From f6b3887f93aa445312da9cfbfafe0edd3cf168ed Mon Sep 17 00:00:00 2001
From: Wiktor Kwapisiewicz
Date: Tue, 22 May 2018 11:06:31 +0200
Subject: [PATCH] Follow redirects when fetching keys over WKD
Some hosts (like `kernel.org`) redirect all requests to a subdomain (in this case `www`). As WKD queries are always over HTTPS following redirects would be safe.
---
 .../keychain/keyimport/WebKeyDirectoryClient.java | 2 +-
 .../keychain/network/OkHttpClientFactory.java | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/WebKeyDirectoryClient.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/WebKeyDirectoryClient.java
index e6df3cab9..66058aedf 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/WebKeyDirectoryClient.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/WebKeyDirectoryClient.java
@@ -94,7 +94,7 @@ public class WebKeyDirectoryClient implements KeyserverClient {
 Request request = new Request.Builder().url(url).build();
- OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(url, proxy);
+ OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailableWithRedirects(url, proxy);
 Response response = client.newCall(request).execute();
 if (response.isSuccessful()) {
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/OkHttpClientFactory.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/OkHttpClientFactory.java
index 1d2bdc6f5..507a9509c 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/OkHttpClientFactory.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/network/OkHttpClientFactory.java
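Review bot: The switch to getClientPinnedIfAvailableWithRedirects at the WKD call site carries no hint of why WKD, unlike the keyserver paths, may follow redirects, so a later reader could "fix" it back to the non-redirecting client; a one-line comment above the call would keep the rationale next to the code: `// WKD lookups are always HTTPS and the factory keeps followSslRedirects(false), so only same-scheme redirects (e.g. to a www subdomain) are followed`. After a followed redirect the served URL may differ from `url`; if anything later in this method reports or keys on the fetched location, `response.request().url()` is the one that was actually fetched. The enclosing method starts and ends outside the hunk.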
@@ -47,10 +47,18 @@ public class OkHttpClientFactory {
 }
 public static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy) {
+ // don't follow any redirects for keyservers, as discussed in the security audit
+ return getClientPinnedIfAvailable(url, proxy, false);
+ }
+
+ public static OkHttpClient getClientPinnedIfAvailableWithRedirects(URL url, Proxy proxy) {
+ return getClientPinnedIfAvailable(url, proxy, true);
+ }
+
+ private static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy, boolean followRedirects) {
 OkHttpClient.Builder builder = new OkHttpClient.Builder();
- // don't follow any redirects for keyservers, as discussed in the security audit
- builder.followRedirects(false)
+ builder.followRedirects(followRedirects)
 .followSslRedirects(false);
 if (proxy != null) {
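Review bot: getClientPinnedIfAvailableWithRedirects is a new public, security-relevant entry point with no Javadoc, and the only explanation of the default policy (no redirects, per the security audit) now sits inside the non-redirecting overload. A Javadoc on the new method should state that followSslRedirects(false) is retained, so a redirect that changes scheme (HTTPS to HTTP) is still refused, while same-scheme redirects to any host are followed; the private overload's `followRedirects` parameter deserves the same one-line note. Since the client is built for the given url and the pinning configured later in this method (outside the hunk) presumably keys on that url's host, a redirect to a different host would seemingly be validated only against the platform trust store rather than the pin — worth confirming, and if so either documenting it or limiting followed redirects to the original host's domain. The private overload's body continues past the end of the hunk.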