diff options
Diffstat (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote')
10 files changed, 490 insertions, 121 deletions
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPendingIntentFactory.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPendingIntentFactory.java index 7c05edb71..4107167b5 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPendingIntentFactory.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPendingIntentFactory.java @@ -51,10 +51,10 @@ public class ApiPendingIntentFactory { CryptoInputParcel cryptoInput) { switch (requiredInput.mType) { - case NFC_MOVE_KEY_TO_CARD: - case NFC_DECRYPT: - case NFC_SIGN: { - return createNfcOperationPendingIntent(data, requiredInput, cryptoInput); + case SECURITY_TOKEN_MOVE_KEY_TO_CARD: + case SECURITY_TOKEN_DECRYPT: + case SECURITY_TOKEN_SIGN: { + return createSecurityTokenOperationPendingIntent(data, requiredInput, cryptoInput); } case PASSPHRASE: { @@ -66,7 +66,7 @@ public class ApiPendingIntentFactory { } } - private PendingIntent createNfcOperationPendingIntent(Intent data, RequiredInputParcel requiredInput, CryptoInputParcel cryptoInput) { + private PendingIntent createSecurityTokenOperationPendingIntent(Intent data, RequiredInputParcel requiredInput, CryptoInputParcel cryptoInput) { Intent intent = new Intent(mContext, RemoteSecurityTokenOperationActivity.class); // pass params through to activity that it can be returned again later to repeat pgp operation intent.putExtra(RemoteSecurityTokenOperationActivity.EXTRA_REQUIRED_INPUT, requiredInput); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPermissionHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPermissionHelper.java index 7edd8b2b0..47ecdb21f 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPermissionHelper.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ApiPermissionHelper.java @@ -18,6 +18,10 @@ package org.sufficientlysecure.keychain.remote; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.util.Arrays; + import android.annotation.SuppressLint; import android.app.PendingIntent; import android.content.Context; @@ -33,15 +37,10 @@ import org.openintents.openpgp.OpenPgpError; import org.openintents.openpgp.util.OpenPgpApi; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; +import org.sufficientlysecure.keychain.provider.ApiDataAccessObject; import org.sufficientlysecure.keychain.provider.KeychainContract; -import org.sufficientlysecure.keychain.provider.ProviderHelper; import org.sufficientlysecure.keychain.util.Log; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; - /** * Abstract service class for remote APIs that handle app registration and user input. @@ -49,13 +48,13 @@ import java.util.Arrays; public class ApiPermissionHelper { private final Context mContext; - private final ProviderHelper mProviderHelper; + private final ApiDataAccessObject mApiDao; private PackageManager mPackageManager; - public ApiPermissionHelper(Context context) { + public ApiPermissionHelper(Context context, ApiDataAccessObject apiDao) { mContext = context; mPackageManager = context.getPackageManager(); - mProviderHelper = new ProviderHelper(context); + mApiDao = apiDao; } public static class WrongPackageCertificateException extends Exception { @@ -66,14 +65,24 @@ public class ApiPermissionHelper { } } + /** Returns true iff the caller is allowed, or false on any type of problem. + * This method should only be used in cases where error handling is dealt with separately. + */ + protected boolean isAllowedIgnoreErrors() { + try { + return isCallerAllowed(); + } catch (WrongPackageCertificateException e) { + return false; + } + } + /** * Checks if caller is allowed to access the API * * @return null if caller is allowed, or a Bundle with a PendingIntent */ - protected Intent isAllowed(Intent data) { + protected Intent isAllowedOrReturnIntent(Intent data) { ApiPendingIntentFactory piFactory = new ApiPendingIntentFactory(mContext); - try { if (isCallerAllowed()) { return null; @@ -168,7 +177,7 @@ public class ApiPermissionHelper { Uri uri = KeychainContract.ApiAccounts.buildByPackageAndAccountUri(currentPkg, accountName); - return mProviderHelper.getApiAccountSettings(uri); // can be null! + return mApiDao.getApiAccountSettings(uri); // can be null! } @Deprecated @@ -224,35 +233,29 @@ public class ApiPermissionHelper { private boolean isPackageAllowed(String packageName) throws WrongPackageCertificateException { Log.d(Constants.TAG, "isPackageAllowed packageName: " + packageName); - ArrayList<String> allowedPkgs = mProviderHelper.getRegisteredApiApps(); - Log.d(Constants.TAG, "allowed: " + allowedPkgs); + byte[] storedPackageCert = mApiDao.getApiAppCertificate(packageName); - // check if package is allowed to use our service - if (allowedPkgs.contains(packageName)) { - Log.d(Constants.TAG, "Package is allowed! packageName: " + packageName); + boolean isKnownPackage = storedPackageCert != null; + if (!isKnownPackage) { + Log.d(Constants.TAG, "Package is NOT allowed! packageName: " + packageName); + return false; + } + Log.d(Constants.TAG, "Package is