PeterCxy
/
open-keychain
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

drop broken pinning mechanism

This commit is contained in:
Vincent Breitmoser 2021-01-29 12:05:08 +01:00
parent 258cd4c836
commit 2cc35ce970
8 changed files with 10 additions and 301 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
OpenKeychain/src/main/assets/LetsEncryptCA.cer
View File

@ -1,27 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

32
OpenKeychain/src/main/assets/hkps.pool.sks-keyservers.net.CA.cer
View File

@ -1,32 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u
ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw
MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP
c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr
cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I
6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj
MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F
45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS
FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx
Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4
aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx
MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y
u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9
p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP
fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G
A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY
TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR
OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u
gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/
X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5
gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB
UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04
lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT
BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB
cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U
f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G
ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph
WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg==
-----END CERTIFICATE-----

32
OpenKeychain/src/main/assets/pgp.mit.edu.cer
View File

@ -1,32 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFnDCCBISgAwIBAgIRAOEF8Fi8qyp/9jJV2GaC7EUwDQYJKoZIhvcNAQELBQAw
djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMTcwMzMwMDAwMDAwWhcNMjAwMzI5
MjM1OTU5WjCB2TELMAkGA1UEBhMCVVMxDjAMBgNVBBETBTAyMTM5MRYwFAYDVQQI
Ew1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxHTAbBgNVBAkTFDc3
IE1hc3NhY2h1c2V0dHMgQXZlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp
dHV0ZSBvZiBUZWNobm9sb2d5MSkwJwYDVQQLDCBJbmZvcm1hdGlvbiBTeXN0ZW1z
ICYgVGVjaG5vbG9neTEUMBIGA1UEAxMLcGdwLm1pdC5lZHUwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDVoQg1md1TohFDgQxOnxQmJ7Nz/wR4pOGmYt/+
WQdt+TodycBsadeEpOvGlU06Spv8RNIm8KARm+Eqc/DrHwwl5XrkYH4R4wnIIrRB
aZAx4kNWIzqfHX11+sDr+73PESctpxxVfdzhotBjewEuvrORsG3Q4LWCu8dMSMPD
kuI7GKzu80gBrwYf0XjMidnocGab8VQNwRRhKvBnFZ9zYjsdUPZ7WMHvztcZdhsW
g5jbmuysPC9ErpxeE0xD/DyDoc46UUORW2kfXYm3e6cB4/zjybCIJYBW/G28KTlk
AuuYHcQtbQAHAMah3VcOi+2IQbrsgd88M12siOZsQ2ljmcd/AgMBAAGjggG/MIIB
uzAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQUoyY9
TyBELfDcf5GE01hdrh3j+AgwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYMKwYB
BAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9uLm9y
Zy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1UdHwQ9
MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1vblJT
QVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0dHA6
Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0MCUG
CCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMBYGA1UdEQQPMA2C
C3BncC5taXQuZWR1MA0GCSqGSIb3DQEBCwUAA4IBAQCN63TS5Z2nhbOK4EgoYoc0
pvZjd5lQVQofmyC3oflfPbSeYXfCdfgJz9eA9WJR6YDAd6c9BlGbFCmv6hGWTXUf
0/44cQUc4wJ2HrN5aceJKTPFsIlaV6TqFA0G7nkye5QV3vVF1hvTosbMKfFYYUdT
EYz4KlYyes9WdtuQodKNjwf+zXi6HdOZX2jPZB2uI/Qrb39G/qn9yuIlvAazo7j9
HcgBWO8yG53oLCDdu6qFT+e9+mb/MazfjyoR9iYpC27NgCLJGNvGdYhwEDCXVEF0
6wHNlpxGIs7HVvPedaG4ClAPhiNGvtQz3Q7idmJaSoifEfG6vpTuUEdaK9S52z+A
-----END CERTIFICATE-----

13
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
View File

@ -23,21 +23,13 @@ import java.lang.reflect.Method;
import java.security.Security;
import java.util.HashMap;
import android.accounts.Account;
import android.accounts.AccountManager;
import android.annotation.SuppressLint;
import android.app.Application;
import android.content.Context;
import android.graphics.Bitmap;
import android.os.Build;
import android.os.Build.VERSION;
import android.os.Build.VERSION_CODES;
import android.widget.Toast;
import androidx.annotation.Nullable;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.sufficientlysecure.keychain.keysync.KeyserverSyncManager;
import org.sufficientlysecure.keychain.network.TlsCertificatePinning;
import org.sufficientlysecure.keychain.provider.TemporaryFileProvider;
import org.sufficientlysecure.keychain.util.PRNGFixes;
import org.sufficientlysecure.keychain.util.Preferences;
@ -95,11 +87,6 @@ public class KeychainApplication extends Application {
// Upgrade preferences as needed
preferences.upgradePreferences();
TlsCertificatePinning.addPinnedCertificate("keys.openpgp.org", getAssets(), "LetsEncryptCA.cer");
TlsCertificatePinning.addPinnedCertificate("hkps.pool.sks-keyservers.net", getAssets(), "hkps.pool.sks-keyservers.net.CA.cer");
TlsCertificatePinning.addPinnedCertificate("pgp.mit.edu", getAssets(), "pgp.mit.edu.cer");
TlsCertificatePinning.addPinnedCertificate("keyserver.ubuntu.com", getAssets(), "LetsEncryptCA.cer");
// only set up the rest on our main process
if (!BuildConfig.APPLICATION_ID.equals(getProcessName())) {
return;

