From 2cc35ce97052ca35d15532e5c4213bcb005ce845 Mon Sep 17 00:00:00 2001 From: Vincent Breitmoser Date: Fri, 29 Jan 2021 12:05:08 +0100 Subject: [PATCH] drop broken pinning mechanism --- .../src/main/assets/LetsEncryptCA.cer | 27 ---- .../hkps.pool.sks-keyservers.net.CA.cer | 32 ---- OpenKeychain/src/main/assets/pgp.mit.edu.cer | 32 ---- .../keychain/KeychainApplication.java | 13 -- .../keychain/network/OkHttpClientFactory.java | 9 -- .../network/TlsCertificatePinning.java | 140 ------------------ .../AddEditKeyserverDialogFragment.java | 51 ++----- .../main/res/layout/add_keyserver_dialog.xml | 7 - 8 files changed, 10 insertions(+), 301 deletions(-) delete mode 100644 OpenKeychain/src/main/assets/LetsEncryptCA.cer delete mode 100644 OpenKeychain/src/main/assets/hkps.pool.sks-keyservers.net.CA.cer delete mode 100644 OpenKeychain/src/main/assets/pgp.mit.edu.cer delete mode 100644 OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/TlsCertificatePinning.java diff --git a/OpenKeychain/src/main/assets/LetsEncryptCA.cer b/OpenKeychain/src/main/assets/LetsEncryptCA.cer deleted file mode 100644 index 0002462ce..000000000 --- a/OpenKeychain/src/main/assets/LetsEncryptCA.cer +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow -SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT -GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF -q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 -SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 -Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA -a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj -/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T -AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG -CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv -bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k -c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw -VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC -ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz -MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu -Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF -AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo -uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ -wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu -X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG -PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 -KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== ------END CERTIFICATE----- diff --git a/OpenKeychain/src/main/assets/hkps.pool.sks-keyservers.net.CA.cer b/OpenKeychain/src/main/assets/hkps.pool.sks-keyservers.net.CA.cer deleted file mode 100644 index 24a2ad2e8..000000000 --- a/OpenKeychain/src/main/assets/hkps.pool.sks-keyservers.net.CA.cer +++ /dev/null @@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV -BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u -ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw -MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP -c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr -cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I -6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj -MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F -45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS -FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx -Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4 -aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx -MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y -u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9 -p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP -fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G -A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY -TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR -OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u -gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/ -X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5 -gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB -UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04 -lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT -BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB -cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U -f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G -ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph -WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg== ------END CERTIFICATE----- diff --git a/OpenKeychain/src/main/assets/pgp.mit.edu.cer b/OpenKeychain/src/main/assets/pgp.mit.edu.cer deleted file mode 100644 index 5de4241cb..000000000 --- a/OpenKeychain/src/main/assets/pgp.mit.edu.cer +++ /dev/null @@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFnDCCBISgAwIBAgIRAOEF8Fi8qyp/9jJV2GaC7EUwDQYJKoZIhvcNAQELBQAw -djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix -EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT -FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMTcwMzMwMDAwMDAwWhcNMjAwMzI5 -MjM1OTU5WjCB2TELMAkGA1UEBhMCVVMxDjAMBgNVBBETBTAyMTM5MRYwFAYDVQQI -Ew1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxHTAbBgNVBAkTFDc3 -IE1hc3NhY2h1c2V0dHMgQXZlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3Rp -dHV0ZSBvZiBUZWNobm9sb2d5MSkwJwYDVQQLDCBJbmZvcm1hdGlvbiBTeXN0ZW1z -ICYgVGVjaG5vbG9neTEUMBIGA1UEAxMLcGdwLm1pdC5lZHUwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDVoQg1md1TohFDgQxOnxQmJ7Nz/wR4pOGmYt/+ -WQdt+TodycBsadeEpOvGlU06Spv8RNIm8KARm+Eqc/DrHwwl5XrkYH4R4wnIIrRB -aZAx4kNWIzqfHX11+sDr+73PESctpxxVfdzhotBjewEuvrORsG3Q4LWCu8dMSMPD -kuI7GKzu80gBrwYf0XjMidnocGab8VQNwRRhKvBnFZ9zYjsdUPZ7WMHvztcZdhsW -g5jbmuysPC9ErpxeE0xD/DyDoc46UUORW2kfXYm3e6cB4/zjybCIJYBW/G28KTlk -AuuYHcQtbQAHAMah3VcOi+2IQbrsgd88M12siOZsQ2ljmcd/AgMBAAGjggG/MIIB -uzAfBgNVHSMEGDAWgBQeBaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQUoyY9 -TyBELfDcf5GE01hdrh3j+AgwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAw -HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYMKwYB -BAGuIwEEAwEBMEIwQAYIKwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9uLm9y -Zy9jZXJ0L3JlcG9zaXRvcnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1UdHwQ9 -MDswOaA3oDWGM2h0dHA6Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1vblJT -QVNlcnZlckNBLmNybDB1BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0dHA6 -Ly9jcnQudXNlcnRydXN0LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0MCUG -CCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMBYGA1UdEQQPMA2C -C3BncC5taXQuZWR1MA0GCSqGSIb3DQEBCwUAA4IBAQCN63TS5Z2nhbOK4EgoYoc0 -pvZjd5lQVQofmyC3oflfPbSeYXfCdfgJz9eA9WJR6YDAd6c9BlGbFCmv6hGWTXUf -0/44cQUc4wJ2HrN5aceJKTPFsIlaV6TqFA0G7nkye5QV3vVF1hvTosbMKfFYYUdT -EYz4KlYyes9WdtuQodKNjwf+zXi6HdOZX2jPZB2uI/Qrb39G/qn9yuIlvAazo7j9 -HcgBWO8yG53oLCDdu6qFT+e9+mb/MazfjyoR9iYpC27NgCLJGNvGdYhwEDCXVEF0 -6wHNlpxGIs7HVvPedaG4ClAPhiNGvtQz3Q7idmJaSoifEfG6vpTuUEdaK9S52z+A ------END CERTIFICATE----- diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java index 03fd91371..370584104 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java @@ -23,21 +23,13 @@ import java.lang.reflect.Method; import java.security.Security; import java.util.HashMap; -import android.accounts.Account; -import android.accounts.AccountManager; import android.annotation.SuppressLint; import android.app.Application; -import android.content.Context; import android.graphics.Bitmap; import android.os.Build; -import android.os.Build.VERSION; -import android.os.Build.VERSION_CODES; -import android.widget.Toast; -import androidx.annotation.Nullable; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.sufficientlysecure.keychain.keysync.KeyserverSyncManager; -import org.sufficientlysecure.keychain.network.TlsCertificatePinning; import org.sufficientlysecure.keychain.provider.TemporaryFileProvider; import org.sufficientlysecure.keychain.util.PRNGFixes; import org.sufficientlysecure.keychain.util.Preferences; @@ -95,11 +87,6 @@ public class KeychainApplication extends Application { // Upgrade preferences as needed preferences.upgradePreferences(); - TlsCertificatePinning.addPinnedCertificate("keys.openpgp.org", getAssets(), "LetsEncryptCA.cer"); - TlsCertificatePinning.addPinnedCertificate("hkps.pool.sks-keyservers.net", getAssets(), "hkps.pool.sks-keyservers.net.CA.cer"); - TlsCertificatePinning.addPinnedCertificate("pgp.mit.edu", getAssets(), "pgp.mit.edu.cer"); - TlsCertificatePinning.addPinnedCertificate("keyserver.ubuntu.com", getAssets(), "LetsEncryptCA.cer"); - // only set up the rest on our main process if (!BuildConfig.APPLICATION_ID.equals(getProcessName())) { return; diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/OkHttpClientFactory.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/OkHttpClientFactory.java index 507a9509c..b98f36fac 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/OkHttpClientFactory.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/OkHttpClientFactory.java @@ -71,15 +71,6 @@ public class OkHttpClientFactory { .readTimeout(25000, TimeUnit.MILLISECONDS); } - // If a pinned cert is available, use it! - // NOTE: this fails gracefully back to "no pinning" if no cert is available. - TlsCertificatePinning tlsCertificatePinning = new TlsCertificatePinning(url); - boolean isHttpsProtocol = "https".equals(url.getProtocol()); - boolean isPinAvailable = tlsCertificatePinning.isPinAvailable(); - if (isHttpsProtocol && isPinAvailable) { - tlsCertificatePinning.pinCertificate(builder); - } - return builder.build(); } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/TlsCertificatePinning.