Home Connect Security

Overview

The Home Connect protocol driver makes REST calls to the Home Connect backend server. It is designed to support any URL for the backend server. It may be:

Both of these servers are accessible through HTTPS. This requires certain checks to be performed on each connection to make sure that the client (the Home Connect protocol driver) is actually communicating with the expected server, in order to prevent man-in-the-middle attacks.

External services to extend Home Connect protocol driver behaviour

The Home Connect protocol driver is modified in such a way that it tracks and uses any javax.net.ssl.X509TrustManager and/or javax.net.ssl.HostnameVerifier registered in the OSGi service registry with the service registration property service.pid=homeconnect.

  1. If multiple OSGi services with Home Connect service.pid are available, the one with the highest service ranking will be used to check the server certificates and its hostname.
  2. If no OSGi services with Home Connect service.pid are available, then the Home Connect protocol driver will use the JVM default javax.net.ssl.X509TrustManager and javax.net.ssl.HostnameVerifier implementations as fallback.
    1. Getting JVM default X509TrustManager is done by the following code:

          // requires java.security.KeyStore and
          // javax.net.ssl.{TrustManager, TrustManagerFactory, X509TrustManager}
          X509TrustManager defaultTrustManager = null;

          // get an instance of the default TrustManagerFactory
          TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

          // init with a null trust KeyStore; this makes the implementation load the default cacerts file (JDK)
          tmFactory.init((KeyStore) null);

          // iterate through the array of TrustManagers and use the first X509TrustManager instance
          for (TrustManager trustManager : tmFactory.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
              defaultTrustManager = (X509TrustManager) trustManager;
              break;
            }
          }

    2. Getting JVM default HostnameVerifier is easier:

          HostnameVerifier defaultHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();

    3. If there is any problem getting the JVM default implementations, the server certificate and/or hostname verification will fail. This means that if the protocol driver cannot find the default X509TrustManager, it will throw java.security.cert.CertificateException when checking the server certificate.
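
The registration described above can be used to narrow trust from the whole JDK cacerts file to a dedicated truststore. The following bundle activator is an added example, not code from the Home Connect driver. The class name, truststore path, password and ranking value are assumptions chosen for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Constants;
import org.osgi.framework.ServiceRegistration;

// Hypothetical activator: registers a trust manager restricted to one truststore.
public class HomeConnectTrustActivator implements BundleActivator {
    // Assumed placeholder values; replace with the deployment's own.
    private static final String TRUSTSTORE_PATH = "/etc/homeconnect/truststore.p12";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    private ServiceRegistration<X509TrustManager> registration;

    @Override
    public void start(BundleContext context) throws Exception {
        // Load a truststore holding only the CA(s) expected to sign the backend certificate.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(TRUSTSTORE_PATH))) {
            trustStore.load(in, TRUSTSTORE_PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager restricted = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { restricted = (X509TrustManager) tm; break; }
        }
        if (restricted == null) {
            // Fail closed: never register a service that cannot validate certificates.
            throw new IllegalStateException("No X509TrustManager for " + TRUSTSTORE_PATH);
        }
        Hashtable<String, Object> props = new Hashtable<>();
        props.put(Constants.SERVICE_PID, "homeconnect");            // property the driver tracks
        props.put(Constants.SERVICE_RANKING, Integer.valueOf(100)); // assumed ranking; highest wins
        registration = context.registerService(X509TrustManager.class, restricted, props);
    }

    @Override
    public void stop(BundleContext context) {
        if (registration != null) { registration.unregister(); registration = null; }
    }
}
```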

Additional Notes