From 6c2efb02353f34ea153f4bf8ed283685ccaad9a9 Mon Sep 17 00:00:00 2001
From: Michal Kepkowski
Date: Sat, 12 Mar 2016 19:32:36 +0100
Subject: okhttp3

---
 .../keychain/util/TlsHelper.java | 24 ++++++++++++----------
 1 file changed, 13 insertions(+), 11 deletions(-)
(limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java')

diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
index 1492abdeb..d1b8f768b 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
@@ -19,8 +19,8 @@ package org.sufficientlysecure.keychain.util;
 import android.content.res.AssetManager;
-import com.squareup.okhttp.OkHttpClient;
+import okhttp3.OkHttpClient;
 import org.sufficientlysecure.keychain.Constants;
 import java.io.ByteArrayInputStream;
@@ -39,6 +39,7 @@ import java.util.HashMap;
 import java.util.Map;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManagerFactory;
 public class TlsHelper {
@@ -80,30 +81,30 @@ public class TlsHelper {
      * @throws TlsHelperException
      * @throws IOException
      */
-    public static boolean usePinnedCertificateIfAvailable(OkHttpClient client, URL url) throws TlsHelperException, IOException {
+    public static SSLSocketFactory getPinnedSslSocketFactory(URL url) throws TlsHelperException, IOException {
         if (url.getProtocol().equals("https")) {
             // use certificate PIN from assets if we have one
             for (String host : sPinnedCertificates.keySet()) {
                 if (url.getHost().endsWith(host)) {
-                    pinCertificate(sPinnedCertificates.get(host), client);
-                    return true;
+                    return pinCertificate(sPinnedCertificates.get(host));
+                    //return true;
                 }
             }
         }
-        return false;
+        return null;
     }
     /**
-     * Modifies the client to accept only requests with a given certificate. Applies to all URLs requested by the
-     * client.
-     * Therefore a client that is pinned this way should be used to only make requests to URLs with passed certificate.
+     * Modifies the builder to accept only requests with a given certificate. Applies to all URLs requested by the
+     * builder.
+     * Therefore a builder that is pinned this way should be used to only make requests to URLs with passed certificate.
      *
      * @param certificate certificate to pin
-     * @param client OkHttpClient to enforce pinning on
+     * @param builder OkHttpBuilder to enforce pinning on
      * @throws TlsHelperException
      * @throws IOException
      */
-    private static void pinCertificate(byte[] certificate, OkHttpClient client)
+    private static SSLSocketFactory pinCertificate(byte[] certificate)
             throws TlsHelperException, IOException {
         // We don't use OkHttp's CertificatePinner since it can not be used to pin self-signed
         // certificate if such certificate is not accepted by TrustManager.
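Review bot: `getPinnedSslSocketFactory` now returns `null` to mean "no pin for this host", but the Javadoc it sits under (which starts above the hunk) only lists `@throws`, so nothing tells a caller that the result must be null-checked before it is handed to an OkHttp builder; I would add `@return a factory trusting only the certificate pinned for {@code url}'s host, or {@code null} if no pin is available`. The `pinCertificate` Javadoc rewritten in the same hunk still opens with "Modifies the builder to accept only requests with a given certificate" although the new signature takes no builder and returns an `SSLSocketFactory`; the later `Use cert pinning only if available` commit on this page reflows that text without fixing the wording, so it should read roughly `Builds an SSLSocketFactory whose trust store contains only the given certificate; use it only for requests to the host that certificate belongs to`. The pin is chosen on the unchanged `url.getHost().endsWith(host)` line, a raw suffix match with no label boundary; whether that is safe depends on the keys stored in `sPinnedCertificates`, which this hunk does not show, so confirm they are full hostnames or anchor the comparison on a leading dot.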
@@ -130,7 +131,8 @@ public class TlsHelper {
             SSLContext context = SSLContext.getInstance("TLS");
             context.init(null, tmf.getTrustManagers(), null);
-            client.setSslSocketFactory(context.getSocketFactory());
+            return context.getSocketFactory();
+            //builder.sslSocketFactory(context.getSocketFactory());
         } catch (CertificateException | KeyStoreException | KeyManagementException | NoSuchAlgorithmException e) {
             throw new TlsHelperException(e);
         }
-- cgit v1.2.3

From 26bfe06d80f4114da298a7e7e05a59db823a8d40 Mon Sep 17 00:00:00 2001
From: Michal Kepkowski
Date: Wed, 6 Apr 2016 19:25:10 +0200
Subject: cleaning

---
 .../org/sufficientlysecure/keychain/util/TlsHelper.java | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
(limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java')

diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
index d1b8f768b..c23985ac0 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
@@ -44,12 +44,6 @@ import javax.net.ssl.TrustManagerFactory;
 public class TlsHelper {
-    public static class TlsHelperException extends Exception {
-        public TlsHelperException(Exception e) {
-            super(e);
-        }
-    }
-
     private static Map sPinnedCertificates = new HashMap<>();
     /**
@@ -87,7 +81,6 @@ public class TlsHelper {
             for (String host : sPinnedCertificates.keySet()) {
                 if (url.getHost().endsWith(host)) {
                     return pinCertificate(sPinnedCertificates.get(host));
-                    //return true;
                 }
             }
         }
@@ -138,4 +131,10 @@ public class TlsHelper {
         }
     }
+    public static class TlsHelperException extends Exception {
+        public TlsHelperException(Exception e) {
+            super(e);
+        }
+    }
+
 }
-- cgit v1.2.3

From 2d762e55da92ef45576967c0d1befef55e7935ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?=
Date: Sat, 9 Apr 2016 11:53:37 +0200
Subject: Okhttp3 cleanups, docs, and fix timeouts for default client

---
 .../src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java | 4 ----
 1 file changed, 4 deletions(-)
(limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java')

diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
index c23985ac0..77ed6fe0b 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
@@ -19,8 +19,6 @@ package org.sufficientlysecure.keychain.util;
 import android.content.res.AssetManager;
-
-import okhttp3.OkHttpClient;
 import org.sufficientlysecure.keychain.Constants;
 import java.io.ByteArrayInputStream;
@@ -93,7 +91,6 @@ public class TlsHelper {
      * Therefore a builder that is pinned this way should be used to only make requests to URLs with passed certificate.
      *
      * @param certificate certificate to pin
-     * @param builder OkHttpBuilder to enforce pinning on
      * @throws TlsHelperException
      * @throws IOException
      */
@@ -125,7 +122,6 @@ public class TlsHelper {
             context.init(null, tmf.getTrustManagers(), null);
             return context.getSocketFactory();
-            //builder.sslSocketFactory(context.getSocketFactory());
         } catch (CertificateException | KeyStoreException | KeyManagementException | NoSuchAlgorithmException e) {
             throw new TlsHelperException(e);
         }
-- cgit v1.2.3

From c8e5395d4e3c3dcc349ebe6bb300016f44d430d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?=
Date: Sat, 9 Apr 2016 18:34:00 +0200
Subject: Use cert pinning only if available

---
 .../main/java/org/sufficientlysecure/keychain/util/TlsHelper.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java')

diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
index 77ed6fe0b..fe62eff55 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java
@@ -86,9 +86,10 @@ public class TlsHelper {
     }
     /**
-     * Modifies the builder to accept only requests with a given certificate. Applies to all URLs requested by the
-     * builder.
-     * Therefore a builder that is pinned this way should be used to only make requests to URLs with passed certificate.
+     * Modifies the builder to accept only requests with a given certificate.
+     * Applies to all URLs requested by the builder.
+     * Therefore a builder that is pinned this way should be used to only make requests
+     * to URLs with passed certificate.
      *
      * @param certificate certificate to pin
      * @throws TlsHelperException
-- cgit v1.2.3