies {
     implementation 'androidx.lifecycle:lifecycle-extensions:2.1.0'
     implementation 'androidx.lifecycle:lifecycle-livedata:2.1.0'
     implementation 'androidx.lifecycle:lifecycle-viewmodel-ktx:2.1.0'
+    implementation 'com.google.android.material:material:1.2.0-alpha03'
     implementation "org.conscrypt:conscrypt-android:${versions.conscrypt}"
 
     androidTestImplementation 'androidx.test:runner:1.2.0'
diff --git a/src/main/AndroidManifest.xml b/src/main/AndroidManifest.xml
index 4295ab6..d3104a2 100644
--- a/src/main/AndroidManifest.xml
+++ b/src/main/AndroidManifest.xml
@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
-	package="at.bitfire.cert4android">
+    xmlns:tools="http://schemas.android.com/tools"
+    package="at.bitfire.cert4android">
 
     <application>
 
diff --git a/src/main/res/layout/activity_trust_certificate.xml b/src/main/res/layout/activity_trust_certificate.xml
index 9470a59..acdfffb 100644
--- a/src/main/res/layout/activity_trust_certificate.xml
+++ b/src/main/res/layout/activity_trust_certificate.xml
@@ -25,21 +25,22 @@
                 android:text="@string/trust_certificate_unknown_certificate_found"
                 android:textAppearance="?android:attr/textAppearanceMedium"/>
 
-            <androidx.cardview.widget.CardView
+            <com.google.android.material.card.MaterialCardView
                 android:layout_width="match_parent"
                 android:layout_height="wrap_content"
-                app:cardElevation="8dp">
+                style="@style/Widget.MaterialComponents.CardView">
 
                 <LinearLayout
                     android:layout_width="match_parent"
                     android:layout_height="wrap_content"
                     android:orientation="vertical"
-                    android:layout_margin="8dp">
+                    android:layout_margin="8dp"
+                    android:padding="8dp">
 
                     <TextView
                         android:layout_width="match_parent"
                         android:layout_height="wrap_content"
-                        style="@style/TextView.Heading"
+                        style="@style/TextAppearance.MaterialComponents.Headline5"
                         android:layout_marginBottom="16dp"
                         android:text="@string/trust_certificate_x509_certificate_details"/>
 
@@ -106,30 +107,32 @@
                         android:checked="@={model.verifiedByUser}"
                         android:text="@string/trust_certificate_fingerprint_verified"/>
 
-                    <androidx.appcompat.widget.ButtonBarLayout
+                    <LinearLayout
                         android:layout_width="match_parent"
-                        android:layout_height="wrap_content">
+                        android:layout_height="wrap_content"
+                        android:orientation="horizontal">
 
                         <Button
                             android:layout_width="wrap_content"
                             android:layout_height="wrap_content"
-                            style="@style/Widget.AppCompat.Button.Borderless.Colored"
+                            android:layout_marginRight="16dp"
+                            style="@style/Widget.MaterialComponents.Button"
                             android:text="@string/trust_certificate_accept"
                             android:onClick="acceptCertificate"
-                            android:enabled="@{model.verifiedByUser}"/>
+                            android:enabled="@{model.verifiedByUser}" />
 
                         <Button
                             android:layout_width="wrap_content"
                             android:layout_height="wrap_content"
-                            style="@style/Widget.AppCompat.Button.Borderless"
+                            style="@style/Widget.MaterialComponents.Button.TextButton"
                             android:text="@string/trust_certificate_reject"
                             android:onClick="rejectCertificate"/>
 
-                    </androidx.appcompat.widget.ButtonBarLayout>
+                    </LinearLayout>
 
                 </LinearLayout>
 
-            </androidx.cardview.widget.CardView>
+            </com.google.android.material.card.MaterialCardView>
 
             <TextView
                 android:layout_width="match_parent"
-- 
GitLab