From 007d02f01b1381d218a248a377e186b4549a5e0e Mon Sep 17 00:00:00 2001
From: Adithya Abraham Philip
Date: Sun, 7 Jun 2015 02:19:03 +0530
Subject: added proxy support, silent right now
---
 .../keychain/util/TlsHelper.java | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)
(limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java')
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
index 4ff14e3bb..b116524ef 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
@@ -19,6 +19,8 @@ package org.sufficientlysecure.keychain.util;
 import android.content.res.AssetManager;
+import com.squareup.okhttp.CertificatePinner;
+import com.squareup.okhttp.OkHttpClient;
 import org.sufficientlysecure.keychain.Constants;
 import java.io.ByteArrayInputStream;
@@ -85,6 +87,31 @@ public class TlsHelper {
 return url.openConnection();
 }
+ public static void pinCertificateIfNecessary(OkHttpClient client, URL url) throws TlsHelperException {
+ if (url.getProtocol().equals("https")) {
+ for (String domain : sStaticCA.keySet()) {
+ if (url.getHost().endsWith(domain)) {
+ pinCertificate(sStaticCA.get(domain), domain, client);
+ }
+ }
+ }
+ }
+
+ public static void pinCertificate(byte[] certificate, String hostName, OkHttpClient client)
+ throws TlsHelperException {
+ try {
+ // Load CA
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ Certificate ca = cf.generateCertificate(new ByteArrayInputStream(certificate));
+ String pin = CertificatePinner.pin(ca);
+ Log.e("PHILIP", "" + ca.getPublicKey() + ":" + pin);
+
+ client.setCertificatePinner(new CertificatePinner.Builder().add(hostName, pin).build());
+ } catch (CertificateException e) {
+ throw new TlsHelperException(e);
+ }
+ }
+
 /**
 * Opens a Connection that will only accept certificates signed with a specific CA and skips common name check.
 * This is required for some distributed Keyserver networks like sks-keyservers.net
-- 
cgit v1.2.3
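Review bot: `Log.e("PHILIP", "" + ca.getPublicKey() + ":" + pin);` in pinCertificate is leftover debug output emitted at error level on every pinned connection; drop it, or demote it to a debug-level line under the file's existing log tag. The host match in pinCertificateIfNecessary, `url.getHost().endsWith(domain)`, has no label boundary, so an unrelated host whose name merely ends in a configured domain string is also pinned and will then fail its handshake; `String host = url.getHost(); if (host.equals(domain) || host.endsWith("." + domain))` limits it to the domain itself and its subdomains. Each call also replaces the client's pinner through setCertificatePinner instead of adding to it, so a client reused across several pinned domains keeps only the last pin — presumably fine for per-request clients, but worth confirming against the callers. Both new public methods lack the Javadoc the neighbouring method carries; a summary on pinCertificateIfNecessary such as `/** Pins the client to the static CA for the URL's host when the URL is https and the host belongs to a configured domain. */` would match the file's style.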