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/TlsCertificatePinning.java deleted file mode 100644 index 5431ce9bf..000000000 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/TlsCertificatePinning.java +++ /dev/null @@ -1,140 +0,0 @@ -/* - * Copyright (C) 2017 Schürmann & Breitmoser GbR - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -package org.sufficientlysecure.keychain.network; - -import android.content.res.AssetManager; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.net.URL; -import java.security.KeyManagementException; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.cert.Certificate; -import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; -import java.util.Arrays; -import java.util.HashMap; -import java.util.Map; - -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.net.ssl.X509TrustManager; - -import okhttp3.OkHttpClient; -import timber.log.Timber; - - -public class TlsCertificatePinning { - - private static Map sCertificatePins = new HashMap<>(); - - /** - * Add certificate from assets to pinned certificate map. - */ - public static void addPinnedCertificate(String host, AssetManager assetManager, String cerFilename) { - try { - InputStream is = assetManager.open(cerFilename); - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - int reads = is.read(); - - while (reads != -1) { - baos.write(reads); - reads = is.read(); - } - - is.close(); - - sCertificatePins.put(host, baos.toByteArray()); - } catch (IOException e) { - Timber.w(e); - } - } - - private final URL url; - - public TlsCertificatePinning(URL url) { - this.url = url; - } - - public boolean isPinAvailable() { - return sCertificatePins.containsKey(url.getHost()); - } - - /** - * Modifies the builder to accept only requests with a given certificate. - * Applies to all URLs requested by the builder. - * Therefore a builder that is pinned this way should be used to only make requests - * to URLs with passed certificate. - */ - void pinCertificate(OkHttpClient.Builder builder) { - Timber.d("Pinning certificate for " + url); - - // We don't use OkHttp's CertificatePinner since it can not be used to pin self-signed - // certificate if such certificate is not accepted by TrustManager. - // (Refer to note at end of description: - // http://square.github.io/okhttp/javadoc/com/squareup/okhttp/CertificatePinner.html ) - // Creating our own TrustManager that trusts only our certificate eliminates the need for certificate pinning - try { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - byte[] certificate = sCertificatePins.get(url.getHost()); - Certificate ca = cf.generateCertificate(new ByteArrayInputStream(certificate)); - - KeyStore keyStore = createSingleCertificateKeyStore(ca); - X509TrustManager trustManager = createTrustManager(keyStore); - - SSLContext sslContext = SSLContext.getInstance("TLS"); - sslContext.init(null, new TrustManager[]{trustManager}, null); - SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory(); - - builder.sslSocketFactory(sslSocketFactory, trustManager); - } catch (CertificateException | KeyStoreException | - KeyManagementException | NoSuchAlgorithmException | IOException e) { - throw new IllegalStateException(e); - } - } - - private KeyStore createSingleCertificateKeyStore(Certificate ca) throws KeyStoreException, - CertificateException, NoSuchAlgorithmException, IOException { - String keyStoreType = KeyStore.getDefaultType(); - KeyStore keyStore = KeyStore.getInstance(keyStoreType); - keyStore.load(null, null); - keyStore.setCertificateEntry("ca", ca); - - return keyStore; - } - - private X509TrustManager createTrustManager(KeyStore keyStore) throws NoSuchAlgorithmException, - KeyStoreException { - TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( - TrustManagerFactory.getDefaultAlgorithm()); - trustManagerFactory.init(keyStore); - TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); - if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) { - throw new IllegalStateException("Unexpected default trust managers: " - + Arrays.toString(trustManagers)); - } - - return (X509TrustManager) trustManagers[0]; - } -} diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/AddEditKeyserverDialogFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/AddEditKeyserverDialogFragment.java index f58685a98..6bdc4783e 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/AddEditKeyserverDialogFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/AddEditKeyserverDialogFragment.java @@ -33,10 +33,6 @@ import android.os.Bundle; import android.os.Message; import android.os.Messenger; import android.os.RemoteException; -import androidx.annotation.NonNull; -import com.google.android.material.textfield.TextInputLayout; -import androidx.fragment.app.DialogFragment; -import androidx.appcompat.app.AlertDialog; import android.view.KeyEvent; import android.view.LayoutInflater; import android.view.View; @@ -44,17 +40,19 @@ import android.view.inputmethod.EditorInfo; import