From 9ee61dc0dfa5990126b7fb79c5373beb83a8b040 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?=
Date: Mon, 21 Sep 2015 14:05:44 +0200
Subject: Pin keybase certificate
---
 OpenKeychain/src/main/assets/keybase.io.CA.cer | 25 ++++++++++++
 .../keychain/KeychainApplication.java | 6 +++
 .../keychain/util/OkHttpKeybaseClient.java | 45 ++++++++++++----------
 3 files changed, 56 insertions(+), 20 deletions(-)
 create mode 100644 OpenKeychain/src/main/assets/keybase.io.CA.cer
(limited to 'OpenKeychain/src/main')
diff --git a/OpenKeychain/src/main/assets/keybase.io.CA.cer b/OpenKeychain/src/main/assets/keybase.io.CA.cer
new file mode 100644
index 000000000..65ded9b1c
--- /dev/null
+++ b/OpenKeychain/src/main/assets/keybase.io.CA.cer
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
+MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
+YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
+EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
+U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
+VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
+SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
+1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
+DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
+QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
+YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
+qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
+VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
+JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
+BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
+MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
+dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
+rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
+fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
+kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
+uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
+ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
+gP8L8mJMcCaY
+-----END CERTIFICATE-----
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
index 45d81749a..56dd9a4cb 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
@@ -100,6 +100,12 @@ public class KeychainApplication extends Application {
 TlsHelper.addPinnedCertificate("hkps.pool.sks-keyservers.net", getAssets(), "hkps.pool.sks-keyservers.net.CA.cer");
 TlsHelper.addPinnedCertificate("pgp.mit.edu", getAssets(), "pgp.mit.edu.cer");
+ // NOTE:
+ // keybase.io.CA.cer only holds the CA issuing the actual keybase.io certificate, but this
+ // is better than no pinning!
+ // We are not using https://github.com/keybase/node-client/blob/master/src/ca.iced
+ // because it is only valid for api.keybase.io (https://github.com/keybase/keybase-issues/issues/964)
+ TlsHelper.addPinnedCertificate("keybase.io", getAssets(), "keybase.io.CA.cer");
 TemporaryStorageProvider.cleanUp(this);
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpKeybaseClient.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpKeybaseClient.java
index 7c1d9f291..32a5406e0 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpKeybaseClient.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpKeybaseClient.java
@@ -1,7 +1,3 @@
-package org.sufficientlysecure.keychain.util;
-
-import com.squareup.okhttp.OkHttpClient;
-import com.squareup.okhttp.OkUrlFactory;
 /*
 * Copyright (C) 2015 Dominik Schürmann
 *
@@ -19,8 +15,14 @@ import com.squareup.okhttp.OkUrlFactory;
 * along with this program. If not, see .
 */
+package org.sufficientlysecure.keychain.util;
+
+import com.squareup.okhttp.OkHttpClient;
+import com.squareup.okhttp.OkUrlFactory;
 import com.textuality.keybase.lib.KeybaseUrlConnectionClient;
+import org.sufficientlysecure.keychain.Constants;
+
 import java.io.IOException;
 import java.net.Proxy;
 import java.net.URL;
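Review bot: The NOTE comment above the new `addPinnedCertificate("keybase.io", getAssets(), "keybase.io.CA.cer")` call should also record what is pinned and when the pin stops working: the new asset appears to decode to the "RapidSSL SHA256 CA - G3" intermediate issued by "GeoTrust Global CA" with a notAfter in 2022 (confirm with a certificate decoder), and since OkHttpKeybaseClient now refuses the connection when no pinned certificate applies, a re-issuance of keybase.io under a different intermediate, or that intermediate's expiry, breaks Keybase lookups until an app update ships a new pin. Pinning an issuing CA rather than the leaf also accepts any certificate that CA issues for any host, so the pin only helps together with hostname verification; whether TlsHelper keeps hostname verification enabled is not visible in this diff and should be checked. Suggested addition to the comment: `// Pinned: the keybase.io issuing CA (RapidSSL SHA256 CA - G3, issuer GeoTrust Global CA), notAfter <date from the asset>; rotating it needs an app release.`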
@@ -33,25 +35,14 @@ import java.util.concurrent.TimeUnit;
 public class OkHttpKeybaseClient implements KeybaseUrlConnectionClient {
 private final OkUrlFactory factory;
- private final OkUrlFactory proxyFactory;
 private static OkUrlFactory generateUrlFactory() {
 OkHttpClient client = new OkHttpClient();
- client.setConnectTimeout(5000, TimeUnit.MILLISECONDS);
- client.setReadTimeout(25000, TimeUnit.MILLISECONDS);
- return new OkUrlFactory(client);
- }
-
- private static OkUrlFactory generateProxyUrlFactory() {
- OkHttpClient client = new OkHttpClient();
- client.setConnectTimeout(30000, TimeUnit.MILLISECONDS);
- client.setReadTimeout(40000, TimeUnit.MILLISECONDS);
 return new OkUrlFactory(client);
 }
 public OkHttpKeybaseClient() {
 factory = generateUrlFactory();
- proxyFactory = generateProxyUrlFactory();
 }
 @Override
@@ -61,14 +52,28 @@ public class OkHttpKeybaseClient implements KeybaseUrlConnectionClient {
 @Override
 public URLConnection openConnection(URL url, Proxy proxy) throws IOException {
- URLConnection conn;
 if (proxy != null) {
- proxyFactory.client().setProxy(proxy);
- conn = proxyFactory.open(url);
+ factory.client().setProxy(proxy);
+ factory.client().setConnectTimeout(30000, TimeUnit.MILLISECONDS);
+ factory.client().setReadTimeout(40000, TimeUnit.MILLISECONDS);
 } else {
- conn = factory.open(url);
+ factory.client().setConnectTimeout(5000, TimeUnit.MILLISECONDS);
+ factory.client().setReadTimeout(25000, TimeUnit.MILLISECONDS);
 }
- return conn;
+
+ factory.client().setFollowSslRedirects(false);
+
+ // forced the usage of keybase.io pinned certificate
+ try {
+ if (!TlsHelper.usePinnedCertificateIfAvailable(factory.client(), url)) {
+ throw new IOException("no pinned certificate found for URL!");
+ }
+ } catch (TlsHelper.TlsHelperException e) {
+ Log.e(Constants.TAG, "TlsHelper failed", e);
+ throw new IOException("TlsHelper failed");
+ }
+
+ return factory.open(url);
 }
 }
\ No newline at end of file
-- cgit v1.2.3
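Review bot: In the `@@ -61,14 +52,28 @@` hunk a proxy set on the shared client is never cleared: `setProxy` is only called when `proxy != null`, so once one proxied request has been made, every later call with `proxy == null` still goes through the old proxy — the separate `proxyFactory` removed in the preceding hunk used to prevent exactly this. Moving `factory.client().setProxy(proxy);` above the `if` fixes it, since in OkHttp 2 a null proxy falls back to the client's ProxySelector. Proxy, timeouts and whatever `usePinnedCertificateIfAvailable` installs are now all mutated on one shared OkHttpClient on every call, so if this client is reachable from more than one thread, concurrent calls can observe each other's settings and a per-call copy of the client would be safer. Separately, `throw new IOException("TlsHelper failed");` drops the cause; `throw new IOException("TlsHelper failed", e);` preserves it for callers.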