allowed! packageName: " + packageName); - // check package signature - byte[] currentCert; - try { - currentCert = getPackageCertificate(packageName); - } catch (NameNotFoundException e) { - throw new WrongPackageCertificateException(e.getMessage()); - } + byte[] currentPackageCert; + try { + currentPackageCert = getPackageCertificate(packageName); + } catch (NameNotFoundException e) { + throw new WrongPackageCertificateException(e.getMessage()); + } - byte[] storedCert = mProviderHelper.getApiAppCertificate(packageName); - if (Arrays.equals(currentCert, storedCert)) { - Log.d(Constants.TAG, - "Package certificate is correct! (equals certificate from database)"); - return true; - } else { - throw new WrongPackageCertificateException( - "PACKAGE NOT ALLOWED! Certificate wrong! (Certificate not " + - "equals certificate from database)"); - } + boolean packageCertMatchesStored = Arrays.equals(currentPackageCert, storedPackageCert); + if (packageCertMatchesStored) { + Log.d(Constants.TAG,"Package certificate matches expected."); + return true; } - Log.d(Constants.TAG, "Package is NOT allowed! packageName: " + packageName); - return false; + throw new WrongPackageCertificateException("PACKAGE NOT ALLOWED DUE TO CERTIFICATE MISMATCH!"); } } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java new file mode 100644 index 000000000..455857f00 --- /dev/null +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/KeychainExternalProvider.java @@ -0,0 +1,284 @@ +/* + * Copyright (C) 2016 Vincent Breitmoser <look@my.amazin.horse> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +package org.sufficientlysecure.keychain.remote; + + +import java.security.AccessControlException; +import java.util.Arrays; +import java.util.HashMap; + +import android.content.ContentProvider; +import android.content.ContentValues; +import android.content.Context; +import android.content.UriMatcher; +import android.database.Cursor; +import android.database.DatabaseUtils; +import android.database.sqlite.SQLiteDatabase; +import android.database.sqlite.SQLiteQueryBuilder; +import android.net.Uri; +import android.os.Binder; +import android.support.annotation.NonNull; +import android.text.TextUtils; + +import org.sufficientlysecure.keychain.Constants; +import org.sufficientlysecure.keychain.provider.ApiDataAccessObject; +import org.sufficientlysecure.keychain.provider.KeychainContract; +import org.sufficientlysecure.keychain.provider.KeychainContract.ApiApps; +import org.sufficientlysecure.keychain.provider.KeychainContract.Certs; +import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRings; +import org.sufficientlysecure.keychain.provider.KeychainContract.UserPackets; +import org.sufficientlysecure.keychain.provider.KeychainDatabase; +import org.sufficientlysecure.keychain.provider.KeychainDatabase.Tables; +import org.sufficientlysecure.keychain.provider.KeychainExternalContract; +import org.sufficientlysecure.keychain.provider.KeychainExternalContract.EmailStatus; +import org.sufficientlysecure.keychain.provider.SimpleContentResolverInterface; +import org.sufficientlysecure.keychain.util.Log; + + +public class KeychainExternalProvider extends ContentProvider implements SimpleContentResolverInterface { + private static final int EMAIL_STATUS = 101; + private static final int API_APPS = 301; + private static final int API_APPS_BY_PACKAGE_NAME = 302; + + + private UriMatcher mUriMatcher; + private ApiPermissionHelper mApiPermissionHelper; + + + /** + * Build and return a {@link UriMatcher} that catches all {@link Uri} variations supported by + * this {@link ContentProvider}. + */ + protected UriMatcher buildUriMatcher() { + final UriMatcher matcher = new UriMatcher(UriMatcher.NO_MATCH); + + String authority = KeychainExternalContract.CONTENT_AUTHORITY_EXTERNAL; + + /** + * list email_status + * + * <pre> + * email_status/ + * </pre> + */ + matcher.addURI(authority, KeychainExternalContract.BASE_EMAIL_STATUS, EMAIL_STATUS); + + matcher.addURI(KeychainContract.CONTENT_AUTHORITY, KeychainContract.BASE_API_APPS, API_APPS); + matcher.addURI(KeychainContract.CONTENT_AUTHORITY, KeychainContract.BASE_API_APPS + "/*", API_APPS_BY_PACKAGE_NAME); + + return matcher; + } + + private KeychainDatabase mKeychainDatabase; + + /** {@inheritDoc} */ + @Override + public boolean onCreate() { + mUriMatcher = buildUriMatcher(); + mApiPermissionHelper = new ApiPermissionHelper(getContext(), new ApiDataAccessObject(this)); + return true; + } + + public KeychainDatabase getDb() { + if(mKeychainDatabase == null) + mKeychainDatabase = new KeychainDatabase(getContext()); + return mKeychainDatabase; + } + + /** + * {@inheritDoc} + */ + @Override + public String getType(@NonNull Uri uri) { + final int match = mUriMatcher.match(uri); + switch (match) { + case EMAIL_STATUS: + return EmailStatus.CONTENT_TYPE; + + case API_APPS: + return ApiApps.CONTENT_TYPE; + + case API_APPS_BY_PACKAGE_NAME: + return ApiApps.CONTENT_ITEM_TYPE; + + default: + throw new UnsupportedOperationException("Unknown uri: " + uri); + } + } + + /** + * {@inheritDoc} + */ + @Override + public Cursor query(@NonNull Uri uri, String[] projection, String selection, String[] selectionArgs, + String sortOrder) { + Log.v(Constants.TAG, "query(uri=" + uri + ", proj=" + Arrays.toString(projection) + ")"); + + SQLiteQueryBuilder qb = new SQLiteQueryBuilder(); + + int match = mUriMatcher.match(uri); + + String groupBy = null; + + switch (match) { + case EMAIL_STATUS: { + boolean callerIsAllowed = mApiPermissionHelper.isAllowedIgnoreErrors(); + if (!callerIsAllowed) { + throw new AccessControlException("An application must register before use of KeychainExternalProvider!"); + } + + HashMap<String, String> projectionMap = new HashMap<>(); + projectionMap.put(EmailStatus._ID, "email AS _id"); + projectionMap.put(EmailStatus.EMAIL_ADDRESS, + Tables.USER_PACKETS + "." + UserPackets.USER_ID + " AS " + EmailStatus.EMAIL_ADDRESS); + // we take the minimum (>0) here, where "1" is "verified by known secret key", "2" is "self-certified" + projectionMap.put(EmailStatus.EMAIL_STATUS, "CASE ( MIN (" + Certs.VERIFIED + " ) ) " + // remap to keep this provider contract independent from our internal representation + + " WHEN " + Certs.VERIFIED_SELF + " THEN 1" + + " WHEN " + Certs.VERIFIED_SECRET + " THEN 2" + + " END AS " + EmailStatus.EMAIL_STATUS); + qb.setProjectionMap(projectionMap); + + if (projection == null) { + throw new IllegalArgumentException("Please provide a projection!"); + } + + qb.setTables( + Tables.USER_PACKETS + + " INNER JOIN " + Tables.CERTS + " ON (" + + Tables.USER_PACKETS + "." + UserPackets.MASTER_KEY_ID + " = " + + Tables.CERTS + "." + Certs.MASTER_KEY_ID + + " AND " + Tables.USER_PACKETS + "." + UserPackets.RANK + " = " + + Tables.CERTS + "." + Certs.RANK + // verified == 0 has no self-cert, which is basically an error case. never return that! + + " AND " + Tables.CERTS + "." + Certs.VERIFIED + " > 0" + + ")" + ); + qb.appendWhere(Tables.USER_PACKETS + "." + UserPackets.USER_ID + " IS NOT NULL"); + // in case there are multiple verifying certificates + groupBy = Tables.USER_PACKETS + "." + UserPackets.MASTER_KEY_ID + ", " + + Tables.USER_PACKETS + "." + UserPackets.USER_ID; + + if (TextUtils.isEmpty(sortOrder)) { + sortOrder = EmailStatus.EMAIL_ADDRESS + " ASC, " + EmailStatus.EMAIL_STATUS + " DESC"; + } + + // uri to watch is all /key_rings/ + uri = KeyRings.CONTENT_URI; + + boolean gotCondition = false; + String emailWhere = ""; + // JAVA ♥ + for (int i = 0; i < selectionArgs.length; ++i) { + if (selectionArgs[i].length() == 0) { + continue; + } + if (i != 0) { + emailWhere += " OR "; + } + emailWhere += UserPackets.USER_ID + " LIKE "; + // match '*<email>', so it has to be at the *end* of the user id + emailWhere += DatabaseUtils.sqlEscapeString("%<" + selectionArgs[i] + ">"); + gotCondition = true; + } + + if (gotCondition) { + qb.appendWhere(" AND (" + emailWhere + ")"); + } else { + // TODO better way to do this? + Log.e(Constants.TAG, "Malformed find by email query!"); + qb.appendWhere(" AND 0"); + } + + break; + } + + case API_APPS_BY_PACKAGE_NAME: { + String requestedPackageName = uri.getLastPathSegment(); + checkIfPackageBelongsToCaller(getContext(), requestedPackageName); + + qb.setTables(Tables.API_APPS); + qb.appendWhere(ApiApps.PACKAGE_NAME + " = "); + qb.appendWhereEscapeString(requestedPackageName); + + break; + } + + default: { + throw new IllegalArgumentException("Unknown URI " + uri + " (" + match + ")"); + } + + } + + // If no sort order is specified use the default + String orderBy; + if (TextUtils.isEmpty(sortOrder)) { + orderBy = null; + } else { + orderBy = sortOrder; + } + + SQLiteDatabase db = getDb().getReadableDatabase(); + + Cursor cursor = qb.query(db, projection, selection, null, groupBy, null, orderBy); + if (cursor != null) { + // Tell the cursor what uri to watch, so it knows when its source data changes + cursor.setNotificationUri(getContext().getContentResolver(), uri); + } + + Log.d(Constants.TAG, + "Query: " + qb.buildQuery(projection, selection, null, null, orderBy, null)); + + return cursor; + } + + private void checkIfPackageBelongsToCaller(Context context, String requestedPackageName) { + int callerUid = Binder.getCallingUid(); + String[] callerPackageNames = context.getPackageManager().getPackagesForUid(callerUid); + if (callerPackageNames == null) { + throw new IllegalStateException("Failed to retrieve caller package name, this is an error!"); + } + + boolean packageBelongsToCaller = false; + for (String p : callerPackageNames) { + if (p.equals(requestedPackageName)) { + packageBelongsToCaller = true; + break; + } + } + if (!packageBelongsToCaller) { + throw new SecurityException("ExternalProvider may only check status of caller package!"); + } + } + + @Override + public Uri insert(@NonNull Uri uri, ContentValues values) { + throw new UnsupportedOperationException(); + } + + @Override + public int delete(@NonNull Uri uri, String additionalSelection, String[] selectionArgs) { + throw new UnsupportedOperationException(); + } + + @Override + public int update(@NonNull Uri uri, ContentValues values, String