Require cert pinning for HTTPS

moonlight-common/src/main/java/com/limelight/nvstream/http/NvHTTP.java

@@ -66,8 +66,11 @@ public class NvHTTP {
 		
 	private TrustManager[] trustManager;
 	private KeyManager[] keyManager;
+	private X509Certificate serverCert;
+
+	void setServerCert(final X509Certificate serverCert) {
+		this.serverCert = serverCert;
 
-	private void initializeHttpState(final X509Certificate serverCert, final LimelightCryptoProvider cryptoProvider) {
 		trustManager = new TrustManager[] {
 			new X509TrustManager() {
 				public X509Certificate[] getAcceptedIssuers() {
@@ -82,11 +85,17 @@ public class NvHTTP {
 					}
 
 					// Check the server certificate if we've paired to this host
-						if (serverCert != null && !certs[0].equals(serverCert)) {
+					if (!certs[0].equals(serverCert)) {
 						throw new CertificateException("Certificate mismatch");
 					}
 				}
-				}};
+			}
+		};
+	}
+
+	private void initializeHttpState(final X509Certificate serverCert, final LimelightCryptoProvider cryptoProvider) {
+		// Set up TrustManager
+		setServerCert(serverCert);
 
 		keyManager = new KeyManager[] {
 				new X509KeyManager() {
@@ -187,7 +196,7 @@ public class NvHTTP {
 		}
 	}
 	
-	public String getServerInfo() throws MalformedURLException, IOException, XmlPullParserException {
+	public String getServerInfo() throws IOException, XmlPullParserException {
 		String resp;
 		
 		//
@@ -196,6 +205,8 @@ public class NvHTTP {
 		// like there are extra request headers required to make this stuff work over HTTP.
 		//
 
+		// When we have a pinned cert, use HTTPS to fetch serverinfo and fall back on cert mismatch
+		if (serverCert != null) {
 			try {
 				try {
 					resp = openHttpConnectionToString(baseUrlHttps + "/serverinfo?"+buildUniqueIdUuidString(), true);
@@ -224,10 +235,16 @@ public class NvHTTP {
 				// If it's not a cert validation error, throw it
 				throw e;
 			}
+
 			return resp;
 		}
+		else {
+			// No pinned cert, so use HTTP
+			return openHttpConnectionToString(baseUrlHttp + "/serverinfo", true);
+		}
+	}
 	
-	public ComputerDetails getComputerDetails() throws MalformedURLException, IOException, XmlPullParserException {
+	public ComputerDetails getComputerDetails() throws IOException, XmlPullParserException {
 		ComputerDetails details = new ComputerDetails();
 		String serverInfo = getServerInfo();
 		
@@ -285,6 +302,10 @@ public class NvHTTP {
 		Request request = new Request.Builder().url(url).build();
 		Response response;
 
+		if (serverCert == null && !url.startsWith(baseUrlHttp)) {
+			throw new IllegalStateException("Attempted HTTPS fetch without pinned cert");
+		}
+		
 		if (enableReadTimeout) {
 			performAndroidTlsHack(httpClientWithReadTimeout);
 			response = httpClientWithReadTimeout.newCall(request).execute();
@@ -552,7 +573,7 @@ public class NvHTTP {
 	}
 	
 	public void unpair() throws IOException {
-		openHttpConnectionToString(baseUrlHttps + "/unpair?"+buildUniqueIdUuidString(), true);
+		openHttpConnectionToString(baseUrlHttp + "/unpair?"+buildUniqueIdUuidString(), true);
 	}
 	
 	public InputStream getBoxArt(NvApp app) throws IOException {

moonlight-common/src/main/java/com/limelight/nvstream/http/PairingManager.java

@@ -198,7 +198,7 @@ public class PairingManager {
 			return PairState.FAILED;
 		}
 
-		// Save this cert for retrieval later for pinning
+		// Save this cert for retrieval later
 		serverCert = extractPlainCert(getCert);
 		if (serverCert == null) {
 			// Attempting to pair while another device is pairing will cause GFE
@@ -206,6 +206,9 @@ public class PairingManager {
 			return PairState.ALREADY_IN_PROGRESS;
 		}
 
+		// Require this cert for TLS to this host
+		http.setServerCert(serverCert);
+		
 		// Generate a random challenge and encrypt it with our AES key
 		byte[] randomChallenge = generateRandomBytes(16);
 		byte[] encryptedChallenge = encryptAes(randomChallenge, aesKey);