Pin keybase certificate

OpenKeychain/src/main/assets/keybase.io.CA.cer

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
+MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
+YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
+EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
+U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
+VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
+SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
+1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
+DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
+QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
+YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
+qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
+JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
+BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
+MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
+dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
+rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
+fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
+kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
+uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
+ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
+gP8L8mJMcCaY
+-----END CERTIFICATE-----

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java

@@ -100,6 +100,12 @@ public class KeychainApplication extends Application {
 
         TlsHelper.addPinnedCertificate("hkps.pool.sks-keyservers.net", getAssets(), "hkps.pool.sks-keyservers.net.CA.cer");
         TlsHelper.addPinnedCertificate("pgp.mit.edu", getAssets(), "pgp.mit.edu.cer");
+        // NOTE:
+        // keybase.io.CA.cer only holds the CA issuing the actual keybase.io certificate, but this
+        // is better than no pinning!
+        // We are not using https://github.com/keybase/node-client/blob/master/src/ca.iced
+        // because it is only valid for api.keybase.io (https://github.com/keybase/keybase-issues/issues/964)
+        TlsHelper.addPinnedCertificate("keybase.io", getAssets(), "keybase.io.CA.cer");
 
         TemporaryStorageProvider.cleanUp(this);
 

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpKeybaseClient.java

@@ -1,7 +1,3 @@
-package org.sufficientlysecure.keychain.util;
-
-import com.squareup.okhttp.OkHttpClient;
-import com.squareup.okhttp.OkUrlFactory;
 /*
  * Copyright (C) 2015 Dominik Schürmann <dominik@dominikschuermann.de>
  *
@@ -19,8 +15,14 @@ import com.squareup.okhttp.OkUrlFactory;
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+package org.sufficientlysecure.keychain.util;
+
+import com.squareup.okhttp.OkHttpClient;
+import com.squareup.okhttp.OkUrlFactory;
 import com.textuality.keybase.lib.KeybaseUrlConnectionClient;
 
+import org.sufficientlysecure.keychain.Constants;
+
 import java.io.IOException;
 import java.net.Proxy;
 import java.net.URL;
@@ -33,25 +35,14 @@ import java.util.concurrent.TimeUnit;
 public class OkHttpKeybaseClient implements KeybaseUrlConnectionClient {
 
     private final OkUrlFactory factory;
-    private final OkUrlFactory proxyFactory;
 
     private static OkUrlFactory generateUrlFactory() {
         OkHttpClient client = new OkHttpClient();
-        client.setConnectTimeout(5000, TimeUnit.MILLISECONDS);
-        client.setReadTimeout(25000, TimeUnit.MILLISECONDS);
-        return new OkUrlFactory(client);
-    }
-
-    private static OkUrlFactory generateProxyUrlFactory() {
-        OkHttpClient client = new OkHttpClient();
-        client.setConnectTimeout(30000, TimeUnit.MILLISECONDS);
-        client.setReadTimeout(40000, TimeUnit.MILLISECONDS);
         return new OkUrlFactory(client);
     }
 
     public OkHttpKeybaseClient() {
         factory = generateUrlFactory();
-        proxyFactory = generateProxyUrlFactory();
     }
 
     @Override
@@ -61,14 +52,28 @@ public class OkHttpKeybaseClient implements KeybaseUrlConnectionClient {
 
     @Override
     public URLConnection openConnection(URL url, Proxy proxy) throws IOException {
-        URLConnection conn;
         if (proxy != null) {
-            proxyFactory.client().setProxy(proxy);
+            factory.client().setProxy(proxy);
-            conn = proxyFactory.open(url);
+            factory.client().setConnectTimeout(30000, TimeUnit.MILLISECONDS);
+            factory.client().setReadTimeout(40000, TimeUnit.MILLISECONDS);
         } else {
-            conn = factory.open(url);
+            factory.client().setConnectTimeout(5000, TimeUnit.MILLISECONDS);
+            factory.client().setReadTimeout(25000, TimeUnit.MILLISECONDS);
         }
-        return conn;
+
+        factory.client().setFollowSslRedirects(false);
+
+        // forced the usage of keybase.io pinned certificate
+        try {
+            if (!TlsHelper.usePinnedCertificateIfAvailable(factory.client(), url)) {
+                throw new IOException("no pinned certificate found for URL!");
+            }
+        } catch (TlsHelper.TlsHelperException e) {
+            Log.e(Constants.TAG, "TlsHelper failed", e);
+            throw new IOException("TlsHelper failed");
+        }
+
+        return factory.open(url);
     }
 
 }