selection, String[] selectionArgs) { + throw new UnsupportedOperationException(); + } + +} diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java index a5dc2a03c..88cd066a2 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java @@ -1,5 +1,6 @@ /* * Copyright (C) 2013-2015 Dominik Schürmann <dominik@dominikschuermann.de> + * Copyright (C) 2016 Vincent Breitmoser <look@my.amazin.horse> * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -17,11 +18,24 @@ package org.sufficientlysecure.keychain.remote; + +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.Date; +import java.util.HashSet; +import java.util.List; + import android.app.PendingIntent; import android.app.Service; import android.content.Intent; import android.database.Cursor; import android.net.Uri; +import android.os.Bundle; import android.os.IBinder; import android.os.ParcelFileDescriptor; import android.os.Parcelable; @@ -43,12 +57,15 @@ import org.sufficientlysecure.keychain.operations.results.ExportResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogEntryParcel; import org.sufficientlysecure.keychain.operations.results.PgpSignEncryptResult; import org.sufficientlysecure.keychain.pgp.CanonicalizedPublicKeyRing; +import org.sufficientlysecure.keychain.pgp.KeyRing; +import org.sufficientlysecure.keychain.pgp.KeyRing.UserId; import org.sufficientlysecure.keychain.pgp.PgpDecryptVerifyInputParcel; import org.sufficientlysecure.keychain.pgp.PgpDecryptVerifyOperation; import org.sufficientlysecure.keychain.pgp.PgpSecurityConstants; import org.sufficientlysecure.keychain.pgp.PgpSignEncryptInputParcel; import org.sufficientlysecure.keychain.pgp.PgpSignEncryptOperation; import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException; +import org.sufficientlysecure.keychain.provider.ApiDataAccessObject; import org.sufficientlysecure.keychain.provider.KeychainContract; import org.sufficientlysecure.keychain.provider.KeychainContract.ApiAccounts; import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRings; @@ -61,18 +78,12 @@ import org.sufficientlysecure.keychain.util.InputData; import org.sufficientlysecure.keychain.util.Log; import org.sufficientlysecure.keychain.util.Passphrase; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Date; -import java.util.HashSet; -import java.util.List; - public class OpenPgpService extends Service { - static final String[] EMAIL_SEARCH_PROJECTION = new String[]{ + public static final List<Integer> SUPPORTED_VERSIONS = + Collections.unmodifiableList(Arrays.asList(3, 4, 5, 6, 7, 8, 9, 10, 11)); + + static final String[] KEY_SEARCH_PROJECTION = new String[]{ KeyRings._ID, KeyRings.MASTER_KEY_ID, KeyRings.IS_EXPIRED, @@ -80,35 +91,50 @@ public class OpenPgpService extends Service { }; // do not pre-select revoked or expired keys - static final String EMAIL_SEARCH_WHERE = Tables.KEYS + "." + KeychainContract.KeyRings.IS_REVOKED + static final String KEY_SEARCH_WHERE = Tables.KEYS + "." + KeychainContract.KeyRings.IS_REVOKED + " = 0 AND " + KeychainContract.KeyRings.IS_EXPIRED + " = 0"; private ApiPermissionHelper mApiPermissionHelper; private ProviderHelper mProviderHelper; + private ApiDataAccessObject mApiDao; @Override public void onCreate() { super.onCreate(); - mApiPermissionHelper = new ApiPermissionHelper(this); + mApiPermissionHelper = new ApiPermissionHelper(this, new ApiDataAccessObject(this)); mProviderHelper = new ProviderHelper(this); + mApiDao = new ApiDataAccessObject(this); } - /** - * Search database for key ids based on emails. - */ - private Intent returnKeyIdsFromEmails(Intent data, String[] encryptionUserIds) { + private static class KeyIdResult { + final Intent mResultIntent; + final HashSet<Long> mKeyIds; + + KeyIdResult(Intent resultIntent) { + mResultIntent = resultIntent; + mKeyIds = null; + } + KeyIdResult(HashSet<Long> keyIds) { + mResultIntent = null; + mKeyIds = keyIds; + } + } + + private KeyIdResult returnKeyIdsFromEmails(Intent data, String[] encryptionUserIds, boolean isOpportunistic) { boolean noUserIdsCheck = (encryptionUserIds == null || encryptionUserIds.length == 0); boolean missingUserIdsCheck = false; boolean duplicateUserIdsCheck = false; - ArrayList<Long> keyIds = new ArrayList<>(); + HashSet<Long> keyIds = new HashSet<>(); ArrayList<String> missingEmails = new ArrayList<>(); ArrayList<String> duplicateEmails = new ArrayList<>(); if (!noUserIdsCheck) { - for (String email : encryptionUserIds) { + for (String rawUserId : encryptionUserIds) { + UserId userId = KeyRing.splitUserId(rawUserId); + String email = userId.email != null ? userId.email : rawUserId; // try to find the key for this specific email Uri uri = KeyRings.buildUnifiedKeyRingsFindByEmailUri(email); - Cursor cursor = getContentResolver().query(uri, EMAIL_SEARCH_PROJECTION, EMAIL_SEARCH_WHERE, null, null); + Cursor cursor = getContentResolver().query(uri, KEY_SEARCH_PROJECTION, KEY_SEARCH_WHERE, null, null); try { // result should be one entry containing the key id if (cursor != null && cursor.moveToFirst()) { @@ -137,15 +163,17 @@ public class OpenPgpService extends Service { } } - // convert