Refactor certificate pinning for OkHttp 3.9
This commit is contained in:
parent
202f702652
commit
fd18e0215d
|
@ -65,8 +65,11 @@ public class OkHttpClientFactory {
|
||||||
|
|
||||||
// If a pinned cert is available, use it!
|
// If a pinned cert is available, use it!
|
||||||
// NOTE: this fails gracefully back to "no pinning" if no cert is available.
|
// NOTE: this fails gracefully back to "no pinning" if no cert is available.
|
||||||
if (url != null && TlsCertificatePinning.getPinnedSslSocketFactory(url) != null) {
|
TlsCertificatePinning tlsCertificatePinning = new TlsCertificatePinning(url);
|
||||||
builder.sslSocketFactory(TlsCertificatePinning.getPinnedSslSocketFactory(url));
|
boolean isHttpsProtocol = "https".equals(url.getProtocol());
|
||||||
|
boolean isPinAvailable = tlsCertificatePinning.isPinAvailable();
|
||||||
|
if (isHttpsProtocol && isPinAvailable) {
|
||||||
|
tlsCertificatePinning.pinCertificate(builder);
|
||||||
}
|
}
|
||||||
|
|
||||||
return builder.build();
|
return builder.build();
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 2013-2015 Dominik Schürmann <dominik@dominikschuermann.de>
|
* Copyright (C) 2013-2017 Dominik Schürmann <dominik@dominikschuermann.de>
|
||||||
*
|
*
|
||||||
* This program is free software: you can redistribute it and/or modify
|
* This program is free software: you can redistribute it and/or modify
|
||||||
* it under the terms of the GNU General Public License as published by
|
* it under the terms of the GNU General Public License as published by
|
||||||
|
@ -34,16 +34,21 @@ import java.security.NoSuchAlgorithmException;
|
||||||
import java.security.cert.Certificate;
|
import java.security.cert.Certificate;
|
||||||
import java.security.cert.CertificateException;
|
import java.security.cert.CertificateException;
|
||||||
import java.security.cert.CertificateFactory;
|
import java.security.cert.CertificateFactory;
|
||||||
|
import java.util.Arrays;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
import javax.net.ssl.SSLContext;
|
import javax.net.ssl.SSLContext;
|
||||||
import javax.net.ssl.SSLSocketFactory;
|
import javax.net.ssl.SSLSocketFactory;
|
||||||
|
import javax.net.ssl.TrustManager;
|
||||||
import javax.net.ssl.TrustManagerFactory;
|
import javax.net.ssl.TrustManagerFactory;
|
||||||
|
import javax.net.ssl.X509TrustManager;
|
||||||
|
|
||||||
|
import okhttp3.OkHttpClient;
|
||||||
|
|
||||||
public class TlsCertificatePinning {
|
public class TlsCertificatePinning {
|
||||||
|
|
||||||
private static Map<String, byte[]> sPinnedCertificates = new HashMap<>();
|
private static Map<String, byte[]> sCertificatePins = new HashMap<>();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add certificate from assets to pinned certificate map.
|
* Add certificate from assets to pinned certificate map.
|
||||||
|
@ -61,27 +66,20 @@ public class TlsCertificatePinning {
|
||||||
|
|
||||||
is.close();
|
is.close();
|
||||||
|
|
||||||
sPinnedCertificates.put(host, baos.toByteArray());
|
sCertificatePins.put(host, baos.toByteArray());
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
Log.w(Constants.TAG, e);
|
Log.w(Constants.TAG, e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
private final URL url;
|
||||||
* Use pinned certificate for OkHttpClient if we have one.
|
|
||||||
*
|
public TlsCertificatePinning(URL url) {
|
||||||
* @return true, if certificate is available, false if not
|
this.url = url;
|
||||||
*/
|
}
|
||||||
public static SSLSocketFactory getPinnedSslSocketFactory(URL url) {
|
|
||||||
if (url.getProtocol().equals("https")) {
|
public boolean isPinAvailable() {
|
||||||
// use certificate PIN from assets if we have one
|
return sCertificatePins.containsKey(url.getHost());
|
||||||
for (String host : sPinnedCertificates.keySet()) {
|
|
||||||
if (url.getHost().endsWith(host)) {
|
|
||||||
return pinCertificate(sPinnedCertificates.get(host));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -89,39 +87,55 @@ public class TlsCertificatePinning {
|
||||||
* Applies to all URLs requested by the builder.
|
* Applies to all URLs requested by the builder.
|
||||||
* Therefore a builder that is pinned this way should be used to only make requests
|
* Therefore a builder that is pinned this way should be used to only make requests
|
||||||
* to URLs with passed certificate.
|
* to URLs with passed certificate.
|
||||||
*
|
|
||||||
* @param certificate certificate to pin
|
|
||||||
*/
|
*/
|
||||||
private static SSLSocketFactory pinCertificate(byte[] certificate) {
|
void pinCertificate(OkHttpClient.Builder builder) {
|
||||||
|
Log.d(Constants.TAG, "Pinning certificate for " + url);
|
||||||
|
|
||||||
// We don't use OkHttp's CertificatePinner since it can not be used to pin self-signed
|
// We don't use OkHttp's CertificatePinner since it can not be used to pin self-signed
|
||||||
// certificate if such certificate is not accepted by TrustManager.
