aboutsummaryrefslogtreecommitdiffstats
path: root/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
diff options
context:
space:
mode:
Diffstat (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java')
-rw-r--r--OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java27
1 files changed, 27 insertions, 0 deletions
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
index 4ff14e3bb..b116524ef 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
@@ -19,6 +19,8 @@ package org.sufficientlysecure.keychain.util;
import android.content.res.AssetManager;
+import com.squareup.okhttp.CertificatePinner;
+import com.squareup.okhttp.OkHttpClient;
import org.sufficientlysecure.keychain.Constants;
import java.io.ByteArrayInputStream;
@@ -85,6 +87,31 @@ public class TlsHelper {
return url.openConnection();
}
+ public static void pinCertificateIfNecessary(OkHttpClient client, URL url) throws TlsHelperException {
+ if (url.getProtocol().equals("https")) {
+ for (String domain : sStaticCA.keySet()) {
+ if (url.getHost().endsWith(domain)) {
+ pinCertificate(sStaticCA.get(domain), domain, client);
+ }
+ }
+ }
+ }
+
+ public static void pinCertificate(byte[] certificate, String hostName, OkHttpClient client)
+ throws TlsHelperException {
+ try {
+ // Load CA
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ Certificate ca = cf.generateCertificate(new ByteArrayInputStream(certificate));
+ String pin = CertificatePinner.pin(ca);
+ Log.e("PHILIP", "" + ca.getPublicKey() + ":" + pin);
+
+ client.setCertificatePinner(new CertificatePinner.Builder().add(hostName, pin).build());
+ } catch (CertificateException e) {
+ throw new TlsHelperException(e);
+ }
+ }
+
/**
* Opens a Connection that will only accept certificates signed with a specific CA and skips common name check.
* This is required for some distributed Keyserver networks like sks-keyservers.net
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-01 11:20:26 +0000