ArrayList<Long> to long[] - long[] keyIdsArray = new long[keyIds.size()]; - for (int i = 0; i < keyIdsArray.length; i++) { - keyIdsArray[i] = keyIds.get(i); + if (isOpportunistic && (noUserIdsCheck || missingUserIdsCheck)) { + Intent result = new Intent(); + result.putExtra(OpenPgpApi.RESULT_ERROR, + new OpenPgpError(OpenPgpError.OPPORTUNISTIC_MISSING_KEYS, "missing keys in opportunistic mode")); + result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_ERROR); + return new KeyIdResult(result); } if (noUserIdsCheck || missingUserIdsCheck || duplicateUserIdsCheck) { - // allow the user to verify pub key selection - + // convert ArrayList<Long> to long[] + long[] keyIdsArray = getUnboxedLongArray(keyIds); ApiPendingIntentFactory piFactory = new ApiPendingIntentFactory(getBaseContext()); PendingIntent pi = piFactory.createSelectPublicKeyPendingIntent(data, keyIdsArray, missingEmails, duplicateEmails, noUserIdsCheck); @@ -154,19 +182,15 @@ public class OpenPgpService extends Service { Intent result = new Intent(); result.putExtra(OpenPgpApi.RESULT_INTENT, pi); result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_USER_INTERACTION_REQUIRED); - return result; - } else { - // everything was easy, we have exactly one key for every email - - if (keyIdsArray.length == 0) { - Log.e(Constants.TAG, "keyIdsArray.length == 0, should never happen!"); - } + return new KeyIdResult(result); + } - Intent result = new Intent(); - result.putExtra(OpenPgpApi.RESULT_KEY_IDS, keyIdsArray); - result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_SUCCESS); - return result; + // everything was easy, we have exactly one key for every email + if (keyIds.isEmpty()) { + Log.e(Constants.TAG, "keyIdsArray.length == 0, should never happen!"); } + + return new KeyIdResult(keyIds); } private Intent signImpl(Intent data, InputStream inputStream, @@ -280,20 +304,31 @@ public class OpenPgpService extends Service { compressionId = PgpSecurityConstants.OpenKeychainCompressionAlgorithmTags.UNCOMPRESSED; } - // first try to get key ids from non-ambiguous key id extra - long[] keyIds = data.getLongArrayExtra(OpenPgpApi.EXTRA_KEY_IDS); - if (keyIds == null) { + long[] keyIds; + { + HashSet<Long> encryptKeyIds = new HashSet<>(); + // get key ids based on given user ids - String[] userIds = data.getStringArrayExtra(OpenPgpApi.EXTRA_USER_IDS); - // give params through to activity... - Intent result = returnKeyIdsFromEmails(data, userIds); + if (data.hasExtra(OpenPgpApi.EXTRA_USER_IDS)) { + String[] userIds = data.getStringArrayExtra(OpenPgpApi.EXTRA_USER_IDS); + boolean isOpportunistic = data.getBooleanExtra(OpenPgpApi.EXTRA_OPPORTUNISTIC_ENCRYPTION, false); + // give params through to activity... + KeyIdResult result = returnKeyIdsFromEmails(data, userIds, isOpportunistic); + + if (result.mResultIntent != null) { + return result.mResultIntent; + } + encryptKeyIds.addAll(result.mKeyIds); + } - if (result.getIntExtra(OpenPgpApi.RESULT_CODE, 0) == OpenPgpApi.RESULT_CODE_SUCCESS) { - keyIds = result.getLongArrayExtra(OpenPgpApi.RESULT_KEY_IDS); - } else { - // if not success -> result contains a PendingIntent for user interaction - return result; + // add key ids from non-ambiguous key id extra + if (data.hasExtra(OpenPgpApi.EXTRA_KEY_IDS)) { + for (long keyId : data.getLongArrayExtra(OpenPgpApi.EXTRA_KEY_IDS)) { + encryptKeyIds.add(keyId); + } } + + keyIds = getUnboxedLongArray(encryptKeyIds); } // TODO this is not correct! @@ -305,8 +340,7 @@ public class OpenPgpService extends Service { .setVersionHeader(null) .setCompressionAlgorithm(compressionId) .setSymmetricEncryptionAlgorithm(PgpSecurityConstants.OpenKeychainSymmetricKeyAlgorithmTags.USE_DEFAULT) - .setEncryptionMasterKeyIds(keyIds) - .setFailOnMissingEncryptionKeyIds(true); + .setEncryptionMasterKeyIds(keyIds); if (sign) { @@ -405,11 +439,11 @@ public class OpenPgpService extends Service { } String currentPkg = mApiPermissionHelper.getCurrentCallingPackage(); - HashSet<Long> allowedKeyIds = mProviderHelper.getAllowedKeyIdsForApp( + HashSet<Long> allowedKeyIds = mApiDao.getAllowedKeyIdsForApp( KeychainContract.ApiAllowedKeys.buildBaseUri(currentPkg)); if (data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) < 7) { - allowedKeyIds.addAll(mProviderHelper.getAllKeyIdsForApp( + allowedKeyIds.addAll(mApiDao.getAllKeyIdsForApp( ApiAccounts.buildBaseUri(currentPkg))); } @@ -422,6 +456,15 @@ public class OpenPgpService extends Service { cryptoInput.mPassphrase = new Passphrase(data.getCharArrayExtra(OpenPgpApi.EXTRA_PASSPHRASE)); } + if (data.hasExtra(OpenPgpApi.EXTRA_DECRYPTION_RESULT_WRAPPER)) { + // this is wrapped in a Bundle to avoid ClassLoader problems + Bundle wrapperBundle = data.getBundleExtra(OpenPgpApi.EXTRA_DECRYPTION_RESULT_WRAPPER); + wrapperBundle.setClassLoader(getClassLoader()); + OpenPgpDecryptionResult decryptionResult = wrapperBundle.getParcelable(OpenPgpApi.EXTRA_DECRYPTION_RESULT); + if (decryptionResult != null && decryptionResult.hasDecryptedSessionKey()) { + cryptoInput.addCryptoData(decryptionResult.sessionKey, decryptionResult.decryptedSessionKey); + } + } byte[] detachedSignature = data.getByteArrayExtra(OpenPgpApi.EXTRA_DETACHED_SIGNATURE); @@ -582,7 +625,8 @@ public class OpenPgpService extends Service { try { // try to find key, throws NotFoundException if not in db! CanonicalizedPublicKeyRing keyRing = - mProviderHelper.getCanonicalizedPublicKeyRing(masterKeyId); + mProviderHelper.getCanonicalizedPublicKeyRing( + KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(masterKeyId)); Intent result = new Intent(); result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_SUCCESS); @@ -669,7 +713,21 @@ public class OpenPgpService extends Service { } else { // get key ids based on given user ids String[] userIds = data.getStringArrayExtra(OpenPgpApi.EXTRA_USER_IDS); - return returnKeyIdsFromEmails(data, userIds); + KeyIdResult keyResult = returnKeyIdsFromEmails(data, userIds, false); + if (keyResult.mResultIntent != null) { + return keyResult.mResultIntent; + } + + if (keyResult.mKeyIds == null) { + throw new AssertionError("one of requiredUserInteraction and keyIds must be non-null, this is a bug!"); + } + + long[] keyIds = getUnboxedLongArray(keyResult.mKeyIds); + + Intent resultIntent = new Intent(); + resultIntent.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_SUCCESS); + resultIntent.putExtra(OpenPgpApi.RESULT_KEY_IDS, keyIds); + return resultIntent; } } @@ -716,6 +774,26 @@ public class OpenPgpService extends Service { } } + @NonNull + private static long[] getUnboxedLongArray(@NonNull Collection<Long> arrayList) { + long[] result = new long[arrayList.size()]; + int i = 0; + for (Long e : arrayList) { + result[i++] = e; + } + return result; + } + + private Intent checkPermissionImpl(@NonNull Intent data) { + Intent permissionIntent = mApiPermissionHelper.isAllowedOrReturnIntent(data); + if (permissionIntent != null) { + return permissionIntent; + } + Intent result = new Intent(); + result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_SUCCESS); + return result; + } + private Intent getSignKeyMasterId(Intent data) { // NOTE: Accounts are deprecated on API version >= 7 if (data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) < 7) { @@ -765,20 +843,19 @@ public class OpenPgpService extends Service { // version code is required and needs to correspond to version code of service! // History of versions in openpgp-api's CHANGELOG.md - List<Integer> supportedVersions = Arrays.asList(3, 4, 5, 6, 7, 8, 9, 10); - if (!supportedVersions.contains(data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1))) { + if (!SUPPORTED_VERSIONS.contains(data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1))) { Intent result = new Intent(); OpenPgpError error = new OpenPgpError (OpenPgpError.INCOMPATIBLE_API_VERSIONS, "Incompatible API versions!\n" + "used API version: " + data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) + "\n" - + "supported API versions: " + supportedVersions); + + "supported API versions: " + SUPPORTED_VERSIONS); result.putExtra(OpenPgpApi.RESULT_ERROR, error); result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_ERROR); return result; } // check if caller is allowed to access OpenKeychain - Intent result = mApiPermissionHelper.isAllowed(data); + Intent result = mApiPermissionHelper.isAllowedOrReturnIntent(data); if (result != null) { return result; } @@ -845,6 +922,9 @@ public class OpenPgpService extends Service { String action = data.getAction(); switch (action) { + case OpenPgpApi.ACTION_CHECK_PERMISSION: { + return checkPermissionImpl(data); + } case OpenPgpApi.ACTION_CLEARTEXT_SIGN: { return signImpl(data, inputStream, outputStream, true); } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AccountSettingsActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AccountSettingsActivity.java index e19757d65..27700b5e6 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AccountSettingsActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AccountSettingsActivity.java @@ -29,7 +29,7 @@ import org.sufficientlysecure.keychain.R; import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType; import org.sufficientlysecure.keychain.operations.results.SingletonResult; -import org.sufficientlysecure.keychain.provider.ProviderHelper; +import org.sufficientlysecure.keychain.provider.ApiDataAccessObject; import org.sufficientlysecure.keychain.remote.AccountSettings; import org.sufficientlysecure.keychain.ui.base.BaseActivity; import org.sufficientlysecure.keychain.util.Log; @@ -98,7 +98,7 @@ public class AccountSettingsActivity extends BaseActivity { } private void loadData(Uri accountUri) { - AccountSettings settings = new ProviderHelper(this).getApiAccountSettings(accountUri); + AccountSettings settings = new ApiDataAccessObject(this).getApiAccountSettings(accountUri); mAccountSettingsFragment.setAccSettings(settings); } @@ -110,7 +110,7 @@ public class AccountSettingsActivity extends BaseActivity { } private void save() { - new ProviderHelper(this).updateApiAccount(mAccountUri, mAccountSettingsFragment.getAccSettings()); + new