drop broken pinning mechanism
This commit is contained in:
Vincent Breitmoser
@@ -23,21 +23,13 @@ import java.lang.reflect.Method;
|
||||
import java.security.Security;
|
||||
import java.util.HashMap;
|
||||
|
||||
import android.accounts.Account;
|
||||
import android.accounts.AccountManager;
|
||||
import android.annotation.SuppressLint;
|
||||
import android.app.Application;
|
||||
import android.content.Context;
|
||||
import android.graphics.Bitmap;
|
||||
import android.os.Build;
|
||||
import android.os.Build.VERSION;
|
||||
import android.os.Build.VERSION_CODES;
|
||||
import android.widget.Toast;
|
||||
|
||||
import androidx.annotation.Nullable;
|
||||
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
||||
import org.sufficientlysecure.keychain.keysync.KeyserverSyncManager;
|
||||
import org.sufficientlysecure.keychain.network.TlsCertificatePinning;
|
||||
import org.sufficientlysecure.keychain.provider.TemporaryFileProvider;
|
||||
import org.sufficientlysecure.keychain.util.PRNGFixes;
|
||||
import org.sufficientlysecure.keychain.util.Preferences;
|
||||
@@ -95,11 +87,6 @@ public class KeychainApplication extends Application {
|
||||
// Upgrade preferences as needed
|
||||
preferences.upgradePreferences();
|
||||
|
||||
TlsCertificatePinning.addPinnedCertificate("keys.openpgp.org", getAssets(), "LetsEncryptCA.cer");
|
||||
TlsCertificatePinning.addPinnedCertificate("hkps.pool.sks-keyservers.net", getAssets(), "hkps.pool.sks-keyservers.net.CA.cer");
|
||||
TlsCertificatePinning.addPinnedCertificate("pgp.mit.edu", getAssets(), "pgp.mit.edu.cer");
|
||||
TlsCertificatePinning.addPinnedCertificate("keyserver.ubuntu.com", getAssets(), "LetsEncryptCA.cer");
|
||||
|
||||
// only set up the rest on our main process
|
||||
if (!BuildConfig.APPLICATION_ID.equals(getProcessName())) {
|
||||
return;
|
||||
|
||||
@@ -71,15 +71,6 @@ public class OkHttpClientFactory {
|
||||
.readTimeout(25000, TimeUnit.MILLISECONDS);
|
||||
}
|
||||
|
||||
// If a pinned cert is available, use it!
|
||||
// NOTE: this fails gracefully back to "no pinning" if no cert is available.
|
||||
TlsCertificatePinning tlsCertificatePinning = new TlsCertificatePinning(url);
|
||||
boolean isHttpsProtocol = "https".equals(url.getProtocol());
|
||||
boolean isPinAvailable = tlsCertificatePinning.isPinAvailable();
|
||||
if (isHttpsProtocol && isPinAvailable) {
|
||||
tlsCertificatePinning.pinCertificate(builder);
|
||||
}
|
||||
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
|
||||
@@ -1,140 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2017 Schürmann & Breitmoser GbR
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
package org.sufficientlysecure.keychain.network;
|
||||
|
||||
import android.content.res.AssetManager;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.net.URL;
|
||||
import java.security.KeyManagementException;
|
||||
import java.security.KeyStore;
|
||||
import java.security.KeyStoreException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.CertificateFactory;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLSocketFactory;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
|
||||
import okhttp3.OkHttpClient;
|
||||
import timber.log.Timber;
|
||||
|
||||
|
||||
public class TlsCertificatePinning {
|
||||
|
||||
private static Map<String, byte[]> sCertificatePins = new HashMap<>();
|
||||
|
||||
/**
|
||||
* Add certificate from assets to pinned certificate map.
|
||||
*/
|
||||
public static void addPinnedCertificate(String host, AssetManager assetManager, String cerFilename) {
|
||||
try {
|
||||
InputStream is = assetManager.open(cerFilename);
|
||||
ByteArrayOutputStream baos = new ByteArrayOutputStream();
|
||||
int reads = is.read();
|
||||
|
||||
while (reads != -1) {
|
||||
baos.write(reads);
|
||||
reads = is.read();
|
||||
}
|
||||
|
||||
is.close();
|
||||
|
||||
sCertificatePins.put(host, baos.toByteArray());
|
||||
} catch (IOException e) {
|
||||
Timber.w(e);
|
||||
}
|
||||
}
|
||||
|
||||
private final URL url;
|
||||
|
||||
public TlsCertificatePinning(URL url) {
|
||||
this.url = url;
|
||||
}
|
||||
|
||||
public boolean isPinAvailable() {
|
||||
return sCertificatePins.containsKey(url.getHost());
|
||||
}
|
||||
|
||||
/**
|
||||
* Modifies the builder to accept only requests with a given certificate.