android.view.inputmethod.InputMethodManager; import android.widget.Button; import android.widget.CheckBox; -import android.widget.CompoundButton; import android.widget.EditText; import android.widget.TextView; import android.widget.TextView.OnEditorActionListener; +import androidx.annotation.NonNull; +import androidx.appcompat.app.AlertDialog; +import androidx.fragment.app.DialogFragment; +import com.google.android.material.textfield.TextInputLayout; import okhttp3.OkHttpClient; import okhttp3.Request; import org.sufficientlysecure.keychain.R; import org.sufficientlysecure.keychain.keyimport.HkpKeyserverAddress; import org.sufficientlysecure.keychain.network.OkHttpClientFactory; -import org.sufficientlysecure.keychain.network.TlsCertificatePinning; import org.sufficientlysecure.keychain.network.orbot.OrbotHelper; import org.sufficientlysecure.keychain.util.ParcelableProxy; import org.sufficientlysecure.keychain.util.Preferences; @@ -84,7 +82,6 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On private EditText mKeyserverEditOnionText; private TextInputLayout mKeyserverEditOnionTextLayout; private CheckBox mVerifyKeyserverCheckBox; - private CheckBox mOnlyTrustedKeyserverCheckBox; public enum DialogAction { ADD, @@ -134,13 +131,6 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On mKeyserverEditOnionText = view.findViewById(R.id.keyserver_onion_edit_text); mKeyserverEditOnionTextLayout = view.findViewById(R.id.keyserver_onion_edit_text_layout); mVerifyKeyserverCheckBox = view.findViewById(R.id.verify_connection_checkbox); - mOnlyTrustedKeyserverCheckBox = view.findViewById(R.id.only_trusted_keyserver_checkbox); - mVerifyKeyserverCheckBox.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() { - @Override - public void onCheckedChanged(CompoundButton buttonView, boolean isChecked) { - mOnlyTrustedKeyserverCheckBox.setEnabled(isChecked); - } - }); switch (mDialogAction) { case ADD: { @@ -243,20 +233,12 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On OrbotHelper.DialogActions dialogActions = new OrbotHelper.DialogActions() { @Override public void onOrbotStarted() { - verifyConnection( - keyserver, - proxy, - mOnlyTrustedKeyserverCheckBox.isChecked() - ); + verifyConnection(keyserver, proxy); } @Override public void onNeutralButton() { - verifyConnection( - keyserver, - null, - mOnlyTrustedKeyserverCheckBox.isChecked() - ); + verifyConnection(keyserver, null); } @Override @@ -266,11 +248,7 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On }; if (OrbotHelper.putOrbotInRequiredState(dialogActions, getActivity())) { - verifyConnection( - keyserver, - proxy, - mOnlyTrustedKeyserverCheckBox.isChecked() - ); + verifyConnection(keyserver, proxy); } } else { dismiss(); @@ -327,7 +305,7 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On } - public void verifyConnection(HkpKeyserverAddress keyserver, final ParcelableProxy proxy, final boolean onlyTrustedKeyserver) { + public void verifyConnection(HkpKeyserverAddress keyserver, ParcelableProxy proxy) { new AsyncTask() { ProgressDialog mProgressDialog; @@ -345,7 +323,7 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On protected VerifyReturn doInBackground(HkpKeyserverAddress... keyservers) { mKeyserver = keyservers[0]; - return verifyKeyserver(mKeyserver, proxy, onlyTrustedKeyserver); + return verifyKeyserver(mKeyserver, proxy); } @Override @@ -360,20 +338,11 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On }.execute(keyserver); } - private VerifyReturn verifyKeyserver(HkpKeyserverAddress keyserver, final ParcelableProxy proxy, final boolean onlyTrustedKeyserver) { + private VerifyReturn verifyKeyserver(HkpKeyserverAddress keyserver, ParcelableProxy proxy) { VerifyReturn reason = VerifyReturn.GOOD; try { URI keyserverUriHttp = keyserver.getUrlURI(); - // check TLS pinning only for non-Tor keyservers - TlsCertificatePinning tlsCertificatePinning = new TlsCertificatePinning(keyserverUriHttp.toURL()); - boolean isPinAvailable = tlsCertificatePinning.isPinAvailable(); - if (onlyTrustedKeyserver && !isPinAvailable) { - Timber.w("No pinned certificate for this host in OpenKeychain's assets."); - reason = VerifyReturn.NO_PINNED_CERTIFICATE; - return reason; - } - OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable( keyserverUriHttp.toURL(), proxy.getProxy()); client.newCall(new Request.Builder().url(keyserverUriHttp.toURL()).build()).execute(); diff --git a/OpenKeychain/src/main/res/layout/add_keyserver_dialog.xml b/OpenKeychain/src/main/res/layout/add_keyserver_dialog.xml index 63ee7dae2..28af3fe75 100644 --- a/OpenKeychain/src/main/res/layout/add_keyserver_dialog.xml +++ b/OpenKeychain/src/main/res/layout/add_keyserver_dialog.xml @@ -53,11 +53,4 @@ android:checked="true" android:text="@string/label_verify_keyserver_connection" /> - - \ No newline at end of file