ApiDataAccessObject(this).updateApiAccount(mAccountUri, mAccountSettingsFragment.getAccSettings()); SingletonResult result = new SingletonResult( SingletonResult.RESULT_OK, LogType.MSG_ACC_SAVED); Intent intent = new Intent(); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AppSettingsActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AppSettingsActivity.java index 3b5fdfd8a..249c0c208 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AppSettingsActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AppSettingsActivity.java @@ -37,8 +37,8 @@ import org.bouncycastle.util.encoders.Hex; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; import org.sufficientlysecure.keychain.operations.results.OperationResult; +import org.sufficientlysecure.keychain.provider.ApiDataAccessObject; import org.sufficientlysecure.keychain.provider.KeychainContract; -import org.sufficientlysecure.keychain.provider.ProviderHelper; import org.sufficientlysecure.keychain.remote.AppSettings; import org.sufficientlysecure.keychain.ui.base.BaseActivity; import org.sufficientlysecure.keychain.ui.dialog.AdvancedAppSettingsDialogFragment; @@ -182,7 +182,7 @@ public class AppSettingsActivity extends BaseActivity { } private void loadData(Bundle savedInstanceState, Uri appUri) { - mAppSettings = new ProviderHelper(this).getApiAppSettings(appUri); + mAppSettings = new ApiDataAccessObject(this).getApiAppSettings(appUri); // get application name and icon from package manager String appName; diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AppSettingsAllowedKeysListFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AppSettingsAllowedKeysListFragment.java index caa173f03..22a03a7c5 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AppSettingsAllowedKeysListFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/AppSettingsAllowedKeysListFragment.java @@ -36,8 +36,8 @@ import android.widget.ListView; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; import org.sufficientlysecure.keychain.compatibility.ListFragmentWorkaround; +import org.sufficientlysecure.keychain.provider.ApiDataAccessObject; import org.sufficientlysecure.keychain.provider.KeychainContract; -import org.sufficientlysecure.keychain.provider.ProviderHelper; import org.sufficientlysecure.keychain.ui.adapter.KeyAdapter; import org.sufficientlysecure.keychain.ui.adapter.KeySelectableAdapter; import org.sufficientlysecure.keychain.ui.widget.FixedListView; @@ -47,7 +47,7 @@ public class AppSettingsAllowedKeysListFragment extends ListFragmentWorkaround i private static final String ARG_DATA_URI = "uri"; private KeySelectableAdapter mAdapter; - private ProviderHelper mProviderHelper; + private ApiDataAccessObject mApiDao; private Uri mDataUri; @@ -69,7 +69,7 @@ public class AppSettingsAllowedKeysListFragment extends ListFragmentWorkaround i public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); - mProviderHelper = new ProviderHelper(getActivity()); + mApiDao = new ApiDataAccessObject(getActivity()); } @Override @@ -107,7 +107,7 @@ public class AppSettingsAllowedKeysListFragment extends ListFragmentWorkaround i // application this would come from a resource. setEmptyText(getString(R.string.list_empty)); - Set<Long> checked = mProviderHelper.getAllKeyIdsForApp(mDataUri); + Set<Long> checked = mApiDao.getAllKeyIdsForApp(mDataUri); mAdapter = new KeySelectableAdapter(getActivity(), null, 0, checked); setListAdapter(mAdapter); getListView().setOnItemClickListener(mAdapter); @@ -141,7 +141,7 @@ public class AppSettingsAllowedKeysListFragment extends ListFragmentWorkaround i public void saveAllowedKeys() { try { - mProviderHelper.saveAllowedKeyIdsForApp(mDataUri, getSelectedMasterKeyIds()); + mApiDao.saveAllowedKeyIdsForApp(mDataUri, getSelectedMasterKeyIds()); } catch (RemoteException | OperationApplicationException e) { Log.e(Constants.TAG, "Problem saving allowed key ids!", e); } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RemoteCreateAccountActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RemoteCreateAccountActivity.java index adc1f5abf..a4a0b242c 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RemoteCreateAccountActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RemoteCreateAccountActivity.java @@ -17,6 +17,7 @@ package org.sufficientlysecure.keychain.remote.ui; + import android.content.Intent; import android.net.Uri; import android.os.Bundle; @@ -25,8 +26,8 @@ import android.widget.TextView; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; +import org.sufficientlysecure.keychain.provider.ApiDataAccessObject; import org.sufficientlysecure.keychain.provider.KeychainContract; -import org.sufficientlysecure.keychain.provider.ProviderHelper; import org.sufficientlysecure.keychain.remote.AccountSettings; import org.sufficientlysecure.keychain.ui.base.BaseActivity; import org.sufficientlysecure.keychain.ui.util.Notify; @@ -56,7 +57,7 @@ public class RemoteCreateAccountActivity extends BaseActivity { final String packageName = extras.getString(EXTRA_PACKAGE_NAME); final String accName = extras.getString(EXTRA_ACC_NAME); - final ProviderHelper providerHelper = new