|
||||
* Applies to all URLs requested by the builder.
|
||||
* Therefore a builder that is pinned this way should be used to only make requests
|
||||
* to URLs with passed certificate.
|
||||
*/
|
||||
void pinCertificate(OkHttpClient.Builder builder) {
|
||||
Timber.d("Pinning certificate for " + url);
|
||||
|
||||
// We don't use OkHttp's CertificatePinner since it can not be used to pin self-signed
|
||||
// certificate if such certificate is not accepted by TrustManager.
|
||||
// (Refer to note at end of description:
|
||||
// http://square.github.io/okhttp/javadoc/com/squareup/okhttp/CertificatePinner.html )
|
||||
// Creating our own TrustManager that trusts only our certificate eliminates the need for certificate pinning
|
||||
try {
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
byte[] certificate = sCertificatePins.get(url.getHost());
|
||||
Certificate ca = cf.generateCertificate(new ByteArrayInputStream(certificate));
|
||||
|
||||
KeyStore keyStore = createSingleCertificateKeyStore(ca);
|
||||
X509TrustManager trustManager = createTrustManager(keyStore);
|
||||
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
sslContext.init(null, new TrustManager[]{trustManager}, null);
|
||||
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
|
||||
|
||||
builder.sslSocketFactory(sslSocketFactory, trustManager);
|
||||
} catch (CertificateException | KeyStoreException |
|
||||
KeyManagementException | NoSuchAlgorithmException | IOException e) {
|
||||
throw new IllegalStateException(e);
|
||||
}
|
||||
}
|
||||
|
||||
private KeyStore createSingleCertificateKeyStore(Certificate ca) throws KeyStoreException,
|
||||
CertificateException, NoSuchAlgorithmException, IOException {
|
||||
String keyStoreType = KeyStore.getDefaultType();
|
||||
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
|
||||
keyStore.load(null, null);
|
||||
keyStore.setCertificateEntry("ca", ca);
|
||||
|
||||
return keyStore;
|
||||
}
|
||||
|
||||
private X509TrustManager createTrustManager(KeyStore keyStore) throws NoSuchAlgorithmException,
|
||||
KeyStoreException {
|
||||
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
|
||||
TrustManagerFactory.getDefaultAlgorithm());
|
||||
trustManagerFactory.init(keyStore);
|
||||
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
|
||||
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
|
||||
throw new IllegalStateException("Unexpected default trust managers: "
|
||||
+ Arrays.toString(trustManagers));
|
||||
}
|
||||
|
||||
return (X509TrustManager) trustManagers[0];
|
||||
}
|
||||
}
|
||||
@@ -33,10 +33,6 @@ import android.os.Bundle;
|
||||
import android.os.Message;
|
||||
import android.os.Messenger;
|
||||
import android.os.RemoteException;
|
||||
import androidx.annotation.NonNull;
|
||||
import com.google.android.material.textfield.TextInputLayout;
|
||||
import androidx.fragment.app.DialogFragment;
|
||||
import androidx.appcompat.app.AlertDialog;
|
||||
import android.view.KeyEvent;
|
||||
import android.view.LayoutInflater;
|
||||
import android.view.View;
|
||||
@@ -44,17 +40,19 @@ import android.view.inputmethod.EditorInfo;
|
||||
import android.view.inputmethod.InputMethodManager;
|
||||
import android.widget.Button;
|
||||
import android.widget.CheckBox;
|
||||
import android.widget.CompoundButton;
|
||||
import android.widget.EditText;
|
||||
import android.widget.TextView;
|
||||
import android.widget.TextView.OnEditorActionListener;
|
||||
|
||||
import androidx.annotation.NonNull;
|
||||
import androidx.appcompat.app.AlertDialog;
|
||||
import androidx.fragment.app.DialogFragment;
|
||||
import com.google.android.material.textfield.TextInputLayout;
|
||||
import okhttp3.OkHttpClient;
|
||||
import okhttp3.Request;
|
||||
import org.sufficientlysecure.keychain.R;
|
||||
import org.sufficientlysecure.keychain.keyimport.HkpKeyserverAddress;
|
||||
import org.sufficientlysecure.keychain.network.OkHttpClientFactory;
|
||||
import org.sufficientlysecure.keychain.network.TlsCertificatePinning;
|
||||
import org.sufficientlysecure.keychain.network.orbot.OrbotHelper;
|
||||
import org.sufficientlysecure.keychain.util.ParcelableProxy;
|
||||
import org.sufficientlysecure.keychain.util.Preferences;
|
||||
@@ -84,7 +82,6 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
|
||||
private EditText mKeyserverEditOnionText;
|
||||
private TextInputLayout mKeyserverEditOnionTextLayout;
|
||||
private CheckBox mVerifyKeyserverCheckBox;
|
||||
private CheckBox mOnlyTrustedKeyserverCheckBox;
|
||||
|
||||
public enum DialogAction {
|
||||
ADD,
|
||||
@@ -134,13 +131,6 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
|
||||
mKeyserverEditOnionText = view.findViewById(R.id.keyserver_onion_edit_text);
|
||||
mKeyserverEditOnionTextLayout = view.findViewById(R.id.keyserver_onion_edit_text_layout);
|
||||
mVerifyKeyserverCheckBox = view.findViewById(R.id.verify_connection_checkbox);
|
||||
mOnlyTrustedKeyserverCheckBox = view.findViewById(R.id.only_trusted_keyserver_checkbox);
|
||||
mVerifyKeyserverCheckBox.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
|
||||
@Override
|
||||
public void onCheckedChanged(CompoundButton buttonView, boolean isChecked) {
|
||||
mOnlyTrustedKeyserverCheckBox.setEnabled(isChecked);
|
||||
}
|
||||
});
|
||||
|
||||
switch (mDialogAction) {
|
||||
case ADD: {
|
||||
@@ -243,20 +233,12 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
|
||||
OrbotHelper.DialogActions dialogActions = new OrbotHelper.DialogActions() {
|
||||
@Override
|
||||
public void onOrbotStarted() {
|
||||
verifyConnection(
|
||||
keyserver,
|
||||
proxy,
|
||||
mOnlyTrustedKeyserverCheckBox.isChecked()
|
||||
);
|
||||
verifyConnection(keyserver, proxy);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void onNeutralButton() {
|
||||
verifyConnection(
|
||||
keyserver,
|
||||
null,
|
||||
mOnlyTrustedKeyserverCheckBox.isChecked()
|
||||
);
|
||||
verifyConnection(keyserver, null);
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -266,11 +248,7 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
|
||||
};
|
||||
|
||||
if (OrbotHelper.putOrbotInRequiredState(dialogActions, getActivity())) {
|
||||
verifyConnection(
|
||||
keyserver,
|
||||
proxy,
|
||||
mOnlyTrustedKeyserverCheckBox.isChecked()
|
||||
);
|
||||
verifyConnection(keyserver, proxy);
|
||||
}
|
||||
} else {
|
||||
dismiss();
|
||||
@@ -327,7 +305,7 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
|
||||
|
||||
}
|
||||
|
||||
public void verifyConnection(HkpKeyserverAddress keyserver, final ParcelableProxy proxy, final boolean onlyTrustedKeyserver) {
|
||||
public void verifyConnection(HkpKeyserverAddress keyserver, ParcelableProxy proxy) {
|
||||
|
||||
new AsyncTask<HkpKeyserverAddress, Void, VerifyReturn>() {
|
||||
ProgressDialog mProgressDialog;
|
||||
@@ -345,7 +323,7 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
|
||||
protected VerifyReturn doInBackground(HkpKeyserverAddress... keyservers) {
|
||||
mKeyserver = keyservers[0];
|
||||
|
||||
return verifyKeyserver(mKeyserver, proxy, onlyTrustedKeyserver);
|
||||
return verifyKeyserver(mKeyserver, proxy);
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -360,20 +338,11 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
|
||||
}.execute(keyserver);
|
||||
}
|
||||
|
||||
private VerifyReturn verifyKeyserver(HkpKeyserverAddress keyserver, final ParcelableProxy proxy, final boolean onlyTrustedKeyserver) {
|
||||
private VerifyReturn verifyKeyserver(HkpKeyserverAddress keyserver, ParcelableProxy proxy) {
|
||||
VerifyReturn reason = VerifyReturn.GOOD;
|
||||
try {
|
||||
URI keyserverUriHttp = keyserver.getUrlURI();
|
||||
|
||||
// check TLS pinning only for non-Tor keyservers
|
||||
TlsCertificatePinning tlsCertificatePinning = new TlsCertificatePinning(keyserverUriHttp.toURL());
|
||||
boolean isPinAvailable = tlsCertificatePinning.isPinAvailable();
|
||||
if (onlyTrustedKeyserver && !isPinAvailable) {
|
||||
Timber.w("No pinned certificate for this host in OpenKeychain's assets.");
|
||||
reason = VerifyReturn.NO_PINNED_CERTIFICATE;
|
||||
return reason;
|
||||
}
|
||||
|
||||
OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(
|
||||
keyserverUriHttp.toURL(), proxy.getProxy());
|
||||
client.newCall(new Request.Builder().url(keyserverUriHttp.toURL()).build()).execute();
|
||||
|
||||
Reference in New Issue
Block a user