|
// certificate if such certificate is not accepted by TrustManager.
|
||||||
// (Refer to note at end of description:
|
// (Refer to note at end of description:
|
||||||
// http://square.github.io/okhttp/javadoc/com/squareup/okhttp/CertificatePinner.html )
|
// http://square.github.io/okhttp/javadoc/com/squareup/okhttp/CertificatePinner.html )
|
||||||
// Creating our own TrustManager that trusts only our certificate eliminates the need for certificate pinning
|
// Creating our own TrustManager that trusts only our certificate eliminates the need for certificate pinning
|
||||||
try {
|
try {
|
||||||
// Load CA
|
|
||||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||||
|
byte[] certificate = sCertificatePins.get(url.getHost());
|
||||||
Certificate ca = cf.generateCertificate(new ByteArrayInputStream(certificate));
|
Certificate ca = cf.generateCertificate(new ByteArrayInputStream(certificate));
|
||||||
|
|
||||||
// Create a KeyStore containing our trusted CAs
|
KeyStore keyStore = createSingleCertificateKeyStore(ca);
|
||||||
String keyStoreType = KeyStore.getDefaultType();
|
X509TrustManager trustManager = createTrustManager(keyStore);
|
||||||
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
|
|
||||||
keyStore.load(null, null);
|
|
||||||
keyStore.setCertificateEntry("ca", ca);
|
|
||||||
|
|
||||||
// Create a TrustManager that trusts the CAs in our KeyStore
|
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||||
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
|
sslContext.init(null, new TrustManager[]{trustManager}, null);
|
||||||
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
|
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
|
||||||
tmf.init(keyStore);
|
|
||||||
|
|
||||||
// Create an SSLContext that uses our TrustManager
|
builder.sslSocketFactory(sslSocketFactory, trustManager);
|
||||||
SSLContext context = SSLContext.getInstance("TLS");
|
|
||||||
context.init(null, tmf.getTrustManagers(), null);
|
|
||||||
|
|
||||||
return context.getSocketFactory();
|
|
||||||
} catch (CertificateException | KeyStoreException |
|
} catch (CertificateException | KeyStoreException |
|
||||||
KeyManagementException | NoSuchAlgorithmException | IOException e) {
|
KeyManagementException | NoSuchAlgorithmException | IOException e) {
|
||||||
throw new IllegalStateException(e);
|
throw new IllegalStateException(e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private KeyStore createSingleCertificateKeyStore(Certificate ca) throws KeyStoreException,
|
||||||
|
CertificateException, NoSuchAlgorithmException, IOException {
|
||||||
|
String keyStoreType = KeyStore.getDefaultType();
|
||||||
|
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
|
||||||
|
keyStore.load(null, null);
|
||||||
|
keyStore.setCertificateEntry("ca", ca);
|
||||||
|
|
||||||
|
return keyStore;
|
||||||
|
}
|
||||||
|
|
||||||
|
private X509TrustManager createTrustManager(KeyStore keyStore) throws NoSuchAlgorithmException,
|
||||||
|
KeyStoreException {
|
||||||
|
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
|
||||||
|
TrustManagerFactory.getDefaultAlgorithm());
|
||||||
|
trustManagerFactory.init(keyStore);
|
||||||
|
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
|
||||||
|
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
|
||||||
|
throw new IllegalStateException("Unexpected default trust managers: "
|
||||||
|
+ Arrays.toString(trustManagers));
|
||||||
|
}
|
||||||
|
|
||||||
|
return (X509TrustManager) trustManagers[0];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -366,8 +366,9 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
|
||||||
URI keyserverUriHttp = keyserver.getUrlURI();
|
URI keyserverUriHttp = keyserver.getUrlURI();
|
||||||
|
|
||||||
// check TLS pinning only for non-Tor keyservers
|
// check TLS pinning only for non-Tor keyservers
|
||||||
if (onlyTrustedKeyserver
|
TlsCertificatePinning tlsCertificatePinning = new TlsCertificatePinning(keyserverUriHttp.toURL());
|
||||||
&& TlsCertificatePinning.getPinnedSslSocketFactory(keyserverUriHttp.toURL()) == null) {
|
boolean isPinAvailable = tlsCertificatePinning.isPinAvailable();
|
||||||
|
if (onlyTrustedKeyserver && !isPinAvailable) {
|
||||||
Log.w(Constants.TAG, "No pinned certificate for this host in OpenKeychain's assets.");
|
Log.w(Constants.TAG, "No pinned certificate for this host in OpenKeychain's assets.");
|
||||||
reason = VerifyReturn.NO_PINNED_CERTIFICATE;
|
reason = VerifyReturn.NO_PINNED_CERTIFICATE;
|
||||||
return reason;
|
return reason;
|
||||||
|
|
Loading…
Reference in a new issue