ProviderHelper(this); + final ApiDataAccessObject apiDao = new ApiDataAccessObject(this); mAccSettingsFragment = (AccountSettingsFragment) getSupportFragmentManager().findFragmentById( R.id.api_account_settings_fragment); @@ -65,7 +66,7 @@ public class RemoteCreateAccountActivity extends BaseActivity { // update existing? Uri uri = KeychainContract.ApiAccounts.buildByPackageAndAccountUri(packageName, accName); - AccountSettings settings = providerHelper.getApiAccountSettings(uri); + AccountSettings settings = apiDao.getApiAccountSettings(uri); if (settings == null) { // create new account settings = new AccountSettings(accName); @@ -94,11 +95,11 @@ public class RemoteCreateAccountActivity extends BaseActivity { if (mUpdateExistingAccount) { Uri baseUri = KeychainContract.ApiAccounts.buildBaseUri(packageName); Uri accountUri = baseUri.buildUpon().appendEncodedPath(accName).build(); - providerHelper.updateApiAccount( + apiDao.updateApiAccount( accountUri, mAccSettingsFragment.getAccSettings()); } else { - providerHelper.insertApiAccount( + apiDao.insertApiAccount( KeychainContract.ApiAccounts.buildBaseUri(packageName), mAccSettingsFragment.getAccSettings()); } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RemoteRegisterActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RemoteRegisterActivity.java index d31f9e35a..0ce9e66c9 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RemoteRegisterActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/RemoteRegisterActivity.java @@ -17,13 +17,14 @@ package org.sufficientlysecure.keychain.remote.ui; + import android.content.Intent; import android.os.Bundle; import android.view.View; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; -import org.sufficientlysecure.keychain.provider.ProviderHelper; +import org.sufficientlysecure.keychain.provider.ApiDataAccessObject; import org.sufficientlysecure.keychain.remote.AppSettings; import org.sufficientlysecure.keychain.ui.base.BaseActivity; import org.sufficientlysecure.keychain.util.Log; @@ -52,7 +53,7 @@ public class RemoteRegisterActivity extends BaseActivity { final byte[] packageSignature = extras.getByteArray(EXTRA_PACKAGE_SIGNATURE); Log.d(Constants.TAG, "ACTION_REGISTER packageName: " + packageName); - final ProviderHelper providerHelper = new ProviderHelper(this); + final ApiDataAccessObject apiDao = new ApiDataAccessObject(this); mAppSettingsHeaderFragment = (AppSettingsHeaderFragment) getSupportFragmentManager().findFragmentById( R.id.api_app_settings_fragment); @@ -67,8 +68,7 @@ public class RemoteRegisterActivity extends BaseActivity { @Override public void onClick(View v) { // Allow - - providerHelper.insertApiApp(mAppSettingsHeaderFragment.getAppSettings()); + apiDao.insertApiApp(mAppSettingsHeaderFragment.getAppSettings()); // give data through for new service call Intent resultData = extras.getParcelable(EXTRA_DATA); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/SelectSignKeyIdListFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/SelectSignKeyIdListFragment.java index 852e8bb81..73ce5fe47 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/SelectSignKeyIdListFragment.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/ui/SelectSignKeyIdListFragment.java @@ -17,6 +17,7 @@ package org.sufficientlysecure.keychain.remote.ui; + import android.app.Activity; import android.content.Context; import android.content.Intent; @@ -36,9 +37,9 @@ import org.openintents.openpgp.util.OpenPgpApi; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.R; import org.sufficientlysecure.keychain.compatibility.ListFragmentWorkaround; +import org.sufficientlysecure.keychain.provider.ApiDataAccessObject; import org.sufficientlysecure.keychain.provider.KeychainContract; import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRings; -import org.sufficientlysecure.keychain.provider.ProviderHelper; import org.sufficientlysecure.keychain.ui.adapter.SelectKeyCursorAdapter; import org.sufficientlysecure.keychain.ui.widget.FixedListView; import org.sufficientlysecure.keychain.util.Log; @@ -49,7 +50,7 @@ public class SelectSignKeyIdListFragment extends ListFragmentWorkaround implemen public static final String ARG_DATA = "data"; private SelectKeyCursorAdapter mAdapter; - private ProviderHelper mProviderHelper; + private ApiDataAccessObject mApiDao; private Uri mDataUri; @@ -72,7 +73,7 @@ public class SelectSignKeyIdListFragment extends ListFragmentWorkaround implemen public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); - mProviderHelper = new ProviderHelper(getActivity()); + mApiDao = new ApiDataAccessObject(getActivity()); } @Override @@ -116,7 +117,7 @@ public class SelectSignKeyIdListFragment extends ListFragmentWorkaround implemen Uri allowedKeysUri = mDataUri.buildUpon().appendPath(KeychainContract.PATH_ALLOWED_KEYS).build(); Log.d(Constants.TAG, "allowedKeysUri: " + allowedKeysUri); - mProviderHelper.addAllowedKeyIdForApp(allowedKeysUri, masterKeyId); + mApiDao.addAllowedKeyIdForApp(allowedKeysUri, masterKeyId); resultData.putExtra(OpenPgpApi.EXTRA_SIGN_KEY_ID, masterKeyId); |