restore pinning for hkps.pool.sks-keyservers.net only (it won't work without)
This commit is contained in:
parent
1034b8b99c
commit
1af70961aa
|
@ -0,0 +1,32 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
|
||||||
|
BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u
|
||||||
|
ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw
|
||||||
|
MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP
|
||||||
|
c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr
|
||||||
|
cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
|
||||||
|
ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I
|
||||||
|
6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj
|
||||||
|
MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F
|
||||||
|
45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS
|
||||||
|
FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx
|
||||||
|
Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4
|
||||||
|
aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx
|
||||||
|
MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y
|
||||||
|
u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9
|
||||||
|
p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP
|
||||||
|
fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G
|
||||||
|
A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY
|
||||||
|
TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR
|
||||||
|
OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u
|
||||||
|
gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/
|
||||||
|
X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5
|
||||||
|
gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB
|
||||||
|
UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04
|
||||||
|
lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT
|
||||||
|
BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB
|
||||||
|
cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U
|
||||||
|
f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G
|
||||||
|
ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph
|
||||||
|
WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -30,6 +30,7 @@ import android.os.Build;
|
||||||
|
|
||||||
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
||||||
import org.sufficientlysecure.keychain.keysync.KeyserverSyncManager;
|
import org.sufficientlysecure.keychain.keysync.KeyserverSyncManager;
|
||||||
|
import org.sufficientlysecure.keychain.network.TlsCertificatePinning;
|
||||||
import org.sufficientlysecure.keychain.provider.TemporaryFileProvider;
|
import org.sufficientlysecure.keychain.provider.TemporaryFileProvider;
|
||||||
import org.sufficientlysecure.keychain.util.PRNGFixes;
|
import org.sufficientlysecure.keychain.util.PRNGFixes;
|
||||||
import org.sufficientlysecure.keychain.util.Preferences;
|
import org.sufficientlysecure.keychain.util.Preferences;
|
||||||
|
@ -87,6 +88,8 @@ public class KeychainApplication extends Application {
|
||||||
// Upgrade preferences as needed
|
// Upgrade preferences as needed
|
||||||
preferences.upgradePreferences();
|
preferences.upgradePreferences();
|
||||||
|
|
||||||
|
TlsCertificatePinning.addPinnedCertificate("hkps.pool.sks-keyservers.net", getAssets(), "hkps.pool.sks-keyservers.net.CA.cer");
|
||||||
|
|
||||||
// only set up the rest on our main process
|
// only set up the rest on our main process
|
||||||
if (!BuildConfig.APPLICATION_ID.equals(getProcessName())) {
|
if (!BuildConfig.APPLICATION_ID.equals(getProcessName())) {
|
||||||
return;
|
return;
|
||||||
|
|
|
@ -71,6 +71,15 @@ public class OkHttpClientFactory {
|
||||||
.readTimeout(25000, TimeUnit.MILLISECONDS);
|
.readTimeout(25000, TimeUnit.MILLISECONDS);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If a pinned cert is available, use it!
|
||||||
|
// NOTE: this fails gracefully back to "no pinning" if no cert is available.
|
||||||
|
TlsCertificatePinning tlsCertificatePinning = new TlsCertificatePinning(url);
|
||||||
|
boolean isHttpsProtocol = "https".equals(url.getProtocol());
|
||||||
|
boolean isPinAvailable = tlsCertificatePinning.isPinAvailable();
|
||||||
|
if (isHttpsProtocol && isPinAvailable) {
|
||||||
|
tlsCertificatePinning.pinCertificate(builder);
|
||||||
|
}
|
||||||
|
|
||||||
return builder.build();
|
return builder.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,140 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2017 Schürmann & Breitmoser GbR
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU General Public License as published by
|
||||||
|
* the Free Software Foundation, either version 3 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.sufficientlysecure.keychain.network;
|
||||||
|
|
||||||
|
import android.content.res.AssetManager;
|
||||||
|
|
||||||
|
import java.io.ByteArrayInputStream;
|
||||||
|
import java.io.ByteArrayOutputStream;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.net.URL;
|
||||||
|
import java.security.KeyManagementException;
|
||||||
|
import java.security.KeyStore;
|
||||||
|
import java.security.KeyStoreException;
|
||||||
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
import java.security.cert.Certificate;
|
||||||
|
import java.security.cert.CertificateException;
|
||||||
|
import java.security.cert.CertificateFactory;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import javax.net.ssl.SSLContext;
|
||||||
|
import javax.net.ssl.SSLSocketFactory;
|
||||||
|
import javax.net.ssl.TrustManager;
|
||||||
|
import javax.net.ssl.TrustManagerFactory;
|
||||||
|
import javax.net.ssl.X509TrustManager;
|
||||||
|
|
||||||
|
import okhttp3.OkHttpClient;
|
||||||
|
import timber.log.Timber;
|
||||||
|
|
||||||
|
|
||||||
|
public class TlsCertificatePinning {
|
||||||
|
|
||||||
|
private static Map<String, byte[]> sCertificatePins = new HashMap<>();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add certificate from assets to pinned certificate map.
