cthrace/open-keychain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Pin keybase certificate

Browse Source
This commit is contained in:
Dominik Schürmann
2015-09-21 14:05:44 +02:00
parent ad2c8867e6
commit 9ee61dc0df
4 changed files with 57 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
View File

@@ -100,6 +100,12 @@ public class KeychainApplication extends Application {
TlsHelper.addPinnedCertificate("hkps.pool.sks-keyservers.net", getAssets(), "hkps.pool.sks-keyservers.net.CA.cer");
TlsHelper.addPinnedCertificate("pgp.mit.edu", getAssets(), "pgp.mit.edu.cer");
// NOTE:
// keybase.io.CA.cer only holds the CA issuing the actual keybase.io certificate, but this
// is better than no pinning!
// We are not using https://github.com/keybase/node-client/blob/master/src/ca.iced
// because it is only valid for api.keybase.io (https://github.com/keybase/keybase-issues/issues/964)
TlsHelper.addPinnedCertificate("keybase.io", getAssets(), "keybase.io.CA.cer");
TemporaryStorageProvider.cleanUp(this);

45
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpKeybaseClient.java
View File

@@ -1,7 +1,3 @@
package org.sufficientlysecure.keychain.util;
import com.squareup.okhttp.OkHttpClient;
import com.squareup.okhttp.OkUrlFactory;
/*
* Copyright (C) 2015 Dominik Schürmann <dominik@dominikschuermann.de>
*
@@ -19,8 +15,14 @@ import com.squareup.okhttp.OkUrlFactory;
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package org.sufficientlysecure.keychain.util;
import com.squareup.okhttp.OkHttpClient;
import com.squareup.okhttp.OkUrlFactory;
import com.textuality.keybase.lib.KeybaseUrlConnectionClient;
import org.sufficientlysecure.keychain.Constants;
import java.io.IOException;
import java.net.Proxy;
import java.net.URL;
@@ -33,25 +35,14 @@ import java.util.concurrent.TimeUnit;
public class OkHttpKeybaseClient implements KeybaseUrlConnectionClient {
private final OkUrlFactory factory;
private final OkUrlFactory proxyFactory;
private static OkUrlFactory generateUrlFactory() {
OkHttpClient client = new OkHttpClient();
client.setConnectTimeout(5000, TimeUnit.MILLISECONDS);
client.setReadTimeout(25000, TimeUnit.MILLISECONDS);
return new OkUrlFactory(client);
}
private static OkUrlFactory generateProxyUrlFactory() {
OkHttpClient client = new OkHttpClient();
client.setConnectTimeout(30000, TimeUnit.MILLISECONDS);
client.setReadTimeout(40000, TimeUnit.MILLISECONDS);
return new OkUrlFactory(client);
}
public OkHttpKeybaseClient() {
factory = generateUrlFactory();
proxyFactory = generateProxyUrlFactory();
}
@Override
@@ -61,14 +52,28 @@ public class OkHttpKeybaseClient implements KeybaseUrlConnectionClient {
@Override
public URLConnection openConnection(URL url, Proxy proxy) throws IOException {
URLConnection conn;
if (proxy != null) {
proxyFactory.client().setProxy(proxy);
conn = proxyFactory.open(url);
factory.client().setProxy(proxy);
factory.client().setConnectTimeout(30000, TimeUnit.MILLISECONDS);
factory.client().setReadTimeout(40000, TimeUnit.MILLISECONDS);
} else {
conn = factory.open(url);
factory.client().setConnectTimeout(5000, TimeUnit.MILLISECONDS);
factory.client().setReadTimeout(25000, TimeUnit.MILLISECONDS);
}
return conn;
factory.client().setFollowSslRedirects(false);
// forced the usage of keybase.io pinned certificate
try {
if (!TlsHelper.usePinnedCertificateIfAvailable(factory.client(), url)) {
throw new IOException("no pinned certificate found for URL!");
}
} catch (TlsHelper.TlsHelperException e) {
Log.e(Constants.TAG, "TlsHelper failed", e);
throw new IOException("TlsHelper failed");
}
return factory.open(url);
}
}