9
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/OkHttpClientFactory.java
View File

@ -71,15 +71,6 @@ public class OkHttpClientFactory {
.readTimeout(25000, TimeUnit.MILLISECONDS);
}
// If a pinned cert is available, use it!
// NOTE: this fails gracefully back to "no pinning" if no cert is available.
TlsCertificatePinning tlsCertificatePinning = new TlsCertificatePinning(url);
boolean isHttpsProtocol = "https".equals(url.getProtocol());
boolean isPinAvailable = tlsCertificatePinning.isPinAvailable();
if (isHttpsProtocol && isPinAvailable) {
tlsCertificatePinning.pinCertificate(builder);
}
return builder.build();
}

140
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/TlsCertificatePinning.java
View File

@ -1,140 +0,0 @@
/*
* Copyright (C) 2017 Schürmann & Breitmoser GbR
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package org.sufficientlysecure.keychain.network;
import android.content.res.AssetManager;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import timber.log.Timber;
public class TlsCertificatePinning {
private static Map<String, byte[]> sCertificatePins = new HashMap<>();
/**
* Add certificate from assets to pinned certificate map.
*/
public static void addPinnedCertificate(String host, AssetManager assetManager, String cerFilename) {
try {
InputStream is = assetManager.open(cerFilename);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
int reads = is.read();
while (reads != -1) {
baos.write(reads);
reads = is.read();
}
is.close();
sCertificatePins.put(host, baos.toByteArray());
} catch (IOException e) {
Timber.w(e);
}
}
private final URL url;
public TlsCertificatePinning(URL url) {
this.url = url;
}
public boolean isPinAvailable() {
return sCertificatePins.containsKey(url.getHost());
}
/**
* Modifies the builder to accept only requests with a given certificate.
* Applies to all URLs requested by the builder.
* Therefore a builder that is pinned this way should be used to only make requests
* to URLs with passed certificate.
*/
void pinCertificate(OkHttpClient.Builder builder) {
Timber.d("Pinning certificate for " + url);
// We don't use OkHttp's CertificatePinner since it can not be used to pin self-signed
// certificate if such certificate is not accepted by TrustManager.
// (Refer to note at end of description:
// http://square.github.io/okhttp/javadoc/com/squareup/okhttp/CertificatePinner.html )
// Creating our own TrustManager that trusts only our certificate eliminates the need for certificate pinning
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
byte[] certificate = sCertificatePins.get(url.getHost());
Certificate ca = cf.generateCertificate(new ByteArrayInputStream(certificate));
KeyStore keyStore = createSingleCertificateKeyStore(ca);
X509TrustManager trustManager = createTrustManager(keyStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{trustManager}, null);
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
builder.sslSocketFactory(sslSocketFactory, trustManager);
} catch (CertificateException | KeyStoreException |
KeyManagementException | NoSuchAlgorithmException | IOException e) {
throw new IllegalStateException(e);
}
}
private KeyStore createSingleCertificateKeyStore(Certificate ca) throws KeyStoreException,
CertificateException, NoSuchAlgorithmException, IOException {
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
return keyStore;
}
private X509TrustManager createTrustManager(KeyStore keyStore) throws NoSuchAlgorithmException,
KeyStoreException {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers: "
+ Arrays.toString(trustManagers));
}
return (X509TrustManager) trustManagers[0];
}
}

51
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/AddEditKeyserverDialogFragment.java
View File

@ -33,10 +33,6 @@ import android.os.Bundle;
import android.os.Message;
import android.os.Messenger;
import android.os.RemoteException;
import androidx.annotation.NonNull;
import com.google.android.material.textfield.TextInputLayout;
import androidx.fragment.app.DialogFragment;
import androidx.appcompat.app.AlertDialog;
import android.view.KeyEvent;
import android.view.LayoutInflater;
import android.view.View;
@ -44,17 +40,19 @@ import android.view.inputmethod.EditorInfo;
import android.view.inputmethod.InputMethodManager;
import android.widget.Button;
import android.widget.CheckBox;
import android.widget.CompoundButton;
import android.widget.EditText;
import android.widget.TextView;
import android.widget.TextView.OnEditorActionListener;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AlertDialog;
import androidx.fragment.app.DialogFragment;
import com.google.android.material.textfield.TextInputLayout;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import org.sufficientlysecure.keychain.R;
import org.sufficientlysecure.keychain.keyimport.HkpKeyserverAddress;
import org.sufficientlysecure.keychain.network.OkHttpClientFactory;
import org.sufficientlysecure.keychain.network.TlsCertificatePinning;
import org.sufficientlysecure.keychain.network.orbot.OrbotHelper;
import org.sufficientlysecure.keychain.util.ParcelableProxy;
import org.sufficientlysecure.keychain.util.Preferences;
@ -84,7 +82,6 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
private EditText mKeyserverEditOnionText;
private TextInputLayout mKeyserverEditOnionTextLayout;
private CheckBox mVerifyKeyserverCheckBox;
private CheckBox mOnlyTrustedKeyserverCheckBox;
public enum DialogAction {
ADD,
@ -134,13 +131,6 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
mKeyserverEditOnionText = view.findViewById(R.id.keyserver_onion_edit_text);
mKeyserverEditOnionTextLayout = view.findViewById(R.id.keyserver_onion_edit_text_layout);
mVerifyKeyserverCheckBox = view.findViewById(R.id.verify_connection_checkbox);
mOnlyTrustedKeyserverCheckBox = view.findViewById(R.id.only_trusted_keyserver_checkbox);
mVerifyKeyserverCheckBox.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton buttonView, boolean isChecked) {
mOnlyTrustedKeyserverCheckBox.setEnabled(isChecked);
}
});
switch (mDialogAction) {
case ADD: {
@ -243,20 +233,12 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
OrbotHelper.DialogActions dialogActions = new OrbotHelper.DialogActions() {
@Override
public void onOrbotStarted() {
verifyConnection(
keyserver,
proxy,
mOnlyTrustedKeyserverCheckBox.isChecked()
);
verifyConnection(keyserver, proxy);
}
@Override
public void onNeutralButton() {
verifyConnection(
keyserver,
null,
mOnlyTrustedKeyserverCheckBox.isChecked()
);
verifyConnection(keyserver, null);
}
@Override
@ -266,11 +248,7 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
};
if (OrbotHelper.putOrbotInRequiredState(dialogActions, getActivity())) {
verifyConnection(
keyserver,
proxy,
mOnlyTrustedKeyserverCheckBox.isChecked()
);
verifyConnection(keyserver, proxy);
}
} else {
dismiss();
@ -327,7 +305,7 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
}
public void verifyConnection(HkpKeyserverAddress keyserver, final ParcelableProxy proxy, final boolean onlyTrustedKeyserver) {
public void verifyConnection(HkpKeyserverAddress keyserver, ParcelableProxy proxy) {
new AsyncTask<HkpKeyserverAddress, Void, VerifyReturn>() {
ProgressDialog mProgressDialog;
@ -345,7 +323,7 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
protected VerifyReturn doInBackground(HkpKeyserverAddress... keyservers) {
mKeyserver = keyservers[0];
return verifyKeyserver(mKeyserver, proxy, onlyTrustedKeyserver);
return verifyKeyserver(mKeyserver, proxy);
}
@Override
@ -360,20 +338,11 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
}.execute(keyserver);
}
private VerifyReturn verifyKeyserver(HkpKeyserverAddress keyserver, final ParcelableProxy proxy, final boolean onlyTrustedKeyserver) {
private VerifyReturn verifyKeyserver(HkpKeyserverAddress keyserver, ParcelableProxy proxy) {
VerifyReturn reason = VerifyReturn.GOOD;
try {
URI keyserverUriHttp = keyserver.getUrlURI();
// check TLS pinning only for non-Tor keyservers
TlsCertificatePinning tlsCertificatePinning = new TlsCertificatePinning(keyserverUriHttp.toURL());
boolean isPinAvailable = tlsCertificatePinning.isPinAvailable();
if (onlyTrustedKeyserver && !isPinAvailable) {
Timber.w("No pinned certificate for this host in OpenKeychain's assets.");
reason = VerifyReturn.NO_PINNED_CERTIFICATE;
return reason;
}
OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(
keyserverUriHttp.toURL(), proxy.getProxy());
client.newCall(new Request.Builder().url(keyserverUriHttp.toURL()).build()).execute();

7
OpenKeychain/src/main/res/layout/add_keyserver_dialog.xml
View File

@ -53,11 +53,4 @@
android:checked="true"
android:text="@string/label_verify_keyserver_connection" />
<CheckBox
android:id="@+id/only_trusted_keyserver_checkbox"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:checked="true"
android:text="@string/label_only_trusted_keyserver" />
</LinearLayout>