|
||||||
|
*/
|
||||||
|
public static void addPinnedCertificate(String host, AssetManager assetManager, String cerFilename) {
|
||||||
|
try {
|
||||||
|
InputStream is = assetManager.open(cerFilename);
|
||||||
|
ByteArrayOutputStream baos = new ByteArrayOutputStream();
|
||||||
|
int reads = is.read();
|
||||||
|
|
||||||
|
while (reads != -1) {
|
||||||
|
baos.write(reads);
|
||||||
|
reads = is.read();
|
||||||
|
}
|
||||||
|
|
||||||
|
is.close();
|
||||||
|
|
||||||
|
sCertificatePins.put(host, baos.toByteArray());
|
||||||
|
} catch (IOException e) {
|
||||||
|
Timber.w(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private final URL url;
|
||||||
|
|
||||||
|
public TlsCertificatePinning(URL url) {
|
||||||
|
this.url = url;
|
||||||
|
}
|
||||||
|
|
||||||
|
public boolean isPinAvailable() {
|
||||||
|
return sCertificatePins.containsKey(url.getHost());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Modifies the builder to accept only requests with a given certificate.
|
||||||
|
* Applies to all URLs requested by the builder.
|
||||||
|
* Therefore a builder that is pinned this way should be used to only make requests
|
||||||
|
* to URLs with passed certificate.
|
||||||
|
*/
|
||||||
|
void pinCertificate(OkHttpClient.Builder builder) {
|
||||||
|
Timber.d("Pinning certificate for " + url);
|
||||||
|
|
||||||
|
// We don't use OkHttp's CertificatePinner since it can not be used to pin self-signed
|
||||||
|
// certificate if such certificate is not accepted by TrustManager.
|
||||||
|
// (Refer to note at end of description:
|
||||||
|
// http://square.github.io/okhttp/javadoc/com/squareup/okhttp/CertificatePinner.html )
|
||||||
|
// Creating our own TrustManager that trusts only our certificate eliminates the need for certificate pinning
|
||||||
|
try {
|
||||||
|
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||||
|
byte[] certificate = sCertificatePins.get(url.getHost());
|
||||||
|
Certificate ca = cf.generateCertificate(new ByteArrayInputStream(certificate));
|
||||||
|
|
||||||
|
KeyStore keyStore = createSingleCertificateKeyStore(ca);
|
||||||
|
X509TrustManager trustManager = createTrustManager(keyStore);
|
||||||
|
|
||||||
|
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||||
|
sslContext.init(null, new TrustManager[]{trustManager}, null);
|
||||||
|
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
|
||||||
|
|
||||||
|
builder.sslSocketFactory(sslSocketFactory, trustManager);
|
||||||
|
} catch (CertificateException | KeyStoreException |
|
||||||
|
KeyManagementException | NoSuchAlgorithmException | IOException e) {
|
||||||
|
throw new IllegalStateException(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private KeyStore createSingleCertificateKeyStore(Certificate ca) throws KeyStoreException,
|
||||||
|
CertificateException, NoSuchAlgorithmException, IOException {
|
||||||
|
String keyStoreType = KeyStore.getDefaultType();
|
||||||
|
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
|
||||||
|
keyStore.load(null, null);
|
||||||
|
keyStore.setCertificateEntry("ca", ca);
|
||||||
|
|
||||||
|
return keyStore;
|
||||||
|
}
|
||||||
|
|
||||||
|
private X509TrustManager createTrustManager(KeyStore keyStore) throws NoSuchAlgorithmException,
|
||||||
|
KeyStoreException {
|
||||||
|
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
|
||||||
|
TrustManagerFactory.getDefaultAlgorithm());
|
||||||
|
trustManagerFactory.init(keyStore);
|
||||||
|
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
|
||||||
|
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
|
||||||
|
throw new IllegalStateException("Unexpected default trust managers: "
|
||||||
|
+ Arrays.toString(trustManagers));
|
||||||
|
}
|
||||||
|
|
||||||
|
return (X509TrustManager) trustManagers[0];
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue