Merge branch 'master' of github.com:open-keychain/open-keychain

2015-09-21 14:41:32 +02:00
parent 2b83ed6cfc 7d9e44afd7
commit 624299b3f1
9 changed files with 186 additions and 35 deletions
--- a/OpenKeychain/src/main/assets/keybase.io.CA.cer
+++ b/OpenKeychain/src/main/assets/keybase.io.CA.cer
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
+MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
+YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
+EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
+U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
+VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
+SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
+1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
+DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
+QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
+YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
+qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
+JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
+BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
+MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
+dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
+rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
+fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
+kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
+uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
+ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
+gP8L8mJMcCaY
+-----END CERTIFICATE-----
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
@@ -100,6 +100,12 @@ public class KeychainApplication extends Application {

        TlsHelper.addPinnedCertificate("hkps.pool.sks-keyservers.net", getAssets(), "hkps.pool.sks-keyservers.net.CA.cer");
        TlsHelper.addPinnedCertificate("pgp.mit.edu", getAssets(), "pgp.mit.edu.cer");
+        // NOTE:
+        // keybase.io.CA.cer only holds the CA issuing the actual keybase.io certificate, but this
+        // is better than no pinning!
+        // We are not using https://github.com/keybase/node-client/blob/master/src/ca.iced
+        // because it is only valid for api.keybase.io (https://github.com/keybase/keybase-issues/issues/964)
+        TlsHelper.addPinnedCertificate("keybase.io", getAssets(), "keybase.io.CA.cer");

        TemporaryStorageProvider.cleanUp(this);

--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/KeybaseKeyserver.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/KeybaseKeyserver.java
@@ -19,12 +19,13 @@ package org.sufficientlysecure.keychain.keyimport;

 import com.textuality.keybase.lib.KeybaseException;
 import com.textuality.keybase.lib.Match;
-import com.textuality.keybase.lib.Search;
+import com.textuality.keybase.lib.KeybaseQuery;
 import com.textuality.keybase.lib.User;

 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils;
 import org.sufficientlysecure.keychain.util.Log;
+import org.sufficientlysecure.keychain.util.OkHttpKeybaseClient;

 import java.net.Proxy;
 import java.util.ArrayList;
@@ -49,7 +50,9 @@ public class KeybaseKeyserver extends Keyserver {
        mQuery = query;

        try {
-            Iterable<Match> matches = Search.search(query, proxy);
+            KeybaseQuery keybaseQuery = new KeybaseQuery(new OkHttpKeybaseClient());
+            keybaseQuery.setProxy(proxy);
+            Iterable<Match> matches = keybaseQuery.search(query);
            for (Match match : matches) {
                results.add(makeEntry(match));
            }
@@ -101,7 +104,9 @@ public class KeybaseKeyserver extends Keyserver {
    @Override
    public String get(String id, Proxy proxy) throws QueryFailedException {
        try {
-            return User.keyForUsername(id, proxy);
+            KeybaseQuery keybaseQuery = new KeybaseQuery(new OkHttpKeybaseClient());
+            keybaseQuery.setProxy(proxy);
+            return User.keyForUsername(keybaseQuery, id);
        } catch (KeybaseException e) {
            throw new QueryFailedException(e.getMessage());
        }
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/KeybaseVerificationOperation.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/KeybaseVerificationOperation.java
@@ -20,39 +20,43 @@
 package org.sufficientlysecure.keychain.operations;


-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-import java.net.Proxy;
-import java.util.ArrayList;
-import java.util.List;
-
 import android.content.Context;
 import android.support.annotation.NonNull;

+import com.textuality.keybase.lib.KeybaseQuery;
 import com.textuality.keybase.lib.Proof;
 import com.textuality.keybase.lib.prover.Prover;
-import de.measite.minidns.Client;
-import de.measite.minidns.DNSMessage;
-import de.measite.minidns.Question;
-import de.measite.minidns.Record;
-import de.measite.minidns.record.Data;
-import de.measite.minidns.record.TXT;
+
 import org.json.JSONObject;
 import org.spongycastle.openpgp.PGPUtil;
 import org.sufficientlysecure.keychain.R;
 import org.sufficientlysecure.keychain.operations.results.DecryptVerifyResult;
 import org.sufficientlysecure.keychain.operations.results.KeybaseVerificationResult;
 import org.sufficientlysecure.keychain.operations.results.OperationResult;
-import org.sufficientlysecure.keychain.pgp.PgpDecryptVerifyOperation;
 import org.sufficientlysecure.keychain.pgp.PgpDecryptVerifyInputParcel;
+import org.sufficientlysecure.keychain.pgp.PgpDecryptVerifyOperation;
 import org.sufficientlysecure.keychain.pgp.Progressable;
 import org.sufficientlysecure.keychain.provider.ProviderHelper;
 import org.sufficientlysecure.keychain.service.KeybaseVerificationParcel;
 import org.sufficientlysecure.keychain.service.input.CryptoInputParcel;
 import org.sufficientlysecure.keychain.service.input.RequiredInputParcel;
+import org.sufficientlysecure.keychain.util.OkHttpKeybaseClient;
 import org.sufficientlysecure.keychain.util.Preferences;
 import org.sufficientlysecure.keychain.util.orbot.OrbotHelper;

+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.net.Proxy;
+import java.util.ArrayList;
+import java.util.List;
+
+import de.measite.minidns.Client;
+import de.measite.minidns.DNSMessage;
+import de.measite.minidns.Question;
+import de.measite.minidns.Record;
+import de.measite.minidns.record.Data;
+import de.measite.minidns.record.TXT;
+
 public class KeybaseVerificationOperation extends BaseOperation<KeybaseVerificationParcel> {

    public KeybaseVerificationOperation(Context context, ProviderHelper providerHelper,
@@ -83,6 +87,9 @@ public class KeybaseVerificationOperation extends BaseOperation<KeybaseVerificat
        log.add(OperationResult.LogType.MSG_KEYBASE_VERIFICATION, 0, requiredFingerprint);

        try {
+            KeybaseQuery keybaseQuery = new KeybaseQuery(new OkHttpKeybaseClient());
+            keybaseQuery.setProxy(proxy);
+
            String keybaseProof = keybaseInput.mKeybaseProof;
            Proof proof = new Proof(new JSONObject(keybaseProof));
            mProgressable.setProgress(R.string.keybase_message_fetching_data, 0, 100);
@@ -95,7 +102,7 @@ public class KeybaseVerificationOperation extends BaseOperation<KeybaseVerificat
                return new KeybaseVerificationResult(OperationResult.RESULT_ERROR, log);
            }

-            if (!prover.fetchProofData(proxy)) {
+            if (!prover.fetchProofData(keybaseQuery)) {
                log.add(OperationResult.LogType.MSG_KEYBASE_ERROR_FETCH_PROOF, 1);
                return new KeybaseVerificationResult(OperationResult.RESULT_ERROR, log);
            }
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ViewKeyKeybaseFragment.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ViewKeyKeybaseFragment.java
@@ -40,6 +40,7 @@ import android.widget.TableRow;
 import android.widget.TextView;

 import com.textuality.keybase.lib.KeybaseException;
+import com.textuality.keybase.lib.KeybaseQuery;
 import com.textuality.keybase.lib.Proof;
 import com.textuality.keybase.lib.User;

@@ -51,6 +52,7 @@ import org.sufficientlysecure.keychain.service.KeybaseVerificationParcel;
 import org.sufficientlysecure.keychain.ui.base.CryptoOperationHelper;
 import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils;
 import org.sufficientlysecure.keychain.util.Log;
+import org.sufficientlysecure.keychain.util.OkHttpKeybaseClient;
 import org.sufficientlysecure.keychain.util.ParcelableProxy;
 import org.sufficientlysecure.keychain.util.Preferences;
 import org.sufficientlysecure.keychain.util.orbot.OrbotHelper;
@@ -240,7 +242,9 @@ public class ViewKeyKeybaseFragment extends LoaderFragment implements
            final ArrayList<CharSequence> proofList = new ArrayList<CharSequence>();
            final Hashtable<Integer, ArrayList<Proof>> proofs = new Hashtable<Integer, ArrayList<Proof>>();
            try {
-                User keybaseUser = User.findByFingerprint(fingerprint, mParcelableProxy.getProxy());
+                KeybaseQuery keybaseQuery = new KeybaseQuery(new OkHttpKeybaseClient());
+                keybaseQuery.setProxy(mParcelableProxy.getProxy());
+                User keybaseUser = User.findByFingerprint(keybaseQuery, fingerprint);
                for (Proof proof : keybaseUser.getProofs()) {
                    Integer proofType = proof.getType();
                    appendIfOK(proofs, proofType, proof);
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/FilterCursorWrapper.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/FilterCursorWrapper.java
@@ -1,3 +1,20 @@
+/*
+ * Copyright (C) 2015 Dominik Schürmann <dominik@dominikschuermann.de>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 package org.sufficientlysecure.keychain.util;


--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpKeybaseClient.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpKeybaseClient.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2015 Dominik Schürmann <dominik@dominikschuermann.de>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.sufficientlysecure.keychain.util;
+
+import com.squareup.okhttp.OkHttpClient;
+import com.squareup.okhttp.OkUrlFactory;
+import com.textuality.keybase.lib.KeybaseUrlConnectionClient;
+
+import org.sufficientlysecure.keychain.Constants;
+
+import java.io.IOException;
+import java.net.Proxy;
+import java.net.URL;
+import java.net.URLConnection;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Wrapper for Keybase Lib
+ */
+public class OkHttpKeybaseClient implements KeybaseUrlConnectionClient {
+
+    private final OkUrlFactory factory;
+
+    private static OkUrlFactory generateUrlFactory() {
+        OkHttpClient client = new OkHttpClient();
+        return new OkUrlFactory(client);
+    }
+
+    public OkHttpKeybaseClient() {
+        factory = generateUrlFactory();
+    }
+
+    @Override
+    public URLConnection openConnection(URL url) throws IOException {
+        return openConnection(url, null);
+    }
+
+    @Override
+    public URLConnection openConnection(URL url, Proxy proxy) throws IOException {
+        if (proxy != null) {
+            factory.client().setProxy(proxy);
+            factory.client().setConnectTimeout(30000, TimeUnit.MILLISECONDS);
+            factory.client().setReadTimeout(40000, TimeUnit.MILLISECONDS);
+        } else {
+            factory.client().setConnectTimeout(5000, TimeUnit.MILLISECONDS);
+            factory.client().setReadTimeout(25000, TimeUnit.MILLISECONDS);
+        }
+
+        factory.client().setFollowSslRedirects(false);
+
+        // forced the usage of keybase.io pinned certificate
+        try {
+            if (!TlsHelper.usePinnedCertificateIfAvailable(factory.client(), url)) {
+                throw new IOException("no pinned certificate found for URL!");
+            }
+        } catch (TlsHelper.TlsHelperException e) {
+            Log.e(Constants.TAG, "TlsHelper failed", e);
+            throw new IOException("TlsHelper failed");
+        }
+
+        return factory.open(url);
+    }
+
+}